The latest articles on DEV Community by Warren Jitsing (@warren_jitsing_dd1c1d6fc6). https://dev.to/warren_jitsing_dd1c1d6fc6 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3658537%2Fef9d7cee-36ac-45c5-9f18-457a9ea3465b.jpeg https://dev.to/warren_jitsing_dd1c1d6fc6 en Warren Jitsing Sun, 25 Jan 2026 06:07:06 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/pingora-guide-how-to-make-a-programmable-api-gateway-1oim https://dev.to/warren_jitsing_dd1c1d6fc6/pingora-guide-how-to-make-a-programmable-api-gateway-1oim <p>GitHub: <a href="https://github.com/InfiniteConsult/pingora-guide" rel="noopener noreferrer">https://github.com/InfiniteConsult/pingora-guide</a></p> <p><strong>Reference architecture in src is work-in-progress. Check back next week</strong></p> <h1> Pingora Guide </h1> <ul> <li>Quick Start: The "Pingora City" Lab</li> <li>Lesson 0: The Raw Event Loop</li> <li>Lesson 1: Configuration &amp; Lifecycle</li> <li>Lesson 2: Daemon Mode &amp; Background Services</li> <li>Lesson 3: Graceful Shutdown</li> <li>Lesson 4: Threading Models</li> <li>Lesson 5: Background Services &amp; Shared State</li> <li>Lesson 6: The Simple Forwarder</li> <li>Lesson 7: TLS Termination</li> <li>Lesson 8: Header Manipulation</li> <li>Lesson 9: Path Routing</li> <li>Lesson 10: Query Params</li> <li>Lesson 11: Response Modification</li> <li>Lesson 12: Body Inspection</li> <li>Lesson 13: Custom Errors</li> <li>Lesson 14: HTTP/2 Support</li> <li>Lesson 15: H2C (HTTP/2 Cleartext)</li> <li>Lesson 16: Static Peer</li> <li>Lesson 17: DNS Peer</li> <li>Lesson 18: Unix Domain Socket (UDS) Peer</li> <li>Lesson 19: Peer Options</li> <li>Lesson 20: SNI Routing</li> <li>Lesson 21: Mutual TLS (mTLS)</li> <li>Lesson 22: Proxy Connect (Tunneling)</li> <li>Lesson 23: WebSocket Upgrade</li> <li>Lesson 24: gRPC Proxy</li> <li>Lesson 25: Connection Reuse (Pooling)</li> <li>Lesson 26: Round Robin Load Balancing</li> <li>Lesson 27: Weighted Load Balancing</li> <li>Lesson 28: Consistent Hashing (Ketama)</li> <li>Lesson 29: Sticky Sessions (Cookie-Based)</li> <li>Lesson 30: TCP Health Checks</li> <li>Lesson 31: HTTP Health Checks</li> <li>Lesson 32: Custom Health Checks (Body Inspection)</li> <li>Lesson 33: Active-Passive Load Balancing (Failover)</li> <li>Lesson 34: Service Discovery (File-Based)</li> <li>Lesson 35: Dynamic Reconfiguration (Hot-Swap API)</li> <li>Lesson 36: Basic Rate Limiting (Fixed Window)</li> <li>Lesson 37: Sliding Window Rate Limiting</li> <li>Lesson 38: In-flight Concurrency Limiting</li> <li>Lesson 39: IP Filtering (Access Control)</li> <li>Lesson 40: Request Size Limiting</li> <li>Lesson 41: Authentication (Bearer Token)</li> <li>Lesson 42: Basic Authentication</li> <li>Lesson 43: In-Memory Caching</li> <li>Lesson 44: Respecting Cache-Control Headers</li> <li>Lesson 45: Cache Locking (Request Coalescing)</li> <li>Lesson 46: Cache Purging</li> <li>Lesson 47: Stale While Revalidate</li> <li>Lesson 48: Observability</li> </ul> <h1> Quick Start: The "Pingora City" Lab </h1> <p>To ensure a consistent environment for these tutorials, we have created a deterministic network topology using Docker Compose. This "Pingora City" simulates a real-world infrastructure with multiple clients, distinct upstreams (HTTP, HTTPS, gRPC, H2C), and a dedicated development station.</p> <h2> 1. Setup &amp; Installation </h2> <p><strong>Prerequisites:</strong> Docker and Docker Compose.</p> <p>First, generate the Certificate Authority and service certificates. This populates <code>conf/keys/</code> with the TLS assets required for the advanced lessons.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Generate Certificates (Root CA, Server, Client, Upstream)</span> <span class="nb">chmod</span> +x scripts/00-setup-certs.sh ./scripts/00-setup-certs.sh <span class="c"># 2. Build and Launch the City</span> docker compose up <span class="nt">-d</span> <span class="nt">--build</span> </code></pre> </div> <h2> 2. The Developer Environment </h2> <p>You do not need Rust installed on your host machine. We have a dedicated <code>dev</code> container (Debian Bookworm) with a pre-configured Rust toolchain, OpenSSL, and network utilities.</p> <p><strong>Enter the Dev Container:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_dev bash </code></pre> </div> <p><strong>Verify Compilation (Run Example 05):</strong><br> Once inside, run the "Background Services" example. This acts as a smoke test to ensure <code>cargo</code> can compile the project and bind to the network.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Inside pingora_dev</span> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 05_background_services </code></pre> </div> <p><em>Wait for the "Server started" log message, then press <code>Ctrl+C</code> to exit the process.</em></p> <p><strong>Verify Internal Network Reachability:</strong><br> We have provided a script to verify that the Dev station can reach all upstream services via both Static IP and DNS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Inside pingora_dev</span> ./scripts/validate-dev.sh </code></pre> </div> <p><em>You should see green <code>OK</code> statuses for Blue, Green, Advanced (Nginx), and gRPC upstreams.</em></p> <p>Type <code>exit</code> to return to your host terminal.</p> <h2> 3. Verification &amp; Connectivity Test </h2> <p>From your <strong>host machine</strong>, run the <code>validate-others.sh</code> script. This automation script will:</p> <ol> <li>Start <code>example 05_background_services</code> in the background on the Dev container.</li> <li>Instruct <strong>Client 1</strong> and <strong>Client 2</strong> to connect to the server.</li> <li>Verify that both clients (with distinct IPs) successfully received a response.</li> <li>Verify the server logs to confirm traffic handling.</li> <li>Send a <code>SIGTERM</code> to the server to test graceful shutdown. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On Host</span> <span class="nb">chmod</span> +x scripts/validate-others.sh ./scripts/validate-others.sh </code></pre> </div> <h2> 4. Network Topology &amp; Services </h2> <p>The lab runs on a fixed subnet <code>172.28.0.0/24</code>. All containers mount the <code>conf/keys</code> directory to trust the local Root CA.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Hostname</th> <th>Static IP</th> <th>Role &amp; Features</th> </tr> </thead> <tbody> <tr> <td><strong>Dev Station</strong></td> <td><code>dev.pingora.local</code></td> <td><code>172.28.0.10</code></td> <td> <strong>Your Workstation.</strong> Rust toolchain, code bind-mount. Runs your Proxy.</td> </tr> <tr> <td><strong>Upstream Blue</strong></td> <td><code>blue.pingora.local</code></td> <td><code>172.28.0.20</code></td> <td> <strong>Basic HTTP.</strong> Returns "Response from BLUE" on port 8080.</td> </tr> <tr> <td><strong>Upstream Green</strong></td> <td><code>green.pingora.local</code></td> <td><code>172.28.0.21</code></td> <td> <strong>Basic HTTP.</strong> Returns "Response from GREEN" on port 8080.</td> </tr> <tr> <td><strong>Advanced Upstream</strong></td> <td><code>advanced.pingora.local</code></td> <td><code>172.28.0.22</code></td> <td> <strong>Nginx.</strong> Supports: <br><br>• Port 80: HTTP (Caching headers)<br><br>• Port 443: HTTPS<br><br>• Port 8443: Mutual TLS (mTLS)<br><br>• Port 8081: HTTP/2 Cleartext (H2C)</td> </tr> <tr> <td><strong>gRPC Upstream</strong></td> <td><code>grpc.pingora.local</code></td> <td><code>172.28.0.23</code></td> <td> <strong>gRPC.</strong> <code>grpcbin</code> server listening on TCP 9000.</td> </tr> <tr> <td><strong>Client 1</strong></td> <td><code>client1.pingora.local</code></td> <td><code>172.28.0.30</code></td> <td> <strong>Traffic Generator.</strong> Simulates User A.</td> </tr> <tr> <td><strong>Client 2</strong></td> <td><code>client2.pingora.local</code></td> <td><code>172.28.0.31</code></td> <td> <strong>Traffic Generator.</strong> Simulates User B (Useful for IP Rate Limiting).</td> </tr> </tbody> </table></div> <h1> Lesson 0: The Raw Event Loop </h1> <p>In this first lesson, we strip away the HTTP layer to understand the heart of Pingora: the <strong>Event Loop</strong>.</p> <p>Pingora is not just an HTTP proxy; it is a generic network server framework. At its lowest level, it manages the lifecycle of a server process, handles configuration, daemonization, and graceful shutdowns. It then delegates the actual handling of traffic to <strong>Services</strong>.</p> <p>We will build a raw TCP Echo Server. This requires implementing the <code>ServerApp</code> trait, which gives us direct access to the underlying TCP stream before any protocol parsing occurs.</p> <h2> Key Concepts </h2> <ol> <li> <strong><code>Server</code></strong>: The process manager. It owns the main thread, handles signals (like SIGTERM), and manages the worker threads.</li> <li> <strong><code>Service</code></strong>: A background worker or a listening endpoint. A <code>Server</code> can run multiple <code>Services</code>.</li> <li> <strong><code>ServerApp</code></strong>: The logic trait. You implement this to define <em>what</em> happens when a new connection is established.</li> <li> <strong><code>Stream</code></strong>: A wrapper around the raw socket (TCP or Unix Domain Socket). It implements <code>AsyncRead</code> and <code>AsyncWrite</code>.</li> </ol> <h2> The Code (<code>examples/00_basic_server.rs</code>) </h2> <p>We will implement a struct <code>EchoApp</code>. When a client connects, <code>EchoApp</code> will read bytes from the stream and immediately write them back until the client disconnects or the server shuts down.</p> <p>Notice the strict error handling. We avoid <code>unwrap()</code>. If the server fails to initialize or a socket read fails, we log the error and exit the scope gracefully.</p> <p>We also import <code>GetSocketDigest</code> to access metadata about the connection, such as the peer's IP address.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// examples/00_basic_server.rs</span> <span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="n">Stream</span><span class="p">;</span> <span class="c1">// We need this trait to access connection metadata (IPs, etc.) from the Stream</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="n">GetSocketDigest</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">listening</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="cd">/// A custom application logic that implements `ServerApp`.</span> <span class="cd">/// This is the lowest level of logic in Pingora, dealing with raw streams.</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">EchoApp</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">apps</span><span class="p">::</span><span class="n">ServerApp</span> <span class="k">for</span> <span class="n">EchoApp</span> <span class="p">{</span> <span class="cd">/// This method is called whenever a new TCP connection is established.</span> <span class="cd">///</span> <span class="cd">/// # Arguments</span> <span class="cd">/// * `stream` - The raw TCP/Unix stream (Box&lt;dyn IO&gt;).</span> <span class="cd">/// * `shutdown` - A watcher to check if the server is requested to stop.</span> <span class="cd">///</span> <span class="cd">/// # Returns</span> <span class="cd">/// * `Some(stream)`: The connection is reusable and should be kept alive.</span> <span class="cd">/// * `None`: The connection is finished or errored and should be closed.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">process_new</span><span class="p">(</span> <span class="k">self</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">mut</span> <span class="n">stream</span><span class="p">:</span> <span class="n">Stream</span><span class="p">,</span> <span class="n">shutdown</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ShutdownWatch</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Stream</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Access the socket digest to get the peer address.</span> <span class="c1">// We safely check if the digest exists and if the peer address is available.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">digest</span><span class="p">)</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.get_socket_digest</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">peer_addr</span><span class="p">)</span> <span class="o">=</span> <span class="n">digest</span><span class="nf">.peer_addr</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"New connection from: {:?}"</span><span class="p">,</span> <span class="n">peer_addr</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">loop</span> <span class="p">{</span> <span class="c1">// 1. Graceful Shutdown Check</span> <span class="c1">// We check this every loop to ensure we don't hold connections hostage</span> <span class="c1">// during a server restart or shutdown.</span> <span class="k">if</span> <span class="o">*</span><span class="n">shutdown</span><span class="nf">.borrow</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Server shutting down, closing connection"</span><span class="p">);</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 2. Read data from the stream safely</span> <span class="k">let</span> <span class="n">read_result</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">match</span> <span class="n">read_result</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// 0 bytes read indicates the client closed the connection cleanly.</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Client closed connection"</span><span class="p">);</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// We successfully read n bytes. Now echo them back.</span> <span class="c1">// write_all ensures every byte in the buffer is transmitted.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="mi">0</span><span class="o">..</span><span class="n">n</span><span class="p">])</span><span class="k">.await</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Failed to write to stream: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Flush ensures the data is actually sent over the wire immediately.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.flush</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Failed to flush stream: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// IO errors (broken pipe, reset, etc.) happen here.</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Stream read error: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 1. Initialize logging. Pingora uses `log`, so we need an implementation like `env_logger`.</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="c1">// 2. Parse command line options safely.</span> <span class="c1">// Pingora provides a built-in Clap parser for standard options (-c, -d, --upgrade).</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="c1">// 3. Create the Server instance.</span> <span class="c1">// This handles process lifecycle, PID files, and configuration loading.</span> <span class="c1">// We propagate the error up instead of unwrapping.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 4. Bootstrap initializes the environment (e.g., file descriptor inheritance for upgrades).</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 5. Initialize our custom logic.</span> <span class="k">let</span> <span class="n">echo_logic</span> <span class="o">=</span> <span class="n">EchoApp</span><span class="p">;</span> <span class="c1">// 6. Create a Listening Service.</span> <span class="c1">// We wrap our logic in a Service which binds it to a specific protocol/port.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">service</span> <span class="o">=</span> <span class="nn">Service</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">"Echo Service"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">echo_logic</span><span class="p">);</span> <span class="c1">// 7. Add a TCP listening endpoint.</span> <span class="c1">// This tells the service to listen on 0.0.0.0:6142.</span> <span class="n">service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6142"</span><span class="p">);</span> <span class="c1">// 8. Register the service with the server.</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">service</span><span class="p">);</span> <span class="c1">// 9. Run the server.</span> <span class="c1">// This enters the event loop and will not return until the process exits.</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Starting server on 0.0.0.0:6142..."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify that your raw TCP server is working correctly, we will use <code>telnet</code>.</p> <ol> <li> <strong>Run the Server</strong>: Open your terminal in the project root and run the example. We enable info logs to see the connection events. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 00_basic_server </code></pre> </div> <ol> <li> <strong>Connect with Telnet</strong>: Open a <strong>separate</strong> terminal window and connect to the server. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> telnet localhost 6142 </code></pre> </div> <ol> <li> <strong>Test Echo</strong>: Type <code>Hello Pingora</code> and press Enter. You should see the text echo back immediately. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Hello Pingora Hello Pingora </code></pre> </div> <ol> <li> <strong>Disconnect</strong>: To exit <code>telnet</code>, press <code>Ctrl</code> + <code>]</code> (Control and right bracket), then type <code>close</code> and press Enter. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ^] telnet&gt; close Connection closed. </code></pre> </div> <ol> <li> <strong>Check Logs</strong>: In your first terminal, you should see logs indicating a new connection was established, and a closure log when you exited <code>telnet</code>.</li> </ol> <h1> Lesson 1: Configuration &amp; Lifecycle </h1> <p>In Lesson 0, we built a server that ran with default settings. However, production services rarely run on defaults. They need to define how many worker threads to use, where to write error logs, where to store PID files, and how to handle process upgrades.</p> <p>Pingora handles this "infrastructure" configuration separately from your traffic handling logic. This separation allows the framework to manage the process lifecycle (daemonization, restarts, upgrades) standardly across all Pingora applications.</p> <h2> Key Concepts </h2> <ol> <li> <strong><code>Opt</code></strong>: This struct represents command-line arguments. Pingora provides a standard parser (via <code>clap</code>) that handles flags like <code>-c</code> (config file), <code>-d</code> (daemon mode), and <code>-u</code> (upgrade).</li> <li> <strong><code>ServerConf</code></strong>: This struct holds the runtime configuration for the server process. It includes settings for: <ul> <li> <strong>Threading</strong>: <code>threads</code> and <code>work_stealing</code>.</li> <li> <strong>Process Management</strong>: <code>pid_file</code>, <code>upgrade_sock</code>, <code>user</code>, <code>group</code>.</li> <li> <strong>Logging</strong>: <code>error_log</code>.</li> <li> <strong>SSL/Network</strong>: <code>ca_file</code>, <code>upstream_keepalive_pool_size</code>.</li> </ul> </li> <li> <strong><code>Server::new</code></strong>: This constructor is the bridge. It takes the command-line options (<code>Opt</code>), attempts to load the configuration file specified by <code>-c</code>, merges it with defaults, and returns a fully initialized <code>Server</code> instance.</li> </ol> <h2> The Code (<code>examples/01_configuration.rs</code>) </h2> <p>In this example, we build a "dummy" server. Its only purpose is to load a configuration file and print the resulting settings to the console so we can verify that Pingora is correctly parsing our input.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">listening</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="n">Stream</span><span class="p">;</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ConfigDemoApp</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">apps</span><span class="p">::</span><span class="n">ServerApp</span> <span class="k">for</span> <span class="n">ConfigDemoApp</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">process_new</span><span class="p">(</span> <span class="k">self</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_stream</span><span class="p">:</span> <span class="n">Stream</span><span class="p">,</span> <span class="n">_shutdown</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ShutdownWatch</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Stream</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// For this lesson, we don't process traffic.</span> <span class="c1">// We return None to close the connection immediately.</span> <span class="nb">None</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 1. Initialize logging</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="c1">// 2. Parse Command Line Arguments</span> <span class="c1">// This allows us to pass `-c conf/01_config.yaml` or `-d` (daemon mode)</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="c1">// 3. Initialize Server with Options</span> <span class="c1">// Server::new will attempt to load the config file specified in `opt.conf`.</span> <span class="c1">// If the file is missing or invalid, this will return an Error.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">conf</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">;</span> <span class="c1">// 4. Inspect the Loaded Configuration</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"--- Configuration Loaded ---"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" version: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.version</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" daemon: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.daemon</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" error_log: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.error_log</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" pid_file: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.pid_file</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" upgrade_sock: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.upgrade_sock</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" user: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.user</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" group: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.group</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" threads: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.threads</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" listener_tasks_per_fd: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.listener_tasks_per_fd</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" work_stealing: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.work_stealing</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" ca_file: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.ca_file</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" grace_period_seconds: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.grace_period_seconds</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" graceful_shutdown_timeout_seconds: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.graceful_shutdown_timeout_seconds</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" client_bind_to_ipv4: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.client_bind_to_ipv4</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" client_bind_to_ipv6: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.client_bind_to_ipv6</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" upstream_keepalive_pool_size: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.upstream_keepalive_pool_size</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" upstream_connect_offload_threadpools: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.upstream_connect_offload_threadpools</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" upstream_connect_offload_thread_per_pool: {:?}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.upstream_connect_offload_thread_per_pool</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" upstream_debug_ssl_keylog: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.upstream_debug_ssl_keylog</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">" max_retries: {}"</span><span class="p">,</span> <span class="n">conf</span><span class="py">.max_retries</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"----------------------------"</span><span class="p">);</span> <span class="c1">// 5. Bootstrap the server</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 6. Setup a dummy service (required to run the server)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">service</span> <span class="o">=</span> <span class="nn">Service</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">"ConfigDemo"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">ConfigDemoApp</span><span class="p">);</span> <span class="n">service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6143"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">service</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Starting server. Verify the thread count in the logs above matches your YAML."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Running the Lesson </h2> <h3> 1. Define a Configuration File </h3> <p>Create a file at <code>conf/01_config.yaml</code> with the following content. We specifically set <code>threads</code> to 2 to differentiate it from the default (which is usually 1 or the number of cores depending on environment).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">version</span><span class="pi">:</span> <span class="m">1</span> <span class="na">threads</span><span class="pi">:</span> <span class="m">2</span> <span class="na">pid_file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_lesson_01.pid"</span> <span class="na">upgrade_sock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_upgrade_01.sock"</span> <span class="na">error_log</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_error.log"</span> </code></pre> </div> <h3> 2. Run with Defaults </h3> <p>First, run without arguments. Pingora will use its internal defaults.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 01_configuration </code></pre> </div> <p>You should see <code>threads: 1</code> and <code>pid_file: /tmp/pingora.pid</code>.</p> <h3> 3. Run with Configuration </h3> <p>Now, pass the configuration file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 01_configuration <span class="nt">--</span> <span class="nt">-c</span> conf/01_config.yaml </code></pre> </div> <p>You should see the values change to match your YAML file:</p> <ul> <li><code>threads: 2</code></li> <li><code>pid_file: /tmp/pingora_lesson_01.pid</code></li> <li><code>error_log: Some("/tmp/pingora_error.log")</code></li> </ul> <p>This confirms that the <code>Server</code> has successfully bootstrapped itself using your external configuration.</p> <h1> Lesson 2: Daemon Mode &amp; Background Services </h1> <p>In production environments, servers are rarely run in the foreground attached to a terminal session. They run as <strong>daemons</strong>—background processes that survive user logouts and system restarts.</p> <p>Pingora has built-in support for daemonization. It handles the low-level Unix operations required to detach from the terminal (forking, setsid), manages process ID (PID) files, and redirects standard output/error streams to log files.</p> <p>This lesson also introduces the <strong><code>BackgroundService</code></strong>. Unlike the <code>ListeningService</code> from Lesson 0 (which accepts network connections), a <code>BackgroundService</code> runs an arbitrary task loop. This is useful for sidecar processes, metric exporters, or health check runners that need to live alongside your proxy logic.</p> <h2> Key Concepts </h2> <ol> <li> <strong>Daemonization Configuration</strong>: <ul> <li> <strong><code>daemon: true</code></strong>: Tells Pingora to fork into the background.</li> <li> <strong><code>pid_file</code></strong>: The path where the server writes its Process ID. External tools (like <code>systemd</code> or <code>monit</code>) use this to track and stop the server.</li> <li> <strong><code>error_log</code></strong>: In daemon mode, <code>stdout</code> and <code>stderr</code> are closed. This setting redirects logs to a file so they aren't lost.</li> </ul> </li> <li> <strong><code>BackgroundService</code></strong>: A trait for tasks that run continuously until the server shuts down. It receives a <code>ShutdownWatch</code> to know when to exit gracefully.</li> <li> <strong><code>background_service</code> Helper</strong>: A utility function in the prelude that wraps your custom logic into a generic service container, saving you from implementing boilerplate.</li> </ol> <h2> The Code (<code>examples/02_daemon_mode.rs</code>) </h2> <p>This example defines a <code>HeartbeatService</code> that logs a message every second. We check the <code>shutdown</code> signal in the loop to ensure we stop immediately when the server receives a <code>SIGTERM</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">BackgroundService</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">interval</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">HeartbeatService</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">BackgroundService</span> <span class="k">for</span> <span class="n">HeartbeatService</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">shutdown</span><span class="p">:</span> <span class="n">ShutdownWatch</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">period</span> <span class="o">=</span> <span class="nf">interval</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Heartbeat service started. PID: {}"</span><span class="p">,</span> <span class="nn">std</span><span class="p">::</span><span class="nn">process</span><span class="p">::</span><span class="nf">id</span><span class="p">());</span> <span class="k">loop</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nd">select!</span> <span class="p">{</span> <span class="c1">// Wait for shutdown signal</span> <span class="n">_</span> <span class="o">=</span> <span class="n">shutdown</span><span class="nf">.changed</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Shutdown signal received. Stopping heartbeat."</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Or wait for the next tick</span> <span class="n">_</span> <span class="o">=</span> <span class="n">period</span><span class="nf">.tick</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Beep... (PID: {})"</span><span class="p">,</span> <span class="nn">std</span><span class="p">::</span><span class="nn">process</span><span class="p">::</span><span class="nf">id</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Inform the user if we are about to detach</span> <span class="k">if</span> <span class="n">my_server</span><span class="py">.configuration.daemon</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Preparing to daemonize. Logs will be redirected to: {:?}"</span><span class="p">,</span> <span class="n">my_server</span><span class="py">.configuration.error_log</span><span class="p">);</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Check the PID file at: {}"</span><span class="p">,</span> <span class="n">my_server</span><span class="py">.configuration.pid_file</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Running in foreground mode. Pass '-d' or use config file to daemonize."</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="n">heartbeat</span> <span class="o">=</span> <span class="n">HeartbeatService</span><span class="p">;</span> <span class="c1">// Helper to wrap our logic in a Service container</span> <span class="k">let</span> <span class="n">service</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"Heartbeat"</span><span class="p">,</span> <span class="n">heartbeat</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">service</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Running the Lesson </h2> <p>To test daemonization, we must use a configuration file, as the behavior changes significantly from the default foreground mode.</p> <h3> 1. Define the Daemon Configuration </h3> <p>Create <code>conf/02_daemon.yaml</code>. We set <code>daemon: true</code> and define paths for logs and the PID file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">version</span><span class="pi">:</span> <span class="m">1</span> <span class="na">daemon</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pid_file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_02.pid"</span> <span class="na">error_log</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_02.log"</span> <span class="na">upgrade_sock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/pingora_upgrade_02.sock"</span> </code></pre> </div> <h3> 2. Start the Daemon </h3> <p>Run the server with the configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 02_daemon_mode <span class="nt">--</span> <span class="nt">-c</span> conf/02_daemon.yaml </code></pre> </div> <p>The program will print "Preparing to daemonize..." and then <strong>exit immediately</strong>. This is expected; the parent process exits while the child process continues in the background.</p> <h3> 3. Verify Background Execution </h3> <p>The server is now running silently. You can verify this by checking the PID file or listing processes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Read the PID</span> <span class="nb">cat</span> /tmp/pingora_02.pid <span class="c"># Check if the process exists</span> ps <span class="nt">-p</span> <span class="si">$(</span><span class="nb">cat</span> /tmp/pingora_02.pid<span class="si">)</span> </code></pre> </div> <h3> 4. Check the Logs </h3> <p>Since the process is detached, you won't see "Beep..." in your terminal. Tail the log file to see the output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> /tmp/pingora_02.log </code></pre> </div> <p>You should see the heartbeat messages appearing every second.</p> <h3> 5. Stop the Daemon </h3> <p>To stop the server gracefully, send a <code>SIGTERM</code> to the process ID stored in the PID file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">kill</span> <span class="si">$(</span><span class="nb">cat</span> /tmp/pingora_02.pid<span class="si">)</span> </code></pre> </div> <p>If you check the log file again, you should see the "Shutdown signal received" message, confirming the <code>ShutdownWatch</code> logic worked correctly.</p> <h1> Lesson 3: Graceful Shutdown </h1> <p>In the previous lessons, stopping the server meant killing the process immediately. In a development environment, this is fine. In production, however, a hard stop is dangerous. You might interrupt a database write, corrupt a file, or drop a client connection in the middle of a request.</p> <p>Pingora provides a built-in <strong>Graceful Shutdown</strong> mechanism to handle this. When the server receives a specific signal (usually <code>SIGTERM</code>), it doesn't exit immediately. Instead:</p> <ol> <li>It broadcasts a shutdown event to all services.</li> <li>It stops accepting <em>new</em> connections (if using listeners).</li> <li>It waits for a configurable period (the <code>grace_period_seconds</code>) for services to finish their current work.</li> <li>If the grace period expires and services are still running, it forces a shutdown.</li> </ol> <h2> Key Concepts </h2> <ul> <li> <strong><code>ShutdownWatch</code></strong>: This is a Tokio <code>watch</code> channel provided to every service's <code>start()</code> method. Services must monitor this to know when to stop accepting new work and begin their cleanup.</li> <li> <strong><code>grace_period_seconds</code></strong>: A setting in <code>ServerConf</code>. It defines the maximum time the server will wait for services to finish after a shutdown signal is received.</li> <li> <strong>Signal Handling</strong>: Pingora distinguishes between two types of shutdown:</li> <li> <strong>Fast Shutdown (<code>SIGINT</code> / Ctrl+C)</strong>: The server exits immediately. Use this during development or emergencies.</li> <li> <strong>Graceful Shutdown (<code>SIGTERM</code>)</strong>: The server enters the graceful shutdown phase described above. This is the standard signal used by deployment tools like Kubernetes or systemd.</li> </ul> <h2> The Code (<code>examples/03_graceful_shutdown.rs</code>) </h2> <p>We will build a "Batch Job" service. It simulates processing long-running tasks that take 20 seconds to complete.</p> <ul> <li>If we used <strong>Fast Shutdown</strong> (Ctrl+C), the job would be cut off immediately.</li> <li>By using <strong>Graceful Shutdown</strong> (SIGTERM) and checking <code>ShutdownWatch</code>, the service detects the signal, stops starting <em>new</em> jobs, but finishes the <em>current</em> job before exiting. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">BackgroundService</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">sleep</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BatchJobService</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">BackgroundService</span> <span class="k">for</span> <span class="n">BatchJobService</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">shutdown</span><span class="p">:</span> <span class="n">ShutdownWatch</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"BatchJob Service started. Waiting for jobs"</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">job_id</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">loop</span> <span class="p">{</span> <span class="c1">// 1. Check before starting work</span> <span class="c1">// If shutdown is requested, we break the loop immediately so no new jobs start.</span> <span class="k">if</span> <span class="o">*</span><span class="n">shutdown</span><span class="nf">.borrow</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Shutdown requested. No new jobs will be started."</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="n">job_id</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Starting Job #{} (simulated 20s duration)..."</span><span class="p">,</span> <span class="n">job_id</span><span class="p">);</span> <span class="c1">// 2. Run the job with cancellation awareness</span> <span class="c1">// We use tokio::select! to listen for the shutdown signal WHILE the job is running.</span> <span class="k">let</span> <span class="n">job_duration</span> <span class="o">=</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">20</span><span class="p">);</span> <span class="nn">tokio</span><span class="p">::</span><span class="nd">select!</span> <span class="p">{</span> <span class="c1">// The "Happy Path": The job finishes normally</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">sleep</span><span class="p">(</span><span class="n">job_duration</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Job #{} completed successfully."</span><span class="p">,</span> <span class="n">job_id</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// The "Shutdown Path": Signal received mid-job</span> <span class="n">_</span> <span class="o">=</span> <span class="n">shutdown</span><span class="nf">.changed</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Shutdown signal received while Job #{} is running!"</span><span class="p">,</span> <span class="n">job_id</span><span class="p">);</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Finishing Job #{} before exiting..."</span><span class="p">,</span> <span class="n">job_id</span><span class="p">);</span> <span class="c1">// 3. Simulate wrapping up critical work (e.g., flushing buffers)</span> <span class="c1">// In a real app, this ensures we don't leave data in a corrupt state.</span> <span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">10</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Job #{} completed gracefully during shutdown."</span><span class="p">,</span> <span class="n">job_id</span><span class="p">);</span> <span class="c1">// Now we break the loop to allow the service to exit</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Brief pause between jobs</span> <span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"BatchJob Service has stopped cleanly."</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 4. Configure the Grace Period</span> <span class="c1">// We set this to 10 seconds. Pingora will wait up to this long for</span> <span class="c1">// BatchJobService to exit. If we didn't set this, the server might exit</span> <span class="c1">// before our cleanup logic finishes.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">conf</span><span class="p">)</span> <span class="o">=</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">get_mut</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">my_server</span><span class="py">.configuration</span><span class="p">)</span> <span class="p">{</span> <span class="n">conf</span><span class="py">.grace_period_seconds</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> <span class="p">}</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">service</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"BatchJobService"</span><span class="p">,</span> <span class="n">BatchJobService</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">service</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Server running. Send SIGTERM to trigger graceful shutdown (e.g. 'pkill -TERM -f 03_graceful_shutdown')."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Running the Lesson </h2> <p>To verify this lesson, we need to send specific signals to the process. We will test both the graceful path and the fast path.</p> <h3> 1. Test Graceful Shutdown (The Happy Path) </h3> <p>We want to confirm that if we stop the server while a job is running, it finishes that job.</p> <ol> <li> <strong>Start the Server</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 03_graceful_shutdown </code></pre> </div> <ol> <li> <strong>Wait for a Job to Start</strong>: Watch the logs until you see <code>Starting Job #1...</code>.</li> <li> <strong>Send SIGTERM</strong>: Open a <strong>second terminal</strong> window and run: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> pkill <span class="nt">-TERM</span> <span class="nt">-f</span> 03_graceful_shutdown </code></pre> </div> <ol> <li> <strong>Observe the Logs</strong>: Back in the first terminal, you should see the shutdown sequence. <ul> <li>Pingora logs <code>SIGTERM received, gracefully exiting</code>.</li> <li>Our service logs <code>Shutdown signal received... Finishing Job #1</code>.</li> <li> <strong>Crucially</strong>, the server <em>waits</em> for the job to finish (<code>Job #1 completed gracefully</code>) before the process actually exits.</li> </ul> </li> </ol> <h3> 2. Test Fast Shutdown (The Emergency Path) </h3> <p>We want to confirm that we can still force-kill the server if needed.</p> <ol> <li> <strong>Start the Server</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 03_graceful_shutdown </code></pre> </div> <ol> <li> <strong>Wait for a Job to Start</strong>.</li> <li> <strong>Press</strong> <code>Ctrl+C</code>: This sends <code>SIGINT</code>.</li> <li> <strong>Observe the Logs</strong>: The server should exit <strong>immediately</strong>. You will see <code>SIGINT received, exiting</code>, but you will <em>not</em> see the "Finishing Job" or "Job completed" messages. The work was abandoned instantly.</li> </ol> <h1> Lesson 4: Threading Models </h1> <p>Pingora offers two distinct threading models (runtimes) to execute your services. Choosing the right one is critical for performance tuning, as it dictates how your CPU cores are utilized and how tasks are scheduled.</p> <h2> The Two Flavors </h2> <ol> <li> <strong>Work Stealing (<code>Steal</code>)</strong>: <ul> <li> <strong>What it is:</strong> This is the standard Tokio multi-threaded runtime behavior. All worker threads share a global queue of tasks. If one thread finishes its work early, it "steals" tasks from other busy threads.</li> <li> <strong>Pros:</strong> Excellent handling of uneven workloads. If one request takes 500ms and others take 1ms, the idle threads pick up the slack, preventing the system from stalling.</li> <li> <strong>Cons:</strong> Higher overhead due to synchronization (locking) between threads. This "chatter" can become a bottleneck at very high throughputs (e.g., 100k+ RPS).</li> <li> <strong>Default:</strong> <code>true</code> in <code>ServerConf</code>.</li> </ul> </li> <li> <strong>Shared-Nothing (<code>NoSteal</code>)</strong>: <ul> <li> <strong>What it is:</strong> This is Pingora's specialized optimization. Instead of one large runtime, Pingora spawns a separate, single-threaded Tokio runtime for <em>each</em> CPU core/thread configured. Incoming connections are sharded (distributed) to these threads. Once a connection belongs to a thread, it stays there.</li> <li> <strong>Pros:</strong> Zero contention. Thread A never locks Thread B. This mimics the architecture of Nginx (one worker per core) and maximizes CPU cache locality.</li> <li> <strong>Cons:</strong> Susceptible to "head-of-line blocking." If Thread A gets a heavy CPU-bound job, it cannot offload pending tasks to Thread B, even if Thread B is idle.</li> <li> <strong>Use Case:</strong> High-throughput proxies where request latency is uniform (IO-bound).</li> </ul> </li> </ol> <h2> The Code (<code>examples/04_threading_model.rs</code>) </h2> <p>In this lesson, we programmatically toggle the threading model to <code>NoSteal</code> (disabling work stealing) and set the thread count to 2.</p> <p>We then spawn two background services. Because we are in <code>NoSteal</code> mode, Pingora will distribute these services across the available independent runtimes. We print the <code>ThreadId</code> to verify that they are indeed running on different OS threads without moving between them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">BackgroundService</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="n">thread</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">interval</span><span class="p">;</span> <span class="cd">/// A service that simply announces which thread it is running on.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ThreadReporterService</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">BackgroundService</span> <span class="k">for</span> <span class="n">ThreadReporterService</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">shutdown</span><span class="p">:</span> <span class="n">ShutdownWatch</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// We set the interval to 1 second so logs don't flood the console</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">period</span> <span class="o">=</span> <span class="nf">interval</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"ThreadReporter started."</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="o">*</span><span class="n">shutdown</span><span class="nf">.borrow</span><span class="p">()</span> <span class="p">{</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// This print will show us WHICH OS thread is executing this task.</span> <span class="c1">// In a 'Steal' runtime, this ID might change if the task moves (rare but possible).</span> <span class="c1">// In a 'NoSteal' runtime, this task is pinned to one specific thread forever.</span> <span class="k">let</span> <span class="n">thread_id</span> <span class="o">=</span> <span class="nn">thread</span><span class="p">::</span><span class="nf">current</span><span class="p">()</span><span class="nf">.id</span><span class="p">();</span> <span class="k">let</span> <span class="n">thread_name</span> <span class="o">=</span> <span class="nn">thread</span><span class="p">::</span><span class="nf">current</span><span class="p">()</span><span class="nf">.name</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="s">"unnamed"</span><span class="p">)</span><span class="nf">.to_string</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"I am running on thread: {:?} ({})"</span><span class="p">,</span> <span class="n">thread_id</span><span class="p">,</span> <span class="n">thread_name</span><span class="p">);</span> <span class="n">period</span><span class="nf">.tick</span><span class="p">()</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 1. Configure the Threading Model</span> <span class="c1">// Access the configuration via Arc::get_mut to modify it before bootstrapping.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">conf</span><span class="p">)</span> <span class="o">=</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">get_mut</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">my_server</span><span class="py">.configuration</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Set the number of worker threads to 2 so we can see concurrency.</span> <span class="n">conf</span><span class="py">.threads</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">// Disable work stealing. This switches Pingora to the "Shared-Nothing" model.</span> <span class="c1">// Each of the 2 threads will run its own independent single-threaded runtime.</span> <span class="n">conf</span><span class="py">.work_stealing</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 2. Add multiple services</span> <span class="c1">// We add TWO instances of the same service. </span> <span class="c1">// In a NoSteal runtime with 2 threads, Pingora will attempt to distribute </span> <span class="c1">// these services across the available runtimes.</span> <span class="k">let</span> <span class="n">reporter_a</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"Reporter-A"</span><span class="p">,</span> <span class="n">ThreadReporterService</span><span class="p">);</span> <span class="k">let</span> <span class="n">reporter_b</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"Reporter-B"</span><span class="p">,</span> <span class="n">ThreadReporterService</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">reporter_a</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">reporter_b</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Server starting with work_stealing = False."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>Run the server and observe the logs. You are looking for proof that two different Operating System threads are active.</p> <ol> <li> <strong>Run the Example</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 04_threading_model </code></pre> </div> <ol> <li> <strong>Analyze the Output</strong>: You should see two different <code>ThreadId</code> values appearing in the logs. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> INFO 04_threading_model &gt; Server starting with work_stealing = False. INFO 04_threading_model &gt; ThreadReporter started. INFO 04_threading_model &gt; ThreadReporter started. INFO 04_threading_model &gt; I am running on thread: ThreadId(2) (BG Reporter-B) INFO 04_threading_model &gt; I am running on thread: ThreadId(3) (BG Reporter-A) </code></pre> </div> <p>If <code>work_stealing</code> were enabled (default), you might see the same ThreadId for both, or the IDs swapping, depending on how Tokio schedules the tasks. With <code>work_stealing = false</code>, these tasks are rigidly pinned to their respective threads.</p> <h1> Lesson 5: Background Services &amp; Shared State </h1> <p>Real-world proxies rarely run in isolation. They need to report metrics, fetch dynamic configurations, or perform health checks on upstream servers. These tasks must run continuously but independently of the request-handling logic.</p> <p>Pingora provides the <strong><code>BackgroundService</code></strong> trait for these scenarios. Unlike a <code>ListeningService</code> (which waits for incoming network connections), a background service runs an arbitrary loop.</p> <p>In this lesson, we build a <strong>Traffic Monitor</strong>. It consists of two parts running in parallel:</p> <ol> <li> <strong>Traffic Service</strong>: Accepts TCP connections and increments a shared counter.</li> <li> <strong>Metric Exporter</strong>: A background service that wakes up every 2 seconds to read and log the current connection count.</li> </ol> <h2> Key Concepts </h2> <h3> 1. Shared State with <code>Arc</code> </h3> <p>To share data between the Traffic Service (which writes) and the Exporter (which reads), we wrap our state struct in an <code>Arc</code> (Atomic Reference Counted smart pointer). This allows multiple threads to own a reference to the same memory location safely.</p> <h3> 2. Atomic Operations &amp; Memory Ordering </h3> <p>Since multiple threads access the <code>connection_count</code> simultaneously, we cannot use a simple <code>usize</code>. We must use <code>AtomicUsize</code>.</p> <p>When reading or writing atomic variables, we must specify a <strong>Memory Ordering</strong>. This tells the CPU and compiler how strictly they must synchronize this operation with other memory operations. In our example, we used <code>Ordering::Relaxed</code>.</p> <ul> <li> <strong><code>Ordering::Relaxed</code></strong>: "I only care that this specific variable is updated atomically. I don't care about the order of <em>other</em> memory operations around it." <ul> <li> <em>Why use it here?</em> We are just counting numbers. If the "Exporter" sees the count update 5 nanoseconds later than it actually happened, or if it sees the updates out of perfect chronological order with unrelated variables, it doesn't matter. It is the fastest option.</li> </ul> </li> <li> <strong><code>Ordering::SeqCst</code> (Sequential Consistency)</strong>: "Every thread must see all operations in the exact same global order." <ul> <li> <em>Why avoid it here?</em> It forces heavy synchronization barriers on the CPU, slowing down performance unnecessarily for a simple counter.</li> </ul> </li> <li> <strong><code>Ordering::Acquire</code> / <code>Release&lt;/strong&gt;</code>: Used for locks. "If I see this flag set (Acquire), I am guaranteed to see all the data you wrote before you set the flag (Release)."</strong> </li> </ul> <h3> 3. <code>BackgroundService</code> Lifecycle </h3> <p>A background service receives a <code>ShutdownWatch</code> in its <code>start()</code> method. It is critical to check this watcher (usually via <code>tokio::select!</code>). If you ignore it, your background loop will keep running forever, preventing the server from shutting down gracefully.</p> <h2> The Code (<code>examples/05_background_services.rs</code>) </h2> <p>We define a shared <code>AppState</code> and pass clones of it to both services. The <code>Traffic</code> service simulates handling requests by incrementing the counter and writing a response. The <code>MetricExporter</code> wakes up periodically to read that counter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">ShutdownWatch</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">BackgroundService</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">listening</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="n">Stream</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nn">atomic</span><span class="p">::{</span><span class="n">AtomicUsize</span><span class="p">,</span> <span class="n">Ordering</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::</span><span class="n">AsyncWriteExt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">interval</span><span class="p">;</span> <span class="cd">/// Shared state between the Traffic Service and the Background Service.</span> <span class="k">struct</span> <span class="n">AppState</span> <span class="p">{</span> <span class="n">connection_count</span><span class="p">:</span> <span class="n">AtomicUsize</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// --- 1. Traffic Handling Service ---</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CounterApp</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">AppState</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">apps</span><span class="p">::</span><span class="n">ServerApp</span> <span class="k">for</span> <span class="n">CounterApp</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">process_new</span><span class="p">(</span> <span class="k">self</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">mut</span> <span class="n">stream</span><span class="p">:</span> <span class="n">Stream</span><span class="p">,</span> <span class="n">_shutdown</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ShutdownWatch</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Stream</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Increment the shared counter.</span> <span class="c1">// We use Relaxed because we don't rely on this value to synchronize other data.</span> <span class="k">let</span> <span class="n">count</span> <span class="o">=</span> <span class="k">self</span><span class="py">.state.connection_count</span><span class="nf">.fetch_add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nn">Ordering</span><span class="p">::</span><span class="n">Relaxed</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Traffic: New connection handled. Count is now {}"</span><span class="p">,</span> <span class="n">count</span><span class="p">);</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Hello! You are visitor #{}</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">count</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Return None to close the connection immediately</span> <span class="nb">None</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// --- 2. Background Metric Exporter ---</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">MetricExporter</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">AppState</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">BackgroundService</span> <span class="k">for</span> <span class="n">MetricExporter</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">shutdown</span><span class="p">:</span> <span class="n">ShutdownWatch</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Run every 2 seconds</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">period</span> <span class="o">=</span> <span class="nf">interval</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">));</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Exporter: Service started."</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nd">select!</span> <span class="p">{</span> <span class="n">_</span> <span class="o">=</span> <span class="n">shutdown</span><span class="nf">.changed</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Exporter: Shutdown requested."</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="n">_</span> <span class="o">=</span> <span class="n">period</span><span class="nf">.tick</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Read the shared state</span> <span class="k">let</span> <span class="n">count</span> <span class="o">=</span> <span class="k">self</span><span class="py">.state.connection_count</span><span class="nf">.load</span><span class="p">(</span><span class="nn">Ordering</span><span class="p">::</span><span class="n">Relaxed</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Exporter: Current Total Connections: {}"</span><span class="p">,</span> <span class="n">count</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Initialize shared state</span> <span class="k">let</span> <span class="n">state</span> <span class="o">=</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">AppState</span> <span class="p">{</span> <span class="n">connection_count</span><span class="p">:</span> <span class="nn">AtomicUsize</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">});</span> <span class="c1">// 1. Setup the Traffic Service (Port 6145)</span> <span class="k">let</span> <span class="n">traffic_logic</span> <span class="o">=</span> <span class="n">CounterApp</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="n">state</span><span class="nf">.clone</span><span class="p">()</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">traffic_service</span> <span class="o">=</span> <span class="nn">Service</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">"Traffic"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">traffic_logic</span><span class="p">);</span> <span class="n">traffic_service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6145"</span><span class="p">);</span> <span class="c1">// 2. Setup the Background Service</span> <span class="k">let</span> <span class="n">exporter_logic</span> <span class="o">=</span> <span class="n">MetricExporter</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="n">state</span><span class="nf">.clone</span><span class="p">()</span> <span class="p">};</span> <span class="c1">// 'background_service' is a helper that wraps our struct into a Pingora Service</span> <span class="k">let</span> <span class="n">background_service</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"MetricExporter"</span><span class="p">,</span> <span class="n">exporter_logic</span><span class="p">);</span> <span class="c1">// 3. Add both to the server</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">traffic_service</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background_service</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Server started. Traffic on port 6145. Metrics in logs."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that both services are running and successfully communicating via the shared state. Since <code>nc</code> (Netcat) is useful for testing network services, you may need to install it if you haven't already and are operating outside the dev container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install </span>netcat-traditional </code></pre> </div> <p><strong>1. Run the Server</strong><br> Start your server with info-level logging enabled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 05_background_services </code></pre> </div> <p><strong>2. Observe Initial Logs</strong><br> You should see the "Exporter" logging <code>Current Total Connections: 0</code> every 2 seconds. This confirms the background service is running.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INFO 05_background_services &gt; Exporter: Service started. INFO 05_background_services &gt; Exporter: Current Total Connections: 0 </code></pre> </div> <p><strong>3. Generate Traffic</strong><br> Open a <strong>second terminal</strong> and connect to the traffic port a few times. Each connection will trigger the Traffic Service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"hi"</span> | nc localhost 6145 <span class="nb">echo</span> <span class="s2">"hi"</span> | nc localhost 6145 </code></pre> </div> <p><strong>4. Observe State Update</strong><br> Back in your first terminal, you should see the "Traffic" service log the new connections. Shortly after, the "Exporter" log should automatically reflect the new count, proving that the <code>Arc&lt;AppState&gt;</code> is successfully sharing data between the two services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INFO 05_background_services &gt; Traffic: New connection handled. Count is now 1 INFO 05_background_services &gt; Traffic: New connection handled. Count is now 2 INFO 05_background_services &gt; Exporter: Current Total Connections: 2 </code></pre> </div> <p><strong>5. Graceful Stop</strong><br> Use <code>pkill -TERM -f 05_background_services</code> (or <code>Ctrl+C</code> if you don't mind the fast shutdown) to confirm the background service exits cleanly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pkill <span class="nt">-TERM</span> <span class="nt">-f</span> 05_background_services </code></pre> </div> <h1> Module 2: The Proxy Logic </h1> <p>We have established the foundation of running a Pingora server. Now, we move to the core utility of the framework: <strong>HTTP Proxying</strong>.</p> <p><strong>Important: The Lab Environment</strong><br> From this module onwards, all examples must be run inside the <code>pingora_dev</code> Docker container. The examples rely on the deterministic network topology of "Pingora City" to connect to upstream services (like <code>blue.pingora.local</code>) and receive traffic from clients.</p> <p>If you are not inside the container yet, enter it now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_dev bash </code></pre> </div> <h1> Lesson 6: The Simple Forwarder </h1> <p>A "Simple Forwarder" or "Dumb Proxy" is the most basic proxy implementation. It accepts a request from a downstream client and forwards it to a single, hardcoded upstream server. It does not perform load balancing, authentication, or complex routing.</p> <p>This lesson introduces the <strong><code>ProxyHttp</code></strong> trait, which is the primary interface for building HTTP proxies in Pingora.</p> <h2> Key Concepts </h2> <ol> <li> <strong><code>ProxyHttp</code> Trait</strong>: This is the heart of any HTTP proxy service. It provides hooks into the request lifecycle (request arrival, upstream selection, response filtering, etc.).</li> <li> <strong><code>upstream_peer()</code></strong>: This is the only <em>mandatory</em> hook you must implement (besides <code>new_ctx</code>). It tells Pingora <em>where</em> to send the current request.</li> <li> <strong><code>HttpPeer</code></strong>: A struct defining the destination. It includes the IP/Port, whether to use TLS, and the SNI (Server Name Indication).</li> <li> <strong><code>upstream_request_filter()</code></strong>: An optional hook that runs <em>after</em> the peer is selected but <em>before</em> the request is sent. This is the place to modify headers (e.g., setting the <code>Host</code> header).</li> </ol> <h2> The Code (<code>examples/06_simple_forward.rs</code>) </h2> <p>We will build a proxy that listens on port <code>6146</code>. It will forward every request it receives to our lab's <strong>Upstream Blue</strong> (IP <code>172.28.0.20</code>, port <code>8080</code>).</p> <p>We also implement <code>upstream_request_filter</code> to rewrite the <code>Host</code> header. This is a best practice; many web servers (like Nginx) will reject requests if the <code>Host</code> header does not match their configuration, even if the IP is correct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="c1">// 1. Define the Proxy Logic</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SimpleProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">SimpleProxy</span> <span class="p">{</span> <span class="c1">// Context (CTX) is per-request state. We don't need it for a simple forwarder.</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 2. Define the Upstream Peer</span> <span class="c1">// This hook is called for EVERY request.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// In our lab, Upstream Blue is at this fixed IP.</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding request to Upstream Blue ({:?})"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="c1">// Construct the peer. </span> <span class="c1">// - addr: The destination IP and Port.</span> <span class="c1">// - false: Do not use TLS (Blue is a plaintext HTTP server).</span> <span class="c1">// - "blue.pingora.local": The SNI (ignored for HTTP, but required by struct).</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Modify headers before forwarding</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Rewrite the Host header to match the destination.</span> <span class="c1">// Without this, the upstream sees the Host header sent by the client </span> <span class="c1">// (e.g., "172.28.0.10"), which might cause it to reject the request.</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 4. Create the Service</span> <span class="c1">// `http_proxy_service` is a helper that wraps our logic in a ready-to-use Service.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">SimpleProxy</span> <span class="p">);</span> <span class="c1">// 5. Configure the Listener</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6146"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Simple Proxy running on 0.0.0.0:6146 -&gt; Forwarding to Upstream Blue"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verified this code by running the proxy in the <code>dev</code> container and generating traffic from <code>client_1</code> in a separate container.</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 06_simple_forward </code></pre> </div> <p><em>Output:</em> <code>Simple Proxy running on 0.0.0.0:6146 -&gt; Forwarding to Upstream Blue</code></p> <ol> <li> <strong>Generate Traffic (from Host)</strong>: We instructed <code>client_1</code> to curl our proxy's IP (<code>172.28.0.10</code>): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6146 </code></pre> </div> <ol> <li> <strong>Result</strong>: <ul> <li> <strong>Client</strong>: Received <code>200 OK</code> and the body <code>'Response from BLUE'</code>, confirming the traffic successfully traversed the proxy and reached the correct upstream.</li> <li> <strong>Proxy Logs</strong>: Showed <code>Forwarding request to Upstream Blue</code>, confirming the <code>upstream_peer</code> hook was executed.</li> </ul> </li> </ol> <h1> Lesson 7: TLS Termination </h1> <p>In the previous lesson, we built a proxy that communicated over plain text (HTTP). In the modern web, this is insufficient for public-facing services. You need encryption (HTTPS) to protect data in transit.</p> <p><strong>TLS Termination</strong> (also known as SSL Offloading) is a pattern where the proxy handles the encrypted connection from the client, decrypts the traffic, and forwards it to the upstream service. Often, the connection to the upstream is kept as plain HTTP to save CPU cycles on the application servers, provided the internal network is secure (like our Docker bridge network).</p> <h2> Key Concepts </h2> <ol> <li> <strong><code>TlsSettings</code></strong>: This struct configures the SSL/TLS stack (OpenSSL or BoringSSL). Pingora provides an <code>intermediate()</code> helper that configures a secure set of ciphers and protocols based on Mozilla's security guidelines, striking a balance between compatibility and security.</li> <li> <strong><code>enable_h2()</code></strong>: Modern TLS listeners often negotiate the application protocol using ALPN (Application-Layer Protocol Negotiation). This setting enables <strong>HTTP/2</strong>, which allows multiplexing multiple requests over a single TCP connection, significantly improving performance.</li> <li> <strong><code>add_tls_with_settings</code></strong>: Instead of <code>add_tcp</code>, we use this method to bind the service to a port. It requires the certificate and private key.</li> <li> <strong>End-to-End vs. Termination</strong>: In this lesson, we terminate TLS at the proxy. The client speaks HTTPS to us, but we speak HTTP to <code>blue.pingora.local</code>.</li> </ol> <h2> The Code (<code>examples/07_tls_termination.rs</code>) </h2> <p>We load the self-signed certificates generated by our lab environment (<code>server.crt</code> and <code>server.key</code>). We then configure the proxy to listen on port <code>6147</code>.</p> <p>Notice that inside <code>upstream_peer</code>, we still pass <code>false</code> to <code>HttpPeer::new</code>. This confirms that while the <em>downstream</em> (user) connection is secure, the <em>upstream</em> (backend) connection remains plain text.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">listeners</span><span class="p">::</span><span class="nn">tls</span><span class="p">::</span><span class="n">TlsSettings</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">path</span><span class="p">::</span><span class="n">Path</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">TlsProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">TlsProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// We forward to Upstream Blue.</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding HTTPS request to Upstream Blue ({:?})"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="c1">// CRITICAL: We pass 'false' here. </span> <span class="c1">// This effectively "terminates" the TLS. We decrypted the traffic,</span> <span class="c1">// and now we are sending it as plain HTTP to the internal backend.</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">TlsProxy</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// 1. Locate Certificates</span> <span class="c1">// These are mounted into the dev container at /keys/</span> <span class="k">let</span> <span class="n">cert_path</span> <span class="o">=</span> <span class="s">"/keys/server.crt"</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_path</span> <span class="o">=</span> <span class="s">"/keys/server.key"</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="nn">Path</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">cert_path</span><span class="p">)</span><span class="nf">.exists</span><span class="p">()</span> <span class="p">||</span> <span class="o">!</span><span class="nn">Path</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">key_path</span><span class="p">)</span><span class="nf">.exists</span><span class="p">()</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Certificates not found! Make sure you ran scripts/00-setup-certs.sh"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Missing keys at {}"</span><span class="p">,</span> <span class="n">cert_path</span><span class="p">)</span><span class="nf">.into</span><span class="p">());</span> <span class="p">}</span> <span class="c1">// 2. Configure TLS</span> <span class="c1">// We use the 'intermediate' profile for best-practice security defaults.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">tls_settings</span> <span class="o">=</span> <span class="nn">TlsSettings</span><span class="p">::</span><span class="nf">intermediate</span><span class="p">(</span><span class="n">cert_path</span><span class="p">,</span> <span class="n">key_path</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Enable HTTP/2 support (ALPN)</span> <span class="n">tls_settings</span><span class="nf">.enable_h2</span><span class="p">();</span> <span class="c1">// 3. Bind the TLS Listener</span> <span class="c1">// We use port 6147 for this lesson.</span> <span class="n">my_proxy</span><span class="nf">.add_tls_with_settings</span><span class="p">(</span><span class="s">"0.0.0.0:6147"</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="n">tls_settings</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"HTTPS Proxy running on 0.0.0.0:6147 -&gt; Forwarding to Upstream Blue"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);;</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify TLS termination, we need a client that trusts our lab's self-signed Certificate Authority (CA).</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 07_tls_termination </code></pre> </div> <p><em>Output:</em> <code>HTTPS Proxy running on 0.0.0.0:6147</code></p> <ol> <li> <strong>Test from Client (from Host Machine)</strong>: We use <code>curl</code> with the CA certificate. We also map the hostname <code>dev.pingora.local</code> to the container's IP to ensure the SSL certificate matches the domain name. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="se">\</span> <span class="nt">--cacert</span> /keys/ca.crt <span class="se">\</span> <span class="nt">--resolve</span> dev.pingora.local:6147:172.28.0.10 <span class="se">\</span> https://dev.pingora.local:6147 </code></pre> </div> <ol> <li> <strong>Result Analysis</strong>: <ul> <li> <strong>TLS Handshake</strong>: You will see the handshake occur: <code>SSL connection using TLSv1.3</code>.</li> <li> <strong>ALPN</strong>: If verified, you may see <code>ALPN: offers h2,http/1.1</code>.</li> <li> <strong>Response</strong>: <code>Response from BLUE</code>.</li> <li> <strong>Proxy Logs</strong>: <code>Forwarding HTTPS request to Upstream Blue</code>.</li> </ul> </li> </ol> <h1> Lesson 8: Header Manipulation </h1> <p>One of the most common tasks for an API Gateway is to modify traffic as it passes through. You might need to sanitize requests (removing sensitive headers like internal tokens), tag traffic (adding request IDs for tracing), or modify responses (adding security headers like CORS or <code>Strict-Transport-Security</code>).</p> <p>Pingora provides specific hooks in the <code>ProxyHttp</code> trait to inspect and mutate headers at different stages of the request lifecycle.</p> <h2> Key Concepts </h2> <ol> <li> <strong><code>upstream_request_filter</code></strong>: This hook runs <em>after</em> the upstream peer has been selected but <em>before</em> the request is sent to the backend. It allows you to modify the <code>RequestHeader</code>. <ul> <li> <em>Use cases:</em> Adding authentication tokens, removing client-identifying info (scrubbing), or rewriting the <code>Host</code> header.</li> </ul> </li> <li> <strong><code>response_filter</code></strong>: This hook runs <em>after</em> the response receives the headers from the backend but <em>before</em> the body is streamed to the client. It allows you to modify the <code>ResponseHeader</code>. <ul> <li> <em>Use cases:</em> Hiding backend server versions (<code>Server: nginx/1.18</code>), adding custom watermarks, or fixing caching headers.</li> </ul> </li> </ol> <h2> The Code (<code>examples/08_header_manipulation.rs</code>) </h2> <p>In this lesson, we proxy traffic to <strong>Upstream Green</strong> (172.28.0.21). We perform the following manipulations:</p> <ul> <li> <strong>Request Phase</strong>: We inject <code>X-Pingora-Proxy: true</code> so the backend knows the request came via our gateway. We also remove the <code>User-Agent</code> header to anonymize the client.</li> <li> <strong>Response Phase</strong>: We inject <code>X-Edited-By: Pingora</code> into the response headers so the client can verify the gateway handled the traffic. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">HeaderModProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">HeaderModProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.21"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"green.pingora.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 1. Modify the REQUEST (Client -&gt; Proxy -&gt; Upstream)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Set the Host header to match the upstream</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"green.pingora.local"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Add a custom header for the backend to see</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"X-Pingora-Proxy"</span><span class="p">,</span> <span class="s">"true"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Remove the User-Agent header for privacy</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">upstream_request</span><span class="nf">.remove_header</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Request headers modified: Added X-Pingora-Proxy, Removed User-Agent."</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// 2. Modify the RESPONSE (Upstream -&gt; Proxy -&gt; Client)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">response_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_response</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Add a custom header so the client knows who handled this</span> <span class="n">upstream_response</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"X-Edited-By"</span><span class="p">,</span> <span class="s">"Pingora"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Response headers modified: Added X-Edited-By"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">HeaderModProxy</span><span class="p">);</span> <span class="c1">// Bind to port 6148</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6148"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Header Manipulation Proxy running on 0.0.0.0:6148 -&gt; Forwarding to Upstream Green"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify that the headers are being modified, we inspect the traffic from the client side.</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 08_header_manipulation </code></pre> </div> <p><em>Output:</em> <code>Header Manipulation Proxy running on 0.0.0.0:6148</code></p> <ol> <li> <strong>Test from Client (from Host)</strong>: Run <code>curl -v</code> against port <code>6148</code>. We use verbose mode to see the response headers. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6148 </code></pre> </div> <ol> <li> <strong>Result Analysis</strong>: <ul> <li> <strong>Body</strong>: You should see <code>Response from GREEN</code>.</li> <li> <strong>Headers</strong>: In the response section (lines starting with <code>&lt;</code>), you should see our custom header: </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt; X-Edited-By: Pingora </code></pre> </div> <ul> <li> <strong>Proxy Logs</strong>: The console running the proxy will confirm the hooks executed: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> INFO Request headers modified: Added X-Pingora-Proxy, Removed User-Agent. INFO Response headers modified: Added X-Edited-By </code></pre> </div> <h1> Lesson 9: Path Routing </h1> <p>In previous lessons, we blindly forwarded every request to a single destination. In reality, proxies act as traffic routers, dispatching requests to different microservices based on the URL path, HTTP method, or headers.</p> <p>This lesson introduces two critical architectural concepts in Pingora:</p> <ol> <li> <strong>The Request Filter</strong>: A hook that runs <em>early</em> in the lifecycle to validate requests or make routing decisions.</li> <li> <strong>The Context (<code>CTX</code>)</strong>: A mechanism to share state between different phases of a request (e.g., passing the routing decision from the "Filter" phase to the "Peer Selection" phase).</li> </ol> <h2> Key Concepts </h2> <ol> <li> <strong><code>request_filter</code></strong>: This hook runs immediately after the proxy receives the request headers from the client. It returns a <code>Result&lt;bool&gt;</code>. <ul> <li>If it returns <code>Ok(false)</code>: Pingora continues to the next phase (upstream peer selection).</li> <li>If it returns <code>Ok(true)</code>: Pingora assumes the request has been fully handled (e.g., you sent a 404 error response manually) and stops processing.</li> </ul> </li> <li> <strong>Context (<code>CTX</code>)</strong>: The <code>ProxyHttp</code> trait has an associated type <code>CTX</code>. This is your custom state object created via <code>new_ctx()</code> for every new request. <ul> <li>In simple proxies, this is <code>()</code>.</li> <li>In routing proxies, we use it to store decisions (like <code>Option&lt;Target&gt;</code>) so subsequent hooks (like <code>upstream_peer</code> or <code>upstream_request_filter</code>) know what to do.</li> </ul> </li> </ol> <h2> The Code (<code>examples/09_path_routing.rs</code>) </h2> <p>We define a simple <code>Target</code> enum to represent our microservices.</p> <ul> <li> <strong><code>/blue</code></strong> -&gt; Routes to Upstream Blue.</li> <li> <strong><code>/green</code></strong> -&gt; Routes to Upstream Green.</li> <li> <strong>Other</strong> -&gt; Returns a 404 error immediately. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="c1">// 1. Define an Enum to track our routing decision</span> <span class="c1">// This will be stored in the Request Context (CTX)</span> <span class="nd">#[derive(Debug,</span> <span class="nd">Clone,</span> <span class="nd">Copy)]</span> <span class="k">pub</span> <span class="k">enum</span> <span class="n">Target</span> <span class="p">{</span> <span class="n">Blue</span><span class="p">,</span> <span class="n">Green</span><span class="p">,</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">PathRouter</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">PathRouter</span> <span class="p">{</span> <span class="c1">// 2. Define the Context Type</span> <span class="c1">// Instead of (), we now use Option&lt;Target&gt; to store our decision.</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Target</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="nb">None</span> <span class="p">}</span> <span class="c1">// 3. Request Filter: The Gatekeeper</span> <span class="c1">// We check the path *before* picking a peer.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nn">pingora</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="k">if</span> <span class="n">path</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"/blue"</span><span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">ctx</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Target</span><span class="p">::</span><span class="n">Blue</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">path</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"/green"</span><span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">ctx</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Target</span><span class="p">::</span><span class="n">Green</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Unknown path: Return 404 immediately</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">404</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Return true to tell Pingora "we handled this, stop processing".</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Return false to continue to the next phase (upstream_peer)</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 4. Upstream Peer: The Router</span> <span class="c1">// We read the decision made in request_filter to pick the IP.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">target</span> <span class="o">=</span> <span class="n">ctx</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Context should be set by request_filter"</span><span class="p">);</span> <span class="k">let</span> <span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="n">sni</span><span class="p">)</span> <span class="o">=</span> <span class="k">match</span> <span class="n">target</span> <span class="p">{</span> <span class="nn">Target</span><span class="p">::</span><span class="n">Blue</span> <span class="k">=&gt;</span> <span class="p">((</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="s">"blue.pingora.local"</span><span class="p">),</span> <span class="nn">Target</span><span class="p">::</span><span class="n">Green</span> <span class="k">=&gt;</span> <span class="p">((</span><span class="s">"172.28.0.21"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="s">"green.pingora.local"</span><span class="p">),</span> <span class="p">};</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routing request to {:?} based on path"</span><span class="p">,</span> <span class="n">target</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">sni</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 5. Upstream Request Filter: The Modifier</span> <span class="c1">// We rewrite the Host header to match the chosen upstream.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">target</span> <span class="o">=</span> <span class="n">ctx</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Context should be set"</span><span class="p">);</span> <span class="k">let</span> <span class="n">host</span> <span class="o">=</span> <span class="k">match</span> <span class="n">target</span> <span class="p">{</span> <span class="nn">Target</span><span class="p">::</span><span class="n">Blue</span> <span class="k">=&gt;</span> <span class="s">"blue.pingora.local"</span><span class="p">,</span> <span class="nn">Target</span><span class="p">::</span><span class="n">Green</span> <span class="k">=&gt;</span> <span class="s">"green.pingora.local"</span><span class="p">,</span> <span class="p">};</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="n">host</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">PathRouter</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6149"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path Router running on 0.0.0.0:6149"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Try: curl http://127.0.0.1:6149/blue or /green"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verified this routing logic by sending requests to different paths and observing the responses.</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 09_path_routing </code></pre> </div> <p><em>Output:</em> <code>Path Router running on 0.0.0.0:6149</code></p> <ol> <li> <strong>Test Blue Route</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6149/blue </code></pre> </div> <p><em>Result:</em> <code>200 OK</code> and <code>'Response from BLUE'</code>.</p> <ol> <li> <strong>Test Green Route</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6149/green </code></pre> </div> <p><em>Result:</em> <code>200 OK</code> and <code>'Response from GREEN'</code>.</p> <ol> <li> <strong>Test Invalid Route (404)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6149/invalid </code></pre> </div> <p><em>Result:</em> <code>404 Not Found</code> (Pingora Default Error Page).</p> <h1> Lesson 10: Query Params </h1> <p>Modifying the request URI—specifically the query string—is a frequent requirement for edge proxies. Common use cases include:</p> <ol> <li> <strong>Cache Normalization</strong>: Reordering parameters or removing volatile ones (like <code>utm_source</code> or <code>fbclid</code>) so that requests map to the same cache key.</li> <li> <strong>Security</strong>: Stripping internal debug flags or administrative parameters before they reach the backend.</li> <li> <strong>Analytics Tagging</strong>: Injecting a source identifier (e.g., <code>ref=gateway</code>) so the upstream knows the request passed through the proxy.</li> </ol> <h2> Key Concepts </h2> <ul> <li> <strong><code>upstream_request.uri</code></strong>: Accessing the URI within the <code>upstream_request_filter</code> hook allows us to inspect the path and query string.</li> <li> <strong>URI Immutability</strong>: The <code>http::Uri</code> type is immutable. To modify it, we typically extract the string components, manipulate them, parse a new <code>Uri</code> object, and then use <code>upstream_request.set_uri()</code>.</li> <li> <strong>Robust Parsing</strong>: In production code, it is recommended to use the <code>url</code> crate for complex parsing (decoding percent-encoding, handling edge cases). For simple string replacement, standard string manipulation works fine.</li> </ul> <h2> The Code (<code>examples/10_query_params.rs</code>) </h2> <p>In this lesson, we manipulate the URI string directly in <code>upstream_request_filter</code>. We perform two actions:</p> <ol> <li> <strong>Security</strong>: Remove any parameter starting with <code>debug=</code> (e.g., preventing <code>debug=true</code> from triggering verbose backend logs).</li> <li> <strong>Tagging</strong>: Append <code>ref=pingora</code> to every request. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">http</span><span class="p">::</span><span class="nn">uri</span><span class="p">::</span><span class="n">Uri</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">QueryModeProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">QueryModeProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// 1. Access the URI parts</span> <span class="k">let</span> <span class="n">uri</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">upstream_request</span><span class="py">.uri</span><span class="p">;</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">uri</span><span class="nf">.path</span><span class="p">();</span> <span class="k">let</span> <span class="n">query</span> <span class="o">=</span> <span class="n">uri</span><span class="nf">.query</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="s">""</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Original Query: '{}'"</span><span class="p">,</span> <span class="n">query</span><span class="p">);</span> <span class="c1">// 2. Manipulate the Query String</span> <span class="c1">// We filter OUT "debug=..." and append "ref=pingora"</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">params</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;&amp;</span><span class="nb">str</span><span class="o">&gt;</span> <span class="o">=</span> <span class="n">query</span><span class="nf">.split</span><span class="p">(</span><span class="s">"&amp;"</span><span class="p">)</span> <span class="nf">.filter</span><span class="p">(|</span><span class="n">part</span><span class="p">|</span> <span class="o">!</span><span class="n">part</span><span class="nf">.is_empty</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">part</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"debug="</span><span class="p">))</span> <span class="nf">.collect</span><span class="p">();</span> <span class="n">params</span><span class="nf">.push</span><span class="p">(</span><span class="s">"ref=pingora"</span><span class="p">);</span> <span class="k">let</span> <span class="n">new_query</span> <span class="o">=</span> <span class="n">params</span><span class="nf">.join</span><span class="p">(</span><span class="s">"&amp;"</span><span class="p">);</span> <span class="c1">// 3. Construct and parse the new URI</span> <span class="k">let</span> <span class="n">new_uri_string</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{}?{}"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">new_query</span><span class="p">);</span> <span class="k">let</span> <span class="n">new_uri</span><span class="p">:</span> <span class="n">Uri</span> <span class="o">=</span> <span class="n">new_uri_string</span><span class="nf">.parse</span><span class="p">()</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to parse new URI"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Rewritten URI: {}"</span><span class="p">,</span> <span class="n">new_uri</span><span class="p">);</span> <span class="c1">// 4. Update the request</span> <span class="n">upstream_request</span><span class="nf">.set_uri</span><span class="p">(</span><span class="n">new_uri</span><span class="p">);</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">QueryModeProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6150"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Query Param Proxy running on 0.0.0.0:6150"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify this by sending a request containing the forbidden <code>debug</code> parameter and observing the logs to confirm it was removed and replaced.</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 10_query_params </code></pre> </div> <p><em>Output:</em> <code>Query Param Proxy running on 0.0.0.0:6150</code></p> <ol> <li> <strong>Send a Request (from Host)</strong>: We construct a URL with a mix of parameters: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="s2">"http://172.28.0.10:6150/search?q=rust&amp;debug=true&amp;sort=asc"</span> </code></pre> </div> <ol> <li> <strong>Result Analysis</strong>: <ul> <li> <strong>Proxy Logs</strong>: You should see the transformation happening. The <code>debug=true</code> segment is dropped, and <code>ref=pingora</code> is appended. </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> INFO Original Query: 'q=rust&amp;debug=true&amp;sort=asc' INFO Rewritten URI: /search?q=rust&amp;sort=asc&amp;ref=pingora </code></pre> </div> <ul> <li> <strong>Upstream Behavior</strong>: If you inspect the <code>blue</code> container logs (or if the echo server reflected the query string), you would see it received the sanitized version.</li> </ul> <h1> Lesson 11: Response Modification </h1> <p>Just as we can modify requests before they reach the upstream, we can intercept and modify the response coming back from the backend before it reaches the client.</p> <p>This is critical for:</p> <ol> <li> <strong>Security</strong>: Adding headers like <code>HSTS</code>, <code>X-Frame-Options</code>, or <code>Content-Security-Policy</code> (CSP) centrally, rather than configuring them on every backend service.</li> <li> <strong>Privacy</strong>: Stripping headers that leak internal implementation details (e.g., removing <code>X-Powered-By</code> or internal version numbers).</li> <li> <strong>Legacy Compatibility</strong>: Renaming or duplicating headers to satisfy old client applications.</li> </ol> <h2> Key Concepts </h2> <ul> <li> <strong><code>response_filter</code></strong>: The <code>ProxyHttp</code> hook that runs after the upstream has responded with headers, but before the body is streamed.</li> <li> <strong><code>ResponseHeader</code></strong>: The struct representing the response. It behaves similarly to <code>RequestHeader</code>, allowing you to <code>insert</code>, <code>remove</code>, or <code>get</code> headers.</li> <li> <strong>Header Handling</strong>: Headers in HTTP are technically multi-valued. When using <code>.get()</code>, you receive the first value. If you need to handle multiple values (like multiple <code>Set-Cookie</code> headers), you would iterate over them, though simple insertion/removal is the most common use case.</li> </ul> <h2> The Code (<code>examples/11_response_modification.rs</code>) </h2> <p>We configure the proxy to forward traffic to <strong>Upstream Blue</strong>. On the return trip, we perform three operations:</p> <ol> <li> <strong>Strip</strong> the <code>X-App-Version</code> header to hide the backend version.</li> <li> <strong>Inject</strong> <code>X-Content-Type-Options: nosniff</code> to prevent browsers from MIME-sniffing the response.</li> <li> <strong>Duplicate</strong> the <code>Date</code> header into <code>X-Legacy-Date</code> to simulate supporting a legacy client that expects this specific header name. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ResponseModProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">ResponseModProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">response_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_response</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// 1. Remove a header to hide backend details</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">upstream_response</span><span class="nf">.remove_header</span><span class="p">(</span><span class="s">"X-App-Version"</span><span class="p">);</span> <span class="c1">// 2. Add a security header</span> <span class="n">upstream_response</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"X-Content-Type-Options"</span><span class="p">,</span> <span class="s">"nosniff"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 3. Copy/Rename a header</span> <span class="c1">// We retrieve the 'Date' header and insert it as 'X-Legacy-Date'.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">date_val</span><span class="p">)</span> <span class="o">=</span> <span class="n">upstream_response</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"Date"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// We clone the bytes because insert_header takes ownership</span> <span class="k">let</span> <span class="n">val_bytes</span> <span class="o">=</span> <span class="n">date_val</span><span class="nf">.as_bytes</span><span class="p">()</span><span class="nf">.to_vec</span><span class="p">();</span> <span class="n">upstream_response</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"X-Legacy-Date"</span><span class="p">,</span> <span class="n">val_bytes</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="p">}</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Response filtered. Stripped Version. Added Security Headers."</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">ResponseModProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6151"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Response Mod Proxy running on 0.0.0.0:6151"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verified the logic by inspecting the HTTP headers using <code>curl</code>.</p> <ol> <li> <strong>Start the Proxy (in <code>pingora_dev</code>)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 11_response_modification </code></pre> </div> <ol> <li> <strong>Test from Client (from Host)</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6151 </code></pre> </div> <ol> <li> <strong>Result Analysis</strong>: <ul> <li> <strong>Removed</strong>: The output showed <code>&lt; X-App-Name: http-echo</code>, but <code>X-App-Version</code> was successfully absent (it is normally present in the echo server response).</li> <li> <strong>Added</strong>: The line <code>&lt; X-Content-Type-Options: nosniff</code> appeared.</li> <li> <strong>Copied</strong>: The line <code>&lt; X-Legacy-Date: ...</code> appeared with the exact timestamp as the standard <code>Date</code> header.</li> </ul> </li> </ol> <h1> Lesson 12: Body Inspection </h1> <p>Validating the request <em>body</em> is a powerful capability for an edge proxy. While standard Load Balancers often just route based on headers, a sophisticated proxy can act as a <strong>WAF</strong> (Web Application Firewall), inspecting payloads for SQL injection, malware signatures, or prohibited keywords.</p> <p>However, inspecting bodies in a proxy is challenging because proxies are typically <strong>streaming</strong> by default to maintain high performance and low memory usage. To inspect the body, we often need to buffer it (hold it in memory), which creates trade-offs between security and resource consumption.</p> <h2> Key Concepts </h2> <ul> <li> <strong><code>request_body_filter</code></strong>: This hook is called iteratively for every chunk of data the client uploads. It provides a <code>&amp;mut Option&lt;Bytes&gt;</code>, which allows you to inspect, modify, or reject the chunk before it is passed to the upstream.</li> <li> <strong>Streaming vs. Buffering</strong>:</li> <li> <strong>Streaming</strong>: Data flows <code>Client -&gt; Proxy -&gt; Upstream</code> immediately. Good for speed, bad for inspection (you might send half a malicious payload before detecting it).</li> <li> <strong>Buffering</strong>: Data is held in the Proxy's <code>CTX</code> until a condition is met. In this lesson, we buffer chunks into a <code>Vec&lt;u8&gt;</code> to perform a string check.</li> <li> <strong>Safety</strong>: When inspecting bodies, you <strong>must</strong> enforce size limits (e.g., stopping after 1MB). Otherwise, a client could exhaust your proxy's RAM by sending an infinite stream of data.</li> </ul> <h2> The Code (<code>examples/12_body_inspection.rs</code>) </h2> <p>We define a <code>BodyCtx</code> struct to hold our inspection buffer. We then implement <code>request_body_filter</code> to accumulate incoming bytes and scan for the forbidden keyword <code>"rogue"</code>. If detected, we return a custom error, which immediately aborts the connection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="nn">bytes</span><span class="p">::</span><span class="n">Bytes</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BodyInspector</span><span class="p">;</span> <span class="c1">// 1. Define the Context</span> <span class="c1">// We use a simple buffer (Vec&lt;u8&gt;) to accumulate the body for inspection.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BodyCtx</span> <span class="p">{</span> <span class="n">buffer</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u8</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">BodyInspector</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">BodyCtx</span><span class="p">;</span> <span class="c1">// Initialize the empty buffer for each request</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">BodyCtx</span> <span class="p">{</span> <span class="n">buffer</span><span class="p">:</span> <span class="nn">Vec</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 2. Request Body Filter</span> <span class="c1">// This runs for EVERY chunk of the request body.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_body_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Bytes</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_end_of_stream</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// If there is data in this chunk...</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">bytes</span><span class="p">)</span> <span class="o">=</span> <span class="n">body</span> <span class="p">{</span> <span class="c1">// ...append it to our inspection buffer.</span> <span class="c1">// Note: In production, enforce a size limit (e.g. 1MB) to prevent memory DoS.</span> <span class="n">ctx</span><span class="py">.buffer</span><span class="nf">.extend_from_slice</span><span class="p">(</span><span class="n">bytes</span><span class="p">);</span> <span class="c1">// Check for the forbidden pattern</span> <span class="c1">// We use String::from_utf8_lossy to handle potential binary data safely.</span> <span class="k">let</span> <span class="n">content</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">ctx</span><span class="py">.buffer</span><span class="p">);</span> <span class="k">if</span> <span class="n">content</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"rogue"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Security Alert: Forbidden content 'rogue' detected in body!"</span><span class="p">);</span> <span class="c1">// Returning an error here immediately aborts the proxy session.</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">pingora</span><span class="p">::</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"SecurityPolicyViolation"</span><span class="p">)));</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// If we didn't find the keyword, we allow the chunk to proceed.</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">BodyInspector</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6152"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Body Inspector running on 0.0.0.0:6152"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify the "WAF" functionality, we send both compliant and non-compliant POST requests using <code>curl</code>.</p> <h3> 1. Start the Proxy </h3> <p>Run the example inside the <code>pingora_dev</code> container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 12_body_inspection </code></pre> </div> <h3> 2. Test Clean Request </h3> <p>From the host machine, send a harmless payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-X</span> POST <span class="nt">-d</span> <span class="s2">"Hello World"</span> http://172.28.0.10:6152 </code></pre> </div> <p><em>Result:</em> <code>200 OK</code> with body <code>'Response from BLUE'</code>.</p> <h3> 3. Test Forbidden Request </h3> <p>From the host machine, send a payload containing the trigger word:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-X</span> POST <span class="nt">-d</span> <span class="s2">"I am a rogue agent"</span> http://172.28.0.10:6152 </code></pre> </div> <p><em>Result:</em> <code>500 Internal Server Error</code> (or Connection Closed).</p> <p><em>Proxy Logs:</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WARN Security Alert: Forbidden content 'rogue' detected in body! ERROR Fail to proxy: SecurityPolicyViolation ... </code></pre> </div> <h1> Lesson 13: Custom Errors </h1> <p>In production environments, returning generic error pages (like <code>502 Bad Gateway</code> or <code>500 Internal Server Error</code>) provides a poor user experience. Modern APIs and web applications expect structured error responses—typically JSON for APIs (<code>{"error": "message"}</code>) or branded HTML pages for browsers.</p> <p>Pingora provides a dedicated hook, <strong><code>fail_to_proxy</code></strong>, which acts as a global catch-all for any error that occurs during the request lifecycle. This allows you to inspect the error cause and generate a custom response before closing the connection.</p> <h2> Key Concepts </h2> <ul> <li> <strong><code>fail_to_proxy</code></strong>: This hook is triggered if any previous phase (e.g., <code>request_filter</code>, <code>upstream_peer</code>, <code>upstream_request_filter</code>) returns an <code>Err</code>. It replaces the default error handling logic.</li> <li> <strong><code>ErrorType::Custom</code></strong>: You can generate your own errors using <code>pingora::Error::new(ErrorType::Custom("MyReason"))</code>. This allows you to "throw" specific exceptions (like "BlockedByWAF" or "MaintenanceMode") and "catch" them in the error handler to serve specific status codes.</li> <li> <strong><code>FailToProxy</code> Struct</strong>: The return type of this hook. It instructs the server on two things: <ol> <li> <code>error_code</code>: The HTTP status code to log internally.</li> <li> <code>can_reuse_downstream</code>: Whether the TCP connection to the client is safe to reuse for another request (Keep-Alive). Usually, this is <code>false</code> for fatal errors.</li> </ol> </li> </ul> <h2> The Code (<code>examples/13_custom_errors.rs</code>) </h2> <p>We implement a proxy that normally forwards to <strong>Upstream Blue</strong>. However, if the user requests the path <code>/oops</code>, we intentionally raise a custom error. We then catch this error in <code>fail_to_proxy</code> and return a structured JSON response instead of a default error page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">proxy</span><span class="p">::</span><span class="n">FailToProxy</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CustomErrorProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">CustomErrorProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 1. Trigger an error intentionally</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">if</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">()</span> <span class="o">==</span> <span class="s">"/oops"</span> <span class="p">{</span> <span class="c1">// Raise a custom error. This immediately jumps to fail_to_proxy.</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">pingora</span><span class="p">::</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"SimulatedFailure"</span><span class="p">)));</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 2. Handle the error (The "Catch" block)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">fail_to_proxy</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">e</span><span class="p">:</span> <span class="o">&amp;</span><span class="nn">pingora</span><span class="p">::</span><span class="n">Error</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">FailToProxy</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Entered fail_to_proxy with error: {:?}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="c1">// Map the internal error to an HTTP Status Code</span> <span class="k">let</span> <span class="n">code</span> <span class="o">=</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"SimulatedFailure"</span><span class="p">)</span> <span class="o">=</span> <span class="n">e</span><span class="py">.etype</span> <span class="p">{</span> <span class="mi">400</span> <span class="c1">// Bad Request</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="mi">500</span> <span class="c1">// Internal Server Error</span> <span class="p">};</span> <span class="c1">// Construct the Custom JSON Response</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">r#"{{"status": "error", "code": {}, "message": "We caught a custom error!"}}"#</span><span class="p">,</span> <span class="n">code</span> <span class="p">);</span> <span class="k">let</span> <span class="n">content_length</span> <span class="o">=</span> <span class="n">body</span><span class="nf">.len</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">header</span> <span class="o">=</span> <span class="nn">ResponseHeader</span><span class="p">::</span><span class="nf">build</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="mi">3</span><span class="p">))</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">header</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">header</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Content-Length"</span><span class="p">,</span> <span class="n">content_length</span><span class="nf">.to_string</span><span class="p">())</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// Write the response manually</span> <span class="c1">// - false: end_of_stream is false because body follows</span> <span class="c1">// - true: end_of_stream is true because this is the end</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.write_response_header</span><span class="p">(</span><span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">header</span><span class="p">),</span> <span class="k">false</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.write_response_body</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">body</span><span class="nf">.into</span><span class="p">()),</span> <span class="k">true</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Return instruction to Pingora core</span> <span class="n">FailToProxy</span> <span class="p">{</span> <span class="n">error_code</span><span class="p">:</span> <span class="n">code</span><span class="p">,</span> <span class="n">can_reuse_downstream</span><span class="p">:</span> <span class="k">false</span><span class="p">,</span> <span class="c1">// Close connection for safety</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">CustomErrorProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6153"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Custom Error Proxy running on 0.0.0.0:6153"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Try: curl http://127.0.0.1:6153/oops"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify both the standard success path and the custom error path.</p> <h3> 1. Start the Proxy </h3> <p>Run the example inside the <code>pingora_dev</code> container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 13_custom_errors </code></pre> </div> <h3> 2. Test Normal Request </h3> <p>From the host machine, request the root path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6153 </code></pre> </div> <p><em>Result:</em> <code>200 OK</code> from Upstream Blue.</p> <h3> 3. Test Custom Error </h3> <p>From the host machine, request the trigger path <code>/oops</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6153/oops </code></pre> </div> <p><em>Result:</em> <code>400 Bad Request</code>.<br> The body should be our custom JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">400</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"We caught a custom error!"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h1> Lesson 14: HTTP/2 Support </h1> <p>HTTP/2 (H2) is a major upgrade to the HTTP protocol, introducing binary framing, header compression (HPACK), and multiplexing (multiple requests over one TCP connection).</p> <p>Pingora supports HTTP/2 on both sides of the proxy:</p> <ol> <li> <strong>Downstream (Client → Proxy)</strong>: Negotiated via TLS ALPN (Application-Layer Protocol Negotiation).</li> <li> <strong>Upstream (Proxy → Backend)</strong>: Configured explicitly in the <code>HttpPeer</code> options.</li> </ol> <p>In this lesson, we configure <strong>End-to-End HTTP/2</strong>. We will proxy traffic from an H2 client to our "Advanced" Nginx upstream, which is also listening on H2.</p> <h2> Key Concepts </h2> <ul> <li> <strong>ALPN (Application-Layer Protocol Negotiation)</strong>: An extension to TLS where the client sends a list of supported protocols (e.g., <code>h2</code>, <code>http/1.1</code>) during the handshake. The server selects one. To enable this in Pingora, we call <code>tls_settings.enable_h2()</code>.</li> <li> <strong><code>ALPN</code> Enum</strong>: When connecting to an upstream, we must tell Pingora which protocols to offer. <ul> <li> <code>ALPN::H2H1</code>: Prefer HTTP/2, but fallback to HTTP/1.1 (safest).</li> <li> <code>ALPN::H2</code>: Force HTTP/2.</li> </ul> </li> <li> <strong><code>SSL_CERT_FILE</code></strong>: Pingora uses OpenSSL (via <code>boringssl</code>). It respects standard environment variables. Because our Docker container has <code>SSL_CERT_FILE=/keys/ca.crt</code> set, Pingora automatically trusts our lab's local Certificate Authority. We do <em>not</em> need to disable certificate verification manually.</li> </ul> <h2> The Code (<code>examples/14_http2_support.rs</code>) </h2> <p>We configure the listener on port <code>6154</code> to accept H2. We configure the upstream peer to target <code>advanced.pingora.local:443</code> (our Nginx container) and offer H2.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">listeners</span><span class="p">::</span><span class="nn">tls</span><span class="p">::</span><span class="n">TlsSettings</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::{</span><span class="n">ALPN</span><span class="p">,</span> <span class="n">HttpPeer</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">path</span><span class="p">::</span><span class="n">Path</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Http2Proxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">Http2Proxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Target the "Advanced" Nginx upstream on port 443 (HTTPS)</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.22"</span><span class="p">,</span> <span class="mi">443</span><span class="p">);</span> <span class="c1">// true = Enable TLS for the upstream connection</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">addr</span><span class="p">,</span> <span class="k">true</span><span class="p">,</span> <span class="s">"advanced.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="c1">// Offer HTTP/2 to the upstream, fallback to HTTP/1.1</span> <span class="n">peer</span><span class="py">.options.alpn</span> <span class="o">=</span> <span class="nn">ALPN</span><span class="p">::</span><span class="n">H2H1</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding to Upstream Advanced via HTTPS (ALPN: H2/H1)"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Nginx requires the Host header to match the server_name</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"advanced.pingora.local"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">Http2Proxy</span><span class="p">);</span> <span class="c1">// 1. Configure Downstream TLS</span> <span class="k">let</span> <span class="n">cert_path</span> <span class="o">=</span> <span class="s">"/keys/server.crt"</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_path</span> <span class="o">=</span> <span class="s">"/keys/server.key"</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="nn">Path</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">cert_path</span><span class="p">)</span><span class="nf">.exists</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Missing keys at {}"</span><span class="p">,</span> <span class="n">cert_path</span><span class="p">)</span><span class="nf">.into</span><span class="p">());</span> <span class="p">}</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">tls_settings</span> <span class="o">=</span> <span class="nn">TlsSettings</span><span class="p">::</span><span class="nf">intermediate</span><span class="p">(</span><span class="n">cert_path</span><span class="p">,</span> <span class="n">key_path</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// CRITICAL: This enables H2 negotiation with the Client</span> <span class="n">tls_settings</span><span class="nf">.enable_h2</span><span class="p">();</span> <span class="n">my_proxy</span><span class="nf">.add_tls_with_settings</span><span class="p">(</span><span class="s">"0.0.0.0:6154"</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="n">tls_settings</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"HTTP/2 Proxy running on 0.0.0.0:6154"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verify that the connection uses HTTP/2 using <code>curl</code>.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>debug cargo run <span class="nt">--example</span> 14_http2_support </code></pre> </div> <p><em>Note: We use <code>debug</code> logs to see the ALPN handshake details.</em></p> <h3> 2. Test with Curl </h3> <p>From the host machine, we run <code>curl</code> inside the client container. We use the <code>--http2</code> flag to encourage H2 usage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">--http2</span> <span class="se">\</span> <span class="nt">--cacert</span> /keys/ca.crt <span class="se">\</span> https://dev.pingora.local:6154 </code></pre> </div> <h3> 3. Result Analysis </h3> <ul> <li> <strong>Handshake</strong>: You should see <code>ALPN: server accepted h2</code>.</li> <li> <strong>Protocol</strong>: <code>using HTTP/2</code>.</li> <li> <strong>Certificate</strong>: <code>SSL certificate verify ok</code>. This confirms that our <code>SSL_CERT_FILE</code> environment variable correctly pointed to the CA, allowing the client to trust the proxy, and the proxy to trust the upstream.</li> <li> <strong>Response</strong>: <code>Response from Advanced Upstream (HTTPS + HTTP/2)</code>.</li> </ul> <h1> Lesson 15: H2C (HTTP/2 Cleartext) </h1> <p>While HTTP/2 is almost exclusively used over HTTPS (TLS) on the public internet, the specification also defines a cleartext version known as <strong>h2c</strong>.</p> <p><strong>h2c</strong> is widely used in internal infrastructure, particularly for <strong>gRPC</strong> microservices running inside a secure cluster (like Kubernetes). It allows services to benefit from HTTP/2's multiplexing and binary framing without the CPU overhead of encryption/decryption at every hop.</p> <p>In this lesson, we demonstrate <strong>Protocol Translation</strong>:</p> <ul> <li> <strong>Downstream (Client → Proxy)</strong>: Standard HTTP/1.1.</li> <li> <strong>Upstream (Proxy → Backend)</strong>: HTTP/2 Cleartext (h2c).</li> </ul> <h2> Key Concepts </h2> <ul> <li> <strong>Forcing HTTP/2</strong>: When using TLS, the protocol is negotiated via ALPN. With Cleartext, there is no handshake to negotiate the protocol. Therefore, we must explicitly tell Pingora to treat the connection as HTTP/2 immediately upon connecting.</li> <li> <strong><code>ALPN::H2</code></strong>: By setting <code>peer.options.alpn = ALPN::H2</code> combined with <code>tls: false</code>, we instruct the connection pool to start the HTTP/2 "preface" sequence immediately.</li> <li> <strong>No Fallback</strong>: Unlike <code>ALPN::H2H1</code>, there is no fallback mechanism here. If the upstream server does not speak H2C, the connection will fail instantly with a protocol error.</li> </ul> <h2> The Code (<code>examples/15_h2c_support.rs</code>) </h2> <p>We configure the proxy to listen for standard HTTP traffic on port <code>6155</code>. It forwards requests to the lab's <strong>Advanced Upstream</strong> on port <strong>8081</strong>, which is configured to accept H2C traffic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::{</span><span class="n">ALPN</span><span class="p">,</span> <span class="n">HttpPeer</span><span class="p">};</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">H2cProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">H2cProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Target the "Advanced" Nginx upstream on port 8081 (H2C)</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.22"</span><span class="p">,</span> <span class="mi">8081</span><span class="p">);</span> <span class="c1">// TLS is false (Cleartext)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"advanced.pingora.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="c1">// We must Force H2.</span> <span class="c1">// There is no negotiation (ALPN) in Cleartext; we just send H2 frames.</span> <span class="n">peer</span><span class="py">.options.alpn</span> <span class="o">=</span> <span class="nn">ALPN</span><span class="p">::</span><span class="n">H2</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding to Upstream Advanced via H2C (Port 8081)"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Nginx requires the Host header to match the server block</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"advanced.pingora.local"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">H2cProxy</span><span class="p">);</span> <span class="c1">// We accept standard HTTP/1.1 on the front end for simplicity</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6155"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Proxy running on 0.0.0.0:6155 (HTTP/1.1) -&gt; Forwarding to Upstream (H2C)"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verify that the proxy accepts HTTP/1.1 but receives a response from the H2C-only upstream port.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 15_h2c_support </code></pre> </div> <h3> 2. Test with Curl </h3> <p>We use a standard <code>curl</code> command (which defaults to HTTP/1.1).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6155 </code></pre> </div> <h3> 3. Result Analysis </h3> <ul> <li> <strong>Client Side</strong>: <code>HTTP/1.1 200 OK</code>. The client (curl) spoke HTTP/1.1 to the proxy.</li> <li> <strong>Proxy Logs</strong>: <code>Forwarding to Upstream Advanced via H2C</code>.</li> <li> <strong>Body</strong>: <code>Response from Advanced Upstream (H2C - Cleartext HTTP/2)</code>. This specific body text confirms that we successfully hit the Nginx server block listening on port 8081.</li> </ul> <h1> Module 3: Upstream Management </h1> <p>In the previous modules, we focused on the request lifecycle—how the proxy accepts, routes, and modifies traffic from the client. Now, we turn our attention to the <strong>Upstream</strong>: the backend services your proxy protects and serves.</p> <p>A production proxy rarely talks to a single, static IP address. It must navigate dynamic environments where services scale up and down, reside behind secure TLS layers, or communicate over specialized protocols like gRPC and WebSockets.</p> <p>In this module, we will explore the mechanics of connectivity. You will learn how to:</p> <ul> <li> <strong>Discover Peers</strong>: Switch from hardcoded IPs to dynamic DNS resolution and Unix Domain Sockets.</li> <li> <strong>Secure Connections</strong>: Manage TLS handshakes, SNI routing, and Mutual TLS (mTLS) authentication.</li> <li> <strong>Handle Advanced Protocols</strong>: Tunnel traffic via <code>CONNECT</code>, upgrade connections for WebSockets, and proxy gRPC streams.</li> <li> <strong>Tune Performance</strong>: optimize connection reuse (Keep-Alive) and configure granular timeouts to ensure resilience.</li> </ul> <h1> Lesson 16: Static Peer </h1> <p>The simplest way to connect to an upstream service is by using a <strong>Static Peer</strong>. In this configuration, the IP address and port of the backend server are known ahead of time and do not change (or change very rarely).</p> <p>While modern cloud environments often rely on dynamic service discovery, static definitions are still widely used for:</p> <ul> <li>Connecting to legacy infrastructure with fixed IPs.</li> <li>Routing traffic to local sidecars (e.g., sending to <code>127.0.0.1:8080</code>).</li> <li>Simple, high-performance setups where DNS overhead is undesirable.</li> </ul> <h2> Key Concepts </h2> <ul> <li> <strong><code>HttpPeer</code></strong>: This is the fundamental struct Pingora uses to represent a backend connection. It encapsulates three critical pieces of information: <ol> <li> <strong>Address</strong>: A <code>SocketAddr</code> (IP + Port).</li> <li> <strong>TLS Config</strong>: A boolean flag (<code>true</code> for HTTPS, <code>false</code> for HTTP).</li> <li> <strong>SNI (Server Name Indication)</strong>: The domain name associated with the backend.</li> </ol> </li> <li> <strong>The Role of SNI</strong>: Even when <code>use_tls</code> is false, providing a valid SNI string is important. Pingora often uses this string to populate the default <code>Host</code> header if the request doesn't explicitly provide one.</li> </ul> <h2> The Code (<code>examples/16_static_peer.rs</code>) </h2> <p>We configure the proxy to route all traffic to <strong>Upstream Blue</strong> at the hardcoded address <code>172.28.0.20:8080</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">StaticPeerProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">StaticPeerProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 1. Define the Socket Address</span> <span class="c1">// In a static setup, this is hardcoded or loaded from a config file.</span> <span class="c1">// It accepts any type that implements ToSocketAddrs (e.g., tuple or string)</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="c1">// 2. Configure TLS</span> <span class="c1">// false = Plaintext (HTTP)</span> <span class="k">let</span> <span class="n">use_tls</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span> <span class="c1">// 3. Define SNI</span> <span class="c1">// Used for TLS handshake and Host header generation</span> <span class="k">let</span> <span class="n">sni</span> <span class="o">=</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">();</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="n">use_tls</span><span class="p">,</span> <span class="n">sni</span><span class="p">));</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connecting to static peer: {:?}"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">StaticPeerProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6160"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Static Peer Proxy running on 0.0.0.0:6160"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verify that the proxy successfully connects to the specific static IP provided.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 16_static_peer </code></pre> </div> <h3> 2. Test Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6160 </code></pre> </div> <h3> 3. Result Analysis </h3> <ul> <li> <strong>Response</strong>: <code>200 OK</code> containing <code>'Response from BLUE'</code>.</li> <li> <strong>Logs</strong>: You should see the log entry <code>Connecting to static peer: ("172.28.0.20", 8080)</code>. This confirms the <code>upstream_peer</code> hook executed and selected the correct hardcoded address.</li> </ul> <h1> Lesson 17: DNS Peer </h1> <p>In dynamic environments like Kubernetes, AWS, or Docker, backend IP addresses change frequently. Hardcoding IPs is brittle; instead, we rely on DNS to resolve service names (e.g., <code>blue.pingora.local</code>) to their current IP addresses at runtime.</p> <h3> Key Concepts </h3> <ul> <li> <strong>Async Resolution</strong>: Standard Rust DNS resolution (<code>std::net::ToSocketAddrs</code>) is <strong>blocking</strong>. Using it inside Pingora's async runtime will freeze the worker thread, causing massive latency spikes. You <strong>must</strong> use an async resolver like <code>tokio::net::lookup_host</code>.</li> <li> <strong>Dynamic <code>HttpPeer</code></strong>: Instead of a static constant, we create the <code>HttpPeer</code> struct dynamically inside <code>upstream_peer</code> based on the result of the DNS lookup.</li> <li> <strong>Error Handling</strong>: DNS lookups can fail (NXDOMAIN, timeouts). Robust proxies must catch these errors and return appropriate internal error codes.</li> </ul> <h2> The Code (<code>examples/17_dns_peer.rs</code>) </h2> <p>We perform an asynchronous DNS lookup for <code>blue.pingora.local</code> and use the resolved IP to construct the peer connection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">lookup_host</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">DnsPeerProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">DnsPeerProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">hostname</span> <span class="o">=</span> <span class="s">"blue.pingora.local"</span><span class="p">;</span> <span class="k">let</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">;</span> <span class="k">let</span> <span class="n">target</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{}:{}"</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">port</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Resolving host: {}"</span><span class="p">,</span> <span class="n">target</span><span class="p">);</span> <span class="c1">// 1. Perform Async DNS Lookup</span> <span class="c1">// We use tokio::net::lookup_host to avoid blocking the runtime.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">addrs</span> <span class="o">=</span> <span class="nf">lookup_host</span><span class="p">(</span><span class="o">&amp;</span><span class="n">target</span><span class="p">)</span><span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">_e</span><span class="p">|</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"DNSResolutionFailed"</span><span class="p">)))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Select an Address</span> <span class="c1">// A hostname might resolve to multiple IPs. We pick the first one.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="o">=</span> <span class="n">addrs</span><span class="nf">.next</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Resolved {} -&gt; {}"</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">hostname</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"DNS lookup returned no records for {}"</span><span class="p">,</span> <span class="n">hostname</span><span class="p">);</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">pingora</span><span class="p">::</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"DNSNoRecords"</span><span class="p">)))</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">DnsPeerProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6161"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"DNS Peer Proxy running on 0.0.0.0:6161"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verify that the proxy correctly resolves the internal Docker DNS name to an IP address.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 17_dns_peer </code></pre> </div> <h3> 2. Test Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6161 </code></pre> </div> <h3> 3. Result Analysis </h3> <ul> <li> <strong>Response</strong>: <code>200 OK</code> from Upstream Blue.</li> <li> <strong>Logs</strong>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> INFO Resolving host: blue.pingora.local:8080 INFO Resolved blue.pingora.local -&gt; 172.28.0.20:8080 </code></pre> </div> <p>The logs confirm that <code>lookup_host</code> successfully returned the internal IP address <code>172.28.0.20</code>.</p> <h1> Lesson 18: Unix Domain Socket (UDS) Peer </h1> <p>In high-performance local environments—such as communicating with a sidecar proxy (e.g., Envoy, Linkerd) or a local PHP-FPM process—using TCP/IP can introduce unnecessary overhead. <strong>Unix Domain Sockets (UDS)</strong> allow processes on the same machine to communicate via the kernel without touching the network stack.</p> <p>Pingora supports proxying traffic to UDS endpoints natively. This is often used to offload TLS termination or WAF duties to Pingora while the application logic runs locally on a socket.</p> <h2> Key Concepts </h2> <ul> <li> <strong><code>HttpPeer::new_uds()</code></strong>: This constructor is distinct from the standard <code>new()</code>. It takes a file system path (e.g., <code>/tmp/upstream.sock</code>) instead of an IP address. Note that it returns a <code>Result</code>, so it must be unwrapped with <code>?</code>.</li> <li> <strong>The "Host" in UDS</strong>: Even though we are connecting to a file, the HTTP protocol still requires a <code>Host</code> header. You must still provide a valid SNI/Host string (e.g., <code>"uds.local"</code>).</li> <li> <strong>Mocking in Rust</strong>: Since our lab environment lacks a real UDS upstream (like a local Python server), we implement a mock upstream using <code>tokio::net::UnixListener</code>. Because Pingora controls the main thread, we spawn this mock server in a background thread with its own Tokio runtime.</li> </ul> <h2> The Code (<code>examples/18_uds_peer.rs</code>) </h2> <p>We launch a background thread to act as the "Upstream Server," listening on <code>/tmp/upstream.sock</code>. The Proxy then accepts traffic on TCP port <code>6162</code> and tunnels it to that socket file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">UnixListener</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">UdsProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">UdsProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Connect to the Unix Domain Socket file</span> <span class="c1">// Note: new_uds returns a Result, so we use '?'</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new_uds</span><span class="p">(</span> <span class="s">"/tmp/upstream.sock"</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="c1">// TLS is rarely used over UDS</span> <span class="s">"uds.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding to UDS: /tmp/upstream.sock"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// A simple Mock Server that listens on a Unix Socket</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_mock_uds_server</span><span class="p">(</span><span class="n">path</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">'static</span> <span class="nb">str</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 1. Clean up old socket file if it exists</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">fs</span><span class="p">::</span><span class="nf">remove_file</span><span class="p">(</span><span class="n">path</span><span class="p">);</span> <span class="c1">// 2. Bind to the path</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">UnixListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="n">path</span><span class="p">)</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to bind UDS"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Mock Upstream running at {}"</span><span class="p">,</span> <span class="n">path</span><span class="p">);</span> <span class="c1">// 3. Accept loop</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_addr</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="c1">// Simple Read (drain request)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">4096</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Simple Write (static response)</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="s">Content-Length: 13</span><span class="se">\r\n</span><span class="s">Connection: close</span><span class="se">\r\n\r\n</span><span class="s">Hello via UDS"</span><span class="p">;</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Spawn our mock upstream server in the background</span> <span class="c1">// We use a separate thread + runtime to avoid conflicting with Pingora's main loop</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">move</span> <span class="p">||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_mock_uds_server</span><span class="p">(</span><span class="s">"/tmp/upstream.sock"</span><span class="p">));</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">park</span><span class="p">();</span> <span class="c1">// Keep the thread alive</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">UdsProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6162"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"UDS Proxy running on 0.0.0.0:6162"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We verify that the proxy can bridge a standard TCP HTTP request to a local Unix Domain Socket.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 18_uds_peer </code></pre> </div> <h3> 2. Test Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6162 </code></pre> </div> <h3> 3. Result Analysis </h3> <ul> <li> <strong>Logs</strong>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> INFO Mock Upstream running at /tmp/upstream.sock INFO Forwarding to UDS: /tmp/upstream.sock </code></pre> </div> <ul> <li> <strong>Response</strong>: <code>200 OK</code> with body <code>Hello via UDS</code>.</li> </ul> <h1> Lesson 19: Peer Options </h1> <p>In a complex microservices architecture, not all upstreams are created equal. A real-time bidding server might need to fail fast (e.g., 50ms), while a legacy reporting service might need a generous 30-second window.</p> <p>Pingora allows granular control over connection parameters via the <code>peer.options</code> struct. This allows you to apply different Service Level Agreements (SLAs) dynamically per request.</p> <h2> Key Concepts </h2> <ul> <li> <strong><code>connection_timeout</code></strong>: The maximum time allowed to establish the TCP (and TLS) handshake.</li> <li> <strong><code>read_timeout</code></strong>: The maximum time allowed between bytes when reading the response body.</li> <li> <strong>The "Blackhole" Pattern</strong>: To test connection timeouts reliably in a local lab, we route traffic to <code>192.0.2.1</code>. This is a reserved "TEST-NET" IP address that is guaranteed not to route, causing the connection attempt to hang until the timeout fires.</li> <li> <strong><code>fail_to_proxy</code></strong>: Timeouts in Pingora generate specific error types (<code>ConnectTimedout</code>, <code>ReadTimedout</code>). We catch these here to return a specific <code>504 Gateway Timeout</code> status instead of a generic 502.</li> </ul> <h2> The Code (<code>examples/19_peer_options.rs</code>) </h2> <p>We configure the proxy to switch behaviors based on the URL path:</p> <ol> <li> <strong><code>/normal</code></strong>: Connects to the standard upstream with a 2-second timeout.</li> <li> <strong><code>/timeout</code></strong>: Attempts to connect to the "Blackhole" IP with a <strong>100ms</strong> timeout. This guarantees a <code>ConnectTimedout</code> error. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">proxy</span><span class="p">::</span><span class="n">FailToProxy</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">TimeoutProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">TimeoutProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="c1">// 1. Determine Target based on path</span> <span class="k">let</span> <span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="n">sni</span><span class="p">,</span> <span class="n">timeout</span><span class="p">)</span> <span class="o">=</span> <span class="k">if</span> <span class="n">path</span> <span class="o">==</span> <span class="s">"/timeout"</span> <span class="p">{</span> <span class="c1">// Case A: The "Blackhole"</span> <span class="c1">// 192.0.2.1 is a reserved Test-Net IP. It will not respond.</span> <span class="c1">// We set a 100ms timeout to fail fast.</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routing to Blackhole IP (192.0.2.1) to force timeout..."</span><span class="p">);</span> <span class="p">((</span><span class="s">"192.0.2.1"</span><span class="p">,</span> <span class="mi">80</span><span class="p">),</span> <span class="s">"blackhole.local"</span><span class="p">,</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">from_millis</span><span class="p">(</span><span class="mi">100</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Case B: The Happy Path</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routing to Blue (Standard Timeout)"</span><span class="p">);</span> <span class="p">((</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">),</span> <span class="s">"blue.pingora.local"</span><span class="p">,</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">sni</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="c1">// 2. Apply the specific timeout config</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">timeout</span><span class="p">);</span> <span class="c1">// We set generous read/write timeouts to ensure only connection time is tested</span> <span class="n">peer</span><span class="py">.options.read_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">));</span> <span class="n">peer</span><span class="py">.options.write_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">fail_to_proxy</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">e</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Error</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">FailToProxy</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// 3. Handle the Timeout Error</span> <span class="k">match</span> <span class="n">e</span><span class="py">.etype</span> <span class="p">{</span> <span class="nn">ErrorType</span><span class="p">::</span><span class="n">ConnectTimedout</span> <span class="p">|</span> <span class="nn">ErrorType</span><span class="p">::</span><span class="n">ReadTimedout</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Custom Error Handler: Connection Timed Out!"</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">504</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">return</span> <span class="n">FailToProxy</span> <span class="p">{</span> <span class="n">error_code</span><span class="p">:</span> <span class="mi">504</span><span class="p">,</span> <span class="n">can_reuse_downstream</span><span class="p">:</span> <span class="k">false</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Fallback for other errors</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Fail to proxy: {:?}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">502</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="n">FailToProxy</span><span class="p">{</span> <span class="n">error_code</span><span class="p">:</span> <span class="mi">502</span><span class="p">,</span> <span class="n">can_reuse_downstream</span><span class="p">:</span> <span class="k">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">TimeoutProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6163"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Timeout Config Proxy running on 0.0.0.0:6163"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p><strong>1. Start the Proxy</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 19_peer_options </code></pre> </div> <p><strong>2. Test Normal Request</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6163/normal </code></pre> </div> <p><em>Result:</em> <code>200 OK</code> from Blue.</p> <p><strong>3. Test Timeout Request</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6163/timeout </code></pre> </div> <p><em>Result:</em> After exactly 100ms, you will receive <code>504 Gateway Timeout</code>.<br> <em>Logs:</em> <code>Routing to Blackhole IP...</code> followed by <code>Custom Error Handler: Connection Timed Out!</code>.</p> <h1> Lesson 20: SNI Routing </h1> <p>In modern multi-tenant architectures (like CDNs or SaaS platforms), a single backend IP address often serves thousands of different domains. To route traffic correctly, the proxy must tell the upstream server <em>which</em> domain it is trying to reach during the TLS handshake. This is done via the <strong>SNI (Server Name Indication)</strong> extension.</p> <p>In this lesson, we will build a proxy that dynamically selects the SNI based on the request path.</p> <h2> Key Concepts </h2> <ul> <li> <strong>SNI (Server Name Indication):</strong> A TLS extension where the client (Pingora) sends the hostname it wants to connect to in the initial <code>ClientHello</code> packet. This allows the backend (Nginx) to select the correct certificate and server block.</li> <li> <strong>Context (<code>CTX</code>)</strong>: We use the request context to store the decision made in <code>request_filter</code> (the routing logic) so it can be retrieved later in <code>upstream_peer</code> (where the TLS connection is created).</li> <li> <strong>Host Header vs. SNI</strong>: While they often match, they are distinct. SNI is Layer 4 (TLS), while the Host header is Layer 7 (HTTP). To avoid confusion or rejection by the upstream, it is best practice to keep them in sync.</li> <li> <strong>Wildcard Certificates</strong>: In our lab, the upstream Nginx server (<code>advanced.pingora.local</code>) holds a wildcard certificate for <code>*.api.pingora.local</code>. This allows it to accept connections for both <code>v1.api.pingora.local</code> and <code>v2.api.pingora.local</code> using the same certificate.</li> </ul> <h2> The Code (<code>examples/20_sni_routing.rs</code>) </h2> <p>We map incoming paths to different subdomains:</p> <ul> <li> <code>/v1/...</code> → <code>v1.api.pingora.local</code> </li> <li>Other → <code>v2.api.pingora.local</code> </li> </ul> <p>We use the <code>SniCtx</code> struct to pass this decision from the filter phase to the peer selection phase.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SniRouter</span><span class="p">;</span> <span class="c1">// 1. Define Context to share data between hooks</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SniCtx</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">target_host</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">SniRouter</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">SniCtx</span><span class="p">;</span> <span class="c1">// Initialize the context for each new request</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">SniCtx</span> <span class="p">{</span> <span class="n">target_host</span><span class="p">:</span> <span class="nn">String</span><span class="p">::</span><span class="nf">new</span><span class="p">(),</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 2. Determine Routing Logic early (Layer 7 Filter)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="c1">// Calculate the target hostname based on path prefix</span> <span class="n">ctx</span><span class="py">.target_host</span> <span class="o">=</span> <span class="k">if</span> <span class="n">path</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"/v1"</span><span class="p">)</span> <span class="p">{</span> <span class="s">"v1.api.pingora.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="s">"v2.api.pingora.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">};</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Configure the Connection (Layer 4 Peer Selection)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.22"</span><span class="p">,</span> <span class="mi">443</span><span class="p">);</span> <span class="c1">// Retrieve the SNI we decided on earlier</span> <span class="k">let</span> <span class="n">sni</span> <span class="o">=</span> <span class="n">ctx</span><span class="py">.target_host</span><span class="nf">.clone</span><span class="p">();</span> <span class="c1">// Create the peer with TLS enabled (true)</span> <span class="c1">// Because the upstream cert covers *.api.pingora.local, </span> <span class="c1">// both "v1" and "v2" SNIs will be accepted and validated.</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">true</span><span class="p">,</span> <span class="n">sni</span><span class="nf">.clone</span><span class="p">()));</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connecting to IP: {:?} with SNI: {}"</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="n">sni</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 4. Sync the Host Header (Layer 7 Request Modification)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Ensure the Host header matches the SNI to satisfy the web server</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">ctx</span><span class="py">.target_host</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">SniRouter</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6164"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"SNI Routing Proxy running on 0.0.0.0:6164"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that Pingora connects to the same upstream IP but presents different identities (SNI) depending on the URL.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 20_sni_routing </code></pre> </div> <h3> 2. Test V1 Path </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6164/v1/test </code></pre> </div> <p><em>Result:</em> <code>200 OK</code>.<br> <em>Log:</em> <code>Connecting to ... SNI: v1.api.pingora.local</code></p> <h3> 3. Test V2 Path </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6164/v2/test </code></pre> </div> <p><em>Result:</em> <code>200 OK</code>.<br> <em>Log:</em> <code>Connecting to ... SNI: v2.api.pingora.local</code></p> <p>This works seamlessly because we updated our certificate infrastructure to include <code>*.api.pingora.local</code> in the upstream certificate. Pingora successfully negotiates a secure TLS connection for both subdomains using the same backend IP.</p> <h1> Lesson 21: Mutual TLS (mTLS) </h1> <p>Standard TLS (HTTPS) involves one-way authentication: the client validates the server's identity. <strong>Mutual TLS (mTLS)</strong> adds a second layer of security where the server also validates the client's identity. This is commonly used in Zero Trust architectures to ensure only authorized proxies or microservices can talk to sensitive backends.</p> <p>In this lesson, we will configure Pingora to present a <strong>Client Certificate</strong> when connecting to a secured upstream.</p> <h2> Key Concepts </h2> <ul> <li> <strong>Client Certificate (<code>client.crt</code>)</strong>: A digital identity card for the proxy. It is signed by a Root CA trusted by the upstream.</li> <li> <strong>Private Key (<code>client.key</code>)</strong>: The secret key used to prove ownership of the certificate during the handshake.</li> <li> <strong><code>CertKey</code> Struct</strong>: Pingora's internal wrapper for an <code>X509</code> certificate chain and a <code>PKey</code> private key.</li> <li> <strong><code>upstream_peer</code> Hook</strong>: We attach the credentials to the <code>HttpPeer</code> struct dynamically. We can choose to send them for some requests (e.g., <code>/auth</code>) and omit them for others (e.g., <code>/anon</code>).</li> <li> <strong>Performance</strong>: Parsing certificates from PEM files is CPU-intensive. We must load them into memory <strong>once</strong> during startup and wrap them in an <code>Arc</code> (Atomic Reference Counted) pointer to share them efficiently across thousands of requests.</li> </ul> <h2> The Code (<code>examples/21_mutual_tls.rs</code>) </h2> <p>We create a proxy that connects to the <strong>Advanced Upstream</strong> on port <code>8443</code>, which enforces mTLS.</p> <ul> <li>If the path is <code>/auth</code>, we attach the client certificate.</li> <li>If the path is <code>/anon</code>, we attempt to connect without one. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">utils</span><span class="p">::</span><span class="nn">tls</span><span class="p">::</span><span class="n">CertKey</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">tls</span><span class="p">::</span><span class="nn">x509</span><span class="p">::</span><span class="n">X509</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">tls</span><span class="p">::</span><span class="nn">pkey</span><span class="p">::</span><span class="n">PKey</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="n">fs</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// The struct holds the parsed Certificate/Key pair in an Arc.</span> <span class="c1">// This is thread-safe and cheap to clone for every request.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">MtlsProxy</span> <span class="p">{</span> <span class="n">client_cert</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">CertKey</span><span class="o">&gt;</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">MtlsProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="c1">// Target the mTLS port (8443) on the Advanced Upstream</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.22"</span><span class="p">,</span> <span class="mi">8443</span><span class="p">);</span> <span class="k">let</span> <span class="n">sni</span> <span class="o">=</span> <span class="s">"advanced.pingora.local"</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">true</span><span class="p">,</span> <span class="n">sni</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="c1">// Decision Logic: To Auth or Not to Auth?</span> <span class="k">if</span> <span class="n">path</span> <span class="o">==</span> <span class="s">"/auth"</span> <span class="p">{</span> <span class="c1">// Case 1: Authenticated</span> <span class="c1">// We attach the Arc&lt;CertKey&gt;. Pingora will use this in the TLS handshake.</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Attaching Client Certificate for /auth request..."</span><span class="p">);</span> <span class="n">peer</span><span class="py">.client_cert_key</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="k">self</span><span class="py">.client_cert</span><span class="nf">.clone</span><span class="p">());</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Case 2: Anonymous</span> <span class="c1">// We explicitly leave client_cert_key as None.</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connecting anonymously (no cert) for {}..."</span><span class="p">,</span> <span class="n">path</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Load Credentials at Startup (Critical for Performance)</span> <span class="k">let</span> <span class="n">cert_path</span> <span class="o">=</span> <span class="s">"/keys/client.crt"</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_path</span> <span class="o">=</span> <span class="s">"/keys/client.key"</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="nn">std</span><span class="p">::</span><span class="nn">path</span><span class="p">::</span><span class="nn">Path</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">cert_path</span><span class="p">)</span><span class="nf">.exists</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Client keys missing at {}. Run 00-setup-certs.sh"</span><span class="p">,</span> <span class="n">cert_path</span><span class="p">)</span><span class="nf">.into</span><span class="p">());</span> <span class="p">}</span> <span class="k">let</span> <span class="n">cert_bytes</span> <span class="o">=</span> <span class="nn">fs</span><span class="p">::</span><span class="nf">read</span><span class="p">(</span><span class="n">cert_path</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">key_bytes</span> <span class="o">=</span> <span class="nn">fs</span><span class="p">::</span><span class="nf">read</span><span class="p">(</span><span class="n">key_path</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Parse PEM into OpenSSL Objects</span> <span class="k">let</span> <span class="n">x509</span> <span class="o">=</span> <span class="nn">X509</span><span class="p">::</span><span class="nf">from_pem</span><span class="p">(</span><span class="o">&amp;</span><span class="n">cert_bytes</span><span class="p">[</span><span class="o">..</span><span class="p">])</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to parse certificate: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">PKey</span><span class="p">::</span><span class="nf">private_key_from_pem</span><span class="p">(</span><span class="o">&amp;</span><span class="n">key_bytes</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to parse private key: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 3. Wrap in CertKey and Arc</span> <span class="k">let</span> <span class="n">cert_key</span> <span class="o">=</span> <span class="nn">CertKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nd">vec!</span><span class="p">[</span><span class="n">x509</span><span class="p">],</span> <span class="n">key</span><span class="p">);</span> <span class="k">let</span> <span class="n">client_cert</span> <span class="o">=</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">cert_key</span><span class="p">);</span> <span class="k">let</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="n">MtlsProxy</span> <span class="p">{</span> <span class="n">client_cert</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_service</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6165"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"mTLS Proxy running on 0.0.0.0:6165"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_service</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that the upstream server rejects anonymous connections but accepts authenticated ones.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 21_mutual_tls </code></pre> </div> <h3> 2. Test Anonymous Access (Expected Failure) </h3> <p>The upstream Nginx is configured with <code>ssl_verify_client on</code>. It should reject connections that lack a certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6165/anon </code></pre> </div> <p><em>Result:</em> <code>400 Bad Request</code>.<br> <em>Body:</em> The HTML error page contains <code>&lt;center&gt;No required SSL certificate was sent&lt;/center&gt;</code>.</p> <h3> 3. Test Authenticated Access (Expected Success) </h3> <p>We hit the <code>/auth</code> path, causing Pingora to attach the client certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6165/auth </code></pre> </div> <p><em>Result:</em> <code>200 OK</code>.<br> <em>Body:</em> <code>Response from mTLS Protected Upstream. Hello, Authenticated Client!</code></p> <h1> Lesson 22: Proxy Connect (Tunneling) </h1> <h2> 1. Proxy Tunnels </h2> <p>In enterprise environments, direct internet access is rarely granted to backend servers. Instead, all outbound traffic must pass through a designated <strong>Forward Proxy</strong> (like Squid, Zscaler, or an AWS NAT Gateway).</p> <p>If your Pingora instance is running in such a restricted environment, it cannot simply open a TCP connection to <code>api.stripe.com</code>. It must ask the corporate proxy to open that connection on its behalf. This is achieved using the HTTP <strong><code>CONNECT</code></strong> method.</p> <p>In this lesson, we will implement a custom connector that allows Pingora to "tunnel" through an intermediate proxy to reach a secure upstream.</p> <h2> 2. Understanding HTTP <code>CONNECT</code> </h2> <p>The <code>CONNECT</code> method is unique because it asks the proxy to stop acting like an HTTP parser and start acting like a blind pipe. This is essential for secure traffic (HTTPS), because the intermediate proxy cannot read the encrypted data—it just shovels bytes back and forth.</p> <h3> The "Double Handshake" </h3> <p>Tunneling involves two distinct connection phases:</p> <ol> <li> <strong>The Setup (Plaintext):</strong> The client (Pingora) connects to the <strong>Proxy</strong> and sends a <code>CONNECT</code> request specifying the ultimate destination. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> CONNECT advanced.pingora.local:443 HTTP/1.1 Host: advanced.pingora.local:443 </span></code></pre> </div> <ol> <li> <strong>The Tunnel (Encrypted):</strong> If allowed, the Proxy connects to the destination and replies <code>200 Connection Established</code>. At this precise moment, the connection transforms. The HTTP layer vanishes, and it becomes a raw TCP stream. Pingora then initiates the TLS handshake <em>through</em> this stream, effectively talking directly to the destination.</li> </ol> <h2> 3. The Challenge: Pingora's Limitation </h2> <p>As of today, Pingora's high-level API (<code>peer.proxy</code>) is optimized for Unix Domain Sockets (UDS). It does <strong>not</strong> natively support configuring a standard TCP/IP address (like <code>10.0.0.5:3128</code>) as a forward proxy.</p> <p>If you attempt to set <code>peer.proxy</code> to a standard HTTP proxy address, Pingora will struggle to establish the connection because it expects a local socket file path.</p> <p><strong>The Consequence:</strong> We cannot rely on simple configuration flags. To support this common enterprise requirement, we must extend Pingora's networking capabilities manually.</p> <h2> 4. The Solution: Transport Layer Hijacking </h2> <p>To solve this, we will use Pingora's <code>L4Connect</code> trait. This powerful interface allows us to intercept the "Dialing" phase of the connection lifecycle.</p> <p>We will implement a custom connector that performs a "Bait and Switch" operation:</p> <ol> <li> <strong>Intercept the Dial:</strong> When Pingora asks to connect to a peer, our custom code takes over.</li> <li> <strong>Dial the Proxy:</strong> Instead of connecting to the Upstream, we physically connect to the <strong>Forward Proxy IP</strong> (e.g., <code>127.0.0.1:3128</code>).</li> <li> <strong>Perform the Handshake:</strong> We manually write the <code>CONNECT</code> headers to the socket and wait for the <code>200 OK</code> response.</li> <li> <strong>Return the Socket:</strong> We hand this established tunnel back to Pingora.</li> </ol> <p>Pingora's core doesn't know (or care) that the socket is tunneled. It simply sees a valid TCP stream and proceeds to perform the TLS handshake on top of it.</p> <h3> The "FD Mismatch" Trap </h3> <p>There is one critical safety mechanism we must navigate: <strong>File Descriptor (FD) Reuse Checks</strong>.<br> Pingora checks if the connected socket's remote address matches the configured <code>HttpPeer</code> address.</p> <ul> <li> <strong>If we configure:</strong> Peer = <code>advanced.pingora.local</code> </li> <li> <strong>But we connect to:</strong> Socket = <code>127.0.0.1</code> </li> </ul> <p>Pingora will detect this mismatch ("I asked for X but you gave me Y!") and close the connection to prevent security risks.</p> <p><strong>The Fix:</strong> We must align the physical and logical layers:</p> <ul> <li> <strong>Physical Layer:</strong> We configure the <code>HttpPeer</code> address to be the <strong>Proxy's IP</strong>. This satisfies the safety check.</li> <li> <strong>Logical Layer:</strong> We manually set the <strong>SNI</strong> and <strong>Host Header</strong> to the <strong>Upstream's Domain</strong>. This ensures the TLS handshake and HTTP request are valid for the destination.</li> </ul> <h2> 5. The Code (<code>examples/22_proxy_connect.rs</code>) </h2> <p>This implementation is advanced because it requires us to touch three different layers of the networking stack simultaneously:</p> <ol> <li> <strong>Layer 4 (Transport):</strong> We physically connect to the Proxy IP.</li> <li> <strong>Layer 5 (Session):</strong> We manually negotiate the HTTP <code>CONNECT</code> tunnel.</li> <li> <strong>Layer 7 (Application):</strong> We lie to the application layer, telling it we are connecting to the Upstream Host so that SNI and Host headers are generated correctly.</li> </ol> <h3> The Components </h3> <ul> <li> <strong><code>ProxyTunnelConnector</code></strong>: This struct implements <code>L4Connect</code>. It is the "driver" that Pingora uses when it needs to establish a TCP connection. Instead of dialing the destination, it dials the proxy, negotiates the tunnel, and returns the active socket.</li> <li> <strong><code>TunnelProxy</code></strong>: The main proxy logic. Its job is to configure the <code>HttpPeer</code> with the <strong>Physical Address</strong> (Proxy IP) to satisfy safety checks, while injecting our custom connector to handle the <strong>Logical Connection</strong> (Target Host).</li> <li> <strong><code>run_mock_forward_proxy</code></strong>: A minimal TCP proxy running in the background to simulate a corporate firewall like Zscaler or Squid. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">error</span><span class="p">,</span> <span class="n">info</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">connectors</span><span class="p">::</span><span class="n">L4Connect</span><span class="p">;</span> <span class="c1">// We alias the specific Stream type Pingora expects for L4 connections</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="nn">l4</span><span class="p">::</span><span class="nn">stream</span><span class="p">::</span><span class="n">Stream</span> <span class="k">as</span> <span class="n">L4Stream</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="nn">l4</span><span class="p">::</span><span class="nn">socket</span><span class="p">::</span><span class="n">SocketAddr</span> <span class="k">as</span> <span class="n">PingoraSocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">SocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::{</span><span class="n">TcpListener</span><span class="p">,</span> <span class="n">TcpStream</span><span class="p">};</span> <span class="c1">// --- COMPONENT 1: The Custom Connector ---</span> <span class="c1">// This acts as the "Client" in the CONNECT handshake.</span> <span class="nd">#[derive(Debug)]</span> <span class="k">struct</span> <span class="n">ProxyTunnelConnector</span> <span class="p">{</span> <span class="n">proxy_addr</span><span class="p">:</span> <span class="n">SocketAddr</span><span class="p">,</span> <span class="c1">// Physical: Where packets go (127.0.0.1:3128)</span> <span class="n">remote_host</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="c1">// Logical: Who we want to reach (advanced.pingora.local)</span> <span class="n">remote_port</span><span class="p">:</span> <span class="nb">u16</span><span class="p">,</span> <span class="c1">// Logical: Port (443)</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">L4Connect</span> <span class="k">for</span> <span class="n">ProxyTunnelConnector</span> <span class="p">{</span> <span class="c1">// Pingora calls this method when it wants to open a connection.</span> <span class="c1">// We ignore the `_addr` argument provided by Pingora because we are hijacking the destination.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">connect</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_addr</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">PingoraSocketAddr</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">L4Stream</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connector: Dialing Proxy at {:?}..."</span><span class="p">,</span> <span class="k">self</span><span class="py">.proxy_addr</span><span class="p">);</span> <span class="c1">// 1. Establish Physical TCP Connection</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">socket</span> <span class="o">=</span> <span class="nn">TcpStream</span><span class="p">::</span><span class="nf">connect</span><span class="p">(</span><span class="k">self</span><span class="py">.proxy_addr</span><span class="p">)</span><span class="k">.await</span><span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="p">{</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">ConnectError</span><span class="p">,</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to connect to proxy: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Perform the HTTP CONNECT Handshake</span> <span class="c1">// We construct a raw HTTP request asking the proxy to open a tunnel.</span> <span class="k">let</span> <span class="n">connect_req</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"CONNECT {}:{} HTTP/1.1</span><span class="se">\r\n</span><span class="s">Host: {}:{}</span><span class="se">\r\n\r\n</span><span class="s">"</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_host</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_port</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_host</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_port</span> <span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connector: Sending CONNECT request for {}:{}"</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_host</span><span class="p">,</span> <span class="k">self</span><span class="py">.remote_port</span><span class="p">);</span> <span class="n">socket</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">connect_req</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="p">{</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">WriteError</span><span class="p">,</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to write CONNECT req: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 3. Verify the Tunnel</span> <span class="c1">// We must read the response headers to ensure we got a "200 Connection Established".</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">4096</span><span class="p">];</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="n">socket</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="p">{</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">ReadError</span><span class="p">,</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to read proxy resp: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">})</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="o">..</span><span class="n">n</span><span class="p">]);</span> <span class="k">if</span> <span class="o">!</span><span class="n">response</span><span class="nf">.contains</span><span class="p">(</span><span class="s">" 200 "</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span> <span class="nn">ErrorType</span><span class="p">::</span><span class="n">ConnectProxyFailure</span><span class="p">,</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Proxy refused tunnel: {}"</span><span class="p">,</span> <span class="n">response</span><span class="nf">.lines</span><span class="p">()</span><span class="nf">.next</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="s">"Unknown"</span><span class="p">))</span> <span class="p">));</span> <span class="p">}</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connector: Tunnel established! Handing socket to Pingora core."</span><span class="p">);</span> <span class="c1">// 4. Handover</span> <span class="c1">// We wrap the standard Tokio TcpStream into Pingora's L4Stream wrapper.</span> <span class="c1">// Pingora's TLS layer will now take this socket and perform the SSL Handshake *over* it.</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">L4Stream</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="n">socket</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// --- COMPONENT 2: The Main Proxy Logic ---</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">TunnelProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">TunnelProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream_host</span> <span class="o">=</span> <span class="s">"advanced.pingora.local"</span><span class="p">;</span> <span class="k">let</span> <span class="n">upstream_port</span> <span class="o">=</span> <span class="mi">443</span><span class="p">;</span> <span class="c1">// The Proxy's physical address (The "Next Hop")</span> <span class="k">let</span> <span class="n">proxy_addr_str</span> <span class="o">=</span> <span class="s">"127.0.0.1:3128"</span><span class="p">;</span> <span class="k">let</span> <span class="n">proxy_socket_addr</span><span class="p">:</span> <span class="n">SocketAddr</span> <span class="o">=</span> <span class="n">proxy_addr_str</span><span class="nf">.parse</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// THE CRITICAL CONFIGURATION:</span> <span class="c1">// 1. Peer Address: Set to the PROXY IP. </span> <span class="c1">// This prevents "FD Mismatch" errors. Pingora checks: "Is the socket connected to </span> <span class="c1">// the address in the peer struct?" Since our connector dials 127.0.0.1, this must match.</span> <span class="c1">// 2. SNI: Set to the UPSTREAM HOST.</span> <span class="c1">// This ensures the ClientHello generated by Pingora asks for the correct certificate.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">proxy_socket_addr</span><span class="p">,</span> <span class="c1">// Address matches physical socket</span> <span class="k">true</span><span class="p">,</span> <span class="c1">// TLS matches final destination</span> <span class="n">upstream_host</span><span class="nf">.to_string</span><span class="p">()</span> <span class="c1">// SNI matches final destination</span> <span class="p">));</span> <span class="c1">// 3. Inject the Custom Connector</span> <span class="c1">// This overrides the default logic of "Just dial the Peer Address".</span> <span class="k">let</span> <span class="n">connector</span> <span class="o">=</span> <span class="n">ProxyTunnelConnector</span> <span class="p">{</span> <span class="n">proxy_addr</span><span class="p">:</span> <span class="n">proxy_socket_addr</span><span class="p">,</span> <span class="n">remote_host</span><span class="p">:</span> <span class="n">upstream_host</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">remote_port</span><span class="p">:</span> <span class="n">upstream_port</span><span class="p">,</span> <span class="p">};</span> <span class="n">peer</span><span class="py">.options.custom_l4</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">connector</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 4. Override the Host Header</span> <span class="c1">// Even though we are physically talking to 127.0.0.1, the HTTP request </span> <span class="c1">// inside the encrypted tunnel must look like it's going to the upstream.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"advanced.pingora.local"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// --- COMPONENT 3: Mock Forward Proxy (Background Task) ---</span> <span class="c1">// Simulates a corporate proxy that accepts CONNECT requests.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_mock_forward_proxy</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="s">"0.0.0.0:3128"</span><span class="p">;</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to bind Mock Proxy"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Mock Proxy listening on {}"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">client_socket</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="n">client_socket</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="n">n</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">req</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="o">..</span><span class="n">n</span><span class="p">]);</span> <span class="k">if</span> <span class="n">req</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"CONNECT"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Mock Proxy: Connecting to upstream_advanced..."</span><span class="p">);</span> <span class="c1">// In a real proxy, we would parse the requested host.</span> <span class="c1">// Here we hardcode the destination for the lab.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">mut</span> <span class="n">upstream</span><span class="p">)</span> <span class="o">=</span> <span class="nn">TcpStream</span><span class="p">::</span><span class="nf">connect</span><span class="p">(</span><span class="s">"172.28.0.22:443"</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="c1">// Reply "Success" to the client</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">client_socket</span><span class="nf">.write_all</span><span class="p">(</span><span class="s">b"HTTP/1.1 200 Connection Established</span><span class="se">\r\n\r\n</span><span class="s">"</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Enter "Blind Pipe" mode</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::</span><span class="nf">copy_bidirectional</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">client_socket</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">upstream</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Start the mock proxy in a background thread</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">move</span> <span class="p">||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_mock_forward_proxy</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">TunnelProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6166"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Pingora Tunnel Service running on 0.0.0.0:6166"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> 6. Verification </h2> <p>We will confirm that traffic is actually flowing through the proxy by observing the logs from our Mock Proxy component.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 22_proxy_connect </code></pre> </div> <h3> 2. Make the Request </h3> <p>We send a request to the Pingora listener (port 6166). We expect Pingora to transparently handle the complex tunneling.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6166/ </code></pre> </div> <h3> 3. Log Analysis </h3> <p>Observe the <code>stdout</code> of your running Rust program. You should see the following sequence of events:</p> <ol> <li> <strong><code>Connector: Dialing Proxy...</code></strong>: The <code>upstream_peer</code> hook executed, and our custom connector was invoked. It is connecting to <code>127.0.0.1:3128</code>.</li> <li> <strong><code>Mock Proxy: Connecting to upstream_advanced...</code></strong>: The background thread received the connection and the <code>CONNECT</code> header.</li> <li> <strong><code>Connector: Tunnel established!</code></strong>: The Mock Proxy replied with <code>200 OK</code>, and our connector handed the socket back to Pingora.</li> <li> <strong><code>Response from Advanced Upstream...</code></strong>: Pingora successfully performed the TLS handshake <em>inside</em> the tunnel and retrieved the response.</li> </ol> <h3> 4. Why this matters </h3> <p>If you attempted to use <code>HttpPeer::new_proxy</code> with a TCP address, you would have seen an error like <code>No such file or directory</code> (OS Error 2). This confirms that native support is lacking for TCP, and that our "Hijack" method is currently the correct way to implement TCP Tunneling in Pingora.</p> <h1> Lesson 23: WebSocket Upgrade </h1> <h2> 1. WebSockets </h2> <p>In modern real-time applications (chat apps, live sports feeds, stock tickers), the request-response model of HTTP is often insufficient. These applications rely on <strong>WebSockets</strong>, which allow for persistent, bidirectional communication between the client and the server.</p> <p>A WebSocket connection begins its life as a standard HTTP request but quickly "upgrades" into a raw TCP stream. In this lesson, we will configure Pingora to handle this upgrade process and maintain these long-lived connections.</p> <h2> 2. How the Upgrade Works </h2> <p>The WebSocket protocol (RFC 6455) uses a specific "handshake" to establish the connection:</p> <ol> <li> <strong>Client Request:</strong> The client sends an HTTP GET request with two special headers: <ul> <li><code>Connection: Upgrade</code></li> <li><code>Upgrade: websocket</code></li> </ul> </li> <li> <strong>Proxy Behavior:</strong> Pingora forwards this request to the upstream.</li> <li> <strong>Upstream Response:</strong> If the upstream accepts the upgrade, it replies with <code>101 Switching Protocols</code>.</li> <li> <strong>The Switch:</strong> Upon receiving the 101 status, both the client and the upstream (and the proxy in the middle) stop speaking HTTP. They switch to the WebSocket binary protocol over the same underlying TCP connection.</li> </ol> <h2> 3. The Critical Challenge: Timeouts </h2> <p>The most common issue when proxying WebSockets is premature disconnection.</p> <ul> <li> <strong>HTTP Mindset:</strong> HTTP proxies are designed for short bursts of activity. If a connection is idle for 60 seconds, it's usually considered dead or "stuck," and the proxy kills it to free up resources.</li> <li> <strong>WebSocket Reality:</strong> WebSockets are often idle for long periods (e.g., waiting for a chat message).</li> </ul> <p><strong>The Solution:</strong><br> When configuring the <code>HttpPeer</code> for WebSocket traffic, we must explicitly <strong>disable or extend the read/write timeouts</strong>. If we leave the defaults (e.g., 60s), Pingora will aggressively terminate perfectly healthy WebSocket connections during quiet periods.</p> <h2> 4. Setup for this Lesson </h2> <p>To demonstrate a complete WebSocket lifecycle without external dependencies, we will build a self-contained system in a single file:</p> <ol> <li> <strong>The Echo Server (Background Thread):</strong> A simple server using <code>tokio-tungstenite</code> that accepts WebSocket connections and echoes back any text it receives with a timestamp.</li> <li> <strong>The Test Client (Background Thread):</strong> A script that connects to our proxy, sends a "Ping" every second, and logs the "Pong" it receives.</li> <li> <strong>The Pingora Proxy:</strong> The intermediary that routes the traffic between them.</li> </ol> <p>This "Self-Driving" example allows you to verify the entire flow—handshake, message passing, and termination—just by watching the logs.</p> <h2> 5. The Code (<code>examples/23_websocket_upgrade.rs</code>) </h2> <p>First, ensure your <code>Cargo.toml</code> includes the necessary dependencies for handling WebSockets and time formatting.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="c"># ... previous dependencies ...</span> <span class="py">tokio-tungstenite</span> <span class="p">=</span> <span class="s">"0.28.0"</span> <span class="py">futures-util</span> <span class="p">=</span> <span class="s">"0.3.31"</span> <span class="py">chrono</span> <span class="p">=</span> <span class="s">"0.4.42"</span> </code></pre> </div> <p>The following code sets up a complete ecosystem: a Proxy, a Mock Server, and a Test Client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">sleep</span><span class="p">;</span> <span class="c1">// WebSocket Dependencies</span> <span class="k">use</span> <span class="nn">futures_util</span><span class="p">::{</span><span class="n">SinkExt</span><span class="p">,</span> <span class="n">StreamExt</span><span class="p">};</span> <span class="k">use</span> <span class="nn">tokio_tungstenite</span><span class="p">::{</span><span class="n">accept_async</span><span class="p">,</span> <span class="n">connect_async</span><span class="p">,</span> <span class="nn">tungstenite</span><span class="p">::</span><span class="nn">protocol</span><span class="p">::</span><span class="n">Message</span><span class="p">};</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">WebSocketProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">WebSocketProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Forward to the Mock Server running in the background</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">9091</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">""</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="c1">// CRITICAL: WebSocket Configuration</span> <span class="c1">// 1. read_timeout: Set to None (infinity). WebSockets are often idle.</span> <span class="c1">// If we leave the default (e.g., 60s), Pingora will kill the connection.</span> <span class="c1">// 2. connection_timeout: Standard TCP connect timeout.</span> <span class="n">peer</span><span class="py">.options.read_timeout</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="n">peer</span><span class="py">.options.write_timeout</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">5</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Pingora automatically preserves the "Connection" and "Upgrade" headers</span> <span class="c1">// required for the handshake. We log here purely for visibility.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">upgrade</span><span class="p">)</span> <span class="o">=</span> <span class="n">upstream_request</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"Upgrade"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Proxy: Detected Upgrade Header: {:?}"</span><span class="p">,</span> <span class="n">upgrade</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// --- Background Task: The Upstream Server ---</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_echo_server</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="s">"127.0.0.1:9091"</span><span class="p">;</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to bind Echo Server."</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Echo Server listening on {}"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="k">while</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">ws_stream</span> <span class="o">=</span> <span class="nf">accept_async</span><span class="p">(</span><span class="n">stream</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to accept WS"</span><span class="p">);</span> <span class="k">while</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="o">=</span> <span class="n">ws_stream</span><span class="nf">.next</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="k">let</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">msg</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Error reading message."</span><span class="p">);</span> <span class="k">if</span> <span class="n">msg</span><span class="nf">.is_text</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">text</span> <span class="o">=</span> <span class="n">msg</span><span class="nf">.to_text</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// Reply with a timestamped echo</span> <span class="k">let</span> <span class="n">response_text</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Echo [{}]: {}"</span><span class="p">,</span> <span class="nn">chrono</span><span class="p">::</span><span class="nn">Local</span><span class="p">::</span><span class="nf">now</span><span class="p">()</span><span class="nf">.format</span><span class="p">(</span><span class="s">"%H:%M:%S"</span><span class="p">),</span> <span class="n">text</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Server: Received '{}', Replying..."</span><span class="p">,</span> <span class="n">text</span><span class="p">);</span> <span class="n">ws_stream</span><span class="nf">.send</span><span class="p">(</span><span class="nn">Message</span><span class="p">::</span><span class="nf">Text</span><span class="p">(</span><span class="n">response_text</span><span class="nf">.into</span><span class="p">()))</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// --- Background Task: The Test Client ---</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_test_client</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Wait for Proxy to bind port</span> <span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">url</span> <span class="o">=</span> <span class="s">"ws://127.0.0.1:6167"</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Client: Connection to Proxy at {}"</span><span class="p">,</span> <span class="n">url</span><span class="p">);</span> <span class="k">let</span> <span class="p">(</span><span class="k">mut</span> <span class="n">ws_stream</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="o">=</span> <span class="nf">connect_async</span><span class="p">(</span><span class="n">url</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to connect to proxy."</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Client: Connected! Starting message loop..."</span><span class="p">);</span> <span class="c1">// Send 3 Pings with a 1-second delay</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">..=</span><span class="mi">3</span> <span class="p">{</span> <span class="k">let</span> <span class="n">msg</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Ping #{}"</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span> <span class="n">ws_stream</span><span class="nf">.send</span><span class="p">(</span><span class="nn">Message</span><span class="p">::</span><span class="nf">Text</span><span class="p">(</span><span class="n">msg</span><span class="nf">.into</span><span class="p">()))</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to send"</span><span class="p">);</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">resp</span><span class="p">)</span> <span class="o">=</span> <span class="n">ws_stream</span><span class="nf">.next</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="k">let</span> <span class="n">resp_msg</span> <span class="o">=</span> <span class="n">resp</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to read response"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Client: Received '{}'"</span><span class="p">,</span> <span class="n">resp_msg</span><span class="nf">.to_text</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">());</span> <span class="p">}</span> <span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Client: Test Complete. Closing connection."</span><span class="p">);</span> <span class="n">ws_stream</span><span class="nf">.close</span><span class="p">(</span><span class="nb">None</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Spawn Background Services</span> <span class="k">let</span> <span class="n">_server_handle</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_echo_server</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="n">_client_handle</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_test_client</span><span class="p">());</span> <span class="p">});</span> <span class="c1">// Start Proxy Service</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">WebSocketProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6167"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"WebSocket Proxy running on 0.0.0.0:6167"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> 6. Verification </h2> <p>This script verifies itself automatically. When you run it, you will see the logs from all three components (Client, Proxy, Server) interleaved, showing the flow of data.</p> <p><strong>1. Run the Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 23_websocket_upgrade </code></pre> </div> <p><strong>2. Analyze the Output</strong><br> You should see the following sequence:</p> <ol> <li> <strong>Setup:</strong> The Proxy and Echo Server start.</li> <li> <strong>Handshake:</strong> The Client connects (<code>ws://127.0.0.1:6167</code>). The Proxy detects the <code>Upgrade</code> header.</li> <li> <strong>Traffic:</strong> The Client sends "Ping #1". The Server receives it and replies with "Echo [Time]: Ping #1".</li> <li> <strong>Repeat:</strong> This happens 3 times over the same persistent connection.</li> </ol> <p><strong>Sample Log Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Echo Server listening on 127.0.0.1:9091 [INFO] WebSocket Proxy running on 0.0.0.0:6167 [INFO] Client: Connection to Proxy at ws://127.0.0.1:6167 [INFO] Proxy: Detected Upgrade Header: "websocket" [INFO] Client: Connected! Starting message loop... [INFO] Client: Sending 'Ping #1' [INFO] Server: Received 'Ping #1', Replying... [INFO] Client: Received 'Echo [11:00:19]: Ping #1' ... [INFO] Client: Test Complete. Closing connection. </code></pre> </div> <h1> Lesson 24: gRPC Proxy </h1> <p>gRPC is a high-performance RPC framework that runs on top of <strong>HTTP/2</strong>. Unlike standard REST APIs, gRPC relies heavily on specific HTTP/2 features:</p> <ul> <li> <strong>Binary Framing:</strong> It uses Protocol Buffers (protobufs) instead of JSON text.</li> <li> <strong>Trailers:</strong> It sends status codes (like <code>grpc-status</code>) in a separate header block <em>after</em> the response body has finished.</li> <li> <strong>Multiplexing:</strong> It allows multiple requests to be interleaved over a single TCP connection.</li> </ul> <p>To proxy gRPC traffic effectively, Pingora must be configured to establish an <strong>HTTP/2 connection</strong> to the upstream server. If the proxy falls back to HTTP/1.1, standard gRPC backends will often reject the connection immediately.</p> <h2> Key Concepts </h2> <h3> 1. ALPN (Application-Layer Protocol Negotiation) </h3> <p>When establishing a TLS connection, the client and server perform a handshake to decide which protocol to speak (e.g., "http/1.1" or "h2").</p> <ul> <li> <strong>The Problem:</strong> By default, connections might settle on HTTP/1.1 for compatibility.</li> <li> <strong>The Fix:</strong> We must explicitly configure Pingora's upstream peer to request <code>h2</code> during the TLS handshake.</li> </ul> <h3> 2. Trailers </h3> <p>In REST, an HTTP 200 OK means success. In gRPC, an HTTP 200 OK just means "I received your message." The actual success or failure is communicated in the <strong>Trailers</strong> (headers sent <em>after</em> the body). Pingora supports HTTP trailers natively, ensuring this critical status information is preserved.</p> <h3> 3. End-to-End Encryption (and Trust) </h3> <p>In previous steps, we generated a specific certificate for our gRPC container (<code>grpc.pingora.local</code>). Because we set the <code>SSL_CERT_FILE</code> environment variable in our docker-compose, Pingora automatically trusts our Root CA. This allows us to connect securely to the upstream without disabling certificate verification—a best practice for production gRPC services.</p> <h2> The Code (<code>examples/24_grpc_proxy.rs</code>) </h2> <p>In this example, we configure Pingora to target the secure port (9001) of our <code>grpcbin</code> container. The critical line is forcing the ALPN negotiation to <code>H2</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="c1">// We import ALPN from the peer module to control protocol negotiation</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::{</span><span class="n">HttpPeer</span><span class="p">,</span> <span class="n">ALPN</span><span class="p">};</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">GrpcProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">GrpcProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Target the gRPC server (Secure Port 9001)</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.23"</span><span class="p">,</span> <span class="mi">9001</span><span class="p">);</span> <span class="k">let</span> <span class="n">sni</span> <span class="o">=</span> <span class="s">"grpc.pingora.local"</span><span class="p">;</span> <span class="c1">// 1. Enable TLS</span> <span class="c1">// Pingora will use the system trust store (defined by SSL_CERT_FILE)</span> <span class="c1">// to verify the upstream's certificate.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">true</span><span class="p">,</span> <span class="n">sni</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="c1">// 2. Force HTTP/2 via ALPN</span> <span class="c1">// This is mandatory. If we negotiate HTTP/1.1, most gRPC servers will</span> <span class="c1">// close the connection or return a protocol error.</span> <span class="n">peer</span><span class="py">.options.alpn</span> <span class="o">=</span> <span class="nn">ALPN</span><span class="p">::</span><span class="n">H2</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Optional: Log when we see gRPC traffic</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">ctype</span><span class="p">)</span> <span class="o">=</span> <span class="n">upstream_request</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"content-type"</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">ctype</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="s">""</span><span class="p">)</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"application/grpc"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Proxying gRPC request..."</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">GrpcProxy</span><span class="p">);</span> <span class="c1">// We listen on TLS so we can support secure gRPC clients.</span> <span class="c1">// This allows the client to negotiate H2 with Pingora as well.</span> <span class="n">my_proxy</span><span class="nf">.add_tls</span><span class="p">(</span> <span class="s">"0.0.0.0:6168"</span><span class="p">,</span> <span class="s">"conf/keys/server.crt"</span><span class="p">,</span> <span class="s">"conf/keys/server.key"</span> <span class="p">)</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to add TLS listener"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"gRPC Proxy running on 0.0.0.0:6168"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will use <code>curl</code> to simulate a gRPC client. Since we don't have a full gRPC client (like <code>grpcurl</code>) installed in our environment, we will manually construct a compliant HTTP/2 request.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 24_grpc_proxy </code></pre> </div> <h3> 2. Send the Request </h3> <p>We target the Pingora proxy (<code>172.28.0.10:6168</code>). We must provide the Root CA so <code>curl</code> trusts Pingora's TLS certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="se">\</span> <span class="nt">--cacert</span> /keys/ca.crt <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/grpc"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"TE: trailers"</span> <span class="se">\</span> <span class="nt">-X</span> POST https://172.28.0.10:6168/grpc.health.v1.Health/Check </code></pre> </div> <h3> 3. Analyze the Output </h3> <p>You should observe the following in the <code>curl</code> output:</p> <ol> <li> <strong>Status 200 OK:</strong> <code>&lt; HTTP/1.1 200 OK</code> (or <code>HTTP/2</code>). This indicates the upstream accepted the connection.</li> <li> <strong>gRPC Headers:</strong> You will see headers like <code>Content-Type: application/grpc</code> and trailers like <code>Grpc-Status</code>.</li> <li> <strong>Logs:</strong> The proxy logs will show <code>Proxying gRPC request...</code>.</li> </ol> <p><strong>Note on Protocol Versions:</strong><br> Even if your <code>curl</code> client negotiates HTTP/1.1 with Pingora (as seen in some test environments), Pingora is actively translating that traffic and speaking <strong>HTTP/2</strong> to the upstream <code>grpcbin</code>. This confirms that Pingora is correctly acting as a gateway, bridging the protocols as defined in our configuration.</p> <h1> Lesson 25: Connection Reuse (Pooling) </h1> <p>Establishing a new TCP connection (and potentially a TLS handshake) for every single request is expensive. It adds significant latency and consumes CPU on both the proxy and the upstream.</p> <p><strong>Connection Reuse</strong> (or "Keep-Alive") allows Pingora to keep a connection to an upstream open after a request finishes, putting it into a "Pool." When a new request arrives for that same upstream, Pingora checks the pool first. If a healthy connection exists, it reuses it—skipping the handshake entirely.</p> <p>In this lesson, we will configure connection pooling and, critically, <strong>prove</strong> it works by capturing the reuse flag using Pingora's lifecycle hooks.</p> <h2> Key Concepts </h2> <h3> 1. The <code>CTX</code> (Context) Pattern </h3> <p>Since Pingora's request lifecycle is split across multiple asynchronous phases, variables don't persist automatically between them. To track whether a connection was reused, we must:</p> <ol> <li>Define a custom <code>CTX</code> struct.</li> <li>Capture the <code>reused</code> boolean in the <code>connected_to_upstream</code> hook.</li> <li>Store it in our <code>CTX</code>.</li> <li>Read it back in the <code>logging</code> hook.</li> </ol> <h3> 2. Tuning the Pool </h3> <ul> <li> <strong><code>idle_timeout</code>:</strong> How long a connection can sit in the pool doing nothing before Pingora closes it. If this is too short (e.g., 0), reuse will never happen.</li> <li> <strong><code>pool_max_idle</code></strong>: (Global setting, not shown here) Limits how many idle connections we keep per peer.</li> </ul> <h2> The Code (<code>examples/25_connection_reuse.rs</code>) </h2> <p>We define a <code>ReusingCtx</code> to hold our state, and implement the <code>connected_to_upstream</code> hook to intercept the connection event.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="n">Digest</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ReusingProxy</span><span class="p">;</span> <span class="c1">// 1. Define a Context to hold state across the request lifecycle</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ReusingCtx</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">is_reused</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">ReusingProxy</span> <span class="p">{</span> <span class="c1">// 2. Use the custom Context type</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">ReusingCtx</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">ReusingCtx</span> <span class="p">{</span> <span class="n">is_reused</span><span class="p">:</span> <span class="k">false</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Target Upstream Blue</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.20"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"blue.pingora.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="c1">// --- CONNECTION REUSE CONFIGURATION ---</span> <span class="c1">// idle_timeout: Controls how long an idle connection stays in the pool.</span> <span class="c1">// We set this to 30s. If we set this to 0, the connection would likely </span> <span class="c1">// close immediately after use, preventing reuse.</span> <span class="n">peer</span><span class="py">.options.idle_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">30</span><span class="p">));</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Intercept the connection step to capture the 'reused' flag</span> <span class="c1">// This hook runs immediately after Pingora gets a connection (either new or from pool).</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">connected_to_upstream</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">reused</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="c1">// &lt;--- The flag we want!</span> <span class="n">_peer</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">HttpPeer</span><span class="p">,</span> <span class="nd">#[cfg(unix)]</span> <span class="n">_fd</span><span class="p">:</span> <span class="nn">std</span><span class="p">::</span><span class="nn">os</span><span class="p">::</span><span class="nn">unix</span><span class="p">::</span><span class="nn">io</span><span class="p">::</span><span class="n">RawFd</span><span class="p">,</span> <span class="nd">#[cfg(windows)]</span> <span class="n">_sock</span><span class="p">:</span> <span class="nn">std</span><span class="p">::</span><span class="nn">os</span><span class="p">::</span><span class="nn">windows</span><span class="p">::</span><span class="nn">io</span><span class="p">::</span><span class="n">RawSocket</span><span class="p">,</span> <span class="n">_digest</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Digest</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="c1">// &lt;--- Our mutable context</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Store the status in our context for logging later</span> <span class="n">ctx</span><span class="py">.is_reused</span> <span class="o">=</span> <span class="n">reused</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="nn">pingora</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="c1">// &lt;--- Access the stored context</span> <span class="p">)</span> <span class="p">{</span> <span class="c1">// 4. Log the state to prove reuse happened</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Request Complete. Reused Connection: {}"</span><span class="p">,</span> <span class="n">ctx</span><span class="py">.is_reused</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">ReusingProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6169"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connection Reuse Demo running on 0.0.0.0:6169"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify reuse, we need to send requests fast enough that the previous connection hasn't timed out yet. Using <code>curl</code> with two URLs in a single command is a great way to do this.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 25_connection_reuse </code></pre> </div> <h3> 2. Send Sequential Requests </h3> <p>We ask <code>curl</code> to fetch the same URL twice in a row.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6169/ http://172.28.0.10:6169/ </code></pre> </div> <h3> 3. Analyze the Logs </h3> <p>You will see exactly how the pooling mechanism works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Request Complete. Reused Connection: false [INFO] Request Complete. Reused Connection: true </code></pre> </div> <ul> <li> <strong>Request 1 (<code>false</code>):</strong> The pool was empty. Pingora had to perform a TCP handshake with <code>172.28.0.20</code>.</li> <li> <strong>Request 2 (<code>true</code>):</strong> Pingora checked the pool, found the live connection from Request 1, and reused it immediately.</li> </ul> <p>This "0-RTT" (Zero Round Trip Time) connection setup is vital for high-performance proxies.</p> <h1> Module 4: Load Balancing </h1> <p>Up to this point, our proxy has been a <strong>1-to-1</strong> conduit. We accepted a request and forwarded it to a single, hardcoded destination (e.g., <code>172.28.0.20</code>).</p> <p>In <strong>Module 4</strong>, we graduate to <strong>1-to-N</strong> routing. We are no longer just "proxying"; we are <strong>distributing</strong> traffic. This module focuses on the <code>pingora-load-balancing</code> crate, which provides the logic to manage pools of upstream servers, ensuring high availability, scalability, and efficiency.</p> <p>We will move away from defining a single <code>HttpPeer</code> and start defining <strong>Clusters</strong> of backends. We will explore:</p> <ul> <li> <strong>Selection Algorithms:</strong> How does Pingora decide which server gets the next request? (Round Robin, Weighted, Hashing).</li> <li> <strong>Health Checking:</strong> How does Pingora automatically detect and remove dead servers from rotation <em>before</em> they cause errors?</li> <li> <strong>Session Persistence:</strong> How do we ensure a user always returns to the same backend for stateful applications?</li> <li> <strong>Dynamic Discovery:</strong> How do we update our list of backends without restarting the server?</li> </ul> <p>This is where Pingora transforms from a simple pipe into a robust Edge Gateway capable of handling production-scale traffic.</p> <h1> Lesson 26: Round Robin Load Balancing </h1> <p>In previous modules, our proxy acted as a simple pipe: one listener mapped to one upstream. In <strong>Module 4</strong>, we unlock the power of <strong>Load Balancing</strong>, transforming Pingora into a gateway that distributes traffic across a cluster of servers.</p> <p>We start with the most fundamental algorithm: <strong>Round Robin</strong>. This strategy rotates requests sequentially through the list of available backends (<code>Blue -&gt; Green -&gt; Blue -&gt; Green</code>). It is ideal for stateless services where all backends have roughly equal capacity.</p> <h2> Key Concepts </h2> <h3> 1. The <code>LoadBalancer</code> Struct </h3> <p>The <code>pingora_load_balancing::LoadBalancer&lt;S&gt;</code> struct is the "brain" of this module.</p> <ul> <li> <strong>Inventory:</strong> It holds the list of all backend servers.</li> <li> <strong>State:</strong> It tracks which servers are healthy (and eligible for traffic) and which are not.</li> <li> <strong>Strategy (<code>S</code>):</strong> It is generic over a selection algorithm. In this lesson, we specify <code>LoadBalancer&lt;RoundRobin&gt;</code>.</li> </ul> <h3> 2. The Background Service </h3> <p>Load balancing involves more than just picking a random IP. It often requires active maintenance tasks like:</p> <ul> <li>Pinging servers to check if they are alive (Health Checks).</li> <li>Querying DNS or APIs to find new servers (Service Discovery).</li> </ul> <p>To perform these tasks without blocking the main proxy thread, Pingora runs the <code>LoadBalancer</code> as a separate <strong>Background Service</strong>. Even if we provide a static list of IPs (as we do here), using this architecture from the start prepares us for dynamic features later.</p> <h2> The Code (<code>examples/26_round_robin.rs</code>) </h2> <p>This code sets up a Load Balancer with two upstreams (<code>Blue</code> and <code>Green</code>) and routes traffic between them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// 1. The Struct holding our Load Balancer state</span> <span class="c1">// We wrap it in Arc so it can be shared between the Background Service (which updates it)</span> <span class="c1">// and the Proxy Service (which reads from it).</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 2. Load Balancing Selection</span> <span class="c1">// select() takes a key (for hashing) and a max_iterations limit.</span> <span class="c1">// Since we are using RoundRobin, the key (b"") is ignored.</span> <span class="c1">// We look up to 256 times to find a healthy backend.</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Selected upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="c1">// 3. Construct the Peer</span> <span class="c1">// We use the address provided by the Load Balancer.</span> <span class="c1">// "upstream" is a generic SNI/Host since we are hitting simple echo servers.</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="c1">// No TLS for these specific echo containers</span> <span class="s">"upstream"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Just for clarity in the logs</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"round-robin-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 4. Initialize the Load Balancer</span> <span class="c1">// We create a static list. In later modules, this can be dynamic.</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="c1">// Blue</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="c1">// Green</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 5. Create the Background Service</span> <span class="c1">// This allows the LoadBalancer to run tasks (like health checks) in the background.</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"round_robin_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="c1">// Get the Arc pointer to the LB to pass to our proxy</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="c1">// 6. Create the Proxy Service</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6170"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Round Robin Load Balancer running on 0.0.0.0:6170"</span><span class="p">);</span> <span class="c1">// 7. Register both services</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 26_round_robin </code></pre> </div> <h3> 2. Observe the "Service Exited" Log </h3> <p>You might see a log line saying <code>[INFO pingora_core::server] service exited</code>.<br> <strong>Do not panic.</strong></p> <ul> <li>This refers to the <code>round_robin_lb</code> background service.</li> <li>Because we haven't configured any <strong>Health Checks</strong> or <strong>Dynamic Discovery</strong> yet, the background service realized it had no periodic work to do and exited to save resources.</li> <li>The Load Balancer state (the list of IPs) remains safely in memory, held by the Proxy Service.</li> </ul> <h3> 3. Send Traffic </h3> <p>From another terminal, send two requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://172.28.0.10:6170/ curl http://172.28.0.10:6170/ </code></pre> </div> <h3> 4. Analyze Output </h3> <p>You will see the responses alternate perfectly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'Response from BLUE' 'Response from GREEN' </code></pre> </div> <p>In the proxy logs, you will see the selection logic at work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Selected upstream: Backend { addr: Inet(172.28.0.20:8080), ... } [INFO] Selected upstream: Backend { addr: Inet(172.28.0.21:8080), ... } </code></pre> </div> <h1> Lesson 27: Weighted Load Balancing </h1> <p>In a real-world cluster, not all servers are created equal. You might have a beefy bare-metal server ("Blue") alongside a smaller virtual machine ("Green"). If you use standard Round Robin, you will overload the small server or underutilize the big one.</p> <p><strong>Weighted Load Balancing</strong> solves this by assigning a "weight" to each backend. A server with Weight 3 receives 3x more requests than a server with Weight 1.</p> <p>In this lesson, we will configure:</p> <ul> <li> <strong>Upstream Blue (172.28.0.20):</strong> Weight <strong>3</strong> (High Capacity).</li> <li> <strong>Upstream Green (172.28.0.21):</strong> Weight <strong>1</strong> (Low Capacity).</li> </ul> <h2> Key Concepts </h2> <h3> 1. The Initialization "Trap" </h3> <p>In the previous lesson, we used <code>LoadBalancer::try_from_iter(["ip1", "ip2"])</code>.</p> <ul> <li> <strong>The Problem:</strong> This convenience method takes raw strings and converts them into <code>Backend</code> objects with a <strong>default weight of 1</strong>. If we used it here, it would wipe out our custom weights.</li> <li> <strong>The Fix:</strong> We must manually create <code>Backend</code> objects using <code>Backend::new_with_weight</code>. Then, we manually build the discovery pipeline: <code>Backend</code> → <code>BTreeSet</code> → <code>Static Discovery</code> → <code>Backends</code> → <code>LoadBalancer</code>.</li> </ul> <h3> 2. The <code>RoundRobin</code> Type Alias </h3> <p>You might think we need to define our balancer as <code>LoadBalancer&lt;Weighted&lt;RoundRobin&gt;&gt;</code>.<br> <strong>Do not do this.</strong><br> In Pingora, the <code>RoundRobin</code> type you import is actually a type alias for <code>Weighted&lt;algorithms::RoundRobin&gt;</code>. It supports weights natively. If you try to wrap it manually, you will get complex compilation errors about unsatisfied trait bounds.</p> <h2> The Code (<code>examples/27_weighted_lb.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="c1">// Key Imports for Load Balancing</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="n">Backend</span><span class="p">,</span> <span class="n">Backends</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">discovery</span><span class="p">::</span><span class="n">Static</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="c1">// This alias includes Weighted logic</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">collections</span><span class="p">::</span><span class="n">BTreeSet</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// The struct wraps the LoadBalancer.</span> <span class="c1">// Note: We use 'RoundRobin' as the generic type. In Pingora, the 'RoundRobin' type alias</span> <span class="c1">// is actually defined as 'Weighted&lt;algorithms::RoundRobin&gt;', so it supports weights natively.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: b"" key is ignored by RoundRobin.</span> <span class="c1">// The balancer automatically handles the 3:1 distribution logic.</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Selected upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"weighted.upstream"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"weighted-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Create Backends with specific Weights</span> <span class="k">let</span> <span class="n">blue</span> <span class="o">=</span> <span class="nn">Backend</span><span class="p">::</span><span class="nf">new_with_weight</span><span class="p">(</span><span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">green</span> <span class="o">=</span> <span class="nn">Backend</span><span class="p">::</span><span class="nf">new_with_weight</span><span class="p">(</span><span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Construct the Upstream Set Manually</span> <span class="c1">// We CANNOT use LoadBalancer::try_from_iter() here, because that helper method</span> <span class="c1">// extracts IPs and creates *new* Backend objects with default weight (1).</span> <span class="c1">// We must pass our pre-weighted Backend objects into a Static discovery service.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">set</span> <span class="o">=</span> <span class="nn">BTreeSet</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="n">set</span><span class="nf">.insert</span><span class="p">(</span><span class="n">blue</span><span class="p">);</span> <span class="n">set</span><span class="nf">.insert</span><span class="p">(</span><span class="n">green</span><span class="p">);</span> <span class="k">let</span> <span class="n">discovery</span> <span class="o">=</span> <span class="nn">Static</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">set</span><span class="p">);</span> <span class="k">let</span> <span class="n">backends</span> <span class="o">=</span> <span class="nn">Backends</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">discovery</span><span class="p">);</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">from_backends</span><span class="p">(</span><span class="n">backends</span><span class="p">);</span> <span class="c1">// 3. Create Background Service</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"weighted_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="c1">// 4. Create Proxy Service</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6171"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Weighted Load Balancer running on 0.0.0.0:6171"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Configuration: Blue (Weight 3) vs Green (Weight 1)"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 27_weighted_lb </code></pre> </div> <h3> 2. Run the Traffic Test </h3> <p>We will run <code>curl</code> 4 times. Based on our 3:1 configuration, we expect 3 responses from Blue and 1 from Green.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s2">"for i in {1..4}; do curl -s http://172.28.0.10:6171/; echo; done"</span> </code></pre> </div> <h3> 3. Analyze Output </h3> <p>You should see a pattern similar to this (order may vary slightly, but the ratio holds):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'Response from BLUE' 'Response from BLUE' 'Response from BLUE' 'Response from GREEN' </code></pre> </div> <p>In the proxy logs, you can confirm the selection details:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Selected upstream: Backend { addr: Inet(172.28.0.20:8080), weight: 3, ... } [INFO] Selected upstream: Backend { addr: Inet(172.28.0.20:8080), weight: 3, ... } [INFO] Selected upstream: Backend { addr: Inet(172.28.0.20:8080), weight: 3, ... } [INFO] Selected upstream: Backend { addr: Inet(172.28.0.21:8080), weight: 1, ... } </code></pre> </div> <h1> Lesson 28: Consistent Hashing (Ketama) </h1> <p>In a typical load balancing setup (like Round Robin), requests are distributed evenly. However, for applications relying on <strong>local caching</strong> or <strong>user sessions</strong>, this is inefficient. If User A logs in on Server 1, but their next request goes to Server 2, they might be logged out or experience a "cold" cache.</p> <p><strong>Consistent Hashing</strong> ensures that requests with the same "Key" (e.g., URL path, User ID, or IP address) are <strong>always</strong> routed to the same upstream server.</p> <p>In this lesson, we will implement the <strong>Ketama</strong> algorithm. We will route requests based on their <strong>URL Path</strong>:</p> <ul> <li> <code>/user/123</code> → Always hits Server A.</li> <li> <code>/user/456</code> → Always hits Server B.</li> </ul> <h2> Key Concepts </h2> <h3> The Hash Ring </h3> <p>Imagine a clock face (a ring).</p> <ol> <li> <strong>Nodes:</strong> We hash our servers (Blue, Green) to specific points on this ring.</li> <li> <strong>Keys:</strong> We hash the incoming request path (e.g., <code>/user/123</code>) to a point on the ring.</li> <li> <strong>Routing:</strong> To find the correct server, we move <strong>clockwise</strong> from the request's point until we hit a server.</li> </ol> <p><strong>Why Ketama?</strong><br> It minimizes disruption. If you add or remove a server, only the keys immediately "behind" that server on the ring are reassigned. In standard modulo hashing (<code>hash % N</code>), changing <code>N</code> (the number of servers) would reshuffle nearly 100% of your traffic.</p> <h2> The Code (<code>examples/28_consistent_hashing.rs</code>) </h2> <p>We configure the <code>LoadBalancer</code> to use <code>KetamaHashing</code> as its selection strategy. The critical change happens in <code>upstream_peer</code>, where we extract the path and pass it as the hash key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="n">LoadBalancer</span><span class="p">;</span> <span class="c1">// Import the specific Ketama algorithm</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="nn">consistent</span><span class="p">::</span><span class="n">KetamaHashing</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// 1. The Struct: Wraps LoadBalancer with the KetamaHashing strategy</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">KetamaHashing</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 2. The Key: Extract the path from the request URI</span> <span class="c1">// This is what makes the routing "sticky" to the URL.</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="n">path</span><span class="nf">.as_bytes</span><span class="p">();</span> <span class="c1">// 3. Selection: Pass the path as the hash key.</span> <span class="c1">// This ensures Deterministic Routing: Same Key -&gt; Same Server.</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path '{}' hashed to upstream: {:?}"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"consistent.cluster"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"consistent-hash-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 4. Initialization: Create the pool.</span> <span class="c1">// Ketama handles distribution via the ring, so 'try_from_iter' is sufficient.</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="c1">// Blue</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="c1">// Green</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 5. Background Service: Essential for LB maintenance</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"consistent_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6172"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Consistent Hashing LB running on 0.0.0.0:6172"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Try: curl http://127.0.0.1:6172/user/123 vs /user/456"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify that the hashing is consistent, we need to show that requesting the same URL repeatedly <em>always</em> results in the same backend being chosen, but different URLs might map to different backends.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 28_consistent_hashing </code></pre> </div> <h3> 2. Run the Test Loop </h3> <p>Run the following command in your client terminal. It loops through 5 different "User IDs" (paths), hitting each one twice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s2">"for i in {1..5}; do curl -s http://172.28.0.10:6172/user/</span><span class="se">\$</span><span class="s2">i; echo; curl -s http://172.28.0.10:6172/user/</span><span class="se">\$</span><span class="s2">i; echo; echo ---; done"</span> </code></pre> </div> <h3> 3. Analyze Results </h3> <p>You will observe <strong>Sticky</strong> behavior:</p> <ul> <li> <strong>User 1:</strong> Might go to <strong>Green</strong> both times.</li> <li> <strong>User 3:</strong> Might go to <strong>Blue</strong> both times.</li> <li>Unlike Round Robin, you will never see <code>/user/1</code> go to Blue and then immediately swap to Green.</li> </ul> <p><strong>Sample Log Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Path '/user/1' hashed to upstream: Backend { addr: Inet(172.28.0.21:8080)... } [INFO] Path '/user/1' hashed to upstream: Backend { addr: Inet(172.28.0.21:8080)... } ... [INFO] Path '/user/3' hashed to upstream: Backend { addr: Inet(172.28.0.20:8080)... } [INFO] Path '/user/3' hashed to upstream: Backend { addr: Inet(172.28.0.20:8080)... } </code></pre> </div> <p>This confirms that Pingora is correctly using the path as a stable routing key.</p> <h1> Lesson 29: Sticky Sessions (Cookie-Based) </h1> <p>In the previous lesson, we used <strong>Consistent Hashing</strong> on the <em>URL Path</em>. This ensures that <code>/image.png</code> always comes from the same server, which is great for caching.</p> <p>However, for stateful applications (e.g., a shopping cart or a login session), we need <strong>User Affinity</strong>. We want User A to stay on Server Blue, regardless of whether they visit <code>/home</code>, <code>/profile</code>, or <code>/cart</code>.</p> <p>To achieve this, we combine <strong>Consistent Hashing</strong> with <strong>Cookies</strong>.</p> <h2> Key Concepts </h2> <h3> 1. The Session Cookie </h3> <p>The logic flow is:</p> <ol> <li> <strong>Incoming Request:</strong> Does it have a <code>session-id</code> cookie?</li> <li> <strong>No (New User):</strong> Generate a new ID (e.g., <code>user-100</code>), hash it to pick a server, and send a <code>Set-Cookie</code> header so the client remembers it.</li> <li> <strong>Yes (Returning User):</strong> Extract the ID, hash it (which results in the exact same server), and route the request.</li> </ol> <h3> 2. The Context (<code>CTX</code>) Bridge </h3> <p>This lesson demonstrates a critical pattern in Pingora: <strong>Sharing state between Request and Response phases.</strong></p> <ul> <li>We detect/generate the session ID in <code>upstream_peer</code> (Request Phase).</li> <li>We need to write the <code>Set-Cookie</code> header in <code>response_filter</code> (Response Phase).</li> <li>We use a custom <code>StickyCtx</code> struct to carry this data across the lifecycle.</li> </ul> <h2> The Code (<code>examples/29_sticky_sessions.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="n">LoadBalancer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="nn">consistent</span><span class="p">::</span><span class="n">KetamaHashing</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nn">atomic</span><span class="p">::{</span><span class="n">AtomicUsize</span><span class="p">,</span> <span class="n">Ordering</span><span class="p">};</span> <span class="c1">// Global counter to generate simple unique session IDs for this demo</span> <span class="k">static</span> <span class="n">SESSION_COUNTER</span><span class="p">:</span> <span class="n">AtomicUsize</span> <span class="o">=</span> <span class="nn">AtomicUsize</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="mi">100</span><span class="p">);</span> <span class="c1">// 1. Context: Holds state between the Request phase and the Response phase.</span> <span class="c1">// If we generate a new ID, we must store it here to inject the Set-Cookie header later.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">StickyCtx</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">new_session_id</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// Struct wrapping the Ketama-based Load Balancer</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">KetamaHashing</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">StickyCtx</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">StickyCtx</span> <span class="p">{</span> <span class="n">new_session_id</span><span class="p">:</span> <span class="nb">None</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">session_id</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="c1">// 2. Cookie Parsing Logic</span> <span class="c1">// We look for "Cookie: session-id=xyz".</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">cookie_val</span><span class="p">)</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"Cookie"</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cookie_str</span> <span class="o">=</span> <span class="n">cookie_val</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="s">""</span><span class="p">);</span> <span class="k">for</span> <span class="n">part</span> <span class="k">in</span> <span class="n">cookie_str</span><span class="nf">.split</span><span class="p">(</span><span class="sc">';'</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">part</span> <span class="o">=</span> <span class="n">part</span><span class="nf">.trim</span><span class="p">();</span> <span class="k">if</span> <span class="n">part</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"session-id="</span><span class="p">)</span> <span class="p">{</span> <span class="n">session_id</span> <span class="o">=</span> <span class="n">part</span><span class="nf">.trim_start_matches</span><span class="p">(</span><span class="s">"session-id="</span><span class="p">)</span><span class="nf">.to_string</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Found existing session cookie: {}"</span><span class="p">,</span> <span class="n">session_id</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 3. New Session Generation</span> <span class="c1">// If no cookie was found, create a new ID and mark it for injection.</span> <span class="k">if</span> <span class="n">session_id</span><span class="nf">.is_empty</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">new_id</span> <span class="o">=</span> <span class="n">SESSION_COUNTER</span><span class="nf">.fetch_add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nn">Ordering</span><span class="p">::</span><span class="n">Relaxed</span><span class="p">);</span> <span class="n">session_id</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"user-{}"</span><span class="p">,</span> <span class="n">new_id</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"No cookie found. Generated new session id: {}"</span><span class="p">,</span> <span class="n">session_id</span><span class="p">);</span> <span class="n">ctx</span><span class="py">.new_session_id</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">session_id</span><span class="nf">.clone</span><span class="p">());</span> <span class="p">}</span> <span class="c1">// 4. Consistent Hashing Selection</span> <span class="c1">// Crucial: Use the session_id as the hash key, NOT the request path.</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="n">session_id</span><span class="nf">.as_bytes</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Session '{}' stuck to upstream: {:?}"</span><span class="p">,</span> <span class="n">session_id</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"sticky.cluster"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 5. Response Filter</span> <span class="c1">// Injects the Set-Cookie header if we generated a new session ID.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">response_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_response</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">new_id</span><span class="p">)</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">ctx</span><span class="py">.new_session_id</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cookie_value</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"session-id={}; Path=/"</span><span class="p">,</span> <span class="n">new_id</span><span class="p">);</span> <span class="n">upstream_response</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Set-Cookie"</span><span class="p">,</span> <span class="n">cookie_value</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Injected Set-Cookie header for {}"</span><span class="p">,</span> <span class="n">new_id</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 6. Initialization</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="c1">// Blue</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="c1">// Green</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"sticky_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6173"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Sticky Session LB running on 0.0.0.0:6173"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify sticky sessions, we must act like a browser that saves cookies. We will use <code>curl</code>'s "cookie jar" feature.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 29_sticky_sessions </code></pre> </div> <h3> 2. The First Visit (New User) </h3> <p>Run this command. It saves received cookies to <code>cookies.txt</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-c</span> /cookies.txt http://172.28.0.10:6173/ </code></pre> </div> <ul> <li> <strong>Result:</strong> You will see <code>&lt; Set-Cookie: session-id=user-100; Path=/</code>.</li> <li> <strong>Routing:</strong> The logs will show "No cookie found" and routing to a specific server (e.g., Green).</li> </ul> <h3> 3. The Second Visit (Returning User) </h3> <p>Run this command. It reads cookies from <code>cookies.txt</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-b</span> /cookies.txt http://172.28.0.10:6173/ </code></pre> </div> <ul> <li> <strong>Result:</strong> You will see <code>&gt; Cookie: session-id=user-100</code>.</li> <li> <strong>Routing:</strong> The logs will show "Found existing session cookie" and routing to <strong>Green</strong> (the same server).</li> </ul> <h3> 4. The Third Visit (Different URL) </h3> <p>Try a different path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-b</span> /cookies.txt http://172.28.0.10:6173/different/path </code></pre> </div> <ul> <li> <strong>Result:</strong> Still routed to <strong>Green</strong>. The routing is now tied to the <em>User</em>, not the <em>URL</em>.</li> </ul> <h1> Lesson 30: TCP Health Checks </h1> <p>In previous lessons, our Load Balancer was "blind." If an upstream server crashed, Pingora would still try to route requests to it, resulting in errors for the client (502 Bad Gateway) until the server came back online.</p> <p><strong>Active Health Checking</strong> solves this. Pingora can actively probe your servers in the background. If a server fails to respond, it is marked "unhealthy" and removed from the rotation <em>before</em> a real user request hits it.</p> <h2> Key Concepts </h2> <h3> 1. Active vs. Passive </h3> <ul> <li> <strong>Passive Checking:</strong> The load balancer watches real traffic. If 5 requests fail in a row, it marks the server down. <em>Downside: Real users have to see errors for the system to react.</em> </li> <li> <strong>Active Checking:</strong> The load balancer opens a separate connection (probe) every second. If the probe fails, the server is marked down. <em>Upside: The system often reacts before users notice.</em> We are using this approach today.</li> </ul> <h3> 2. The <code>TcpHealthCheck</code> </h3> <p>This is a Layer 4 check. It simply tries to establish a TCP handshake.</p> <ul> <li> <strong>Success:</strong> Handshake completes.</li> <li> <strong>Failure:</strong> Connection refused or timeout.</li> </ul> <h3> 3. The Race Condition </h3> <p>There is always a tiny window between probes (e.g., 1 second) where a server could die. To handle this, we also set a short <code>connection_timeout</code> on the actual request peer. This ensures that if we <em>do</em> hit a dead server during that window, we fail fast rather than hanging for a minute.</p> <h2> The Code (<code>examples/30_health_check_tcp.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="n">LoadBalancer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">health_check</span><span class="p">::</span><span class="n">TcpHealthCheck</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: The LoadBalancer handles filtering.</span> <span class="c1">// If a backend is marked unhealthy, select() will effectively skip it.</span> <span class="c1">// If ALL backends are unhealthy, this returns None (mapped to Error).</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"All upstreams are down"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routed to upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"health-check.cluster"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="c1">// Critical: Set timeouts on the actual request peer as well.</span> <span class="c1">// If the health check hasn't caught a failure yet (race condition window),</span> <span class="c1">// we don't want the client waiting 60s.</span> <span class="n">peer</span><span class="py">.options.read_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"health-check-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Initialize Load Balancer</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="c1">// Blue</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="c1">// Green</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Configure the TCP Health Check</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hc</span> <span class="o">=</span> <span class="nn">TcpHealthCheck</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="c1">// Fail Fast: probe times out after 1s</span> <span class="n">hc</span><span class="py">.peer_template.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="c1">// Sensitivity: 1 failure marks it down, 1 success marks it up</span> <span class="n">hc</span><span class="py">.consecutive_success</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">hc</span><span class="py">.consecutive_failure</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// 3. Attach Check to LB</span> <span class="n">upstreams</span><span class="nf">.set_health_check</span><span class="p">(</span><span class="n">hc</span><span class="p">);</span> <span class="n">upstreams</span><span class="py">.health_check_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">upstreams</span><span class="py">.parallel_health_check</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="c1">// 4. Background Service (The "Heart" of the health check)</span> <span class="c1">// The health checks run inside this service.</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"health_check_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6174"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"TCP Health Check LB running on 0.0.0.0:6174"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify this, we will crash a server mid-stream and watch Pingora react.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 30_health_check_tcp </code></pre> </div> <h3> 2. Start the Traffic Loop </h3> <p>In a separate terminal, run a continuous check against the proxy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6174/<span class="p">;</span> <span class="nb">sleep </span>0.5<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p><em>Output:</em> You should see alternating <code>Response from BLUE</code> and <code>Response from GREEN</code>.</p> <h3> 3. Kill Blue </h3> <p>In a third terminal, stop the Blue container.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container stop pingora-guide-upstream_blue-1 </code></pre> </div> <h3> 4. Observe Reaction </h3> <ol> <li> <strong>Client:</strong> The output will immediately switch to <code>Response from GREEN</code> only. You might see one single error if you hit the race window, but otherwise, it's seamless.</li> <li> <strong>Logs:</strong> You will see the detection log: <code>[WARN] Backend { ... } becomes unhealthy, ConnectTimedout</code> </li> </ol> <h3> 5. Revive Blue </h3> <p>Start the container again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container start pingora-guide-upstream_blue-1 </code></pre> </div> <ul> <li> <strong>Logs:</strong> <code>[INFO] Backend { ... } becomes healthy</code> </li> <li> <strong>Client:</strong> Traffic seamlessly resumes alternating between Blue and Green.</li> </ul> <p>This confirms that Pingora is actively managing the health of your upstream pool.</p> <h1> Lesson 31: HTTP Health Checks </h1> <p>In the previous lesson, we used <strong>TCP Health Checks</strong> to verify that a server's port was open. However, "Port Open" does not mean "Application Working."</p> <p>A server can be:</p> <ul> <li> <strong>Deadlocked:</strong> The process is running and accepting TCP connections, but stuck in an infinite loop.</li> <li> <strong>Overloaded:</strong> It accepts connections but never responds.</li> <li> <strong>Broken:</strong> It returns <code>500 Internal Server Error</code> for every request.</li> </ul> <p>A TCP check will pass in all these cases. An <strong>HTTP Health Check</strong> (Layer 7) solves this by sending a real request (e.g., <code>GET /</code>) and requiring a valid <code>200 OK</code> response.</p> <h2> Key Concepts </h2> <h3> 1. Layer 4 vs. Layer 7 Checks </h3> <ul> <li> <strong>Layer 4 (TCP):</strong> "Is the phone line connected?" (Fast, cheap, catches crashes).</li> <li> <strong>Layer 7 (HTTP):</strong> "Is the person answering the phone making sense?" (Slower, more expensive, catches application bugs).</li> </ul> <h3> 2. The <code>HttpHealthCheck</code> </h3> <p>This struct performs the active probing.</p> <ul> <li> <strong>Request:</strong> <code>GET /</code> (default, but customizable).</li> <li> <strong>Validation:</strong> Requires status <code>200 OK</code> (default).</li> <li> <strong>Timeout:</strong> If the server accepts the connection but doesn't send headers back within <code>read_timeout</code>, it is marked unhealthy.</li> </ul> <h2> The Code (<code>examples/31_health_check_http.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="n">LoadBalancer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">health_check</span><span class="p">::</span><span class="n">HttpHealthCheck</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: Returns only endpoints responding 200 OK to probes</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"All upstreams are down"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routed to upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"http-health-check.cluster.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="c1">// Critical: Set timeouts on client traffic too.</span> <span class="c1">// This ensures the client doesn't hang if the server dies between probes.</span> <span class="n">peer</span><span class="py">.options.read_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"http-health-check-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Initialize Load Balancer</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 2. Configure HTTP Health Check</span> <span class="c1">// "localhost" -&gt; The Host header sent in the probe</span> <span class="c1">// false -&gt; No TLS (use HTTP)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hc</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpHealthCheck</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="k">false</span><span class="p">));</span> <span class="c1">// 3. Tuning</span> <span class="c1">// Read timeout catches the "Hang": connection established, but no data returned.</span> <span class="n">hc</span><span class="py">.peer_template.options.read_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">hc</span><span class="py">.peer_template.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">hc</span><span class="py">.consecutive_success</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">hc</span><span class="py">.consecutive_failure</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// 4. Attach Check</span> <span class="c1">// Note: HttpHealthCheck must be manually boxed here.</span> <span class="n">upstreams</span><span class="nf">.set_health_check</span><span class="p">(</span><span class="n">hc</span><span class="p">);</span> <span class="c1">// Frequency: How often to probe (every 1s)</span> <span class="n">upstreams</span><span class="py">.health_check_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">upstreams</span><span class="py">.parallel_health_check</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="c1">// 5. Background Service</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"http_health_check_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6175"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"HTTP Health Check LB running on 0.0.0.0:6175"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify the power of Layer 7 checks, we will simulate a "Frozen App."</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 31_health_check_http </code></pre> </div> <h3> 2. Start Traffic </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6175/<span class="p">;</span> <span class="nb">sleep </span>0.5<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <h3> 3. Freeze the App (Docker Pause) </h3> <p>Instead of stopping the container (which closes the port), we <code>pause</code> it. This freezes the process in memory. The TCP stack (kernel) is still alive, so <code>telnet</code> would succeed, but the app cannot respond.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container pause pingora-guide-upstream_blue-1 </code></pre> </div> <h3> 4. Observe Reaction </h3> <ul> <li> <strong>Logs:</strong> <code>[WARN] Backend ... becomes unhealthy, ReadTimedout</code>. <ul> <li>Pingora connected (TCP success), waited 1 second for headers, got nothing, and marked it dead.</li> </ul> </li> <li> <strong>Traffic:</strong> All traffic shifts to Green.</li> </ul> <h3> 5. Unfreeze </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container unpause pingora-guide-upstream_blue-1 </code></pre> </div> <p>The app wakes up, answers the next probe, and re-enters rotation.</p> <h1> Lesson 32: Custom Health Checks (Body Inspection) </h1> <p>Standard HTTP health checks have a limitation: they typically only validate the <strong>Status Code</strong>. A server might return <code>200 OK</code> but serve an error page saying "Database Connection Failed."</p> <p>To catch these "zombie" servers, we need <strong>Deep Inspection</strong>. We must read the response body and verify that it matches a specific pattern.</p> <p>In this lesson, we enforce a strict business rule:</p> <ul> <li> <strong>Rule:</strong> A server is healthy <strong>only</strong> if its response contains the string <code>"BLUE"</code>.</li> <li><strong>Scenario:</strong></li> <li> <strong>Upstream Blue:</strong> Returns "Response from BLUE" -&gt; <strong>Pass</strong>.</li> <li> <strong>Upstream Green:</strong> Returns "Response from GREEN" -&gt; <strong>Fail</strong> (even though it returns 200 OK).</li> </ul> <h2> Key Concepts </h2> <h3> 1. The <code>HealthCheck</code> Trait </h3> <p>Pingora provides built-in <code>TcpHealthCheck</code> and <code>HttpHealthCheck</code>, but for custom logic, we implement the <code>HealthCheck</code> trait ourselves. This gives us complete control. We can:</p> <ul> <li>Validate specific JSON fields.</li> <li>Check cryptographic signatures.</li> <li>Verify database connectivity.</li> </ul> <h3> 2. Manual Socket Handling </h3> <p>Because we are bypassing the standard check, we must handle the networking manually.</p> <ol> <li> <strong>Connect:</strong> Open a TCP stream to the backend.</li> <li> <strong>Write:</strong> Send a raw HTTP request bytes (<code>GET / ...</code>).</li> <li> <strong>Read:</strong> Buffer the response.</li> <li> <strong>Validate:</strong> check if the buffer contains our target string.</li> </ol> <h2> The Code (<code>examples/32_custom_health_check.rs</code>) </h2> <p>We define a struct <code>BodyMatchCheck</code> and implement the health check logic to scan the response body.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="n">Backend</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">health_check</span><span class="p">::</span><span class="n">HealthCheck</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="nn">l4</span><span class="p">::</span><span class="nn">socket</span><span class="p">::</span><span class="n">SocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpStream</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="c1">// 1. Define Custom Health Check Struct</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BodyMatchCheck</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">host</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">expected_string</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// 2. Implement the HealthCheck Trait</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">HealthCheck</span> <span class="k">for</span> <span class="n">BodyMatchCheck</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">check</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">target</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Backend</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// A. Extract Standard Socket Address</span> <span class="c1">// Pingora uses a custom SocketAddr enum (Inet/Unix). We convert it for Tokio.</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="k">match</span> <span class="o">&amp;</span><span class="n">target</span><span class="py">.addr</span> <span class="p">{</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">Inet</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="o">*</span><span class="n">addr</span><span class="p">,</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">Unix</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">InternalError</span><span class="p">,</span> <span class="s">"Custom check only supports TCP backends"</span><span class="p">));</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// B. Connect (Fail Fast Timeout)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">stream</span> <span class="o">=</span> <span class="k">match</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">timeout</span><span class="p">(</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="nn">TcpStream</span><span class="p">::</span><span class="nf">connect</span><span class="p">(</span><span class="n">addr</span><span class="p">),</span> <span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="nf">Ok</span><span class="p">(</span><span class="n">s</span><span class="p">))</span> <span class="k">=&gt;</span> <span class="n">s</span><span class="p">,</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">ConnectTimedout</span><span class="p">,</span> <span class="s">"Connection timed out"</span><span class="p">)),</span> <span class="p">};</span> <span class="c1">// C. Send Raw HTTP Request</span> <span class="k">let</span> <span class="n">request</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"GET / HTTP/1.1</span><span class="se">\r\n</span><span class="s">Host: {}</span><span class="se">\r\n</span><span class="s">Connection: close</span><span class="se">\r\n\r\n</span><span class="s">"</span><span class="p">,</span> <span class="k">self</span><span class="py">.host</span> <span class="p">);</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">request</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">WriteError</span><span class="p">,</span> <span class="n">e</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="p">}</span> <span class="c1">// D. Read Response</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buffer</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="k">match</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">timeout</span><span class="p">(</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buffer</span><span class="p">),</span> <span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="nf">Ok</span><span class="p">(</span><span class="n">n</span><span class="p">))</span> <span class="k">=&gt;</span> <span class="n">n</span><span class="p">,</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">ReadTimedout</span><span class="p">,</span> <span class="s">"Read timed out"</span><span class="p">)),</span> <span class="p">};</span> <span class="c1">// E. Validate Content</span> <span class="k">let</span> <span class="n">response_text</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buffer</span><span class="p">[</span><span class="o">..</span><span class="n">n</span><span class="p">]);</span> <span class="k">if</span> <span class="n">response_text</span><span class="nf">.contains</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="py">.expected_string</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Custom Check Failed for {:?}: Body did not contain '{}'"</span><span class="p">,</span> <span class="n">addr</span><span class="p">,</span> <span class="k">self</span><span class="py">.expected_string</span><span class="p">);</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"InvalidBody"</span><span class="p">),</span> <span class="s">"Body validation failed"</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">health_threshold</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_success</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">usize</span> <span class="p">{</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: Automatically filters out nodes failing the custom check</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"All upstreams are down"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routed to upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"custom-check.cluster.local"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"custom-check-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="c1">// Blue</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="c1">// Green</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Configure the Custom Check</span> <span class="k">let</span> <span class="n">hc</span> <span class="o">=</span> <span class="n">BodyMatchCheck</span> <span class="p">{</span> <span class="n">host</span><span class="p">:</span> <span class="s">"localhost"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">expected_string</span><span class="p">:</span> <span class="s">"BLUE"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">};</span> <span class="c1">// Attach it (Boxing required)</span> <span class="n">upstreams</span><span class="nf">.set_health_check</span><span class="p">(</span><span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">hc</span><span class="p">));</span> <span class="n">upstreams</span><span class="py">.health_check_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">upstreams</span><span class="py">.parallel_health_check</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"custom_health_check"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6176"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Custom Health Check LB running on 0.0.0.0:6176"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that <strong>Upstream Green</strong> is removed from the rotation because it fails the string match.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 32_custom_health_check </code></pre> </div> <h3> 2. Observe the Logs </h3> <p>Watch the logs immediately. You will see Pingora rejecting Green:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[WARN] Custom Check Failed for 172.28.0.21:8080: Body did not contain 'BLUE' [WARN] Backend { ... } becomes unhealthy, InvalidBody context: Body validation failed </code></pre> </div> <h3> 3. Verify Traffic </h3> <p>Run a loop against the proxy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6176/<span class="p">;</span> <span class="nb">sleep </span>0.5<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p><strong>Expected Output:</strong><br> You should see 100% Blue responses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'Response from BLUE' 'Response from BLUE' 'Response from BLUE' </code></pre> </div> <p>Green is returning <code>200 OK</code> (so a standard HTTP check would pass it), but our custom logic successfully filtered it out based on the content.</p> <h1> Lesson 33: Active-Passive Load Balancing (Failover) </h1> <p>In standard load balancing (like Round Robin), all servers are "Active." Traffic is shared among them.</p> <p><strong>Active-Passive</strong> routing is different. You have a <strong>Primary</strong> server (or pool) that handles 100% of the traffic. You also have a <strong>Backup</strong> server that sits idle, receiving zero traffic, until the Primary fails. This is common for disaster recovery setups or when the backup is a "Sorry Page" server hosted in a different region.</p> <h2> Key Concepts </h2> <h3> 1. Pool Separation </h3> <p>To achieve this in Pingora, we <strong>do not</strong> put the Backup server into the <code>LoadBalancer</code>.</p> <ul> <li>If we put both Blue and Green in the <code>LoadBalancer</code>, Pingora would try to route traffic to both (Active-Active).</li> <li>Instead, we put <strong>only Blue</strong> in the <code>LoadBalancer</code>. Green is defined manually in the code as a fallback.</li> </ul> <h3> 2. The Logic Flow </h3> <p>We rely on the return value of <code>select()</code>:</p> <ul> <li> <strong><code>Some(upstream)</code>:</strong> The Primary is healthy. Use it.</li> <li> <strong><code>None</code>:</strong> The Primary is unhealthy (the pool is empty). Execute the fallback logic to route to the Backup.</li> </ul> <h2> The Code (<code>examples/33_active_passive_lb.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="c1">// Import background service for running health checks</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="n">LoadBalancer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">health_check</span><span class="p">::</span><span class="n">TcpHealthCheck</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// 1. Attempt to select from the Primary Pool</span> <span class="k">let</span> <span class="n">selection</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span><span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">);</span> <span class="k">match</span> <span class="n">selection</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">upstream</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// HAPPY PATH: Primary is healthy</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Primary (Blue) is healthy. Routing to {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="py">.addr</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"primary.cluster.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="c1">// Important: Set timeouts to ensure we don't hang if the server dies mid-request</span> <span class="n">peer</span><span class="py">.options.read_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">peer</span><span class="py">.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// FAILURE PATH: Primary is down (Health Check removed it)</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"FAILOVER ALERT: Primary pool is empty! Switching to Backup (Green)."</span><span class="p">);</span> <span class="c1">// Manually define the Backup IP</span> <span class="k">let</span> <span class="n">backup_addr</span> <span class="o">=</span> <span class="p">(</span><span class="s">"172.28.0.21"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">backup_addr</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"backup.cluster.local"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"active-passive-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 2. Initialize Load Balancer with ONLY the Primary (Blue)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 3. Configure Aggressive Health Check (Fail Fast)</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">hc</span> <span class="o">=</span> <span class="nn">TcpHealthCheck</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="n">hc</span><span class="py">.peer_template.options.connection_timeout</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">hc</span><span class="py">.consecutive_success</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">hc</span><span class="py">.consecutive_failure</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">upstreams</span><span class="nf">.set_health_check</span><span class="p">(</span><span class="n">hc</span><span class="p">);</span> <span class="n">upstreams</span><span class="py">.health_check_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="n">upstreams</span><span class="py">.parallel_health_check</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="c1">// 4. Background Service</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"primary_pool_lb"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6177"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Active-Passive LB running on 0.0.0.0:6177"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Primary: Blue (Checked). Backup: Green (Static Fallback)."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify this, we will crash the Primary and watch the traffic automatically flow to the Backup.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 33_active_passive_lb </code></pre> </div> <h3> 2. Start the Traffic Loop </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6177/<span class="p">;</span> <span class="nb">sleep </span>1<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <ul> <li> <strong>Status:</strong> <code>Response from BLUE</code> </li> <li> <strong>Logs:</strong> <code>Primary (Blue) is healthy.</code> </li> </ul> <h3> 3. Kill the Primary (Blue) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container stop pingora-guide-upstream_blue-1 </code></pre> </div> <ul> <li> <strong>Status:</strong> <code>Response from GREEN</code> (Immediate switch).</li> <li> <strong>Logs:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [WARN] Backend ... becomes unhealthy [WARN] FAILOVER ALERT: Primary pool is empty! Switching to Backup (Green). </code></pre> </div> <h3> 4. Revive the Primary </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker container start pingora-guide-upstream_blue-1 </code></pre> </div> <ul> <li> <strong>Status:</strong> <code>Response from BLUE</code> (Automatic recovery).</li> <li> <strong>Logs:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [INFO] Backend ... becomes healthy [INFO] Primary (Blue) is healthy. </code></pre> </div> <h1> Lesson 34: Service Discovery (File-Based) </h1> <p>In all previous lessons, we hardcoded IP addresses (e.g., <code>172.28.0.20:8080</code>) directly into the Rust source code. This is fine for a lab, but in production, servers change IP addresses, scale up, or scale down constantly. Recompiling and restarting the proxy every time an IP changes is not acceptable.</p> <p><strong>Service Discovery</strong> allows Pingora to fetch the list of upstream servers from an external source (a file, an API, DNS, Consul, etc.) dynamically.</p> <p>In this lesson, we will implement <strong>File-Based Discovery</strong>:</p> <ol> <li>Pingora will read <code>conf/upstreams.txt</code>.</li> <li>It will populate the Load Balancer with the IPs found there.</li> <li>It will watch the file for changes. If you edit the file, Pingora updates its routing table <strong>instantly</strong> without a restart.</li> </ol> <h2> Key Concepts </h2> <h3> 1. The <code>ServiceDiscovery</code> Trait </h3> <p>This is the heart of dynamic routing in Pingora. It defines a single method: <code>discover()</code>.</p> <ul> <li> <strong>Input:</strong> None.</li> <li> <strong>Output:</strong> A list of <code>Backend</code> objects.</li> <li> <strong>Behavior:</strong> The Load Balancer calls this method periodically (e.g., every 1 second). If the list returned is different from the current list, the Load Balancer performs an atomic swap.</li> </ul> <h3> 2. Hot Reloading (Atomic Swaps) </h3> <p>When the discovery service returns a new list of backends, Pingora replaces the old list in memory.</p> <ul> <li> <strong>Existing connections</strong> continue to finish on the old servers.</li> <li> <strong>New requests</strong> immediately use the new list.</li> <li>This ensures <strong>Zero Downtime</strong> during configuration changes.</li> </ul> <h2> The Code (<code>examples/34_service_discovery_file.rs</code>) </h2> <p>Since Pingora provides the trait but leaves the specific implementation details flexible, we will implement a simple <code>FileDiscovery</code> struct that reads a file and parses IP addresses line-by-line.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">error</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::</span><span class="n">background_service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">Backends</span><span class="p">,</span> <span class="n">LoadBalancer</span><span class="p">,</span> <span class="n">Backend</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">discovery</span><span class="p">::</span><span class="n">ServiceDiscovery</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="c1">// We need the internal SocketAddr enum to construct Backends manually</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="nn">l4</span><span class="p">::</span><span class="nn">socket</span><span class="p">::</span><span class="n">SocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">path</span><span class="p">::</span><span class="n">PathBuf</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">collections</span><span class="p">::{</span><span class="n">BTreeSet</span><span class="p">,</span> <span class="n">HashMap</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">ToSocketAddrs</span><span class="p">;</span> <span class="k">use</span> <span class="nn">http</span><span class="p">::</span><span class="n">Extensions</span><span class="p">;</span> <span class="c1">// 1. Define Custom Discovery Struct</span> <span class="c1">// This holds the configuration path state.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">FileDiscovery</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">path</span><span class="p">:</span> <span class="n">PathBuf</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// 2. Implement the ServiceDiscovery Trait</span> <span class="c1">// This is the contract Pingora uses to pull backend updates.</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ServiceDiscovery</span> <span class="k">for</span> <span class="n">FileDiscovery</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">discover</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(</span><span class="n">BTreeSet</span><span class="o">&lt;</span><span class="n">Backend</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">HashMap</span><span class="o">&lt;</span><span class="nb">u64</span><span class="p">,</span> <span class="nb">bool</span><span class="o">&gt;</span><span class="p">)</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// A. Read the file</span> <span class="k">let</span> <span class="n">contents</span> <span class="o">=</span> <span class="k">match</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">fs</span><span class="p">::</span><span class="nf">read_to_string</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="py">.path</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">c</span><span class="p">,</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Failed to read upstream file: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="n">InternalError</span><span class="p">,</span> <span class="n">e</span><span class="nf">.to_string</span><span class="p">()))</span> <span class="p">},</span> <span class="p">};</span> <span class="c1">// B. Parse Line-by-Line</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">BTreeSet</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="k">for</span> <span class="n">line</span> <span class="k">in</span> <span class="n">contents</span><span class="nf">.lines</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="nf">.trim</span><span class="p">();</span> <span class="c1">// Skip empty lines and comments</span> <span class="k">if</span> <span class="n">line</span><span class="nf">.is_empty</span><span class="p">()</span> <span class="p">||</span> <span class="n">line</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"#"</span><span class="p">)</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// C. Resolve Address</span> <span class="c1">// Converts "1.2.3.4:80" into a SocketAddr</span> <span class="k">match</span> <span class="n">line</span><span class="nf">.to_socket_addrs</span><span class="p">()</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">mut</span> <span class="n">addrs</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="o">=</span> <span class="n">addrs</span><span class="nf">.next</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">backend</span> <span class="o">=</span> <span class="n">Backend</span> <span class="p">{</span> <span class="n">addr</span><span class="p">:</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">Inet</span><span class="p">(</span><span class="n">addr</span><span class="p">),</span> <span class="n">weight</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="n">ext</span><span class="p">:</span> <span class="nn">Extensions</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="p">};</span> <span class="n">upstreams</span><span class="nf">.insert</span><span class="p">(</span><span class="n">backend</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Failed to parse address '{}': {}"</span><span class="p">,</span> <span class="n">line</span><span class="p">,</span> <span class="n">e</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Return the new set of backends. </span> <span class="c1">// The second return value (HashMap) is for readiness/health overrides, which we leave empty.</span> <span class="nf">Ok</span><span class="p">((</span><span class="n">upstreams</span><span class="p">,</span> <span class="nn">HashMap</span><span class="p">::</span><span class="nf">new</span><span class="p">()))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: The LoadBalancer has the most recent list from the file</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routed to upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"file-discovery.cluster"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"file-discovery-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Initialize Custom Discovery</span> <span class="k">let</span> <span class="n">discovery</span> <span class="o">=</span> <span class="n">FileDiscovery</span> <span class="p">{</span> <span class="n">path</span><span class="p">:</span> <span class="nn">PathBuf</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"conf/upstreams.txt"</span><span class="p">),</span> <span class="p">};</span> <span class="c1">// 2. Setup Backends and LoadBalancer</span> <span class="c1">// We wrap our discovery struct in the Backends container</span> <span class="k">let</span> <span class="n">backends</span> <span class="o">=</span> <span class="nn">Backends</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">discovery</span><span class="p">));</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">from_backends</span><span class="p">(</span><span class="n">backends</span><span class="p">);</span> <span class="c1">// 3. Configure Update Frequency</span> <span class="c1">// Critical: This tells Pingora to call discover() every 1 second.</span> <span class="n">upstreams</span><span class="py">.update_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="c1">// 4. Background Service</span> <span class="k">let</span> <span class="n">background</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"file_discovery"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">background</span><span class="nf">.task</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6178"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"File-Based Discovery LB running on 0.0.0.0:6178"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Watching file: conf/upstreams.txt"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">background</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will start with one server, verify traffic, then edit the file on the fly to switch servers.</p> <h3> 1. Setup the Config File </h3> <p>Create a <code>conf</code> directory if it doesn't exist, and add the <strong>Blue</strong> upstream.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> conf <span class="nb">echo</span> <span class="s2">"172.28.0.20:8080"</span> <span class="o">&gt;</span> conf/upstreams.txt </code></pre> </div> <h3> 2. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 34_service_discovery_file </code></pre> </div> <h3> 3. Start Traffic (Terminal 2) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6178/<span class="p">;</span> <span class="nb">sleep </span>1<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <ul> <li> <strong>Output:</strong> <code>Response from BLUE</code> </li> <li> <strong>Logs:</strong> <code>Routed to upstream: ... 172.28.0.20:8080</code> </li> </ul> <h3> 4. Hot Reload (Terminal 3) </h3> <p>While the curl loop is running, overwrite the file with the <strong>Green</strong> upstream.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"172.28.0.21:8080"</span> <span class="o">&gt;</span> conf/upstreams.txt </code></pre> </div> <h3> 5. Observe Results </h3> <p>Within 1 second (our configured update frequency), you will see the traffic shift in the client terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'Response from BLUE' 'Response from BLUE' 'Response from GREEN' &lt;-- Automatic Switch 'Response from GREEN' </code></pre> </div> <p>And in the proxy logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Routed to upstream: Backend { addr: Inet(172.28.0.20:8080)... } [INFO] Routed to upstream: Backend { addr: Inet(172.28.0.21:8080)... } </code></pre> </div> <p>This confirms that Pingora successfully discovered the new configuration and applied it dynamically.</p> <h1> Lesson 35: Dynamic Reconfiguration (Hot-Swap API) </h1> <p>In the previous lesson, we used <strong>File-Based Discovery</strong>, where Pingora "pulled" configuration changes by watching a file. While effective, modern cloud-native environments often prefer a <strong>"Push" model</strong>.</p> <p>In this lesson, we will implement an <strong>Admin Control Plane</strong>. We will run two separate services inside our Pingora process:</p> <ol> <li> <strong>Proxy Service (Port 6179):</strong> Handles standard user traffic.</li> <li> <strong>Admin Service (Port 9090):</strong> Listens for configuration commands.</li> </ol> <p>We will share state between them using a thread-safe lock (<code>RwLock</code>). When you send a POST request to the Admin Port, it updates the memory immediately, and the Proxy Service sees the change instantly.</p> <h2> Key Concepts </h2> <h3> 1. Shared State (<code>Arc&lt;RwLock&lt;...&gt;&gt;</code>) </h3> <p>To make two independent services talk to each other, we create a shared "Source of Truth" for the upstream list.</p> <ul> <li> <strong><code>Arc</code>:</strong> Allows multiple parts of the code to own the data.</li> <li> <strong><code>RwLock</code>:</strong> Allows multiple readers (the Load Balancer) to access data simultaneously, but ensures exclusive access for the writer (the Admin API) during updates.</li> </ul> <h3> 2. The Admin Service </h3> <p>This is a <code>BackgroundService</code> that opens a TCP listener on port 9090. It parses incoming HTTP requests, extracts the new IP address from the body, and updates the shared state.</p> <h3> 3. In-Memory Discovery </h3> <p>We implement a custom <code>ServiceDiscovery</code> struct. Instead of reading a file or querying DNS, its <code>discover()</code> method simply acquires a <strong>Read Lock</strong> on the shared state and returns a copy of the current list.</p> <h2> The Code (<code>examples/35_dynamic_reconfiguration.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">error</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">ShutdownWatch</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="c1">// We import BackgroundService to run our Admin API alongside the proxy</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">background</span><span class="p">::{</span><span class="n">background_service</span><span class="p">,</span> <span class="n">BackgroundService</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">Backends</span><span class="p">,</span> <span class="n">LoadBalancer</span><span class="p">,</span> <span class="n">Backend</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">discovery</span><span class="p">::</span><span class="n">ServiceDiscovery</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::</span><span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">protocols</span><span class="p">::</span><span class="nn">l4</span><span class="p">::</span><span class="nn">socket</span><span class="p">::</span><span class="n">SocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">collections</span><span class="p">::{</span><span class="n">BTreeSet</span><span class="p">,</span> <span class="n">HashMap</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">ToSocketAddrs</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">RwLock</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">use</span> <span class="nn">http</span><span class="p">::</span><span class="n">Extensions</span><span class="p">;</span> <span class="c1">// 1. Shared State Container</span> <span class="c1">// This holds the "Source of Truth" for our upstreams.</span> <span class="c1">// - Wrapped in Arc for shared ownership across threads/tasks.</span> <span class="c1">// - Wrapped in RwLock for thread-safe access (Multiple Readers, One Writer).</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">UpstreamState</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">upstreams</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">RwLock</span><span class="o">&lt;</span><span class="n">BTreeSet</span><span class="o">&lt;</span><span class="n">Backend</span><span class="o">&gt;&gt;&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// 2. In-Memory Discovery Strategy</span> <span class="c1">// This struct implements the ServiceDiscovery trait required by the LoadBalancer.</span> <span class="c1">// Instead of reading a file, it simply locks the shared memory and returns a copy.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">InMemoryDiscovery</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">state</span><span class="p">:</span> <span class="n">UpstreamState</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ServiceDiscovery</span> <span class="k">for</span> <span class="n">InMemoryDiscovery</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">discover</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(</span><span class="n">BTreeSet</span><span class="o">&lt;</span><span class="n">Backend</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">HashMap</span><span class="o">&lt;</span><span class="nb">u64</span><span class="p">,</span> <span class="nb">bool</span><span class="o">&gt;</span><span class="p">)</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// READ LOCK: Fast and non-blocking for concurrent readers</span> <span class="k">let</span> <span class="n">guard</span> <span class="o">=</span> <span class="k">self</span><span class="py">.state.upstreams</span><span class="nf">.read</span><span class="p">()</span><span class="k">.await</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">((</span><span class="n">guard</span><span class="nf">.clone</span><span class="p">(),</span> <span class="nn">HashMap</span><span class="p">::</span><span class="nf">new</span><span class="p">()))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 3. Admin API Service</span> <span class="c1">// This runs as a generic background service. It binds to port 9090 and</span> <span class="c1">// listens for configuration updates (POST requests).</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">AdminApiService</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">state</span><span class="p">:</span> <span class="n">UpstreamState</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">BackgroundService</span> <span class="k">for</span> <span class="n">AdminApiService</span> <span class="p">{</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">shutdown</span><span class="p">:</span> <span class="n">ShutdownWatch</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"0.0.0.0:9090"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to bind Admin Port 9090"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Admin API listening on 0.0.0.0:9090"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="c1">// We use tokio::select! to handle incoming connections OR shutdown signals simultaneously.</span> <span class="nn">tokio</span><span class="p">::</span><span class="nd">select!</span> <span class="p">{</span> <span class="n">_</span> <span class="o">=</span> <span class="n">shutdown</span><span class="nf">.changed</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Admin API shutting down..."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">res</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">match</span> <span class="n">res</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">socket</span><span class="p">,</span> <span class="n">addr</span><span class="p">))</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Admin connection from {}"</span><span class="p">,</span> <span class="n">addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">state</span> <span class="o">=</span> <span class="k">self</span><span class="py">.state</span><span class="nf">.clone</span><span class="p">();</span> <span class="c1">// Spawn a new lightweight task for each connection so we don't block the listener.</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="k">match</span> <span class="n">socket</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">=&gt;</span> <span class="n">n</span><span class="p">,</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="k">return</span><span class="p">,</span> <span class="c1">// Connection closed</span> <span class="p">};</span> <span class="c1">// Basic HTTP parsing (Demonstration purposes only)</span> <span class="k">let</span> <span class="n">req_str</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="o">..</span><span class="n">n</span><span class="p">]);</span> <span class="c1">// Extract body (everything after the double newline)</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">idx</span><span class="p">)</span> <span class="o">=</span> <span class="n">req_str</span><span class="nf">.find</span><span class="p">(</span><span class="s">"</span><span class="se">\r\n\r\n</span><span class="s">"</span><span class="p">)</span> <span class="p">{</span> <span class="n">req_str</span><span class="p">[</span><span class="n">idx</span><span class="o">+</span><span class="mi">4</span><span class="o">..</span><span class="p">]</span><span class="nf">.trim</span><span class="p">()</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">req_str</span><span class="nf">.trim</span><span class="p">()</span> <span class="p">};</span> <span class="k">if</span> <span class="o">!</span><span class="n">body</span><span class="nf">.is_empty</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Parse the IP address from the body</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">mut</span> <span class="n">addrs</span><span class="p">)</span> <span class="o">=</span> <span class="n">body</span><span class="nf">.to_socket_addrs</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">new_addr</span><span class="p">)</span> <span class="o">=</span> <span class="n">addrs</span><span class="nf">.next</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// WRITE LOCK: Exclusive access to update the config</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">guard</span> <span class="o">=</span> <span class="n">state</span><span class="py">.upstreams</span><span class="nf">.write</span><span class="p">()</span><span class="k">.await</span><span class="p">;</span> <span class="n">guard</span><span class="nf">.clear</span><span class="p">();</span> <span class="n">guard</span><span class="nf">.insert</span><span class="p">(</span><span class="n">Backend</span> <span class="p">{</span> <span class="n">addr</span><span class="p">:</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">Inet</span><span class="p">(</span><span class="n">new_addr</span><span class="p">),</span> <span class="n">weight</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="n">ext</span><span class="p">:</span> <span class="nn">Extensions</span><span class="p">::</span><span class="nf">new</span><span class="p">(),</span> <span class="p">});</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Admin: Hot-swapped upstream to {}"</span><span class="p">,</span> <span class="n">new_addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">socket</span><span class="nf">.write_all</span><span class="p">(</span><span class="s">b"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="s">Content-Length: 2</span><span class="se">\r\n\r\n</span><span class="s">OK"</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">socket</span><span class="nf">.write_all</span><span class="p">(</span><span class="s">b"HTTP/1.1 400 Bad Request</span><span class="se">\r\n\r\n</span><span class="s">Invalid IP"</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Admin: Failed to parse IP: {}"</span><span class="p">,</span> <span class="n">body</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">socket</span><span class="nf">.write_all</span><span class="p">(</span><span class="s">b"HTTP/1.1 400 Bad Request</span><span class="se">\r\n\r\n</span><span class="s">Parse Error"</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Admin accept error: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">LB</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">LB</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Selection: Uses the InMemoryDiscovery logic implicitly</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Routed to upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"hot-swap.cluster"</span><span class="nf">.to_string</span><span class="p">()</span> <span class="p">));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">upstream_request</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">RequestHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">upstream_request</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Host"</span><span class="p">,</span> <span class="s">"hot-swap-cluster"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// 1. Initialize Shared State (Default: Blue)</span> <span class="k">let</span> <span class="n">initial_addr</span> <span class="o">=</span> <span class="s">"172.28.0.20:8080"</span><span class="nf">.to_socket_addrs</span><span class="p">()</span><span class="o">?</span><span class="nf">.next</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">initial_set</span> <span class="o">=</span> <span class="nn">BTreeSet</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="n">initial_set</span><span class="nf">.insert</span><span class="p">(</span><span class="n">Backend</span> <span class="p">{</span> <span class="n">addr</span><span class="p">:</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">Inet</span><span class="p">(</span><span class="n">initial_addr</span><span class="p">),</span> <span class="n">weight</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="n">ext</span><span class="p">:</span> <span class="nn">Extensions</span><span class="p">::</span><span class="nf">new</span><span class="p">(),</span> <span class="p">});</span> <span class="k">let</span> <span class="n">state</span> <span class="o">=</span> <span class="n">UpstreamState</span> <span class="p">{</span> <span class="n">upstreams</span><span class="p">:</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">RwLock</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">initial_set</span><span class="p">)),</span> <span class="p">};</span> <span class="c1">// 2. Setup Load Balancer with InMemoryDiscovery</span> <span class="c1">// Pass a clone of the state so the LB can read from it</span> <span class="k">let</span> <span class="n">discovery</span> <span class="o">=</span> <span class="n">InMemoryDiscovery</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="n">state</span><span class="nf">.clone</span><span class="p">()</span> <span class="p">};</span> <span class="k">let</span> <span class="n">backends</span> <span class="o">=</span> <span class="nn">Backends</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">discovery</span><span class="p">));</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">from_backends</span><span class="p">(</span><span class="n">backends</span><span class="p">);</span> <span class="c1">// Update Frequency: Poll the shared memory state every 500ms</span> <span class="n">upstreams</span><span class="py">.update_frequency</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_millis</span><span class="p">(</span><span class="mi">500</span><span class="p">));</span> <span class="c1">// 3. Register Services</span> <span class="c1">// A. LB Updater: Runs discover() periodically</span> <span class="k">let</span> <span class="n">lb_service</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"lb_updater"</span><span class="p">,</span> <span class="n">upstreams</span><span class="p">);</span> <span class="k">let</span> <span class="n">lb_ref</span> <span class="o">=</span> <span class="n">lb_service</span><span class="nf">.task</span><span class="p">();</span> <span class="c1">// B. Admin API: Listens on 9090 and updates state</span> <span class="k">let</span> <span class="n">admin_task</span> <span class="o">=</span> <span class="n">AdminApiService</span> <span class="p">{</span> <span class="n">state</span><span class="p">:</span> <span class="n">state</span><span class="nf">.clone</span><span class="p">()</span> <span class="p">};</span> <span class="k">let</span> <span class="n">admin_service</span> <span class="o">=</span> <span class="nf">background_service</span><span class="p">(</span><span class="s">"admin_api"</span><span class="p">,</span> <span class="n">admin_task</span><span class="p">);</span> <span class="c1">// C. Proxy: Listens on 6179 and serves traffic</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">LB</span><span class="p">(</span><span class="n">lb_ref</span><span class="p">));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6179"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Hot-Swap Proxy running on 0.0.0.0:6179"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Admin API running on 0.0.0.0:9090"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">lb_service</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">admin_service</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>This verification requires us to act as both the <strong>End User</strong> (calling the proxy) and the <strong>System Admin</strong> (calling the admin port).</p> <h3> 1. Start the Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 35_dynamic_reconfiguration </code></pre> </div> <ul> <li> <strong>Logs:</strong> <code>Admin API listening on 0.0.0.0:9090</code> and <code>Hot-Swap Proxy running on 0.0.0.0:6179</code>.</li> </ul> <h3> 2. Generate Traffic (Terminal 2) </h3> <p>The client will hit the proxy continuously.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6179/<span class="p">;</span> <span class="nb">sleep </span>1<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <ul> <li> <strong>Output:</strong> <code>Response from BLUE</code> </li> <li> <strong>Logs:</strong> <code>Routed to upstream: ... 172.28.0.20:8080</code> </li> </ul> <h3> 3. Perform Hot-Swap (Terminal 1 or 3) </h3> <p>We will now use <code>curl</code> to send a POST request to the Admin API.<br> <strong>Important:</strong> This command must be run <strong>from the developer container</strong> (where the server is running on localhost:9090), not from the client container.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># -d sends the new IP in the body</span> curl <span class="nt">-v</span> <span class="nt">-d</span> <span class="s2">"172.28.0.21:8080"</span> http://127.0.0.1:9090/ </code></pre> </div> <h3> 4. Observe Results </h3> <ul> <li> <strong>Admin Logs:</strong> <code>Admin: Hot-swapped upstream to 172.28.0.21:8080</code> </li> <li> <strong>Traffic Output:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'Response from BLUE' 'Response from GREEN' &lt;-- Instant switch 'Response from GREEN' </code></pre> </div> <p>You have successfully built a control plane that allows you to reconfigure Pingora's routing logic in real-time without restarting the process.</p> <h1> Module 5: Traffic Control &amp; Security </h1> <p>We have built a proxy that routes, balances, and heals itself. But a production system must also <strong>protect</strong> itself.</p> <p>A proxy is the gateway to your infrastructure. If it allows every request through unchecked, your backend services will be overwhelmed by traffic spikes, abusive bots, or malicious attackers.</p> <p>In <strong>Module 5</strong>, we will implement the defensive layer of Pingora using the <code>pingora-limits</code> crate and custom filters. We will explore:</p> <ul> <li> <strong>Rate Limiting:</strong> How to cap the number of requests a user can send per second (Fixed &amp; Sliding Windows).</li> <li> <strong>Concurrency Control:</strong> How to limit the number of active connections to a fragile backend to prevent it from crashing under load.</li> <li> <strong>Security Filtering:</strong> How to block IPs at the TCP level and reject requests that are too large.</li> <li> <strong>Authentication:</strong> How to validate Bearer tokens and Basic Auth headers <em>at the edge</em>, offloading this work from your microservices.</li> </ul> <p>By the end of this module, your proxy will not just be a router; it will be a shield.</p> <h1> Lesson 36: Basic Rate Limiting (Fixed Window) </h1> <p>A proxy isn't just a router; it's a bouncer. Without limits, a single abusive client or a buggy script can overwhelm your backend services.</p> <p>In this lesson, we implement a <strong>Fixed Window Rate Limiter</strong>.</p> <ul> <li> <strong>The Rule:</strong> A client IP can send max <strong>5 requests</strong> in a <strong>1-second window</strong>.</li> <li> <strong>The Consequence:</strong> If they exceed this, the proxy rejects them immediately with <code>429 Too Many Requests</code>. The request never touches the upstream server.</li> </ul> <h2> Key Concepts </h2> <h3> 1. The <code>request_filter</code> Hook </h3> <p>Up until now, we have mostly focused on <code>upstream_peer</code>. However, for security logic, we need to intervene <em>before</em> we even select a server.<br> The <code>request_filter</code> method in the <code>ProxyHttp</code> trait allows us to inspect the request and make a go/no-go decision.</p> <ul> <li> <strong>Return <code>Ok(false)</code>:</strong> "Everything looks good, proceed to upstream."</li> <li> <strong>Return <code>Ok(true)</code>:</strong> "Stop here. I have handled the response (e.g., sent an error)."</li> </ul> <h3> 2. The <code>pingora-limits</code> Crate </h3> <p>Pingora provides a high-performance counting library called <code>pingora-limits</code>. It uses a "double-buffered" window implementation suitable for high-concurrency environments.</p> <ul> <li> <strong><code>Rate</code> Struct:</strong> The central counter.</li> <li> <strong><code>observe(key, count)</code>:</strong> Increments the counter for a specific key (IP address) and returns the <em>current</em> total for the active window.</li> </ul> <h2> The Code (<code>examples/36_basic_rate_limit.rs</code>) </h2> <p>This code initializes a global rate limiter and checks every request's IP address against it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::</span><span class="n">Server</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="c1">// Import the specific Rate struct from the limits crate</span> <span class="k">use</span> <span class="nn">pingora_limits</span><span class="p">::</span><span class="nn">rate</span><span class="p">::</span><span class="n">Rate</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="c1">// 1. Global Rate Limiter State</span> <span class="c1">// We use `Lazy` to initialize the rate limiter globally.</span> <span class="c1">// The `Rate` struct manages the sliding windows internally.</span> <span class="c1">// We set the window duration to 1 second.</span> <span class="k">static</span> <span class="n">RATE_LIMITER</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">Rate</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(||</span> <span class="p">{</span> <span class="nn">Rate</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">});</span> <span class="c1">// The Threshold: 5 requests per second per IP</span> <span class="k">const</span> <span class="n">MAX_REQ_PER_SEC</span><span class="p">:</span> <span class="nb">isize</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">RateLimiterProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">RateLimiterProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 2. The Upstream Selection (Standard Round Robin)</span> <span class="c1">// This only runs if request_filter returns Ok(false).</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Selected upstream: {:?}"</span><span class="p">,</span> <span class="n">upstream</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"rate-limited.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. The Security Filter (The Core Logic)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// IP Extraction Logic:</span> <span class="c1">// Pingora's SocketAddr is an enum (Inet or Unix). We expect TCP connections here.</span> <span class="c1">// We unwrap the Inet variant to get a hashable IP address.</span> <span class="k">let</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="k">match</span> <span class="n">session</span><span class="nf">.client_addr</span><span class="p">()</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">addr</span><span class="nf">.as_inet</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">()</span><span class="nf">.ip</span><span class="p">(),</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Could not determine client IP, allowing request."</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 4. Observe and Check</span> <span class="c1">// .observe() increments the counter for this IP and returns the *current* total.</span> <span class="k">let</span> <span class="n">curr_req_count</span> <span class="o">=</span> <span class="n">RATE_LIMITER</span><span class="nf">.observe</span><span class="p">(</span><span class="o">&amp;</span><span class="n">client_ip</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// 5. Enforcement</span> <span class="k">if</span> <span class="n">curr_req_count</span> <span class="o">&gt;</span> <span class="n">MAX_REQ_PER_SEC</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Rate Limit Exceeded for {}: {} req/s"</span><span class="p">,</span> <span class="n">client_ip</span><span class="p">,</span> <span class="n">curr_req_count</span><span class="p">);</span> <span class="c1">// Return standard HTTP 429 response</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">429</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Critical: Return `true` to tell Pingora to STOP processing this request.</span> <span class="c1">// The request will NOT be forwarded to the upstream_peer.</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Return `false` to continue normal processing</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Standard Load Balancer setup (Blue/Green)</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">RateLimiterProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6180"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Rate Limiter Proxy running on 0.0.0.0:6180"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Limit: {} requests per second per IP"</span><span class="p">,</span> <span class="n">MAX_REQ_PER_SEC</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will confirm that the first 5 requests pass, and subsequent requests fail immediately.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 36_basic_rate_limit </code></pre> </div> <h3> 2. Burst Traffic Test </h3> <p>Run this loop in your client terminal to fire 10 requests rapidly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s1">'for i in {1..10}; do curl -s -o /dev/null -w "%{http_code}\n" http://172.28.0.10:6180/; done'</span> </code></pre> </div> <h3> 3. Analyze Output </h3> <p>You will see a clean cutoff:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>200 &lt;- 1 (Allowed) 200 &lt;- 2 (Allowed) 200 &lt;- 3 (Allowed) 200 &lt;- 4 (Allowed) 200 &lt;- 5 (Allowed, bucket full) 429 &lt;- 6 (Blocked) 429 &lt;- 7 (Blocked) 429 &lt;- 8 (Blocked) 429 &lt;- 9 (Blocked) 429 &lt;- 10 (Blocked) </code></pre> </div> <h3> 4. Check Proxy Logs </h3> <p>The server logs confirm the interception logic works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[WARN] Rate Limit Exceeded for 172.28.0.30: 6 req/s [WARN] Rate Limit Exceeded for 172.28.0.30: 7 req/s ... </code></pre> </div> <p>Notice there are <strong>no</strong> <code>Selected upstream</code> logs for requests 6–10. The <code>request_filter</code> successfully short-circuited the pipeline.</p> <h1> Lesson 37: Sliding Window Rate Limiting </h1> <p>The <strong>Fixed Window</strong> approach (Lesson 36) has a flaw known as the "boundary burst." If the window resets at 1.0s, a user could send 5 requests at 0.9s and 5 requests at 1.1s. In a 0.2s span, they sent 10 requests, effectively doubling the allowed rate, yet the limiter sees two separate valid windows.</p> <p>To solve this, we use a <strong>Sliding Window</strong> (smoothed) limiter. This algorithm calculates the request rate as a weighted average over time, preventing boundary gaming and allowing for more "elastic" traffic handling.</p> <h2> Key Concepts </h2> <h3> 1. <code>observe()</code> vs <code>rate()</code> </h3> <p>When using Pingora's <code>pingora_limits::rate::Rate</code>:</p> <ul> <li> <strong><code>observe(key, count)</code>:</strong> This acts as the "writer." It increments the counter for the current time bucket. You <strong>must</strong> call this for every request.</li> <li> <strong><code>rate(key)</code>:</strong> This acts as the "reader." It returns an <code>f64</code> representing the smoothed requests per second. It looks at both the current bucket and the previous bucket to interpolate the actual velocity of traffic.</li> </ul> <h3> 2. The Logic Flow </h3> <ol> <li><strong>Request arrives.</strong></li> <li> <strong>Increment:</strong> <code>observe(&amp;ip, 1)</code> (Record the event).</li> <li> <strong>Calculate:</strong> <code>rate(&amp;ip)</code> (Check the speed).</li> <li> <strong>Decide:</strong> If <code>rate &gt; 5.0</code>, block.</li> </ol> <h2> The Code (<code>examples/37_sliding_window.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_limits</span><span class="p">::</span><span class="nn">rate</span><span class="p">::</span><span class="n">Rate</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="c1">// 1. Global Rate Limiter State</span> <span class="c1">// The Rate struct manages the sliding window logic (Red/Blue slots) internally.</span> <span class="c1">// A 1-second window allows us to calculate "Requests Per Second".</span> <span class="k">static</span> <span class="n">RATE_LIMITER</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">Rate</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(||</span> <span class="p">{</span> <span class="nn">Rate</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">});</span> <span class="c1">// Threshold: 5.0 requests per second (Smoothed)</span> <span class="k">const</span> <span class="n">MAX_REQ_PER_SEC</span><span class="p">:</span> <span class="nb">f64</span> <span class="o">=</span> <span class="mf">5.0</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">SlidingWindowProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">SlidingWindowProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 2. The Security Filter</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// IP Extraction Logic (Unwrap Inet address)</span> <span class="k">let</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="k">match</span> <span class="n">session</span><span class="nf">.client_addr</span><span class="p">()</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">addr</span><span class="nf">.as_inet</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">()</span><span class="nf">.ip</span><span class="p">(),</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Could not determine client IP, allowing request."</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 3. Observe </span> <span class="c1">// Vital: We must increment the counter first.</span> <span class="c1">// .observe() returns the raw count (isize), but we ignore it here.</span> <span class="n">RATE_LIMITER</span><span class="nf">.observe</span><span class="p">(</span><span class="o">&amp;</span><span class="n">client_ip</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// 4. Check Rate</span> <span class="c1">// .rate() returns the smoothed requests per second as an f64.</span> <span class="c1">// This handles the interpolation between previous and current windows.</span> <span class="k">let</span> <span class="n">current_rate</span> <span class="o">=</span> <span class="n">RATE_LIMITER</span><span class="nf">.rate</span><span class="p">(</span><span class="o">&amp;</span><span class="n">client_ip</span><span class="p">);</span> <span class="c1">// 5. Enforcement</span> <span class="k">if</span> <span class="n">current_rate</span> <span class="o">&gt;</span> <span class="n">MAX_REQ_PER_SEC</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Rate Limit Exceeded for {}: {:.2} req/s (Limit: {:.1})"</span><span class="p">,</span> <span class="n">client_ip</span><span class="p">,</span> <span class="n">current_rate</span><span class="p">,</span> <span class="n">MAX_REQ_PER_SEC</span><span class="p">);</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">429</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">// Short-circuit</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"sliding-window.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">SlidingWindowProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6181"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Sliding Window Rate Limiter running on 0.0.0.0:6181"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Limit: {:.1} requests per second (Smoothed)"</span><span class="p">,</span> <span class="n">MAX_REQ_PER_SEC</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify the "smoothing" effect, we will run two tests: one exactly at the limit, and one slightly over.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 37_sliding_window </code></pre> </div> <h3> 2. Test A: Respecting the Limit (0.2s interval) </h3> <p>Requests sent every 0.20s equal exactly 5 req/s. The smoothed limiter should allow this indefinitely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s1">'for i in {1..15}; do curl -s -o /dev/null -w "%{http_code}\n" http://172.28.0.10:6181/; sleep 0.20; done'</span> </code></pre> </div> <ul> <li> <strong>Result:</strong> 15 <code>200 OK</code> responses.</li> </ul> <h3> 3. Test B: Overload (0.15s interval) </h3> <p>Requests sent every 0.15s equal ~6.6 req/s.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s1">'for i in {1..15}; do curl -s -o /dev/null -w "%{http_code}\n" http://172.28.0.10:6181/; sleep 0.15; done'</span> </code></pre> </div> <ul> <li> <strong>Result:</strong> The first ~7 requests pass (burst allowance), but then the moving average crosses 5.0, and the rest return <code>429</code>.</li> <li> <strong>Logs:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[WARN] Rate Limit Exceeded for 172.28.0.30: 7.00 req/s (Limit: 5.0) </code></pre> </div> <p>This confirms the limiter is successfully calculating velocity rather than just counting bucket hits.</p> <h1> Lesson 38: In-flight Concurrency Limiting </h1> <p><strong>Rate Limiting</strong> (Lessons 36-37) controls <em>how often</em> a user can knock on your door.<br> <strong>In-flight Limiting</strong> controls <em>how many</em> people can be inside the house at once.</p> <p>This distinction is vital. A heavy API endpoint (e.g., "Generate PDF Report") might take 5 seconds to process. Even if a user only sends 1 request every 5 seconds (low rate), if 100 users do it simultaneously, you have 100 active threads, which could crash your database.</p> <p>In this lesson, we implement a <strong>Concurrency Limiter</strong>.</p> <ul> <li> <strong>Rule:</strong> Max <strong>2 simultaneous requests</strong> allowed globally.</li> <li> <strong>Result:</strong> The 3rd simultaneous request gets rejected immediately with <code>429 Too Many Requests</code>.</li> </ul> <h2> Key Concepts </h2> <h3> 1. The <code>Inflight</code> Struct and <code>Guard</code> </h3> <p>The <code>pingora-limits</code> crate uses a semaphore-like pattern.</p> <ul> <li> <code>incr(key)</code>: Increments the counter and returns a <code>Guard</code>.</li> <li> <code>Guard</code>: This is a "ticket." As long as this object exists in memory, the "slot" is occupied.</li> <li> <strong>Automatic Cleanup:</strong> When the <code>Guard</code> is dropped (goes out of scope), the counter is automatically decremented.</li> </ul> <h3> 2. The Context (<code>CTX</code>) Bridge </h3> <p>Since a request takes time to complete, we need to hold onto the <code>Guard</code> from the beginning of the request until the end.<br> We define a custom Context struct (<code>InflightCtx</code>) to store this guard.</p> <ul> <li> <strong>Request Start (<code>request_filter</code>):</strong> We acquire the guard and move it into <code>ctx.guard</code>.</li> <li> <strong>Request End:</strong> Pingora drops the <code>ctx</code>, which drops the <code>guard</code>, which frees the slot.</li> </ul> <h2> The Code (<code>examples/38_inflight_limit.rs</code>) </h2> <p>We intentionally add a <strong>2-second sleep</strong> in <code>upstream_peer</code> to simulate a slow backend. This ensures requests overlap in time so we can verify the limit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_limits</span><span class="p">::</span><span class="nn">inflight</span><span class="p">::{</span><span class="n">Inflight</span><span class="p">,</span> <span class="n">Guard</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="c1">// 1. Global In-flight Limiter State</span> <span class="c1">// Counts active connections. Does not rely on time windows.</span> <span class="k">static</span> <span class="n">INFLIGHT_LIMITER</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">Inflight</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(||</span> <span class="nn">Inflight</span><span class="p">::</span><span class="nf">new</span><span class="p">());</span> <span class="c1">// Limit: Max 2 simultaneous requests</span> <span class="k">const</span> <span class="n">MAX_CONCURRENT_REQ</span><span class="p">:</span> <span class="nb">isize</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">// 2. The Context</span> <span class="c1">// This struct holds the "ticket" (Guard) for the duration of the request.</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">InflightCtx</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">guard</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Guard</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">InflightLimitProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">InflightLimitProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">InflightCtx</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">InflightCtx</span> <span class="p">{</span> <span class="n">guard</span><span class="p">:</span> <span class="nb">None</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 3. The Security Filter</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Define the scope of the limit (Global vs Per-IP)</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"global_limit"</span><span class="p">;</span> <span class="c1">// Increment the counter. Returns the guard and the *new* count.</span> <span class="k">let</span> <span class="p">(</span><span class="n">guard</span><span class="p">,</span> <span class="n">count</span><span class="p">)</span> <span class="o">=</span> <span class="n">INFLIGHT_LIMITER</span><span class="nf">.incr</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// 4. Check Limit</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="n">MAX_CONCURRENT_REQ</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"In-flight Limit Exceeded {}/{}"</span><span class="p">,</span> <span class="n">count</span><span class="p">,</span> <span class="n">MAX_CONCURRENT_REQ</span><span class="p">);</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">429</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// CRITICAL: We do NOT put the guard into 'ctx'.</span> <span class="c1">// When this function returns, 'guard' goes out of scope here.</span> <span class="c1">// Rust calls drop(guard), which decrements the counter immediately.</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 5. Acquire Slot</span> <span class="c1">// Move the guard into the context. It will stay there until the </span> <span class="c1">// request completes (success or failure).</span> <span class="n">ctx</span><span class="py">.guard</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">guard</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// SIMULATION: Artificial 2s delay.</span> <span class="c1">// This forces requests to overlap in time, triggering the concurrency limit.</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"inflight.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">InflightLimitProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6182"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"In-flight Limiter running on 0.0.0.0:6182"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Max Concurrent Requests: {}"</span><span class="p">,</span> <span class="n">MAX_CONCURRENT_REQ</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Note: Upstream connection has artificial 2s delay to simulate load."</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>To verify this, we need to send requests faster than the server can finish them (which is easy, because the server takes 2 seconds).</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 38_inflight_limit </code></pre> </div> <h3> 2. Run Parallel Requests </h3> <p>We use a bash loop to fire 5 requests simultaneously into the background (<code>&amp;</code>) and then wait for them all to finish.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 bash <span class="nt">-c</span> <span class="s1">'for i in {1..5}; do curl -s -o /dev/null -w "%{http_code}\n" http://172.28.0.10:6182/ &amp; done; wait'</span> </code></pre> </div> <h3> 3. Analyze Output </h3> <p>You should see a mix of <code>200</code> and <code>429</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>429 429 429 200 200 </code></pre> </div> <ul> <li> <strong>200s:</strong> Two requests grabbed the slots and slept for 2 seconds.</li> <li> <strong>429s:</strong> Three requests arrived, saw the limit <code>3/2</code> (or <code>4/2</code>, <code>5/2</code>), and were rejected instantly.</li> </ul> <h3> 4. Check Logs </h3> <p>The logs confirm the rejection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[WARN] In-flight Limit Exceeded 3/2 [WARN] In-flight Limit Exceeded 3/2 [WARN] In-flight Limit Exceeded 3/2 </code></pre> </div> <p>This proves the proxy is actively protecting your backend from concurrency overload.</p> <h1> Lesson 39: IP Filtering (Access Control) </h1> <p>In network security, one of the most basic but effective defenses is the Access Control List (ACL). You simply maintain a list of who is allowed in and who is not.</p> <p>While specialized firewalls (like <code>iptables</code> or AWS Security Groups) often handle this, doing it at the proxy level gives you finer control. You can log the attempts, return custom error pages, or dynamically update the blocklist without touching the OS kernel.</p> <p>In this lesson, we implement a simple <strong>IP Blocklist</strong>:</p> <ul> <li> <strong>Client 1 (<code>172.28.0.30</code>):</strong> Allowed.</li> <li> <strong>Client 2 (<code>172.28.0.31</code>):</strong> Blocked.</li> </ul> <h2> Key Concepts </h2> <h3> 1. <code>request_filter</code> vs. <code>ConnectionFilter</code> </h3> <ul> <li> <strong><code>request_filter</code> (Layer 7):</strong> This runs after the TCP handshake and TLS termination. We have access to the full HTTP request.</li> <li> <em>Pros:</em> Can return a polite <code>403 Forbidden</code> HTML page. Can log detailed metadata (User-Agent, Path).</li> <li> <em>Cons:</em> Slightly more resource-intensive as we parse the request first.</li> <li><p><em>Usage:</em> We use this today.</p></li> <li><p><strong><code>ConnectionFilter</code> (Layer 4):</strong> This runs during the TCP handshake.</p></li> <li><p><em>Pros:</em> extremely fast. Drops the packet instantly.</p></li> <li><p><em>Cons:</em> The user sees a "Connection Reset" error, not a helpful HTTP message.</p></li> <li><p><em>Note:</em> While effective, the Layer 4 API in Pingora is advanced/experimental, so we will focus on Layer 7 filtering which is the standard for application proxies.</p></li> </ul> <h3> 2. Implementation Logic </h3> <ol> <li> <strong>Extract IP:</strong> Get the IP from the session.</li> <li> <strong>Match:</strong> Check against our "Bad Actor" list.</li> <li> <strong>Reject:</strong> If matched, send <code>403</code> and return <code>Ok(true)</code> to stop processing.</li> </ol> <h2> The Code (<code>examples/39_connection_filter.rs</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">FirewallProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">FirewallProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 1. The Access Control Logic</span> <span class="c1">// This hook runs immediately after the request headers are parsed.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Extract Client IP</span> <span class="c1">// We unwrap the Inet address to get a comparable IP object.</span> <span class="k">let</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="k">match</span> <span class="n">session</span><span class="nf">.client_addr</span><span class="p">()</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="n">addr</span><span class="nf">.as_inet</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">()</span><span class="nf">.ip</span><span class="p">(),</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Unknown client address, allowing..."</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 2. Define Blocklist</span> <span class="c1">// In a production scenario, this would likely be an optimized</span> <span class="c1">// Set (HashSet) or an IP CIDR matcher (IpNet).</span> <span class="k">let</span> <span class="n">bad_actor_ip</span> <span class="o">=</span> <span class="s">"172.28.0.31"</span><span class="py">.parse</span><span class="p">::</span><span class="o">&lt;</span><span class="nn">std</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">IpAddr</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// 3. Check and Block</span> <span class="k">if</span> <span class="n">client_ip</span> <span class="o">==</span> <span class="n">bad_actor_ip</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Access Denied for IP: {}"</span><span class="p">,</span> <span class="n">client_ip</span><span class="p">);</span> <span class="c1">// Return 403 Forbidden</span> <span class="c1">// This sends a standard error page to the client.</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">403</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Short-circuit: Return `true` to signal that the request </span> <span class="c1">// has been fully handled and should NOT proceed to the upstream.</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Allow legitimate traffic</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"firewall.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">FirewallProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6183"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Firewall Proxy running on 0.0.0.0:6183"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Blocking Bad Actor: 172.28.0.31"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will confirm that Client 1 is allowed and Client 2 is blocked.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 39_connection_filter </code></pre> </div> <h3> 2. Test Client 1 (Allowed) </h3> <p>Run this command from your host machine (assuming the docker setup):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6183/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>HTTP/1.1 200 OK</code> </li> <li> <strong>Log:</strong> No warnings. Normal routing.</li> </ul> <h3> 3. Test Client 2 (Blocked) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> pingora_client_2 curl <span class="nt">-v</span> http://172.28.0.10:6183/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>HTTP/1.1 403 Forbidden</code> </li> <li> <strong>Log:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> [WARN] Access Denied for IP: 172.28.0.31 </code></pre> </div> <p>This confirms the IP filter is actively protecting your service.</p> <h1> Lesson 40: Request Size Limiting </h1> <p>Handling large file uploads is resource-intensive. If a client starts uploading a 10GB video to an endpoint meant for 1KB JSON payloads, your server waits, buffers, and eventually crashes or runs out of bandwidth.</p> <p>Pingora allows us to enforce limits at the edge. While <code>pingora-web</code> (the higher-level framework) has global settings for this, implementing it manually in <code>pingora-proxy</code> gives us fine-grained control—for example, allowing 500MB on <code>/upload</code> but only 2KB on <code>/login</code>.</p> <p>In this lesson, we implement a <strong>Dual-Layer Defense</strong>:</p> <ol> <li> <strong>Fast Path:</strong> Check the <code>Content-Length</code> header. If it says "1GB", reject immediately.</li> <li> <strong>Slow Path:</strong> If the client lies or uses <code>Transfer-Encoding: chunked</code> (no total size declared), we count the bytes as they stream in and cut the connection if they exceed the limit.</li> </ol> <h2> Key Concepts </h2> <h3> 1. <code>request_body_filter</code> </h3> <p>This is a new hook in the <code>ProxyHttp</code> trait. It runs <em>for every chunk</em> of data received from the client.</p> <ul> <li> <strong>Input:</strong> <code>body: &amp;mut Option&lt;Bytes&gt;</code>.</li> <li> <strong>Action:</strong> We inspect the size, increment a counter in our <code>CTX</code>, and decide whether to allow it or return an error.</li> </ul> <h3> 2. <code>fail_to_proxy</code> </h3> <p>If <code>request_body_filter</code> returns an error, Pingora aborts the upstream connection. However, by default, it might just close the socket or send a 502. To send a proper <code>413 Payload Too Large</code> to the client, we must implement the <code>fail_to_proxy</code> hook to catch our specific error and format the response.</p> <h2> The Code (<code>examples/40_request_size_limit.rs</code>) </h2> <p>We set an artificially low limit of <strong>100 bytes</strong> to make testing easy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="nn">bytes</span><span class="p">::</span><span class="n">Bytes</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">proxy</span><span class="p">::</span><span class="n">FailToProxy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">CONTENT_LENGTH</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// Max 100 bytes (Artificially low for testing)</span> <span class="k">const</span> <span class="n">MAX_BODY_SIZE</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span> <span class="c1">// 1. Context to track streaming body size</span> <span class="c1">// This persists across multiple calls to request_body_filter</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SizeCtx</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">bytes_read</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">SizeLimitProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">SizeLimitProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">SizeCtx</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">SizeCtx</span> <span class="p">{</span> <span class="n">bytes_read</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 2. Filter 1: Check Content-Length Header</span> <span class="c1">// This catches large requests EARLY, before we accept the body payload.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="n">CONTENT_LENGTH</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">len_str</span><span class="p">)</span> <span class="o">=</span> <span class="n">value</span><span class="nf">.to_str</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">len</span><span class="p">)</span> <span class="o">=</span> <span class="n">len_str</span><span class="py">.parse</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">usize</span><span class="o">&gt;</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">len</span> <span class="o">&gt;</span> <span class="n">MAX_BODY_SIZE</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Rejecting request by Header: Content-Length: {} &gt; {}"</span><span class="p">,</span> <span class="n">len</span><span class="p">,</span> <span class="n">MAX_BODY_SIZE</span><span class="p">);</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">413</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">// Short-circuit</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Filter 2: Check Streaming Body</span> <span class="c1">// This catches "Transfer-Encoding: chunked" or lying Content-Length headers.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_body_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="n">Bytes</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_end_of_stream</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="o">=</span> <span class="n">body</span> <span class="p">{</span> <span class="n">ctx</span><span class="py">.bytes_read</span> <span class="o">+=</span> <span class="n">b</span><span class="nf">.len</span><span class="p">();</span> <span class="k">if</span> <span class="n">ctx</span><span class="py">.bytes_read</span> <span class="o">&gt;</span> <span class="n">MAX_BODY_SIZE</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Rejecting request by Stream: Accumulated {} bytes &gt; {}"</span><span class="p">,</span> <span class="n">ctx</span><span class="py">.bytes_read</span><span class="p">,</span> <span class="n">MAX_BODY_SIZE</span><span class="p">);</span> <span class="c1">// We return a Custom error here. Standard errors would cause a 502.</span> <span class="c1">// We need `fail_to_proxy` to convert this into a 413.</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"BodyTooLarge"</span><span class="p">),</span> <span class="s">"Stream exceeded limit"</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"size-limit.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 4. Handle Streaming Errors</span> <span class="c1">// If request_body_filter raises an error, it ends up here.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">fail_to_proxy</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">e</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Error</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">FailToProxy</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Convert our custom error into a proper HTTP 413 response</span> <span class="k">if</span> <span class="k">let</span> <span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"BodyTooLarge"</span><span class="p">)</span> <span class="o">=</span> <span class="n">e</span><span class="py">.etype</span> <span class="p">{</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">413</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">return</span> <span class="n">FailToProxy</span> <span class="p">{</span> <span class="n">error_code</span><span class="p">:</span> <span class="mi">413</span><span class="p">,</span> <span class="n">can_reuse_downstream</span><span class="p">:</span> <span class="k">false</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="n">FailToProxy</span> <span class="p">{</span> <span class="n">error_code</span><span class="p">:</span> <span class="mi">502</span><span class="p">,</span> <span class="n">can_reuse_downstream</span><span class="p">:</span> <span class="k">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">SizeLimitProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6184"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Request Size Limiter running on 0.0.0.0:6184"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Max Body Size: {} bytes"</span><span class="p">,</span> <span class="n">MAX_BODY_SIZE</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify both the fast header check and the slow streaming check.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 40_request_size_limit </code></pre> </div> <h3> 2. Valid Request </h3> <p>Send "tiny" (4 bytes).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="nt">-d</span> <span class="s2">"tiny"</span> http://172.28.0.10:6184/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>200 OK</code>.</li> </ul> <h3> 3. Header Rejection (Fast Path) </h3> <p>We create a ~150 byte payload. <code>curl</code> automatically adds the <code>Content-Length: 150</code> header.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate 150 'a' characters</span> <span class="nv">payload</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s1">'a%.0s'</span> <span class="o">{</span>1..150<span class="o">}</span><span class="si">)</span> curl <span class="nt">-v</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$payload</span><span class="s2">"</span> http://172.28.0.10:6184/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>413 Payload Too Large</code> (Immediate).</li> <li> <strong>Logs:</strong> <code>Rejecting request by Header: Content-Length: 150 &gt; 100</code>.</li> </ul> <h3> 4. Streaming Rejection (Slow Path) </h3> <p>We force <code>chunked</code> encoding so <code>curl</code> does <em>not</em> send a <code>Content-Length</code>. Pingora must read the body to find the size.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="nt">-H</span> <span class="s2">"Transfer-Encoding: chunked"</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$payload</span><span class="s2">"</span> http://172.28.0.10:6184/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>413 Payload Too Large</code> (After uploading).</li> <li> <strong>Logs:</strong> <code>Rejecting request by Stream: Accumulated 150 bytes &gt; 100</code>.</li> </ul> <p>This proves your proxy cannot be fooled by omitting the length header.</p> <h1> Lesson 41: Authentication (Bearer Token) </h1> <p>One of the most powerful patterns in modern architecture is <strong>Authentication Offloading</strong> (or "Auth at the Edge").</p> <p>Instead of requiring every single microservice to implement token validation, logic handling, and error formatting, you enforce it once at the Proxy/Gateway level. If a request reaches your upstream service, that service can assume the user is already authenticated.</p> <p>In this lesson, we implement a simple API Gateway authentication check:</p> <ul> <li> <strong>No Header?</strong> -&gt; <code>401 Unauthorized</code>.</li> <li> <strong>Wrong Token?</strong> -&gt; <code>403 Forbidden</code>.</li> <li> <strong>Correct Token?</strong> -&gt; Allowed (<code>200 OK</code>).</li> </ul> <h2> Key Concepts </h2> <h3> 1. HTTP 401 vs 403 </h3> <p>It is important to be semantically correct with HTTP errors:</p> <ul> <li> <strong>401 Unauthorized:</strong> The user has not provided credentials. The client should prompt the user to log in.</li> <li> <strong>403 Forbidden:</strong> The user provided credentials, but they are invalid or insufficient. Re-trying the same credentials will not work.</li> </ul> <h3> 2. Header Inspection </h3> <p>We use <code>session.req_header().headers.get("Authorization")</code> to access the raw header value.</p> <ul> <li> <strong>Performance Tip:</strong> We compare the value as <strong>bytes</strong> (<code>as_bytes()</code>) rather than converting it to a Rust <code>String</code> (<code>to_str()</code>). This avoids unnecessary memory allocation and UTF-8 validation overhead, which is crucial for high-throughput gateways.</li> </ul> <h2> The Code (<code>examples/41_auth_request.rs</code>) </h2> <p>We enforce a hardcoded token <code>Bearer super-secret-token</code>. In a real app, you might validate a JWT signature or query a Redis cache here.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// The shared secret (Hardcoded for this lesson)</span> <span class="k">const</span> <span class="n">SECRET_TOKEN</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">]</span> <span class="o">=</span> <span class="s">b"Bearer super-secret-token"</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">AuthProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">AuthProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 1. Authentication Logic</span> <span class="c1">// Runs before upstream connection.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Extract Authorization Header</span> <span class="k">let</span> <span class="n">auth_header</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">);</span> <span class="k">match</span> <span class="n">auth_header</span> <span class="p">{</span> <span class="c1">// Case A: Header Missing -&gt; 401 Unauthorized</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Auth Failed: Missing Authorization header"</span><span class="p">);</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">401</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">// Stop processing</span> <span class="p">}</span> <span class="c1">// Case B: Header Present -&gt; Check Token</span> <span class="nf">Some</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="c1">// Direct byte comparison (fast)</span> <span class="k">if</span> <span class="n">value</span><span class="nf">.as_bytes</span><span class="p">()</span> <span class="o">!=</span> <span class="n">SECRET_TOKEN</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Auth Failed: Invalid Token"</span><span class="p">);</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">403</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">// Stop processing</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Case C: Valid Token -&gt; Allow</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Auth Success: Valid Token"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="c1">// Continue to upstream_peer</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"auth-protected.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">AuthProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6185"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Auth Proxy running on 0.0.0.0:6185"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Required Token: Bearer super-secret-token"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will cycle through the three authentication states to ensure strict enforcement.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 41_auth_request </code></pre> </div> <h3> 2. Test A: Missing Header (401) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-o</span> /dev/null http://172.28.0.10:6185/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>HTTP 401 Unauthorized</code>.</li> <li> <strong>Logs:</strong> <code>[WARN] Auth Failed: Missing Authorization header</code>.</li> </ul> <h3> 3. Test B: Invalid Token (403) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-o</span> /dev/null <span class="nt">-H</span> <span class="s2">"Authorization: Bearer bad-token"</span> http://172.28.0.10:6185/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>HTTP 403 Forbidden</code>.</li> <li> <strong>Logs:</strong> <code>[WARN] Auth Failed: Invalid Token</code>.</li> </ul> <h3> 4. Test C: Valid Token (200) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-o</span> /dev/null <span class="nt">-H</span> <span class="s2">"Authorization: Bearer super-secret-token"</span> http://172.28.0.10:6185/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>HTTP 200 OK</code>.</li> <li> <strong>Logs:</strong> <code>[INFO] Auth Success: Valid Token</code>.</li> </ul> <p>The upstream service is now protected. No request reaches the backend unless it has the secret key.</p> <h1> Lesson 42: Basic Authentication </h1> <p>In Lesson 41, we implemented Bearer Token authentication, where the client is expected to know the secret beforehand.</p> <p><strong>Basic Authentication</strong> follows a different flow called "Challenge-Response." If a user visits your site without credentials, the server must <strong>challenge</strong> them to provide a username and password. This is what triggers the native login popup in web browsers.</p> <p>In this lesson, we implement this flow:</p> <ol> <li> <strong>Challenge:</strong> If the request has no credentials, return <code>401 Unauthorized</code> <strong>AND</strong> a <code>WWW-Authenticate</code> header.</li> <li> <strong>Verify:</strong> If the request returns with credentials, valid them against our stored user (<code>admin:password</code>).</li> </ol> <h2> Key Concepts </h2> <h3> 1. The <code>WWW-Authenticate</code> Header </h3> <p>Simply returning <code>401</code> isn't enough. Without the <code>WWW-Authenticate</code> header, a browser will simply display a generic error page.</p> <ul> <li> <strong>Header:</strong> <code>WWW-Authenticate: Basic realm="PingoraProxy"</code> </li> <li> <strong>Behavior:</strong> This tells the browser, "I need Basic credentials for the realm 'PingoraProxy'." The browser then opens the username/password dialog.</li> </ul> <h3> 2. Manual Response Construction </h3> <p>The helper method <code>session.respond_error(401)</code> is convenient, but it doesn't allow us to inject custom headers like <code>WWW-Authenticate</code>.<br> To solve this, we must build the response manually using <code>ResponseHeader::build</code>, insert our custom header, and send it using <code>session.write_response_header</code>.</p> <h3> 3. Base64 Encoding </h3> <p>Basic Auth credentials are sent as <code>username:password</code> encoded in Base64.</p> <ul> <li> <strong>User:</strong> <code>admin</code> </li> <li> <strong>Pass:</strong> <code>password</code> </li> <li> <strong>String:</strong> <code>admin:password</code> </li> <li> <strong>Base64:</strong> <code>YWRtaW46cGFzc3dvcmQ=</code> </li> <li> <strong>Header:</strong> <code>Authorization: Basic YWRtaW46cGFzc3dvcmQ=</code> </li> </ul> <h2> The Code (<code>examples/42_basic_auth.rs</code>) </h2> <p>To keep our dependencies minimal, we perform a direct string comparison against the pre-calculated Base64 string rather than importing a Base64 library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::{</span><span class="n">info</span><span class="p">,</span> <span class="n">warn</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="c1">// Required for building custom headers</span> <span class="k">use</span> <span class="nn">pingora_load_balancing</span><span class="p">::{</span><span class="n">LoadBalancer</span><span class="p">,</span> <span class="nn">selection</span><span class="p">::</span><span class="n">RoundRobin</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">;</span> <span class="c1">// Expected Header: "Authorization: Basic YWRtaW46cGFzc3dvcmQ="</span> <span class="c1">// We compare the raw base64 string directly for performance, </span> <span class="c1">// avoiding the need to import a base64 decoding crate.</span> <span class="k">const</span> <span class="n">EXPECTED_AUTH</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">]</span> <span class="o">=</span> <span class="s">b"Basic YWRtaW46cGFzc3dvcmQ="</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="nf">BasicAuthProxy</span><span class="p">(</span><span class="nb">Arc</span><span class="o">&lt;</span><span class="n">LoadBalancer</span><span class="o">&lt;</span><span class="n">RoundRobin</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">BasicAuthProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">request_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="o">&gt;</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">auth_header</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.headers</span><span class="nf">.get</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">);</span> <span class="k">match</span> <span class="n">auth_header</span> <span class="p">{</span> <span class="c1">// Case A: Missing Credentials -&gt; Send Challenge</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Auth Failed: Missing Header. Sending Challenge"</span><span class="p">);</span> <span class="c1">// 1. Build a raw 401 response</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">header</span> <span class="o">=</span> <span class="nn">ResponseHeader</span><span class="p">::</span><span class="nf">build</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="mi">3</span><span class="p">))</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// 2. Inject the mandatory WWW-Authenticate header</span> <span class="c1">// This tells the client (browser) to prompt for "Basic" credentials.</span> <span class="n">header</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"WWW-Authenticate"</span><span class="p">,</span> <span class="s">"Basic realm=</span><span class="se">\"</span><span class="s">PingoraProxy</span><span class="se">\"</span><span class="s">"</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">header</span><span class="nf">.insert_header</span><span class="p">(</span><span class="s">"Content-Length"</span><span class="p">,</span> <span class="s">"0"</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="c1">// 3. Write response and close stream (true = End of Stream)</span> <span class="n">session</span><span class="nf">.write_response_header</span><span class="p">(</span><span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">header</span><span class="p">),</span> <span class="k">true</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">// Stop processing</span> <span class="p">}</span> <span class="c1">// Case B: Header Present -&gt; Validate</span> <span class="nf">Some</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="n">value</span><span class="nf">.as_bytes</span><span class="p">()</span> <span class="o">!=</span> <span class="n">EXPECTED_AUTH</span> <span class="p">{</span> <span class="nd">warn!</span><span class="p">(</span><span class="s">"Auth Failed: Wrong Credentials"</span><span class="p">);</span> <span class="c1">// Return 403 to indicate credentials were received but rejected</span> <span class="n">session</span><span class="nf">.respond_error</span><span class="p">(</span><span class="mi">403</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Case C: Success</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Auth Success: admin:password verified"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">upstream</span> <span class="o">=</span> <span class="k">self</span><span class="na">.0</span> <span class="nf">.select</span><span class="p">(</span><span class="s">b""</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">Error</span><span class="p">::</span><span class="nf">explain</span><span class="p">(</span><span class="nn">ErrorType</span><span class="p">::</span><span class="nf">Custom</span><span class="p">(</span><span class="s">"NoUpstreamAvailable"</span><span class="p">),</span> <span class="s">"Empty upstream pool"</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstream</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s">"basic-auth.cluster"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">upstreams</span> <span class="o">=</span> <span class="nn">LoadBalancer</span><span class="p">::</span><span class="nf">try_from_iter</span><span class="p">([</span> <span class="s">"172.28.0.20:8080"</span><span class="p">,</span> <span class="s">"172.28.0.21:8080"</span><span class="p">,</span> <span class="p">])</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="nf">BasicAuthProxy</span><span class="p">(</span><span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">upstreams</span><span class="p">)));</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6186"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Basic Auth Proxy running on 0.0.0.0:6186"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Credentials: admin / password"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify the Challenge, the Failure, and the Success states.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 42_basic_auth </code></pre> </div> <h3> 2. Test A: The Challenge (Missing Credentials) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> http://172.28.0.10:6186/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>401 Unauthorized</code>.</li> <li> <strong>Crucial Header:</strong> Look for <code>&lt; WWW-Authenticate: Basic realm="PingoraProxy"</code>. If this is missing, a browser will not show the login popup.</li> </ul> <h3> 3. Test B: The Rejection (Wrong Password) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="nt">-u</span> <span class="s2">"admin:wrong"</span> http://172.28.0.10:6186/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>403 Forbidden</code>.</li> <li> <strong>Log:</strong> <code>[WARN] Auth Failed: Wrong Credentials</code>.</li> </ul> <h3> 4. Test C: The Success (Correct Password) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="nt">-u</span> <span class="s2">"admin:password"</span> http://172.28.0.10:6186/ </code></pre> </div> <ul> <li> <strong>Result:</strong> <code>200 OK</code>.</li> <li> <strong>Log:</strong> <code>[INFO] Auth Success: admin:password verified</code>.</li> </ul> <h1> Module 6: Caching </h1> <p>The fastest network request is the one you never make.</p> <p>In high-scale systems, 80% of the traffic often hits just 20% of the content. Repeatedly asking your backend database to "Get User Profile 123" or "Render Home Page" burns CPU cycles and latency unnecessarily.</p> <p><strong>Module 6</strong> introduces the <strong>Pingora Cache</strong> system. We will transform our proxy from a simple router into a high-performance content delivery node.</p> <p>We will cover:</p> <ul> <li> <strong>Storage Backends:</strong> How to store responses in memory (RAM) to serve them in microseconds.</li> <li> <strong>Cache Control:</strong> How to obey standard HTTP headers (<code>Cache-Control</code>, <code>Expires</code>) so the proxy knows <em>what</em> to cache and for <em>how long</em>.</li> <li> <strong>Request Coalescing:</strong> The "Thundering Herd" problem—what happens when 1,000 users ask for the same missing file at the exact same millisecond? We will learn how to "lock" the cache so only <em>one</em> request hits the origin while the others wait.</li> <li> <strong>Advanced Patterns:</strong> Implementing <code>PURGE</code> to instantly clear content and <code>stale-while-revalidate</code> to update content in the background without slowing down users.</li> </ul> <p>By the end of this module, you will have built a caching layer capable of drastically reducing the load on your upstream servers.</p> <h1> Lesson 43: In-Memory Caching </h1> <p>The fastest way to serve a request is to avoid sending it to the backend at all. <strong>Caching</strong> allows the proxy to store the response from an upstream server (like Blue or Green) and serve it to subsequent users directly from memory.</p> <p>In this lesson, we implement a <strong>Basic In-Memory Cache</strong>.<br> To demonstrate this reliably, we will spin up a small internal "Mock Upstream" that returns a response with <code>Cache-Control: max-age=60</code>.</p> <h2> Key Concepts </h2> <h3> 1. The Caching Lifecycle </h3> <p>Pingora does not cache by default. You must opt-in via two distinct hooks:</p> <ol> <li> <strong><code>request_cache_filter</code> (The Setup):</strong> <ul> <li>Runs <em>before</em> the upstream connection.</li> <li> <strong>Action:</strong> Call <code>session.cache.enable()</code>. This selects the storage backend (e.g., Memory) and sets the <strong>Cache Key</strong> (e.g., the URL path).</li> <li>If you skip this, caching is disabled for the request.</li> </ul> </li> <li> <strong><code>response_cache_filter</code> (The Decision):</strong> <ul> <li>Runs <em>after</em> the upstream responds but <em>before</em> sending headers to the client.</li> <li> <strong>Action:</strong> Determine if the response is worth keeping. Usually, this involves parsing the <code>Cache-Control</code> header.</li> </ul> </li> </ol> <h3> 2. <code>MemCache</code> Backend </h3> <p>Pingora provides <code>pingora_cache::memory::MemCache</code>, a high-performance in-memory storage. It is ephemeral (lost on restart) but extremely fast, making it ideal for hot content.</p> <h2> The Code (<code>examples/43_memory_cache.rs</code>) </h2> <p>We include a helper function <code>run_mock_upstream</code> that listens on port <code>6191</code>. It mimics a backend that explicitly allows caching via headers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="c1">// Imports for Caching</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::{</span><span class="n">MemCache</span><span class="p">,</span> <span class="n">CacheKey</span><span class="p">,</span> <span class="n">CacheMetaDefaults</span><span class="p">,</span> <span class="n">RespCacheable</span><span class="p">,</span> <span class="n">CachePhase</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">cache_control</span><span class="p">::</span><span class="n">CacheControl</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">borrow</span><span class="p">::</span><span class="n">Cow</span><span class="p">;</span> <span class="c1">// 1. Initialize Global Memory Storage</span> <span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CacheProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">CacheProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 2. Enable Caching for the Request</span> <span class="k">fn</span> <span class="nf">request_cache_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Define the lookup key: we use the URL path.</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">CacheKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">(),</span> <span class="s">""</span><span class="p">);</span> <span class="c1">// Enable cache using our MemCache backend.</span> <span class="c1">// Args: (Storage, EvictionManager, Predictor, Lock, Stats)</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.set_cache_key</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Route to our internal mock upstream</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6191</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"cache.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Decide if Response is Cacheable</span> <span class="k">fn</span> <span class="nf">response_cache_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">resp</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">RespCacheable</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Parse the upstream headers (Cache-Control, Expires, etc.)</span> <span class="k">let</span> <span class="n">cc</span> <span class="o">=</span> <span class="nn">CacheControl</span><span class="p">::</span><span class="nf">from_resp_headers</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="c1">// Define defaults if headers are missing (e.g., cache 200 OK for 60s)</span> <span class="k">let</span> <span class="n">defaults</span> <span class="o">=</span> <span class="nn">CacheMetaDefaults</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">|</span><span class="n">status</span><span class="p">|</span> <span class="k">if</span> <span class="n">status</span><span class="nf">.as_u16</span><span class="p">()</span> <span class="o">==</span> <span class="mi">200</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">60</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">None</span> <span class="p">},</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span> <span class="p">);</span> <span class="c1">// Return the decision</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">filters</span><span class="p">::</span><span class="nf">resp_cacheable</span><span class="p">(</span> <span class="n">cc</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="n">resp</span><span class="nf">.clone</span><span class="p">(),</span> <span class="k">false</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">defaults</span><span class="p">,</span> <span class="p">))</span> <span class="p">}</span> <span class="c1">// 4. Log Cache Status</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">match</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.phase</span><span class="p">()</span> <span class="p">{</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Hit</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Cache Status: HIT (Served from Memory)"</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Miss</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Cache Status: MISS (Fetched from Upstream)"</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Expired</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Cache Status: EXPIRED (Revalidating)"</span><span class="p">),</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Internal Mock Server to ensure consistent Cache-Control headers</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_mock_upstream</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:6191"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Mock Upstream started on 127.0.0.1:6191"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="s">"Response from Local Mock"</span><span class="p">;</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Content-Length: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Cache-Control: public, max-age=60</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Connection: close</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> </span><span class="se">\r\n</span><span class="err">\</span><span class="s"> {}"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">(),</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="c1">// Required for cache metadata compression</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nf">set_compression_dict_content</span><span class="p">(</span><span class="nn">Cow</span><span class="p">::</span><span class="nf">Borrowed</span><span class="p">(</span><span class="s">b""</span><span class="p">));</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Start the mock upstream in a background thread</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_mock_upstream</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">CacheProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6190"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Memory Cache Proxy running on 0.0.0.0:6190"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify the entire lifecycle: <strong>Miss</strong> (First fetch) -&gt; <strong>Hit</strong> (Memory serve) -&gt; <strong>Expired</strong> (Re-fetch).</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 43_memory_cache </code></pre> </div> <h3> 2. First Request (Miss) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6190/ </code></pre> </div> <ul> <li> <strong>Output:</strong> <code>Response from Local Mock</code> </li> <li> <strong>Log:</strong> <code>Cache Status: MISS (Fetched from Upstream)</code> </li> </ul> <h3> 3. Second Request (Hit) </h3> <p>Run the same command immediately.</p> <ul> <li> <strong>Output:</strong> <code>Response from Local Mock</code> </li> <li> <strong>Log:</strong> <code>Cache Status: HIT (Served from Memory)</code> </li> <li> <strong>Observation:</strong> The proxy did <em>not</em> connect to the backend (port 6191). It served the data instantly from RAM.</li> </ul> <h3> 4. Expired Request </h3> <p>Wait 60 seconds (the <code>max-age</code> defined in the mock), then run the command again.</p> <ul> <li> <strong>Output:</strong> <code>Response from Local Mock</code> </li> <li> <strong>Log:</strong> <code>Cache Status: EXPIRED (Revalidating)</code> </li> <li> <strong>Observation:</strong> Pingora detected the TTL had passed, fetched a fresh copy from the backend, and updated the cache.</li> </ul> <h2> Theory </h2> <p>The Pingora caching system transforms your proxy from a simple traffic router into a sophisticated content delivery engine. To effectively use it, we must understand the specific Rust structures that manage the "Hit or Miss" decision process.</p> <p>Here is a detailed breakdown of the key components and syntax used in our code.</p> <h3> 1. The Core Components </h3> <h4> <strong>MemCache</strong> </h4> <ul> <li> <strong>Definition:</strong> An in-memory implementation of the <code>Storage</code> trait provided by <code>pingora-cache</code>.</li> <li> <strong>Role:</strong> It acts as the backend "hard drive" for the cache, but stores data in RAM (using a specialized hash map) instead of on disk.</li> <li> <strong>Key Characteristics:</strong> <ul> <li> <strong>Volatile:</strong> Since it lives in RAM, all cache data is lost if the proxy process restarts.</li> <li> <strong>Fast:</strong> Lookups avoid disk I/O entirely, offering microsecond-level latency.</li> <li> <strong>Concurrency:</strong> It uses <code>RwLock</code> (Read-Write Lock) mechanisms to safely allow multiple concurrent readers while ensuring data integrity during writes.</li> <li> <strong>Storage Logic:</strong> It maps a hashed <code>CacheKey</code> to a <code>CacheObject</code>, which contains both the metadata header (expiry, headers) and the body payload.</li> </ul> </li> </ul> <h4> <strong>CacheKey</strong> </h4> <ul> <li> <strong>Definition:</strong> A struct that uniquely identifies a cacheable asset.</li> <li> <strong>Role:</strong> It functions as the lookup address for the storage backend. If two different user requests generate the same <code>CacheKey</code>, they will map to the same cached object.</li> <li> <p><strong>Composition:</strong></p> <ol> <li> <strong>Primary Key:</strong> Usually derived from the URL path (e.g., <code>/images/logo.png</code>).</li> <li> <strong>Namespace:</strong> An optional prefix to isolate distinct datasets (e.g., <code>v1</code> vs <code>v2</code> of an API).</li> <li> <strong>User Tag:</strong> An optional tag to shard storage by user (e.g., specific cache partitions for specific customers).</li> <li> <strong>Variance:</strong> Handles <code>Vary</code> headers. For example, it ensures a request with <code>Accept-Encoding: gzip</code> gets a compressed version, while <code>identity</code> gets a plain version, even if the URL is the same.</li> </ol> </li> <li><p><strong>Hashing:</strong> Internally, Pingora uses the <strong>Blake2b</strong> algorithm to generate a 128-bit binary hash from these components for efficient storage lookup.</p></li> </ul> <h4> <strong>CacheMetaDefaults</strong> </h4> <ul> <li> <strong>Definition:</strong> A configuration struct that defines the "fallback" behavior.</li> <li> <strong>Role:</strong> Upstream servers are often imperfect and forget to send <code>Cache-Control</code> headers. This struct acts as the proxy's internal policy engine to decide what to do in those cases.</li> <li> <strong>Key Fields:</strong> <ul> <li> <code>fresh_sec_fn</code>: A function mapping an HTTP Status Code to a Duration. (e.g., "If <code>200 OK</code>, cache for 60s. If <code>500 Error</code>, do not cache").</li> <li> <code>stale_while_revalidate_sec</code>: Defines the window where it is acceptable to serve expired content while a background fetch refreshes the data.</li> <li> <code>stale_if_error_sec</code>: Defines how long to serve old content if the upstream server goes down.</li> </ul> </li> </ul> <h4> <strong>RespCacheable</strong> </h4> <ul> <li> <strong>Definition:</strong> An enum representing the final verdict on whether a specific response <em>can</em> be cached.</li> <li> <strong>Role:</strong> This is the output of your logic in <code>response_cache_filter</code>.</li> <li> <strong>Variants:</strong> <ol> <li> <strong><code>Cacheable(CacheMeta)</code></strong>: The verdict is <strong>Yes</strong>. The struct contains the calculated metadata (expiry timestamp, headers to preserve).</li> <li> <strong><code>Uncacheable(NoCacheReason)</code></strong>: The verdict is <strong>No</strong>. It includes the specific reason (e.g., <code>OriginNotCache</code> if the upstream sent <code>no-store</code>, or <code>ResponseTooLarge</code>).</li> </ol> </li> </ul> <h4> <strong>CachePhase</strong> </h4> <ul> <li> <strong>Definition:</strong> An enum tracking the lifecycle state of a request relative to the cache system.</li> <li> <strong>Role:</strong> It acts as a state machine indicator, primarily useful for observability (logging/metrics) and debugging.</li> <li> <strong>Common States:</strong> <ul> <li> <code>Disabled</code>: The cache was never enabled for this request.</li> <li> <code>Miss</code>: Content was not found in storage; currently fetching from upstream.</li> <li> <code>Hit</code>: Content was found and is fresh; serving directly from cache.</li> <li> <code>Stale</code>: Content was found but has expired; a revalidation request is required.</li> <li> <code>Revalidated</code>: Stale content was confirmed as still valid by the upstream (via a <code>304 Not Modified</code> response).</li> </ul> </li> </ul> <h4> <strong>CacheControl</strong> </h4> <ul> <li> <strong>Definition:</strong> A parser for the standard HTTP <code>Cache-Control</code> header.</li> <li> <strong>Role:</strong> It takes raw header strings (e.g., <code>public, max-age=3600, no-transform</code>) and parses them into a structured <code>DirectiveMap</code>.</li> <li> <strong>Capabilities:</strong> <ul> <li>Extracts critical directives like <code>max-age</code>, <code>s-maxage</code>, <code>no-store</code>, and <code>private</code>.</li> <li>Handles edge cases like quoting and case-insensitivity (e.g., <code>Max-Age="60"</code>).</li> <li>Implements <code>InterpretCacheControl</code> to calculate actual Time-To-Live (TTL) durations according to strict RFC 9111 rules.</li> </ul> </li> </ul> <h3> 2. Explanation of <code>&amp;*</code> in <code>enable</code> </h3> <p>You may have noticed this specific syntax in the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="c1">// ...</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="o">...</span><span class="p">);</span> </code></pre> </div> <p>This <code>&amp;*</code> pattern is a Rust idiom used to satisfy type coercion and lifetime requirements when dealing with <code>Lazy</code> static variables.</p> <ol> <li> <strong>The Type of <code>MEM_CACHE</code>:</strong> <code>MEM_CACHE</code> is declared as <code>Lazy&lt;MemCache&gt;</code>. It is not a <code>MemCache</code> struct directly; it is a wrapper that ensures initialization happens only on first access.</li> <li> <strong>The Dereference (<code>*</code>):</strong> <code>Lazy&lt;T&gt;</code> implements the <code>Deref</code> trait. <ul> <li> <code>*MEM_CACHE</code> dereferences the <code>Lazy</code> wrapper to access the underlying value.</li> <li>Effectively, this operation extracts the actual <code>MemCache</code> instance inside the static variable.</li> </ul> </li> <li> <strong>The Reference (<code>&amp;</code>):</strong> The <code>&amp;</code> operator then takes a reference to that dereferenced value. <ul> <li>So, <code>&amp;*MEM_CACHE</code> results in a reference of type <code>&amp;MemCache</code>.</li> </ul> </li> <li> <strong>The Target Type (<code>dyn Storage</code>):</strong> The <code>enable</code> function signature expects a reference to a Trait Object: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">enable</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="n">storage</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">'static</span> <span class="p">(</span><span class="k">dyn</span> <span class="n">Storage</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">),</span> <span class="o">...</span><span class="p">)</span> </code></pre> </div> <ul> <li>Since <code>MemCache</code> implements the <code>Storage</code> trait, Rust automatically coerces the concrete <code>&amp;MemCache</code> into the dynamic <code>&amp;dyn Storage</code> interface. <ol> <li> <strong>Why not just pass <code>&amp;MEM_CACHE</code>?</strong> If you tried to pass <code>&amp;MEM_CACHE</code>, you would be passing a reference to the wrapper itself (<code>&amp;Lazy&lt;MemCache&gt;</code>). The <code>Lazy</code> struct does <em>not</em> implement the <code>Storage</code> trait; only the inner <code>MemCache</code> does. Therefore, you must manually peel off the wrapper (<code>*</code>) and then reference the inner object (<code>&amp;</code>).</li> </ol> </li> </ul> <p><strong>Summary:</strong> <code>&amp;*MEM_CACHE</code> translates to: "Give me a reference to the <em>actual initialized cache</em> inside the global wrapper."</p> <h1> Lesson 44: Respecting Cache-Control Headers </h1> <p>In Lesson 43, we manually forced the proxy to cache everything for 60 seconds. While useful for testing, a production proxy should never do this. It should respect the <strong>origin server's</strong> instructions.</p> <p>If an upstream server sends <code>Cache-Control: no-store</code> (e.g., banking data) or <code>max-age=5</code> (e.g., stock tickers), the proxy must obey. Pingora provides built-in parsers to handle strict RFC compliance out of the box.</p> <p>In this lesson, we implement a <strong>Smart Caching Proxy</strong> that adapts its behavior based on the URL:</p> <ul> <li> <code>/short</code> -&gt; Cache for 5 seconds.</li> <li> <code>/long</code> -&gt; Cache for 60 seconds.</li> <li> <code>/no_store</code> -&gt; Do not cache at all.</li> </ul> <h2> Key Concepts </h2> <h3> 1. The <code>Cache-Control</code> Header </h3> <p>This is the standard mechanism for web caching.</p> <ul> <li> <code>max-age=N</code>: The content is fresh for N seconds.</li> <li> <code>no-store</code>: The content must <strong>never</strong> be stored in non-volatile storage.</li> <li> <code>private</code>: The content is for a specific user (e.g., a profile page) and should not be stored by a shared proxy.</li> </ul> <h3> 2. RFC Compliance via <code>resp_cacheable</code> </h3> <p>Pingora provides a helper function <code>pingora_cache::filters::resp_cacheable</code>.<br> Instead of writing complex <code>if</code> statements (e.g., "if header contains 'no-store'..."), you pass the parsed headers to this function. It returns:</p> <ul> <li> <code>RespCacheable::Cacheable(meta)</code>: If valid, with the calculated TTL.</li> <li> <code>RespCacheable::Uncacheable(reason)</code>: If invalid (e.g., <code>origin_no_store</code>, <code>response_too_large</code>).</li> </ul> <h2> The Code (<code>examples/44_cache_control.rs</code>) </h2> <p>We update our mock upstream to be "dynamic"—it reads the request path and changes the response headers accordingly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::{</span><span class="n">MemCache</span><span class="p">,</span> <span class="n">CacheKey</span><span class="p">,</span> <span class="n">CacheMetaDefaults</span><span class="p">,</span> <span class="n">RespCacheable</span><span class="p">,</span> <span class="n">CachePhase</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">cache_control</span><span class="p">::</span><span class="n">CacheControl</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">borrow</span><span class="p">::</span><span class="n">Cow</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CacheControlProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">CacheControlProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 1. Setup Storage</span> <span class="k">fn</span> <span class="nf">request_cache_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">CacheKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">(),</span> <span class="s">""</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.set_cache_key</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Connect to our dynamic mock upstream</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6193</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"header.test.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 2. The Decision Logic</span> <span class="k">fn</span> <span class="nf">response_cache_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">resp</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">RespCacheable</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Parse headers using Pingora's built-in parser</span> <span class="k">let</span> <span class="n">cc</span> <span class="o">=</span> <span class="nn">CacheControl</span><span class="p">::</span><span class="nf">from_resp_headers</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="c1">// Define empty defaults (Cache nothing if headers are missing)</span> <span class="k">let</span> <span class="n">defaults</span> <span class="o">=</span> <span class="nn">CacheMetaDefaults</span><span class="p">::</span><span class="nf">new</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// Let Pingora decide based on RFC rules</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">filters</span><span class="p">::</span><span class="nf">resp_cacheable</span><span class="p">(</span> <span class="n">cc</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="n">resp</span><span class="nf">.clone</span><span class="p">(),</span> <span class="k">false</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">defaults</span> <span class="p">))</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="k">match</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.phase</span><span class="p">()</span> <span class="p">{</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Hit</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path {}, Status: HIT"</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Miss</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path {}, Status: MISS"</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Expired</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path {}, Status: EXPIRED"</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="nf">Disabled</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Path {}, Status: SKIP (Uncacheable)"</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 3. Dynamic Mock Upstream</span> <span class="c1">// Returns different Cache-Control headers based on the request URL.</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_dynamic_upstream</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:6193"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Dynamic Upstream running on 127.0.0.1:6193"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">n</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">let</span> <span class="n">req</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf8_lossy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">[</span><span class="o">..</span><span class="n">n</span><span class="p">]);</span> <span class="c1">// Determine Header based on Path</span> <span class="k">let</span> <span class="n">cc_header</span> <span class="o">=</span> <span class="k">if</span> <span class="n">req</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"GET /short"</span><span class="p">)</span> <span class="p">{</span> <span class="s">"max-age=5"</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">req</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"GET /long"</span><span class="p">)</span> <span class="p">{</span> <span class="s">"max-age=60"</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">req</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"GET /no_store"</span><span class="p">)</span> <span class="p">{</span> <span class="s">"no-store"</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="s">"max-age=10"</span> <span class="p">};</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Content for {}"</span><span class="p">,</span> <span class="n">cc_header</span><span class="p">);</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Content-Length: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Cache-Control: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Connection: close</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> </span><span class="se">\r\n</span><span class="err">\</span><span class="s"> {}</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">()</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">cc_header</span><span class="p">,</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nf">set_compression_dict_content</span><span class="p">(</span><span class="nn">Cow</span><span class="p">::</span><span class="nf">Borrowed</span><span class="p">(</span><span class="s">b""</span><span class="p">));</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_dynamic_upstream</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">CacheControlProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6192"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Cache Control Proxy running on 0.0.0.0:6192"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that Pingora adapts its caching strategy dynamically.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 44_cache_control </code></pre> </div> <h3> 2. Test A: <code>no-store</code> (Security Check) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/no_store docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/no_store </code></pre> </div> <ul> <li> <strong>Result:</strong> Both requests are fetched from the upstream.</li> <li> <strong>Log:</strong> <code>Path /no_store, Status: SKIP (Uncacheable)</code> </li> </ul> <h3> 3. Test B: <code>max-age=5</code> (Short Lived) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Request 1 (Miss)</span> docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/short <span class="c"># Request 2 (Hit) - Immediate</span> docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/short <span class="c"># Wait 6 seconds...</span> <span class="nb">sleep </span>6 <span class="c"># Request 3 (Expired)</span> docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/short </code></pre> </div> <ul> <li> <strong>Log:</strong> <code>MISS</code> -&gt; <code>HIT</code> -&gt; <code>EXPIRED</code> (because 6s &gt; 5s).</li> </ul> <h3> 4. Test C: <code>max-age=60</code> (Long Lived) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Request 1 (Miss)</span> docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/long <span class="c"># Wait 6 seconds...</span> <span class="nb">sleep </span>6 <span class="c"># Request 2 (Hit)</span> docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6192/long </code></pre> </div> <ul> <li> <strong>Log:</strong> <code>MISS</code> -&gt; <code>HIT</code> (because 6s &lt; 60s).</li> </ul> <p>This confirms the proxy is correctly parsing and enforcing the upstream's caching policies.</p> <h1> Lesson 45: Cache Locking (Request Coalescing) </h1> <p>Imagine you are running a news site. A major story breaks. 1,000 users click the link at the exact same millisecond. The story is not in your cache yet.</p> <p>Without protection, your proxy sends <strong>1,000 requests</strong> to your database simultaneously. Your database crashes. This is called the <strong>Thundering Herd</strong> problem (or "Cache Stampede").</p> <p><strong>Cache Locking</strong> (Request Coalescing) solves this.</p> <ol> <li> <strong>Request 1 arrives:</strong> The proxy sees a cache miss. It acquires a "Write Lock" on the URL. It contacts the backend.</li> <li> <strong>Requests 2-1000 arrive:</strong> The proxy sees a cache miss <em>but</em> sees the lock is held. These requests <strong>wait</strong> (sleep) at the proxy layer.</li> <li> <strong>Request 1 returns:</strong> The response is stored in the cache. The lock is released.</li> <li> <strong>Requests 2-1000 wake up:</strong> They instantly find the fresh data in the cache and return.</li> </ol> <p>Result: <strong>1 backend request.</strong> 1,000 happy users.</p> <h2> Key Concepts </h2> <h3> 1. <code>CacheLock</code> </h3> <p>Pingora provides <code>pingora_cache::lock::CacheLock</code>.</p> <ul> <li>It is a concurrent hash table of semaphores.</li> <li> <strong>Writer:</strong> The thread fetching from upstream.</li> <li> <strong>Reader:</strong> The threads waiting for the writer.</li> </ul> <h3> 2. Enabling the Lock </h3> <p>We pass the lock instance to <code>session.cache.enable()</code>. It is the 4th argument.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">CACHE_LOCK</span><span class="p">),</span> <span class="nb">None</span><span class="p">);</span> </code></pre> </div> <h3> 3. Observable Metrics </h3> <p>Pingora tracks how long a request waited for a lock. We can log this using <code>session.cache.lock_duration()</code>.</p> <ul> <li> <strong>Writer:</strong> Wait time is <code>0ns</code>.</li> <li> <strong>Reader:</strong> Wait time is roughly equal to the upstream response time.</li> </ul> <h2> The Code (<code>examples/45_cache_lock.rs</code>) </h2> <p>We simulate a "Heavy" upstream that sleeps for <strong>2 seconds</strong> before responding. This allows us to manually fire multiple requests during that window and watch them coalesce.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::{</span><span class="n">MemCache</span><span class="p">,</span> <span class="n">CacheKey</span><span class="p">,</span> <span class="n">CacheMetaDefaults</span><span class="p">,</span> <span class="n">RespCacheable</span><span class="p">,</span> <span class="n">CachePhase</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">cache_control</span><span class="p">::</span><span class="n">CacheControl</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">lock</span><span class="p">::</span><span class="n">CacheLock</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">borrow</span><span class="p">::</span><span class="n">Cow</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="c1">// 1. Initialize Global Lock Manager</span> <span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="k">static</span> <span class="n">CACHE_LOCK</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">CacheLock</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(||</span> <span class="nn">CacheLock</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">5</span><span class="p">)));</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CacheLockProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">CacheLockProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 2. Enable Caching WITH Locking</span> <span class="k">fn</span> <span class="nf">request_cache_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">CacheKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">(),</span> <span class="s">""</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span> <span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">CACHE_LOCK</span><span class="p">),</span> <span class="c1">// Pass the lock here</span> <span class="nb">None</span> <span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.set_cache_key</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6195</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"heavy.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">response_cache_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">resp</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">RespCacheable</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cc</span> <span class="o">=</span> <span class="nn">CacheControl</span><span class="p">::</span><span class="nf">from_resp_headers</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="k">let</span> <span class="n">defaults</span> <span class="o">=</span> <span class="nn">CacheMetaDefaults</span><span class="p">::</span><span class="nf">new</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">filters</span><span class="p">::</span><span class="nf">resp_cacheable</span><span class="p">(</span><span class="n">cc</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="n">resp</span><span class="nf">.clone</span><span class="p">(),</span> <span class="k">false</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">defaults</span><span class="p">))</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// 3. Log Who was Writer and Who was Reader</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">match</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.phase</span><span class="p">()</span> <span class="p">{</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Hit</span> <span class="k">=&gt;</span> <span class="s">"HIT (READER)"</span><span class="p">,</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Miss</span> <span class="k">=&gt;</span> <span class="s">"MISS (WRITER)"</span><span class="p">,</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="s">"OTHER"</span> <span class="p">};</span> <span class="k">let</span> <span class="n">wait_time</span> <span class="o">=</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.lock_duration</span><span class="p">()</span><span class="nf">.unwrap_or</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="n">ZERO</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span> <span class="s">"Client Finished. Status: {}. Waited for lock: {:?}"</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">wait_time</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 4. Heavy Mock Upstream</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_slow_upstream</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:6195"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Slow Upstream running on 127.0.0.1:6195"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Simulate heavy work</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"&gt;&gt; Processing expensive request (2s delay)..."</span><span class="p">);</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="s">"Expensive Content Generated"</span><span class="p">;</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Content-Length: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Cache-Control: public, max-age=60</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Connection: close</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> </span><span class="se">\r\n</span><span class="err">\</span><span class="s"> {}"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">(),</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nf">set_compression_dict_content</span><span class="p">(</span><span class="nn">Cow</span><span class="p">::</span><span class="nf">Borrowed</span><span class="p">(</span><span class="s">b""</span><span class="p">));</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_slow_upstream</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">CacheLockProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6194"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Cache Lock Proxy running on 0.0.0.0:6194"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will simulate a mini "Thundering Herd" using a bash loop.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 45_cache_lock </code></pre> </div> <h3> 2. Fire Concurrent Requests </h3> <p>Run this command to spawn 5 requests in the background simultaneously.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..5<span class="o">}</span><span class="p">;</span> <span class="k">do </span>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6194/resource &amp; <span class="k">done</span><span class="p">;</span> <span class="nb">wait</span> </code></pre> </div> <h3> 3. Observe the Logs </h3> <ul> <li> <strong>Upstream:</strong> You will see <code>&gt;&gt; Processing expensive request</code> exactly <strong>once</strong>.</li> <li> <strong>Proxy:</strong> <ul> <li>1 log entry: <code>Status: MISS (WRITER). Waited for lock: 0ns</code>.</li> <li>4 log entries: <code>Status: HIT (READER). Waited for lock: 2.00s</code>.</li> </ul> </li> </ul> <p>This confirms the lock worked perfectly. The backend was protected, and all clients got the correct data.</p> <h1> Lesson 46: Cache Purging </h1> <p>Sometimes, caching works <em>too</em> well. You fix a typo on your homepage, but the cache is set to expire in 5 minutes. Do you wait 5 minutes while users see the typo?</p> <p>No. You <strong>Purge</strong> the cache.</p> <p>In this lesson, we implement the <strong>HTTP PURGE</strong> method.</p> <ul> <li> <strong>Standard Flow:</strong> <code>GET /file</code> -&gt; Returns cached content.</li> <li> <strong>Admin Flow:</strong> <code>PURGE /file</code> -&gt; Deletes the content from the cache immediately.</li> </ul> <h2> Key Concepts </h2> <h3> 1. The <code>PURGE</code> Verb </h3> <p>It is important to note that <code>PURGE</code> is <strong>not a standard HTTP method</strong> (like GET, POST, DELETE). It is not defined in the core HTTP RFCs.<br> However, it has become a de-facto standard in the proxy world (popularized by Varnish, Squid, and Fastly) for administrative cache deletion. Browsers never send this method; it is strictly a tool for developers and sysadmins.</p> <h3> 2. The <code>is_purge</code> Hook </h3> <p>Pingora abstracts the complexity of locking and deleting items. You simply implement the <code>is_purge</code> method in your trait.</p> <ul> <li> <strong>Return <code>true</code>:</strong> Pingora will take the <code>CacheKey</code> (configured in <code>request_cache_filter</code>), remove it from the storage backend, and return a <code>200 OK</code> to the client. The request <strong>stops</strong> here; it is never sent upstream.</li> <li> <strong>Return <code>false</code>:</strong> Pingora processes the request normally (fetch or serve).</li> </ul> <h3> 3. Key Consistency </h3> <p>For a purge to work, the <strong>Cache Key</strong> generated during the <code>PURGE</code> request must match the key generated during the original <code>GET</code> request <strong>byte-for-byte</strong>.</p> <ul> <li>If your GET logic includes the <code>Accept-Encoding</code> header in the key...</li> <li>But your PURGE request doesn't send that header...</li> <li>The keys won't match, and the purge will fail (nothing gets deleted). In this lesson, we use the simple URL path for the key, ensuring consistency.</li> </ul> <h2> The Code (<code>examples/46_cache_purge.rs</code>) </h2> <p>Notice how <code>request_cache_filter</code> runs for <em>every</em> request. This is crucial because we need to calculate the key <em>before</em> we decide whether to fetch (GET) or delete (PURGE).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::{</span><span class="n">MemCache</span><span class="p">,</span> <span class="n">CacheKey</span><span class="p">,</span> <span class="n">CacheMetaDefaults</span><span class="p">,</span> <span class="n">RespCacheable</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">cache_control</span><span class="p">::</span><span class="n">CacheControl</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">borrow</span><span class="p">::</span><span class="n">Cow</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">PurgeProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">PurgeProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 1. Setup the Key (Crucial: Must be identical for GET and PURGE)</span> <span class="k">fn</span> <span class="nf">request_cache_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">path</span> <span class="o">=</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"(1) Setup: Configuring CacheKey for path: '{}'"</span><span class="p">,</span> <span class="n">path</span><span class="p">);</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">CacheKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="s">""</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.set_cache_key</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="c1">// 2. The Purge Decision</span> <span class="c1">// If we return true, Pingora deletes the key and stops processing.</span> <span class="k">fn</span> <span class="nf">is_purge</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">bool</span> <span class="p">{</span> <span class="k">let</span> <span class="n">method</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.method</span><span class="p">;</span> <span class="k">if</span> <span class="n">method</span><span class="nf">.as_str</span><span class="p">()</span> <span class="o">==</span> <span class="s">"PURGE"</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"(2) Decision: Method is PURGE. Hijacking request to delete item."</span><span class="p">);</span> <span class="k">return</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"(2) Decision: Method is {}. Proceeding to Standard Cache Flow."</span><span class="p">,</span> <span class="n">method</span><span class="p">);</span> <span class="k">false</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"(3) Cache Miss: Connecting to Upstream to fetch fresh content..."</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6197</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"purge.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">response_cache_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">resp</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">RespCacheable</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"(4) Validation: Examining Upstream Headers for Cache-Control..."</span><span class="p">);</span> <span class="k">let</span> <span class="n">cc</span> <span class="o">=</span> <span class="nn">CacheControl</span><span class="p">::</span><span class="nf">from_resp_headers</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="k">let</span> <span class="n">defaults</span> <span class="o">=</span> <span class="nn">CacheMetaDefaults</span><span class="p">::</span><span class="nf">new</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">filters</span><span class="p">::</span><span class="nf">resp_cacheable</span><span class="p">(</span><span class="n">cc</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="n">resp</span><span class="nf">.clone</span><span class="p">(),</span> <span class="k">false</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">defaults</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Mock Upstream: Returns content valid for 5 minutes (300s)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_upstream</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:6197"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Upstream running on 127.0.0.1:6197"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="s">"Cached Content (TTL 300s)"</span><span class="p">;</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Content-Length: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Cache-Control: public, max-age=300</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Connection: close</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> </span><span class="se">\r\n</span><span class="err">\</span><span class="s"> {}"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">(),</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nf">set_compression_dict_content</span><span class="p">(</span><span class="nn">Cow</span><span class="p">::</span><span class="nf">Borrowed</span><span class="p">(</span><span class="s">b""</span><span class="p">));</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_upstream</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">PurgeProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6196"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Purge Proxy running on 0.0.0.0:6196"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will cache an item, verify it is cached, delete it, and verify it is gone.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 46_cache_purge </code></pre> </div> <h3> 2. Prime the Cache (Miss) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6196/file </code></pre> </div> <ul> <li> <strong>Log:</strong> <code>(3) Cache Miss: Connecting to Upstream...</code> </li> <li> <strong>Response Headers:</strong> <code>Cache-Control: public, max-age=300</code> </li> </ul> <h3> 3. Verify Hit </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6196/file </code></pre> </div> <ul> <li> <strong>Log:</strong> (No upstream connection log).</li> <li> <strong>Response Headers:</strong> <code>Age: 6</code> (Served from memory).</li> </ul> <h3> 4. Execute Purge </h3> <p>We use <code>-X PURGE</code> to change the HTTP verb.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> <span class="nt">-X</span> PURGE http://172.28.0.10:6196/file </code></pre> </div> <ul> <li> <strong>Log:</strong> <code>(2) Decision: Method is PURGE. Hijacking request to delete item.</code> </li> <li> <strong>Response:</strong> <code>200 OK</code> </li> </ul> <h3> 5. Verify Deletion (Miss) </h3> <p>Run the GET command again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-v</span> http://172.28.0.10:6196/file </code></pre> </div> <ul> <li> <strong>Log:</strong> <code>(3) Cache Miss: Connecting to Upstream...</code> </li> <li> <strong>Result:</strong> The proxy went back to the upstream, proving the cache entry was deleted.</li> </ul> <h1> Lesson 47: Stale-While-Revalidate (SWR) </h1> <p>In a standard caching setup, when an item expires (TTL hits 0), the very next user to request it suffers a "Cache Miss." They must wait for the backend to generate a fresh response. If your backend takes 2 seconds, that user waits 2 seconds.</p> <p><strong>Stale-While-Revalidate (SWR)</strong> eliminates this latency.</p> <ul> <li> <strong>The Logic:</strong> If an item is expired but <em>recently</em> expired (e.g., within 10 seconds), serve the old data <strong>immediately</strong> (0ms latency).</li> <li> <strong>The Magic:</strong> While the user walks away happy with their (slightly old) data, the proxy triggers a <strong>background fetch</strong> to update the cache.</li> <li> <strong>The Result:</strong> The next user gets the fresh data, and <em>nobody</em> ever waited for the backend.</li> </ul> <h2> Key Concepts </h2> <h3> 1. The SWR Window </h3> <p>SWR introduces a "grace period" after the <code>max-age</code> expires.</p> <ul> <li> <strong>Fresh (0-5s):</strong> Serve from cache.</li> <li> <strong>Stale Window (5-15s):</strong> Serve stale content + Background Update.</li> <li> <strong>Dead (&gt;15s):</strong> Content is too old. Block and fetch.</li> </ul> <h3> 2. <code>should_serve_stale</code> Hook </h3> <p>This is the most critical part of the implementation. By default, Pingora is conservative; it will <em>not</em> serve stale data just because you configured a window. You must explicitly authorize it by implementing the <code>should_serve_stale</code> method in the <code>ProxyHttp</code> trait.</p> <ul> <li> <strong>Return <code>true</code>:</strong> "Yes, I accept the risk of serving old data to keep latency low."</li> </ul> <h3> 3. Cache Locking </h3> <p>SWR relies heavily on the <code>CacheLock</code>. When the item enters the Stale Window, Pingora needs to coordinate:</p> <ul> <li> <strong>Thread A:</strong> Gets the lock, triggers the background fetch.</li> <li> <strong>Thread B:</strong> Sees the lock is busy, sees that stale data is available, and serves it immediately.</li> </ul> <h2> The Code (<code>examples/47_stale_while_revalidate.rs</code>) </h2> <p>We configure a <strong>5s Fresh</strong> window and a <strong>10s SWR</strong> window. We also use a slow mock upstream (2s latency) to prove that the client does not wait during the SWR phase.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">once_cell</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="n">Lazy</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">http</span><span class="p">::</span><span class="n">ResponseHeader</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::{</span><span class="n">MemCache</span><span class="p">,</span> <span class="n">CacheKey</span><span class="p">,</span> <span class="n">CacheMetaDefaults</span><span class="p">,</span> <span class="n">RespCacheable</span><span class="p">,</span> <span class="n">CachePhase</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">cache_control</span><span class="p">::</span><span class="n">CacheControl</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">lock</span><span class="p">::</span><span class="n">CacheLock</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">borrow</span><span class="p">::</span><span class="n">Cow</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nn">atomic</span><span class="p">::{</span><span class="n">AtomicUsize</span><span class="p">,</span> <span class="n">Ordering</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">static</span> <span class="n">MEM_CACHE</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">MemCache</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">MemCache</span><span class="p">::</span><span class="n">new</span><span class="p">);</span> <span class="k">static</span> <span class="n">CACHE_LOCK</span><span class="p">:</span> <span class="n">Lazy</span><span class="o">&lt;</span><span class="n">CacheLock</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Lazy</span><span class="p">::</span><span class="nf">new</span><span class="p">(||</span> <span class="nn">CacheLock</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">5</span><span class="p">)));</span> <span class="k">static</span> <span class="n">CONTENT_VERSION</span><span class="p">:</span> <span class="n">AtomicUsize</span> <span class="o">=</span> <span class="nn">AtomicUsize</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">SWRProxy</span><span class="p">;</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">SWRProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="p">();</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{}</span> <span class="c1">// 1. Enable Cache with Locking</span> <span class="k">fn</span> <span class="nf">request_cache_filter</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">key</span> <span class="o">=</span> <span class="nn">CacheKey</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">(),</span> <span class="s">""</span><span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.enable</span><span class="p">(</span> <span class="o">&amp;*</span><span class="n">MEM_CACHE</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="o">&amp;*</span><span class="n">CACHE_LOCK</span><span class="p">),</span> <span class="c1">// Lock is required for SWR coordination</span> <span class="nb">None</span> <span class="p">);</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.set_cache_key</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6199</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"swr.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">response_cache_filter</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Session</span><span class="p">,</span> <span class="n">resp</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ResponseHeader</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">RespCacheable</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cc</span> <span class="o">=</span> <span class="nn">CacheControl</span><span class="p">::</span><span class="nf">from_resp_headers</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="c1">// 2. Configure Defaults</span> <span class="c1">// Fresh: 5s. </span> <span class="c1">// Stale-While-Revalidate: 10s.</span> <span class="k">let</span> <span class="n">defaults</span> <span class="o">=</span> <span class="nn">CacheMetaDefaults</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="p">|</span><span class="n">status</span><span class="p">|</span> <span class="k">if</span> <span class="n">status</span><span class="nf">.as_u16</span><span class="p">()</span> <span class="o">==</span> <span class="mi">200</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">5</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">None</span> <span class="p">},</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">0</span> <span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">pingora_cache</span><span class="p">::</span><span class="nn">filters</span><span class="p">::</span><span class="nf">resp_cacheable</span><span class="p">(</span> <span class="n">cc</span><span class="nf">.as_ref</span><span class="p">(),</span> <span class="n">resp</span><span class="nf">.clone</span><span class="p">(),</span> <span class="k">false</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">defaults</span> <span class="p">))</span> <span class="p">}</span> <span class="c1">// 3. The Critical Hook: Authorize Serving Stale</span> <span class="k">fn</span> <span class="nf">should_serve_stale</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">,</span> <span class="n">error</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">bool</span> <span class="p">{</span> <span class="c1">// If error is None, it means we are revalidating (expired but clean).</span> <span class="c1">// Return true to allow SWR.</span> <span class="k">match</span> <span class="n">error</span> <span class="p">{</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="k">true</span><span class="p">,</span> <span class="nf">Some</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="k">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">phase</span> <span class="o">=</span> <span class="n">session</span><span class="py">.cache</span><span class="nf">.phase</span><span class="p">();</span> <span class="k">match</span> <span class="n">phase</span> <span class="p">{</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Hit</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Status: HIT (Fresh) - Instant Response"</span><span class="p">),</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Miss</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Status: MISS (Fetching) - Slow Response"</span><span class="p">),</span> <span class="c1">// This is the SWR State</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Stale</span> <span class="p">|</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">StaleUpdating</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Status: SWR ACTIVATED (Serving Stale while Updating)"</span><span class="p">);</span> <span class="p">}</span> <span class="nn">CachePhase</span><span class="p">::</span><span class="n">Expired</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Status: EXPIRED (Too Old) - Blocking Fetch"</span><span class="p">),</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Status: {:?}"</span><span class="p">,</span> <span class="n">phase</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 4. Slow Upstream (2s latency)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_slow_upstream</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:6199"</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Slow Upstream running on 127.0.0.1:6199"</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// Simulate slow backend</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">2</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">version</span> <span class="o">=</span> <span class="n">CONTENT_VERSION</span><span class="nf">.fetch_add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nn">Ordering</span><span class="p">::</span><span class="n">SeqCst</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Content Version {}"</span><span class="p">,</span> <span class="n">version</span><span class="p">);</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Content-Length: {}</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Cache-Control: public, max-age=5, stale-while-revalidate=10</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> Connection: close</span><span class="se">\r\n</span><span class="err">\</span><span class="s"> </span><span class="se">\r\n</span><span class="err">\</span><span class="s"> {}"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">(),</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="nn">pingora_cache</span><span class="p">::</span><span class="nf">set_compression_dict_content</span><span class="p">(</span><span class="nn">Cow</span><span class="p">::</span><span class="nf">Borrowed</span><span class="p">(</span><span class="s">b""</span><span class="p">));</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="nf">run_slow_upstream</span><span class="p">());</span> <span class="p">});</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_proxy</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">SWRProxy</span><span class="p">);</span> <span class="n">my_proxy</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6198"</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"SWR Proxy running on 0.0.0.0:6198"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">my_proxy</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will observe the transition from <strong>Miss</strong> (Slow) -&gt; <strong>Hit</strong> (Fast) -&gt; <strong>SWR</strong> (Fast &amp; Stale) -&gt; <strong>Hit</strong> (Fast &amp; Updated).</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 47_stale_while_revalidate </code></pre> </div> <h3> 2. Initial Fetch (Miss) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6198/ </code></pre> </div> <ul> <li> <strong>Time:</strong> ~2 seconds.</li> <li> <strong>Output:</strong> <code>Content Version 1</code> </li> <li> <strong>Log:</strong> <code>Status: MISS (Fetching)</code> </li> </ul> <h3> 3. Immediate Retry (Hit) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6198/ </code></pre> </div> <ul> <li> <strong>Time:</strong> Instant.</li> <li> <strong>Output:</strong> <code>Content Version 1</code> </li> <li> <strong>Log:</strong> <code>Status: HIT (Fresh)</code> </li> </ul> <h3> 4. Trigger SWR (Wait 7s) </h3> <p>The content is now 7 seconds old (Fresh limit was 5s).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sleep </span>7 docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6198/ </code></pre> </div> <ul> <li> <strong>Time:</strong> <strong>Instant!</strong> (This is the key victory).</li> <li> <strong>Output:</strong> <code>Content Version 1</code> (Stale data).</li> <li> <strong>Log:</strong> <code>Status: SWR ACTIVATED</code> </li> </ul> <h3> 5. Verify Background Update (Wait 3s) </h3> <p>Wait for the background fetch to finish, then check again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sleep </span>3 docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6198/ </code></pre> </div> <ul> <li> <strong>Time:</strong> Instant.</li> <li> <strong>Output:</strong> <code>Content Version 2</code> (Fresh data).</li> <li> <strong>Log:</strong> <code>Status: HIT (Fresh)</code> </li> </ul> <h1> Module 7: Production Readiness &amp; Architecture </h1> <p>We have spent the last six modules building individual capabilities: Load Balancing, TLS termination, Upstream Health Checks, Traffic Control, and Caching. We have a collection of powerful scripts, but we don't yet have a cohesive <strong>platform</strong>.</p> <p>In this final module, we transition from writing "example code" to building <strong>production software</strong>. We will refactor our logic into reusable libraries, instrument the system with industry-standard observability tools, and finally assemble every concept we've learned into a single, unified API Gateway.</p> <p>We will cover:</p> <ul> <li> <strong>Observability:</strong> Implementing Prometheus metrics to visualize request rates, latency, and error codes in real-time. You can't manage what you can't measure.</li> <li> <strong>Modularity:</strong> Refactoring our monolithic <code>main.rs</code> files into a clean, reusable <code>gateway</code> library. This is how you structure Rust projects for scale.</li> <li> <strong>The Capstone:</strong> We will build the <strong>Final API Gateway</strong>. It will feature: <ul> <li>Zero-downtime reconfiguration.</li> <li>Weighted Load Balancing with Health Checks.</li> <li>Rate Limiting &amp; Authentication.</li> <li>In-Memory Caching with Stale-While-Revalidate.</li> <li>Prometheus Metrics export.</li> </ul> </li> </ul> <p>By the end of this module, you will have a template for a high-performance Rust proxy that is ready for deployment.</p> <h1> Lesson 48: Observability </h1> <p>You cannot optimize what you cannot measure. In a production environment, knowing <em>that</em> the server is running isn't enough; you need to know <em>how</em> it is running. Are requests taking 10ms or 10s? Is the error rate 0.1% or 5%?</p> <p>In this lesson, we add <strong>Prometheus Metrics</strong> to our proxy. We will implement two planes of operation:</p> <ol> <li> <strong>Traffic Plane (Port 6199):</strong> Where user traffic flows.</li> <li> <strong>Control Plane (Port 6200):</strong> Where metrics are scraped by your monitoring system.</li> </ol> <h2> Key Concepts </h2> <h3> 1. The "Two-Registry" Trap </h3> <p>This is the most common pitfall when adding metrics to Pingora.<br> Pingora uses the <code>prometheus</code> crate internally to expose its built-in server metrics. It exposes these via <code>Service::prometheus_http_service()</code>.</p> <p><strong>The Danger:</strong> If your <code>Cargo.toml</code> includes a version of the <code>prometheus</code> crate that differs from the one Pingora uses, Rust may compile <strong>two separate copies</strong> of the library.</p> <ul> <li> <strong>Copy A (Pingora's):</strong> Connected to the HTTP endpoint on port 6200.</li> <li> <strong>Copy B (Yours):</strong> Where you register your custom counters.</li> </ul> <p><strong>The Result:</strong> You register metrics, but the endpoint returns nothing.<br> <strong>The Fix:</strong> Always check which version Pingora depends on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cargo tree <span class="nt">-p</span> pingora | <span class="nb">grep </span>prometheus </code></pre> </div> <p>Ensure your <code>Cargo.toml</code> matches this version exactly.</p> <h3> 2. The <code>CTX</code> Timer </h3> <p>To measure latency, we need state that persists from the <em>start</em> of the request to the <em>end</em>.</p> <ul> <li> <strong><code>new_ctx</code>:</strong> Runs when the request starts. We save <code>Instant::now()</code>.</li> <li> <strong><code>logging</code>:</strong> Runs when the request finishes (even if it failed). We calculate <code>elapsed()</code> and update the Histogram.</li> </ul> <h2> The Code (<code>examples/48_observability.rs</code>) </h2> <p>We simulate two upstreams: "Blue" (Fast, ~10ms) and "Green" (Slow, ~100ms) to generate interesting histogram data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">async_trait</span><span class="p">::</span><span class="n">async_trait</span><span class="p">;</span> <span class="k">use</span> <span class="k">log</span><span class="p">::</span><span class="n">info</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">prelude</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">server</span><span class="p">::{</span><span class="nn">configuration</span><span class="p">::</span><span class="n">Opt</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">upstreams</span><span class="p">::</span><span class="nn">peer</span><span class="p">::</span><span class="n">HttpPeer</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pingora</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="nn">listening</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">prometheus</span><span class="p">::{</span><span class="n">register_histogram</span><span class="p">,</span> <span class="n">register_int_counter</span><span class="p">,</span> <span class="n">Histogram</span><span class="p">,</span> <span class="n">IntCounter</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::</span><span class="nn">atomic</span><span class="p">::{</span><span class="n">AtomicUsize</span><span class="p">,</span> <span class="n">Ordering</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="n">Instant</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">io</span><span class="p">::{</span><span class="n">AsyncReadExt</span><span class="p">,</span> <span class="n">AsyncWriteExt</span><span class="p">};</span> <span class="k">static</span> <span class="n">REQUEST_COUNTER</span><span class="p">:</span> <span class="n">AtomicUsize</span> <span class="o">=</span> <span class="nn">AtomicUsize</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// 1. Context to track timing per-request</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">MetricsContext</span> <span class="p">{</span> <span class="n">start_time</span><span class="p">:</span> <span class="n">Instant</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// 2. Struct holding our metric handles</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">ObservabilityProxy</span> <span class="p">{</span> <span class="n">req_counter</span><span class="p">:</span> <span class="n">IntCounter</span><span class="p">,</span> <span class="n">req_histogram</span><span class="p">:</span> <span class="n">Histogram</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[async_trait]</span> <span class="k">impl</span> <span class="n">ProxyHttp</span> <span class="k">for</span> <span class="n">ObservabilityProxy</span> <span class="p">{</span> <span class="k">type</span> <span class="n">CTX</span> <span class="o">=</span> <span class="n">MetricsContext</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_ctx</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">{</span> <span class="n">MetricsContext</span> <span class="p">{</span> <span class="n">start_time</span><span class="p">:</span> <span class="nn">Instant</span><span class="p">::</span><span class="nf">now</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">upstream_peer</span><span class="p">(</span> <span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">_session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="n">HttpPeer</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="c1">// Round Robin between Blue (Fast) and Green (Slow)</span> <span class="k">let</span> <span class="n">count</span> <span class="o">=</span> <span class="n">REQUEST_COUNTER</span><span class="nf">.fetch_add</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nn">Ordering</span><span class="p">::</span><span class="n">Relaxed</span><span class="p">);</span> <span class="k">let</span> <span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">label</span><span class="p">)</span> <span class="o">=</span> <span class="k">if</span> <span class="n">count</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">{</span> <span class="p">(</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6201</span><span class="p">,</span> <span class="s">"Blue"</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="p">(</span><span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="mi">6202</span><span class="p">,</span> <span class="s">"Green"</span><span class="p">)</span> <span class="p">};</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Forwarding request #{} to {}"</span><span class="p">,</span> <span class="n">count</span><span class="p">,</span> <span class="n">label</span><span class="p">);</span> <span class="k">let</span> <span class="n">peer</span> <span class="o">=</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">HttpPeer</span><span class="p">::</span><span class="nf">new</span><span class="p">((</span><span class="n">addr</span><span class="p">,</span><span class="n">port</span><span class="p">),</span> <span class="k">false</span><span class="p">,</span> <span class="s">"metrics.local"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">peer</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// 3. Record Metrics on Completion</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">logging</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">Session</span><span class="p">,</span> <span class="n">_e</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="n">Error</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">ctx</span><span class="p">:</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">)</span> <span class="k">where</span> <span class="k">Self</span><span class="p">::</span><span class="n">CTX</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span><span class="p">,</span> <span class="p">{</span> <span class="k">let</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">ctx</span><span class="py">.start_time</span><span class="nf">.elapsed</span><span class="p">();</span> <span class="k">let</span> <span class="n">duration_secs</span> <span class="o">=</span> <span class="n">duration</span><span class="nf">.as_secs_f64</span><span class="p">();</span> <span class="c1">// Update Prometheus Registries</span> <span class="k">self</span><span class="py">.req_counter</span><span class="nf">.inc</span><span class="p">();</span> <span class="k">self</span><span class="py">.req_histogram</span><span class="nf">.observe</span><span class="p">(</span><span class="n">duration_secs</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span> <span class="s">"Request finished. Path: {}, Latency: {:.4}s, Total Request: {}"</span><span class="p">,</span> <span class="n">session</span><span class="nf">.req_header</span><span class="p">()</span><span class="py">.uri</span><span class="nf">.path</span><span class="p">(),</span> <span class="n">duration_secs</span><span class="p">,</span> <span class="k">self</span><span class="py">.req_counter</span><span class="nf">.get</span><span class="p">()</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Mock Upstream Helper (Blue/Green)</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run_mock_upstream</span><span class="p">(</span><span class="n">port</span><span class="p">:</span> <span class="nb">u16</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">delay_ms</span><span class="p">:</span> <span class="nb">u64</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">listener</span> <span class="o">=</span> <span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"127.0.0.1:{}"</span><span class="p">,</span> <span class="n">port</span><span class="p">))</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"{} Upstream started on port {}"</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">port</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">((</span><span class="k">mut</span> <span class="n">stream</span><span class="p">,</span> <span class="n">_</span><span class="p">))</span> <span class="o">=</span> <span class="n">listener</span><span class="nf">.accept</span><span class="p">()</span><span class="k">.await</span> <span class="p">{</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="n">name</span><span class="nf">.to_string</span><span class="p">();</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="mi">1024</span><span class="p">];</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.read</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">buf</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_millis</span><span class="p">(</span><span class="n">delay_ms</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Response from {}"</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="s">Content-Length: {}</span><span class="se">\r\n</span><span class="s">Connection: close</span><span class="se">\r\n\r\n</span><span class="s">{}</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">body</span><span class="nf">.len</span><span class="p">()</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">body</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">stream</span><span class="nf">.write_all</span><span class="p">(</span><span class="n">response</span><span class="nf">.as_bytes</span><span class="p">())</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="nn">std</span><span class="p">::</span><span class="nn">error</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="nn">env_logger</span><span class="p">::</span><span class="nf">init</span><span class="p">();</span> <span class="k">let</span> <span class="n">opt</span> <span class="o">=</span> <span class="nn">Opt</span><span class="p">::</span><span class="nf">parse_args</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">my_server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">opt</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="n">my_server</span><span class="nf">.bootstrap</span><span class="p">();</span> <span class="c1">// Start background mocks</span> <span class="nn">std</span><span class="p">::</span><span class="nn">thread</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(||</span> <span class="p">{</span> <span class="k">let</span> <span class="n">rt</span> <span class="o">=</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">runtime</span><span class="p">::</span><span class="nn">Runtime</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">rt</span><span class="nf">.block_on</span><span class="p">(</span><span class="k">async</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nd">join!</span><span class="p">(</span> <span class="nf">run_mock_upstream</span><span class="p">(</span><span class="mi">6201</span><span class="p">,</span> <span class="s">"Blue"</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="nf">run_mock_upstream</span><span class="p">(</span><span class="mi">6202</span><span class="p">,</span> <span class="s">"Green"</span><span class="p">,</span> <span class="mi">100</span><span class="p">),</span> <span class="p">)</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// 4. Initialize and Register Metrics</span> <span class="c1">// We register them once here. The `ObservabilityProxy` will hold the handles.</span> <span class="k">let</span> <span class="n">proxy</span> <span class="o">=</span> <span class="n">ObservabilityProxy</span> <span class="p">{</span> <span class="n">req_counter</span><span class="p">:</span> <span class="nd">register_int_counter!</span><span class="p">(</span> <span class="s">"http_requests_total"</span><span class="p">,</span> <span class="s">"Total number of HTTP requests processed."</span> <span class="p">)</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="n">req_histogram</span><span class="p">:</span> <span class="nd">register_histogram!</span><span class="p">(</span> <span class="s">"http_request_duration_seconds"</span><span class="p">,</span> <span class="s">"The HTTP request latency in seconds."</span> <span class="p">)</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">proxy_service</span> <span class="o">=</span> <span class="nf">http_proxy_service</span><span class="p">(</span><span class="o">&amp;</span><span class="n">my_server</span><span class="py">.configuration</span><span class="p">,</span> <span class="n">proxy</span><span class="p">);</span> <span class="n">proxy_service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6199"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">proxy_service</span><span class="p">);</span> <span class="c1">// 5. Add the Prometheus Endpoint Service</span> <span class="c1">// This exposes the /metrics endpoint on port 6200</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">prometheus_service</span> <span class="o">=</span> <span class="nn">Service</span><span class="p">::</span><span class="nf">prometheus_http_service</span><span class="p">();</span> <span class="n">prometheus_service</span><span class="nf">.add_tcp</span><span class="p">(</span><span class="s">"0.0.0.0:6200"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.add_service</span><span class="p">(</span><span class="n">prometheus_service</span><span class="p">);</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Proxy running on 6199, Metrics on 6200"</span><span class="p">);</span> <span class="n">my_server</span><span class="nf">.run_forever</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Verification </h2> <p>We will verify that traffic on the proxy port generates data on the metrics port.</p> <h3> 1. Start the Proxy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RUST_LOG</span><span class="o">=</span>info cargo run <span class="nt">--example</span> 48_observability </code></pre> </div> <h3> 2. Check Empty Metrics </h3> <p>Before sending traffic, ask Prometheus what it sees.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6200/ </code></pre> </div> <ul> <li> <strong>Result:</strong> You should see the HELP and TYPE lines, but the counter should be <code>0</code>.</li> </ul> <h3> 3. Generate Traffic </h3> <p>Send 3 requests. 2 will go to Blue (Fast), 1 to Green (Slow).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6199/ docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6199/ docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6199/ </code></pre> </div> <h3> 4. Verify Metrics </h3> <p>Check the metrics endpoint again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>pingora_client_1 curl <span class="nt">-s</span> http://172.28.0.10:6200/ </code></pre> </div> <p><strong>Analyze the Output:</strong></p> <ul> <li> <code>http_requests_total 3</code>: Confirms 3 requests were tracked.</li> <li><strong>Histograms:</strong></li> <li> <code>http_request_duration_seconds_bucket{le="0.025"} 2</code>: Two requests (Blue) finished in under 25ms.</li> <li> <code>http_request_duration_seconds_bucket{le="0.25"} 3</code>: All three requests finished in under 250ms (since Green takes ~100ms).</li> </ul> <p>This confirms we have granular visibility into the performance of our upstreams.</p> rust programming tutorial opensource Warren Jitsing Mon, 05 Jan 2026 07:56:52 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/vanilla-html-css-javascript-markdown-syntax-highlighting-mathjax-article-viewer-3f3e https://dev.to/warren_jitsing_dd1c1d6fc6/vanilla-html-css-javascript-markdown-syntax-highlighting-mathjax-article-viewer-3f3e <p>GitHub: <a href="https://github.com/InfiniteConsult/0003_html_css_javascript_article_viewer/" rel="noopener noreferrer">https://github.com/InfiniteConsult/0003_html_css_javascript_article_viewer/</a></p> <h1> Introduction </h1> <p>Writing deeply technical content for general-purpose platforms often feels like a compromise. Code snippets become unreadable blocks of poorly formatted text, complex mathematical equations are impossible to typeset, and the overall presentation can lack the clarity that the subject matter deserves. These limitations aren't just an inconvenience; they are a barrier to effective communication.</p> <p>This article rejects that compromise. Our goal is to build a high-quality, self-hosted, single-page application from first principles, giving us complete control over the reading experience. We will construct a professional-grade article viewer that renders Markdown, code, and mathematics exactly as they were intended to be seen.</p> <p>To achieve this, we will use a carefully selected, modern toolchain. For the backend, we'll use <strong>FastAPI</strong>, a high-performance Python framework perfect for building robust and efficient APIs. For the frontend, we will use <strong>vanilla HTML, CSS, and JavaScript</strong>. This framework-free approach will allow us to create a lean, fast, and universally understandable user interface while focusing on the fundamental building blocks of the web.</p> <h2> Why Not Use an Existing Tool? </h2> <p>Before building a system from scratch, it's worth asking if a tool already exists for the job. The closest solutions are <strong>static site generators</strong>, and for a Python developer, the most well-known is <strong>Sphinx</strong>.</p> <p>While Sphinx is the gold standard for Python project documentation, it's a heavyweight tool designed primarily for reStructuredText (rST). For our purposes, it presents a few challenges: rendering from Markdown requires extensions like MyST, and configuring beautiful math typesetting can be complex. Other excellent tools like <strong>MkDocs</strong>, <strong>Jekyll</strong>, or the incredibly fast <strong>Hugo</strong> are Markdown-native but still introduce their own build steps, plugins, and thematic abstractions.</p> <p>The goal of this article is not just to create a viewer, but to understand <em>how</em> such a system works from first principles. By building our own, we gain complete control and deconstruct the fundamental mechanics of a modern, API-driven web application, a skill that is far more valuable than learning the configuration for any single tool.</p> <h1> Foundations </h1> <h2> The Anatomy of a Modern Web Application </h2> <p>Before we write a single line of code, it's essential to understand the architectural patterns that govern modern web applications. Our viewer is built on three fundamental concepts: the client-server model, the single-page application, and the core technologies of the frontend.</p> <h3> The Client-Server Model </h3> <p>At its heart, our application uses a <strong>client-server model</strong>. The easiest way to visualize this is with an analogy:</p> <ul> <li>The <strong>backend</strong> (our FastAPI server) is the <strong>librarian</strong>. It sits in a vast library, managing the entire collection of books (the articles). The librarian doesn't care how the books are read; its sole job is to protect the collection, know where every book is, and provide a specific one when an authorized request is made.</li> <li>The <strong>frontend</strong> (our browser application) is the <strong>reading room</strong>. It has the tables, chairs, and lights—the entire user interface—but it has no books of its own. To show something to the user, it must send a request to the librarian.</li> </ul> <p>This separation is powerful. It allows the backend to focus purely on data management and business logic, while the frontend is free to focus entirely on creating the best possible user experience.</p> <h3> The Single-Page Application (SPA) </h3> <p>In a traditional website, clicking a link causes the browser to request an entirely new HTML page from the server, resulting in a full, disruptive page reload. Our viewer, however, is a <strong>Single-Page Application (SPA)</strong>.</p> <p>This means the user loads a single, lightweight HTML "shell" only once. From that point on, JavaScript takes over. When you click on a different article, the JavaScript code intercepts the action. Instead of requesting a whole new page, it makes a quiet, background data request to our backend API. When the new content arrives, the JavaScript dynamically rewrites the relevant parts of the current page. The result is a fast, fluid experience with no jarring reloads, feeling more like a native desktop application than a traditional website.</p> <h3> The Frontend Trinity: HTML, CSS, and JavaScript </h3> <p>The entire user interface—our "reading room"—is constructed from three core technologies. The best way to understand their distinct roles is with the "House Analogy."</p> <h4> HTML: The Structure &amp; Framing </h4> <p>HTML (HyperText Markup Language) is the <strong>blueprint and the physical structure</strong> of the house. It defines all the essential components and their hierarchy: the foundation, the walls that form the rooms, the ceilings, the doorways, and the window openings. It’s the raw, unadorned structure—the nouns of the house. Without it, there's nothing to see or interact with.</p> <h4> CSS: The Presentation &amp; Styling </h4> <p>CSS (Cascading Style Sheets) is the <strong>interior and exterior design</strong>. It’s the paint on the walls, the type of flooring, the style of the window frames, the furniture, the light fixtures, and the landscaping outside. It makes the structure visually appealing but doesn't change what the structure <em>is</em>. You can completely redecorate (change the CSS) without knocking down any walls (changing the HTML).</p> <h4> JavaScript: The Interactivity &amp; Utilities </h4> <p>JavaScript is the <strong>electricity, plumbing, and appliances</strong>. It’s what makes the house functional and interactive. It’s the light switches, the running water, the garage door opener, the security system, and the dishwasher. It allows the inhabitants to <em>do things</em> that change the state of the house—opening doors, turning on lights, and making things happen in response to an action. It's the verbs that bring the house to life.</p> <h2> Digging Deeper into the Frontend </h2> <h3> HTML: The Vocabulary of Structure </h3> <p>HTML tags are the vocabulary we use to describe the structure and meaning of a document. If HTML is the blueprint for our house, these tags are the specific labels for components like "wall," "window," and "door." They give the browser the instructions it needs to assemble the page correctly.</p> <h4> The Document Shell </h4> <p>Every HTML document has a fundamental structure.</p> <ul> <li> <strong><code>&lt;html&gt;</code></strong>: The root of the entire document. It's the plot of land upon which our entire house is built.</li> <li> <strong><code>&lt;body&gt;</code></strong>: This tag contains all the content that is visible to the user—the text, images, and links. In our house analogy, this is the entire physical house that sits on the plot of land.</li> </ul> <h4> Metadata and External Resources </h4> <p>These tags typically live inside a <code>&lt;head&gt;</code> tag (which is implicitly present) and provide information <em>about</em> the page or link to external files. They are like the house's blueprints, address, and utility connections—essential for the house to function but not part of the visible structure itself.</p> <ul> <li> <strong><code>&lt;meta&gt;</code></strong>: Provides metadata about the page, like its character encoding (<code>charset="UTF-8"</code>) and how it should be displayed on mobile devices (<code>viewport</code>).</li> <li> <strong><code>&lt;title&gt;</code></strong>: Sets the title of the browser tab. It's the name on the mailbox.</li> <li> <strong><code>&lt;link&gt;</code></strong>: Connects external resources. In our project, we use it exclusively to link our CSS stylesheet—the "interior design" plans for our house.</li> <li> <strong><code>&lt;script&gt;</code></strong>: Loads and executes scripts. We use this to bring in our "electricity and plumbing"—the external JavaScript libraries (<code>marked.js</code>, <code>highlight.js</code>) and our own <code>app.js</code>.</li> </ul> <h4> Semantic Sections </h4> <p>These tags define the major, meaningful regions of our user interface, much like naming the rooms in a house.</p> <ul> <li> <strong><code>&lt;nav&gt;</code></strong>: Represents a section dedicated to navigation. In our viewer, it's the sidebar containing the list of articles. It's the "hallway" that connects to all the other rooms.</li> <li> <strong><code>&lt;main&gt;</code></strong>: Represents the primary, dominant content of the page. For us, this is the area where the rendered article is displayed. It's the "living room" of our house.</li> </ul> <h4> Text and Content Structuring </h4> <p>These are the block-level tags used to organize the text and content that the user reads.</p> <ul> <li> <strong><code>&lt;h1&gt;</code>, <code>&lt;h2&gt;</code>, <code>&lt;h3&gt;</code></strong>: Heading tags. They create a document outline and a visual hierarchy, acting as the chapter titles and section headings of a book.</li> <li> <strong><code>&lt;p&gt;</code></strong>: The paragraph tag, used for standard blocks of text.</li> <li> <strong><code>&lt;ul&gt;</code></strong>, <strong><code>&lt;ol&gt;</code></strong>, and <strong><code>&lt;li&gt;</code></strong>: Used to create lists. <code>&lt;ul&gt;</code> is an <strong>u</strong>nordered <strong>l</strong>ist (bullet points), while <code>&lt;ol&gt;</code> is an <strong>o</strong>rdered <strong>l</strong>ist (numbers). In both cases, <code>&lt;li&gt;</code> represents a single <strong>l</strong>ist <strong>i</strong>tem.</li> <li> <strong><code>&lt;hr&gt;</code></strong>: A <strong>h</strong>orizontal <strong>r</strong>ule, used to create a thematic break or a dividing line between sections of content.</li> </ul> <h4> Code and Preformatted Text </h4> <p>These tags are specialized for displaying source code.</p> <ul> <li> <strong><code>&lt;code&gt;</code></strong>: An inline tag that semantically marks a piece of text as being a snippet of computer code.</li> <li> <strong><code>&lt;pre&gt;</code></strong>: A block-level tag that represents <strong>pre</strong>formatted text. The browser will render the content inside it exactly as it is written, preserving all whitespace, line breaks, and indentation. The combination <code>&lt;pre&gt;&lt;code&gt;...&lt;/code&gt;&lt;/pre&gt;</code> is the standard way to display a block of code.</li> </ul> <h4> Generic Containers </h4> <p>Sometimes, we need to group elements for styling or layout purposes without implying any specific meaning.</p> <ul> <li> <strong><code>&lt;div&gt;</code></strong>: The generic block-level container. It's an "empty box" used to group larger sections of content. Our two-column layout is created by placing the <code>&lt;nav&gt;</code> and <code>&lt;main&gt;</code> elements inside a parent <code>&lt;div&gt;</code>.</li> <li> <strong><code>&lt;span&gt;</code></strong>: The generic inline container. It's used to wrap a small piece of text <em>within</em> a larger block (like a paragraph) to apply specific styling, without creating a line break. It's like using a highlighter on a single word in a sentence.</li> </ul> <h3> CSS: The Language of Presentation </h3> <p>If HTML provides the structure of our house, CSS provides the interior and exterior design. It's a set of rules that tells the browser how every element—from the largest <code>&lt;div&gt;</code> to the smallest <code>&lt;span&gt;</code>—should look. A CSS rule has two main parts: a <strong>selector</strong> to target an element, and a set of <strong>declarations</strong> (properties and their values) to style it.</p> <h4> Selectors: Targeting the Right Elements </h4> <p>Before you can style something, you must select it. We've used simple selectors like tag names (<code>body</code>), IDs (<code>#content</code>), and classes (<code>.container</code>), but CSS also provides powerful "pseudo-selectors" that target elements based on their state or position.</p> <ul> <li> <p><strong><code>:hover</code> (Pseudo-class)</strong>: This applies styles only when the user's cursor is over an element. It's the primary way to create interactive feedback, like changing a link's color when you mouse over it.<br> </p> <pre class="highlight css"><code><span class="nt">a</span><span class="nd">:hover</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--link-hover-color</span><span class="p">);</span> <span class="p">}</span> </code></pre> </li> <li> <p><strong><code>:nth-child(n)</code> (Pseudo-selector)</strong>: This selects elements based on their order within a parent. It's incredibly powerful for styling lists or tables without adding extra classes. For example, you could style every even-numbered list item:<br> </p> <pre class="highlight css"><code><span class="nt">li</span><span class="nd">:nth-child</span><span class="o">(</span><span class="nt">even</span><span class="o">)</span> <span class="p">{</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#333</span><span class="p">;</span> <span class="p">}</span> </code></pre> </li> </ul> <h4> The Box Model: The Foundation of All Layout </h4> <p>Every single element on a webpage is a rectangular box. The <strong>CSS Box Model</strong> is the rule that governs how the size of that box and the space around it are calculated. Understanding this is the key to mastering CSS layout.</p> <p>Imagine a framed picture on a wall. The box is made of four layers, from the inside out:</p> <ol> <li> <strong>Content</strong>: The actual picture (or text/image). Its size is controlled by <code>width</code> and <code>height</code>.</li> <li> <strong><code>padding</code></strong>: The transparent space between the content and its border. This is the matting inside the picture frame. We use properties like <code>padding</code>, <code>padding-top</code>, <code>padding-left</code>, etc.</li> <li> <strong><code>border</code></strong>: A line that goes around the padding. This is the physical picture frame itself. We use properties like <code>border</code>, <code>border-left</code>, <code>border-radius</code>, etc.</li> <li> <strong><code>margin</code></strong>: The transparent space <em>outside</em> the border. This is what pushes other elements away. It's the space between this picture frame and the other frames on the wall. We use properties like <code>margin</code>, <code>margin-top</code>, etc.</li> </ol> <h4> Custom Properties (CSS Variables) </h4> <p>CSS Variables are a modern feature that allows us to define reusable values, which is essential for creating clean and maintainable stylesheets. In our <code>style.css</code>, we define them in the <code>:root</code> selector, making them globally available.</p> <ul> <li> <strong>Defining a variable</strong>: You use a double-dash prefix, like <code>--bg-color: #282c34;</code>.</li> <li> <strong>Using a variable</strong>: You use the <code>var()</code> function, like <code>background-color: var(--bg-color);</code>.</li> </ul> <p>The primary benefit is theming. If we want to change the entire site's color scheme, we only need to edit the values in the <code>:root</code> block, and the changes will apply everywhere the variables are used.</p> <h4> Typography: Styling the Text </h4> <p>Typography is the art of arranging type to make written language legible, readable, and appealing when displayed. These CSS properties give you full control over the appearance of your text.</p> <h4> Core Font Properties </h4> <p>These properties define the fundamental characteristics of the font itself.</p> <ul> <li> <strong><code>font-family</code></strong>: Sets the typeface for the text (e.g., <code>Arial</code>, <code>Times New Roman</code>). It's best practice to provide a comma-separated list, known as a "font stack." The browser will try the first font, and if it's not available, it will fall back to the next one in the list.</li> <li> <strong><code>font-size</code></strong>: Controls the size of the text, typically set in pixels (<code>px</code>), ems (<code>em</code>), or rems (<code>rem</code>).</li> <li> <strong><code>font-weight</code></strong>: Controls the thickness of the font characters. Common values are <code>normal</code>, <code>bold</code>, or numeric values like <code>400</code> (normal) and <code>700</code> (bold).</li> <li> <strong><code>font-style</code></strong>: Used to set text to <code>italic</code> or <code>oblique</code>.</li> <li> <strong><code>color</code></strong>: Sets the color of the text itself.</li> </ul> <h4> Paragraph and Spacing Properties </h4> <p>These properties control the arrangement and spacing of text within its container.</p> <ul> <li> <strong><code>line-height</code></strong>: Controls the vertical distance between lines of text. A value of around <code>1.5</code> or <code>1.6</code> (meaning 1.5 times the font size) is generally considered optimal for readability.</li> <li> <strong><code>text-align</code></strong>: Sets the horizontal alignment of text. Common values are <code>left</code>, <code>right</code>, <code>center</code>, and <code>justify</code>.</li> <li> <strong><code>letter-spacing</code></strong>: Adjusts the space between individual characters.</li> <li> <strong><code>word-spacing</code></strong>: Adjusts the space between whole words.</li> <li> <strong><code>text-indent</code></strong>: Indents the first line of text in a block element.</li> </ul> <h4> Text Decoration and Transformation </h4> <p>These properties apply decorative effects to the text.</p> <ul> <li> <strong><code>text-decoration</code></strong>: Adds a decorative line to text. It's most commonly used for <code>underline</code>, but can also be <code>overline</code> or <code>line-through</code>.</li> <li> <strong><code>text-transform</code></strong>: Changes the capitalization of text without altering the source HTML. Values include <code>uppercase</code>, <code>lowercase</code>, and <code>capitalize</code>.</li> </ul> <h4> Layout and Positioning: Arranging the Boxes </h4> <p>These properties are the tools of the architect, used to define the floor plan of our webpage. They control how elements flow, where they are placed, and how they interact with each other.</p> <h4> The <code>display</code> Property </h4> <p>This is the most fundamental layout property. It dictates how an element should behave and how it interacts with the elements around it. The most common values are:</p> <ul> <li> <strong><code>block</code></strong>: The element starts on a new line and takes up the full width available. Our <code>&lt;div&gt;</code>, <code>&lt;p&gt;</code>, and <code>&lt;h1&gt;</code> tags are block-level by default.</li> <li> <strong><code>inline</code></strong>: The element sits within the flow of text and does not start on a new line. <code>&lt;span&gt;</code>, <code>&lt;a&gt;</code>, and <code>&lt;code&gt;</code> are inline elements.</li> <li> <strong><code>grid</code></strong>: This turns an element into a grid container, allowing you to create complex, two-dimensional layouts. We use this on our main <code>.container</code> to create the sidebar and content areas.</li> <li> <strong><code>flex</code></strong>: Another powerful value that turns an element into a "flexbox" container, designed for creating flexible, one-dimensional layouts.</li> </ul> <h4> CSS Grid </h4> <p>We use CSS Grid for our main page layout. When you set <code>display: grid</code> on a container, you unlock a suite of properties to control its children.</p> <ul> <li> <strong><code>grid-template-columns</code></strong>: This property defines the number and width of the columns in the grid. In our stylesheet, <code>grid-template-columns: 280px 1fr;</code> creates two columns: the first is a fixed <code>280px</code> wide, and the second (<code>1fr</code>) takes up the remaining "one fraction" of the available space.</li> </ul> <h4> The <code>position</code> Property </h4> <p>By default, all elements are <code>position: static</code>, meaning they sit in the normal document flow. The <code>position</code> property allows you to change this behavior.</p> <ul> <li> <strong><code>relative</code></strong>: The element is positioned <em>relative to its normal position</em>. You can then use <code>top</code>, <code>left</code>, etc., to shift it without affecting the layout of other elements.</li> <li> <strong><code>absolute</code></strong>: The element is completely removed from the normal flow and is positioned <em>relative to its nearest positioned ancestor</em>. This is the key to creating overlays, tooltips, and pop-ups.</li> <li> <strong><code>fixed</code></strong>: The element is positioned <em>relative to the browser viewport</em>. It will stay in the same place even when the user scrolls the page, which is perfect for fixed headers or "Back to Top" buttons.</li> <li> <strong><code>top</code>, <code>right</code>, <code>bottom</code>, <code>left</code></strong>: These properties are used to specify the exact coordinates for any element with a position other than <code>static</code>.</li> <li> <strong><code>z-index</code></strong>: When elements overlap, <code>z-index</code> controls their stacking order (which one is on top). A higher <code>z-index</code> value brings an element closer to the viewer. It only works on positioned elements.</li> </ul> <h4> Visibility </h4> <ul> <li> <strong><code>visibility</code></strong>: Controls whether an element is visible. The value <code>hidden</code> makes the element invisible, but it still occupies its space in the layout. This is different from <code>display: none</code>, which completely removes the element from the page.</li> </ul> <h4> Historical Context: Older Layout Methods </h4> <p>Before Grid and Flexbox, layouts were built with clever workarounds. You will still encounter these in older code.</p> <ul> <li> <strong><code>float</code></strong>: With values <code>left</code> or <code>right</code>, this property was used to push an element to one side of its container, allowing text and other elements to wrap around it. It was the primary method for creating columns for many years.</li> <li> <strong><code>clear</code></strong>: This property was used to control the behavior of floats, forcing an element to appear "clear" of (below) any floated elements above it.</li> </ul> <h4> Visual Effects and Advanced Topics </h4> <p>These properties control the finer details of an element's appearance, interactivity, and how the browser should handle it.</p> <h4> Backgrounds, Borders, and Shadows </h4> <p>These properties style the "surface" of an element's box.</p> <ul> <li> <strong><code>background-color</code></strong>: Sets a solid background color for an element.</li> <li> <strong><code>background</code></strong>: A shorthand property that allows you to set all background styles (like <code>background-color</code>, <code>background-image</code>, etc.) in a single declaration.</li> <li> <strong><code>border-radius</code></strong>: Used to round the corners of an element's border. A value of <code>50%</code> on a square element will turn it into a circle.</li> <li> <strong><code>box-shadow</code></strong>: Adds shadow effects around an element's frame, which can be used to create a sense of depth or to highlight an element.</li> </ul> <h4> Overflow and Clipping </h4> <p>These properties control what happens when an element's content is larger than its container.</p> <ul> <li> <strong><code>overflow</code></strong>: Defines the behavior for overflowing content. The main values are: <ul> <li> <code>visible</code>: The default. The content overflows the box and is visible.</li> <li> <code>hidden</code>: The content is clipped, and the overflowing part is invisible.</li> <li> <code>scroll</code>: The content is clipped, and scrollbars are always visible, allowing the user to see the rest of the content.</li> <li> <code>auto</code>: The browser decides. Scrollbars are only added if the content actually overflows.</li> </ul> </li> <li> <strong><code>overflow-x</code></strong> and <strong><code>overflow-y</code></strong>: Allow you to control overflow behavior independently for the horizontal and vertical axes.</li> </ul> <h4> Transitions and Animations </h4> <ul> <li> <strong><code>transition</code></strong>: Applies a smooth animation to a property change over a given duration. For example, instead of a link's color changing instantly on hover, a <code>transition: color 0.2s;</code> will make it fade smoothly between the two colors over 0.2 seconds.</li> </ul> <h4> Interactivity and User Experience </h4> <ul> <li> <strong><code>cursor</code></strong>: Controls the appearance of the mouse pointer when it is over an element. Common values include <code>pointer</code> (a hand), <code>text</code> (an I-beam), and <code>wait</code> (a loading icon).</li> <li> <strong><code>user-select</code></strong>: Controls whether the user can select or highlight the text in an element. Setting it to <code>none</code> can be useful for interactive UI elements.</li> <li> <strong><code>outline</code></strong>: An outline is a line drawn <em>outside</em> an element's border. It is most often used to show that an element (like a button or link) has keyboard focus, which is a critical accessibility feature.</li> </ul> <h4> A Note on Vendor Prefixes </h4> <p>There are several properties with prefixes that you may notice from inspection of the rendered webpage code like <strong><code>-webkit-</code></strong>, <strong><code>-moz-</code></strong>, and <strong><code>-ms-</code></strong>. These are known as <strong>vendor prefixes</strong>.</p> <p>Years ago, browser makers (like Chrome/Safari using WebKit, Mozilla using Gecko) used these prefixes to implement experimental CSS features before they were officially standardized. For example, to use <code>border-radius</code>, you once had to write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nt">-webkit-border-radius</span><span class="o">:</span> <span class="err">10</span><span class="nt">px</span><span class="o">;</span> <span class="nt">-moz-border-radius</span><span class="o">:</span> <span class="err">10</span><span class="nt">px</span><span class="o">;</span> <span class="nt">border-radius</span><span class="o">:</span> <span class="err">10</span><span class="nt">px</span><span class="o">;</span> </code></pre> </div> <p><strong>For modern web development, vendor prefixes are rarely needed.</strong> Properties like <code>border-radius</code>, <code>box-shadow</code>, and <code>transition</code> have long been standardized and are supported prefix-free in all current browsers. They are important to recognize when working on older codebases, but you should avoid using them for new projects unless you are using a truly cutting-edge, experimental feature.</p> <h3> JavaScript: Adding Interactivity </h3> <p>If HTML provides the structure and CSS the styling, JavaScript provides the <strong>interactivity</strong>. It is the engine that transforms our static document into a dynamic, responsive application. It handles user input, fetches data from our server, and updates the page in real-time.</p> <p>While the JavaScript language is vast, our approach will be practical and focused. Rather than creating an exhaustive reference, the following five parts will deconstruct the specific concepts used to build our article viewer. We will journey from the fundamental grammar of the language to the powerful asynchronous patterns that define modern web applications, giving you a complete, first-principles understanding of how our code works.</p> <h4> Part 1: JavaScript First Principles: The Core Language </h4> <p>Before we can make a webpage interactive, we must first understand the fundamental grammar and building blocks of the JavaScript language itself. This section covers the core components required to write any basic script, focusing on how we define variables, what types of data they can hold, and how we can use functions and logic to manipulate them.</p> <h5> Variables and Constants </h5> <p>A variable is a named container for storing a value that can be used and changed throughout a program. In modern JavaScript, we primarily use <code>const</code> to declare variables.</p> <ul> <li> <p><strong><code>const</code></strong>: Declares a <strong>constant</strong>, which is a variable whose value cannot be reassigned after it is first defined. This is a best practice for values that we don't intend to change, as it prevents accidental modifications and makes the code's intent clearer. In our <code>app.js</code>, we use it to store references to our HTML elements, which will not change:<br> </p> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">sidebar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">article-list</span><span class="dl">'</span><span class="p">);</span> </code></pre> </li> </ul> <h5> Data Types </h5> <p>Every value in JavaScript has a type. The basic "primitive" types include:</p> <ul> <li> <code>string</code>: For text, enclosed in quotes (e.g., <code>'Hello World'</code>).</li> <li> <code>number</code>: For all numbers, including integers and decimals (e.g., <code>42</code>, <code>3.14</code>).</li> <li> <code>boolean</code>: Represents a logical value of either <code>true</code> or <code>false</code>. The <code>typeof</code> operator can be used to check a variable's type.</li> </ul> <h5> Objects and Arrays: Storing Collections of Data </h5> <ul> <li> <p><strong>Objects</strong>: An object is a collection of related data stored in <code>key: value</code> pairs. It's like a dictionary or a file cabinet drawer. In our code, each article's data is an object.<br> </p> <pre class="highlight javascript"><code><span class="c1">// A conceptual article object</span> <span class="p">{</span> <span class="nl">slug</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0001_basic_fastapi</span><span class="dl">"</span><span class="p">,</span> <span class="nx">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Basic Fastapi</span><span class="dl">"</span> <span class="p">}</span> </code></pre> <p>We access the data inside an object using dot notation, such as <code>article.slug</code>.</p> </li> <li> <p><strong>Arrays</strong>: An array is an ordered list of values. The list of articles we receive from our API is an array.<br> </p> <pre class="highlight javascript"><code><span class="c1">// An array of article objects</span> <span class="p">[</span> <span class="p">{</span><span class="na">slug</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="se">\"</span><span class="s2">...</span><span class="se">\"</span><span class="s2">}, {slug: </span><span class="se">\"</span><span class="s2">...</span><span class="se">\"</span><span class="s2">, title: </span><span class="se">\"</span><span class="s2">...</span><span class="se">\"</span><span class="s2">} ]</span><span class="dl">"</span> </code></pre> </li> </ul> <h5> Control Flow: Making Decisions </h5> <p>Control flow statements allow us to make decisions in our code.</p> <ul> <li> <p><strong><code>if</code> statements</strong>: The most common control flow statement. It executes a block of code only if a specified condition evaluates to <code>true</code>. In our viewer, we use it to check if a slug was provided before trying to load an article:<br> </p> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">slug</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// If no slug exists, show a message and stop.</span> <span class="nx">content</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;p&gt;Select an article...&lt;/p&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre> </li> </ul> <h5> Functions: Reusable Blocks of Code </h5> <p>A function is a named, reusable set of instructions designed to perform a specific task. You define a function once and can then "call" or "invoke" it as many times as needed. Our <code>app.js</code> is built around two main functions: <code>loadArticleList()</code> and <code>loadArticleContent()</code>.</p> <ul> <li> <strong>The <code>return</code> statement</strong>: This statement ends the execution of a function. As seen in the <code>if</code> statement example above, <code>return;</code> is used to exit the <code>loadArticleContent</code> function early if no slug is provided.</li> </ul> <h5> Scope: Where Variables Live </h5> <p>Scope determines the accessibility of variables. In JavaScript, variables declared inside a function are generally "local" to that function and cannot be accessed from the outside. This is a crucial feature that prevents different parts of a program from accidentally interfering with each other. For example, the <code>articles</code> variable inside our <code>loadArticleList</code> function is only accessible within that function.</p> <h4> Part 2: JavaScript in the Browser: The DOM and Events </h4> <p>Now that we understand the core grammar of JavaScript, we can explore how it breathes life into a static HTML file. This is achieved by interacting with a live representation of the webpage called the Document Object Model (DOM) and by reacting to user actions through events.</p> <h5> The Document Object Model (DOM) </h5> <p>When a browser loads your HTML file, it doesn't just display it as static text. It creates an in-memory, tree-like structure that represents the document. This live, interactive model is the <strong>DOM</strong>. Every HTML tag, attribute, and piece of text becomes an "object" that JavaScript can access and manipulate. This is the fundamental mechanism that allows us to dynamically change what the user sees without ever reloading the page.</p> <h5> Selecting and Manipulating Elements </h5> <p>To make a page dynamic, our script first needs to get a reference to the HTML elements it wants to change.</p> <ul> <li> <p><strong><code>document.getElementById()</code></strong>: The most direct way to select a single element is by its unique <code>id</code> attribute. In our <code>app.js</code>, we use this to get a handle on our main layout components:<br> </p> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">sidebar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">article-list</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">content</span><span class="dl">'</span><span class="p">);</span> </code></pre> </li> <li><p><strong><code>document.createElement()</code></strong>: This creates a new HTML element object in memory, which is not yet visible on the page. We use this to build our list items for the sidebar: <code>const li = document.createElement('li');</code>.</p></li> <li> <p><strong><code>.textContent</code> vs. <code>.innerHTML</code></strong>: These properties control the content inside an element.</p> <ul> <li> <code>.textContent</code> sets or gets only the raw text. It is a safe and efficient way to change text.</li> <li> <code>.innerHTML</code> sets or gets the full HTML structure within an element. We use this to render the article content returned by <code>marked.parse()</code>.</li> </ul> </li> <li><p><strong><code>.appendChild()</code></strong>: This method takes an element we created in memory and attaches it as a new child to an existing element in the DOM, making it visible on the page. We use this to add each new list item to our sidebar.</p></li> </ul> <h5> Storing Data on Elements </h5> <p>Sometimes we need to associate data with an element for our script to use later.</p> <ul> <li> <strong><code>.href</code></strong>: This is a standard property of an anchor (<code>&lt;a&gt;</code>) tag that gets or sets the URL it points to. We set this to a hash fragment like <code>href = '#0001_basic_fastapi'</code>.</li> <li> <strong><code>.dataset</code></strong>: This provides access to custom <code>data-*</code> attributes in HTML. It is a clean, modern way to store data directly on an element. We use it to keep a reference to an article's slug for our click handler.</li> </ul> <h5> Event Handling: Reacting to the User </h5> <p>A dynamic webpage must respond to user actions. These actions—like mouse clicks, key presses, or the page finishing its initial load—are called <strong>events</strong>.</p> <ul> <li> <strong><code>addEventListener()</code></strong>: This is the primary method for listening for events on an element. It takes the name of the event (e.g., <code>'click'</code> or <code>'DOMContentLoaded'</code>) and a "callback function" to execute when that event occurs.</li> <li> <strong><code>event.preventDefault()</code></strong>: When an event occurs, the browser often has a default action. For a click on a link (<code>&lt;a&gt;</code>), the default action is to navigate to the <code>href</code> URL. <code>event.preventDefault()</code> is a command we use inside our event listener to stop this default browser behavior, allowing our script to take full control and handle the navigation dynamically.</li> </ul> <h4> Part 3: Modern Web Applications: Asynchronous JavaScript and APIs </h4> <p>The defining feature of a modern web application is its ability to communicate with a server in the background to fetch or send data without interrupting the user. This is made possible by JavaScript's asynchronous capabilities. Understanding this concept is the key to building fast, responsive applications.</p> <h5> Asynchronous by Nature </h5> <p>JavaScript in the browser runs on a single thread. If it were to execute tasks synchronously, a long-running operation like a network request would freeze the entire user interface until it completed. The user wouldn't be able to click, scroll, or interact with the page.</p> <p>To prevent this, JavaScript is <strong>asynchronous</strong> and <strong>non-blocking</strong>. It can start a time-consuming task (like fetching an article), and while it waits for the result, it can continue to handle other tasks, like responding to user input.</p> <h5> Fetching Data with Promises </h5> <p>The modern browser API for making network requests is <strong><code>fetch()</code></strong>. When you call <code>fetch()</code>, it does not immediately return the data. Instead, it returns a <strong>Promise</strong>.</p> <p>A Promise is a placeholder object representing the eventual result of an asynchronous operation. It's an "IOU" from the browser that says, "I've started your request, and I promise to give you a value back in the future." A Promise can be in one of three states: <code>pending</code> (the operation hasn't finished), <code>fulfilled</code> (it succeeded), or <code>rejected</code> (it failed).</p> <ul> <li> <strong><code>fetch()</code></strong>: Initiates a network request and returns a Promise that resolves to a <code>Response</code> object.</li> <li> <strong><code>response.ok</code></strong>: A simple boolean property on the <code>Response</code> object that is <code>true</code> if the HTTP status code was successful (e.g., 200 OK).</li> <li> <strong><code>.json()</code></strong> and <strong><code>.text()</code></strong>: These methods are used to read the body of the response. They are also asynchronous and return a new Promise that resolves with the content parsed as either JSON or plain text.</li> </ul> <h5> <code>async/await</code>: Writing Readable Asynchronous Code </h5> <p>While you can work with Promises directly, modern JavaScript provides a much cleaner syntax called <strong><code>async/await</code></strong>.</p> <ul> <li> <strong><code>async</code></strong>: Placing this keyword before a function declaration allows that function to use <code>await</code>.</li> <li> <p><strong><code>await</code></strong>: This keyword can be placed before any expression that returns a Promise. It pauses the execution of the <code>async</code> function until the Promise is fulfilled and "unwraps" the value, allowing you to write asynchronous code that looks and reads like synchronous code. Our <code>loadArticleList</code> function is a perfect example:<br> </p> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">loadArticleList</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/articles</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">articles</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </li> </ul> <p>Without <code>async/await</code>, this would require more complex, nested code.</p> <h5> Graceful Error Handling </h5> <p>Things can go wrong, especially with network requests. <code>async/await</code> allows us to handle these errors using the standard <code>try...catch</code> block.</p> <ul> <li> <strong><code>try...catch</code></strong>: You wrap the code that might fail in a <code>try</code> block. If an error occurs (e.g., the network is down, or the server returns an error), the code execution jumps to the <code>catch</code> block, where you can handle the error gracefully instead of crashing the application.</li> <li> <strong><code>throw new Error()</code></strong>: We can manually trigger an error. In our code, <code>if (!response.ok)</code> we <code>throw</code> a new <code>Error</code>, which will immediately be caught by our <code>catch</code> block.</li> <li> <strong><code>console.error()</code></strong>: This is the standard way to log error messages to the browser's developer console, which is an invaluable tool for debugging.</li> </ul> <h4> Part 4: Writing Clean Code: Modern ES6+ Syntax and Idioms </h4> <p>The previous sections covered the core mechanics of how JavaScript works. This section focuses on the modern syntax—often called "syntactic sugar"—that allows us to write that same logic in a cleaner, more expressive, and more efficient way. These features were introduced in a major update to the language called ES6 (ECMAScript 2015) and are now standard in all modern browsers.</p> <h5> Template Literals </h5> <p>Template literals provide an enhanced way to create strings, using backticks (<code>`</code>) instead of single or double quotes. Their main advantage is <strong>string interpolation</strong>.</p> <p>This allows you to embed variables and expressions directly into a string using the <code>${...}</code> syntax. This is much cleaner than traditional string concatenation with the <code>+</code> operator. We use this in our error handling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The modern way with template literals</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP error! Status: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// The old way with concatenation</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">HTTP error! Status: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">);</span> </code></pre> </div> <h5> Arrow Functions </h5> <p>Arrow functions (<code>=&gt;</code>) offer a more concise syntax for writing function expressions. They are especially useful for short, anonymous functions, such as the callbacks used in event listeners or array methods.</p> <p>Consider the event listener in our <code>app.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The modern way with an arrow function</span> <span class="nx">a</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">loadArticleContent</span><span class="p">(</span><span class="nx">article</span><span class="p">.</span><span class="nx">slug</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// The old way with a traditional function expression</span> <span class="nx">a</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">loadArticleContent</span><span class="p">(</span><span class="nx">article</span><span class="p">.</span><span class="nx">slug</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The arrow function is more compact and is the standard in modern JavaScript codebases.</p> <h5> The Ternary Operator </h5> <p>The ternary operator is a compact, inline <code>if/else</code> statement. It takes three operands: a condition, an expression to execute if the condition is true, and an expression to execute if the condition is false.</p> <p>The syntax is: <code>condition ? expressionIfTrue : expressionIfFalse</code>.</p> <p>While not used in our <code>app.js</code>, it is common in the libraries we depend on and is useful for simple conditional assignments. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using an if/else statement</span> <span class="kd">let</span> <span class="nx">message</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLoggedIn</span><span class="p">)</span> <span class="p">{</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome back</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Please log in</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Using the equivalent ternary operator</span> <span class="kd">let</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">isLoggedIn</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">Welcome back</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Please log in</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <h5> Modern Array Methods </h5> <p>Instead of using traditional <code>for</code> loops to iterate over arrays, modern JavaScript provides a powerful set of built-in methods that are more declarative and readable.</p> <ul> <li> <p><strong><code>.forEach()</code></strong>: This method executes a provided function once for each element in an array. It is a clean way to loop over an array when you want to perform an action for each item but do not need to create a new array. We use this to build our sidebar navigation:<br> </p> <pre class="highlight javascript"><code><span class="nx">articles</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">article</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Create and append an &lt;li&gt; for each article</span> <span class="p">});</span> </code></pre> </li> </ul> <p>Other common methods include <code>.map()</code> (which creates a new array by transforming each element) and <code>.filter()</code> (which creates a new array containing only the elements that pass a certain test).</p> <h4> Part 5: Under the Hood: How Professional Libraries are Built </h4> <p>Our application's ability to render Markdown, code, and math is powered by sophisticated third-party libraries. By briefly examining the patterns used to build these tools, we can gain insight into how robust, portable, and professional JavaScript is written.</p> <h5> Leveraging the Ecosystem: Using Third-Party Libraries </h5> <p>A core principle of modern development is to not "reinvent the wheel." Complex, solved problems like parsing Markdown are best handled by specialized, community-vetted tools. In our code, we leverage this principle by delegating tasks to these libraries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">content</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">marked</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">markdown</span><span class="p">);</span> <span class="c1">// Handles Markdown parsing</span> <span class="nx">hljs</span><span class="p">.</span><span class="nf">highlightAll</span><span class="p">();</span> <span class="c1">// Handles syntax highlighting</span> <span class="nx">MathJax</span><span class="p">.</span><span class="nf">typeset</span><span class="p">();</span> <span class="c1">// Handles math typesetting</span> </code></pre> </div> <p>Knowing when to build from scratch and when to use a well-tested library is a critical skill for any developer.</p> <h5> Code Organization and Portability </h5> <p>When you include multiple scripts on a webpage, they all share the same "global namespace." If two different libraries create a variable with the same name, they can conflict and break the application. Professional libraries use several patterns to prevent this.</p> <ul> <li> <strong>IIFE (Immediately Invoked Function Expression)</strong>: Most libraries wrap their entire code in a special function that they immediately execute, like <code>(function() { ... })();</code>. This pattern creates a private scope for all the library's variables, preventing them from "leaking" out and polluting the global namespace.</li> <li> <strong>UMD (Universal Module Definition)</strong>: A library needs to work in different environments (like the browser, or in a backend Node.js server). The UMD pattern is a set of <code>if/else</code> checks that allows the code to detect which module system is being used (e.g., CommonJS, AMD, or none) and export its functionality in the correct way for that environment.</li> <li> <strong><code>"use strict";</code></strong>: This is a directive placed at the top of a script that enables a stricter set of rules for the JavaScript interpreter. It helps prevent common coding errors by changing "silent errors" into thrown errors and disallowing the use of some unsafe language features.</li> </ul> <h5> Regular Expressions: The Language of Pattern Matching </h5> <p><strong>Regular Expressions</strong> (or RegExp) are a powerful mini-language for finding and manipulating patterns in text. Libraries like <code>marked.js</code> are powered by complex regular expressions that can identify the syntax for headings, lists, links, code blocks, and other Markdown features. They can be created with a literal syntax (<code>/pattern/</code>) or a constructor (<code>new RegExp()</code>).</p> <h5> Advanced and Safe Object Handling </h5> <p>Libraries must be written defensively to handle any kind of input without crashing.</p> <ul> <li> <strong><code>Object.prototype.hasOwnProperty.call(obj, 'prop')</code></strong>: This is the safest way to check if an object truly has its own property. It is used instead of the simpler <code>obj.hasOwnProperty()</code> to protect against edge cases where an object might have been created with a conflicting property of the same name.</li> <li> <strong><code>Object.defineProperty()</code></strong>: This method gives a developer precise control over the properties of an object. It can be used to create read-only properties, prevent properties from being deleted, or hide them from loops, which is essential for creating robust APIs.</li> </ul> <h2> Digging Deeper into the Backend </h2> <p>Our <a href="https://www.linkedin.com/pulse/first-principles-guide-http-websockets-fastapi-warren-jitsing-yoiaf/" rel="noopener noreferrer">previous article on FastAPI</a> established the first principles of building high-performance APIs. In this section, we will apply those core concepts to build the backend for our article viewer.</p> <p>We will demonstrate how to use foundational features like the <code>lifespan</code> handler for startup logic and then expand on that knowledge to tackle new, practical challenges, such as discovering content from the filesystem and serving a complete frontend application with Jinja2 templates.</p> <h3> Part 1: Architecting the Application: Serving a Full Frontend </h3> <p>A modern web application server must often do more than just respond to data queries with JSON. It also needs to deliver the client-side application itself—the initial HTML document, the CSS stylesheets, and the JavaScript logic. This section covers the high-level FastAPI features that allow our server to act as both a data API and a web server.</p> <h4> Serving Static Assets with <code>StaticFiles</code> </h4> <p>Our frontend application consists of several "static" files that do not change, such as <code>style.css</code> and <code>app.js</code>. The browser needs a way to request these files. The most efficient way to handle this in FastAPI is to "mount" an entire directory of files to a specific URL path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="n">app</span><span class="p">.</span><span class="nf">mount</span><span class="p">(</span><span class="sh">"</span><span class="s">/static</span><span class="sh">"</span><span class="p">,</span> <span class="nc">StaticFiles</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="n">STATIC_DIR</span><span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">static</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This single line of code instructs FastAPI to handle any incoming request whose URL begins with <code>/static</code>. The request is passed to a special <code>StaticFiles</code> application, which knows how to securely find and serve the corresponding file from the <code>STATIC_DIR</code> on our filesystem.</p> <h4> Serving the HTML Shell with <code>Jinja2Templates</code> </h4> <p>In addition to assets, we must serve the main <code>index.html</code> file, which is the entry point for our single-page application. While we could use a simple <code>FileResponse</code>, a more powerful and professional pattern is to use a templating engine.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="n">TEMPLATES_DIR</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">serve_frontend</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Serves the main index.html single-page application.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">},</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>While our current <code>index.html</code> is a simple static file, using a templating engine like <strong>Jinja2</strong> is a deliberate choice for future-proofing. It establishes a pattern that would allow us to easily inject dynamic, server-generated data into our HTML if the application's requirements were to grow. The <code>TemplateResponse</code> renders the specified file and returns it as a standard HTML response.</p> <h4> Managing Application State with <code>app.state</code> </h4> <p>Our server needs to know which articles are available, but scanning the filesystem on every single API request would be extremely inefficient. The ideal solution is to scan the filesystem once when the server starts and then store that list of articles in memory.</p> <p>FastAPI provides a clean, dedicated object for this purpose: <code>app.state</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># From the lifespan function in server.py </span><span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="c1"># ... logic to scan filesystem and build 'articles' list ... </span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span> <span class="o">=</span> <span class="p">{</span><span class="n">article</span><span class="p">[</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">]:</span> <span class="n">article</span> <span class="k">for</span> <span class="n">article</span> <span class="ow">in</span> <span class="n">articles</span><span class="p">}</span> <span class="k">yield</span> </code></pre> </div> <p>The <code>app.state</code> object is a simple namespace that persists for the entire lifecycle of the application. By attaching our <code>articles_catalog</code> to it during the startup phase of the <code>lifespan</code> handler, we make this data instantly and efficiently available to all subsequent API requests without any performance penalty.</p> <h3> Part 2: Advanced Routing and Responses </h3> <p>With the overall application structure in place, we can now zoom in on the specific techniques used within our API endpoints. These features allow us to handle more complex URL structures and provide the browser with precise information about the data being served, which are hallmarks of a robust API.</p> <h4> Capturing Complex URL Paths with Path Converters </h4> <p>A standard URL path parameter in FastAPI, like <code>{param}</code>, will match any text up to the next slash (<code>/</code>). This presents a problem for our static file endpoint, as a file could be nested in a subdirectory (e.g., <code>images/diagram.png</code>).</p> <p>To solve this, FastAPI supports <strong>path converters</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles/{article_slug}/static/{file_path:path}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>By adding <code>:path</code> after the parameter name (<code>file_path:path</code>), we instruct FastAPI to match the entire remaining URL segment, including any slashes it may contain. This allows our endpoint to correctly capture the full relative path to any static file, no matter how deeply it is nested.</p> <h4> Accessing the <code>Request</code> Object </h4> <p>While endpoints primarily deal with processing and returning data, they sometimes need access to information about the incoming HTTP request itself, such as its headers or the client's IP address. FastAPI provides this through the <code>Request</code> object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="k">async</span> <span class="k">def</span> <span class="nf">serve_frontend</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">},</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>By adding a parameter to our endpoint and type-hinting it as <code>request: Request</code>, FastAPI will automatically "inject" the full request object into that parameter. In our case, this is a requirement for the Jinja2 templating engine, which needs the request context to function correctly.</p> <h4> Controlling Response Headers with <code>media_type</code> </h4> <p>Every HTTP response includes a <code>Content-Type</code> header (also known as a MIME type). This header is the "label on the box" that tells the browser what kind of data it is receiving (e.g., <code>text/html</code>, <code>image/png</code>, <code>application/json</code>).</p> <p>While FastAPI is excellent at inferring the correct <code>Content-Type</code>, sometimes we need to be explicit. When we serve our raw <code>README.md</code> files, we want to ensure the browser interprets them as plain text intended as Markdown. <code>FileResponse</code> allows us to set this header directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="n">file_path</span><span class="p">,</span> <span class="n">media_type</span><span class="o">=</span><span class="sh">"</span><span class="s">text/markdown; charset=utf-8</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>The <code>media_type</code> argument gives us precise control over the response headers. This ensures that clients, browsers, and proxies all handle the data correctly, which is a fundamental aspect of building a well-behaved and predictable web server.</p> <h3> Part 3: Pythonic Power-Ups </h3> <p>Beyond the web framework, the elegance of our backend comes from leveraging modern Python features and its powerful standard library. This section highlights a few of these "Pythonic" patterns that help us write clean, readable, and efficient code.</p> <h4> Advanced Filesystem Navigation with <code>pathlib</code> </h4> <p>Instead of working with filesystem paths as simple strings, modern Python encourages the use of the <code>pathlib</code> library, which provides an object-oriented interface for paths.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="n">HOME_DIR</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="c1"># ... </span><span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">ARTICLES_DIR</span><span class="p">.</span><span class="nf">iterdir</span><span class="p">()):</span> <span class="c1"># ... </span></code></pre> </div> <p>Two key features are used here:</p> <ul> <li> <strong><code>Path.home()</code></strong>: A clean, cross-platform method to get the path to the current user's home directory.</li> <li> <strong><code>.iterdir()</code></strong>: An elegant way to iterate over all items within a directory. It returns <code>Path</code> objects, which we can then easily inspect with methods like <code>.is_dir()</code> and <code>.is_file()</code>.</li> </ul> <h4> Powerful Text Manipulation with the <code>re</code> Module </h4> <p>For complex text processing, Python's built-in <code>re</code> module provides access to regular expressions. We use this in our <code>format_title</code> function to create clean titles from directory names.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="n">cleaned_slug</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">^\d+_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">slug</span><span class="p">)</span> </code></pre> </div> <p>The function <code>re.sub(pattern, replacement, string)</code> finds all substrings that match the <code>pattern</code> and replaces them. The pattern <code>r"^\d+_"</code> is a regular expression that means:</p> <ul> <li> <strong><code>^</code></strong>: Match at the beginning of the string.</li> <li> <strong><code>\d+</code></strong>: Match one or more digits (0-9).</li> <li> <strong><code>_</code></strong>: Match a literal underscore. This pattern finds and removes the <code>0001_</code> prefix from our article slugs.</li> </ul> <h4> Elegant Data Transformation with List Comprehensions </h4> <p>List comprehensions are a concise and highly readable way to create a list based on an existing iterable. They are a hallmark of idiomatic Python code. We use one to prepare our article index for the API response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="k">return</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">]}</span> <span class="k">for</span> <span class="n">data</span> <span class="ow">in</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">.</span><span class="nf">values</span><span class="p">()</span> <span class="p">]</span> </code></pre> </div> <p>This single line of code iterates through all the article data stored in our application state and builds a new, cleaned-up list of dictionaries. This is a much more compact and expressive alternative to a traditional <code>for</code> loop.</p> <h4> Safe Attribute Access with <code>hasattr</code> </h4> <p><code>hasattr()</code> is a defensive programming function that checks if an object has a given attribute before you try to access it, preventing potential <code>AttributeError</code> exceptions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In server.py </span><span class="k">if</span> <span class="ow">not</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">,</span> <span class="sh">"</span><span class="s">articles_catalog</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> </code></pre> </div> <p>In our <code>get_articles_index</code> endpoint, we use <code>hasattr()</code> to safely check that the <code>lifespan</code> function has successfully created the <code>articles_catalog</code> on our <code>app.state</code> object. This makes the code more robust against potential startup issues.</p> <h1> The Blueprint: A Dual-Component Architecture </h1> <p>Before implementing our application, we'll first create its architectural blueprint. This is a high-level plan that defines the responsibilities of each component and the contract for how they will communicate.</p> <p>The core of our design is a <strong>decoupled architecture</strong>. The backend server will act as a standalone data provider, and the frontend will be a standalone data consumer, responsible for all presentation logic. This separation of concerns is a fundamental principle that makes the application clean, scalable, and easy to maintain.</p> <h2> Part I: The Backend Blueprint (The Librarian) </h2> <p>The FastAPI server's primary job is to find content on the filesystem and expose it to the world through a well-defined API.</p> <ul> <li><p><strong>Dynamic Content Discovery</strong>: The server will not have a hardcoded list of articles. Instead, on startup (using the <code>lifespan</code> handler), it will dynamically scan the filesystem for any directories that match the <code>0xxx_&lt;name&gt;</code> pattern and contain a <code>README.md</code> file. The metadata for these articles will be loaded into an in-memory "catalog" for high-performance access.</p></li> <li> <p><strong>The API Contract</strong>: The server will provide three crucial endpoints:</p> <ol> <li> <strong>Article Index (<code>GET /api/articles</code>)</strong>: This endpoint will return a JSON list of all discovered articles, containing only the <code>slug</code> and <code>title</code> for each.</li> <li> <strong>Article Content (<code>GET /api/articles/{slug}</code>)</strong>: This endpoint will return the raw, unmodified Markdown content for a specific article.</li> <li> <strong>Article-Specific Assets (<code>GET /articles/{slug}/static/{path}</code>)</strong>: This endpoint is our solution for handling relative image paths. It will serve static files (like images) from within a specific article's own <code>static</code> sub-directory.</li> </ol> </li> <li><p><strong>The Frontend Serving Role</strong>: In addition to its data API, the backend is also responsible for serving the initial <code>index.html</code> shell and the core static assets (<code>app.js</code>, <code>style.css</code>) that make up the frontend application.</p></li> </ul> <h2> Part II: The Frontend Blueprint (The Reading Room) </h2> <p>The client-side application's primary job is to provide the user interface, fetch data from the backend, and render it for the user.</p> <ul> <li><p><strong>The Application Shell</strong>: The frontend is a Single-Page Application (SPA) built from a single, static <code>index.html</code> file. This file provides the basic layout structure—a sidebar and a main content area—and uses <code>&lt;script&gt;</code> tags to load all necessary third-party libraries and our own application logic.</p></li> <li><p><strong>Dynamic Navigation</strong>: On page load, the frontend will first make an API call to the <code>GET /api/articles</code> endpoint. It will then use the returned JSON data to dynamically build the navigation links in the sidebar. This ensures the viewer automatically updates whenever new articles are added to the repository.</p></li> <li> <p><strong>The Rendering Pipeline</strong>: When a user selects an article, the frontend will execute a precise, four-step rendering pipeline:</p> <ol> <li> <strong>Fetch</strong>: Make an API call to <code>GET /api/articles/{slug}</code> to retrieve the raw Markdown text.</li> <li> <strong>Parse</strong>: Pass the Markdown string to the <strong><code>marked.js</code></strong> library to convert it into an HTML string. We will configure <code>marked.js</code> to correctly resolve relative image and link paths using our dedicated asset endpoint.</li> <li> <strong>Inject</strong>: Place the generated HTML into the main content area of the page.</li> <li> <strong>Enhance</strong>: After the new content is in the DOM, make two final calls: first to <strong><code>highlight.js</code></strong> to apply syntax highlighting to all code blocks, and second to <strong><code>MathJax</code></strong> to find and typeset any mathematical formulas.</li> </ol> </li> </ul> <h1> Environment Setup </h1> <p>Before we dive into the implementation, we must prepare a clean, isolated Python environment for our viewer application. All of the following commands should be run from a terminal inside the running Docker container.</p> <p>The goal is to use Python's built-in <code>venv</code> module to create a self-contained environment. This ensures that the packages we install for this project will not conflict with system-wide packages or other projects you may be working on inside the container.</p> <h2> 1. Define Project Dependencies </h2> <p>First, we will list all the required Python packages in a <code>requirements.txt</code> file. This file allows us to install all dependencies with a single command and ensures a reproducible setup.</p> <p><strong>Action</strong>: Create the file <code>articles/0003_html_css_javascript_article_viewer/requirements.txt</code> with the following content.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi uvicorn httpx pytest pytest-cov jinja2 python-multipart pytest-playwright </code></pre> </div> <h2> 2. Create and Activate the Virtual Environment </h2> <p>We will create our virtual environment inside the <code>articles/0003_html_css_javascript_article_viewer</code> directory using the custom-built Python 3.12 that exists in our container.</p> <p><strong>Action</strong>: Navigate to the <code>articles/0003_html_css_javascript_article_viewer</code> directory and run the following commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Navigate to the live application's directory</span> <span class="nb">cd </span>articles/0003_html_css_javascript_article_viewer <span class="c"># Create a virtual environment named .venv using our custom Python 3.12</span> python3.12 <span class="nt">-m</span> venv .venv <span class="c"># Activate the environment. Your shell prompt should now change.</span> <span class="nb">source</span> .venv/bin/activate </code></pre> </div> <h2> 3. Install Python Dependencies </h2> <p>With the virtual environment active, we can now install all the packages from our <code>requirements.txt</code> file.</p> <p><strong>Action</strong>: Run the following command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <p><strong>A Note on <code>python3 -m pip</code></strong>: Using <code>python3 -m pip</code> is a robust and explicit way to run <code>pip</code>. It guarantees that we are using the <code>pip</code> executable associated with the <code>python3</code> interpreter from our currently active virtual environment, which prevents common issues related to system path configurations.</p> <h2> 4. Install Playwright Browsers and Dependencies </h2> <p>The <code>pytest-playwright</code> package requires a final setup step to download the browser binaries (Chromium, Firefox, WebKit) and their system-level dependencies. We can encapsulate this in a simple shell script.</p> <p><strong>Action</strong>: Create the file <code>playwright-install.sh</code> and then run it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">.</span> .venv/bin/activate playwright install-deps playwright <span class="nb">install</span> </code></pre> </div> <p>Now, make the script executable and run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x playwright-install.sh bash playwright-install.sh </code></pre> </div> <p>This script will first activate our virtual environment, then run <code>playwright install-deps</code> (which may ask for your <code>sudo</code> password to install system libraries), and finally run <code>playwright install</code> to download the browser binaries.</p> <p>With our isolated environment fully configured and all dependencies installed, we are now ready to proceed with the implementation.</p> <h1> Implementation </h1> <p>With our architectural blueprint and environment complete, we can now translate it into functional code. This section will walk through the implementation of each file, connecting the code directly back to the design decisions we made. We will build the application from the backend to the frontend.</p> <h2> Part I: The FastAPI Backend (<code>server.py</code>) </h2> <h3> Imports and Configuration </h3> <p>Our entire backend logic is contained within a single file, <code>server.py</code>. We will begin by examining its foundational components: the necessary imports, path configurations, and helper functions that make the application aware of its environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">from</span> <span class="n">contextlib</span> <span class="kn">import</span> <span class="n">asynccontextmanager</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">fastapi.staticfiles</span> <span class="kn">import</span> <span class="n">StaticFiles</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="c1"># --- Configuration --- # All paths are relative to the user's home directory inside the container. </span><span class="n">HOME_DIR</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="n">ARTICLES_DIR</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">articles</span><span class="sh">"</span> <span class="n">VIEWER_DIR</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">articles</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0003_html_css_javascript_article_viewer</span><span class="sh">"</span> <span class="n">DATA_DIR</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span> <span class="n">TEMPLATES_DIR</span> <span class="o">=</span> <span class="n">VIEWER_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">templates</span><span class="sh">"</span> <span class="n">STATIC_DIR</span> <span class="o">=</span> <span class="n">VIEWER_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">static</span><span class="sh">"</span> <span class="n">CERT_FILE</span> <span class="o">=</span> <span class="n">DATA_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cert.pem</span><span class="sh">"</span> <span class="n">KEY_FILE</span> <span class="o">=</span> <span class="n">DATA_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">key.pem</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">format_title</span><span class="p">(</span><span class="n">slug</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Converts a directory slug into a human-readable title.</span><span class="sh">"""</span> <span class="c1"># Remove leading digits and underscores, replace underscores with spaces, and title case. </span> <span class="c1"># e.g., "0001_basic_fastapi" -&gt; "Basic Fastapi" </span> <span class="n">cleaned_slug</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">^\d+_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">slug</span><span class="p">)</span> <span class="k">return</span> <span class="n">cleaned_slug</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">).</span><span class="nf">title</span><span class="p">()</span> </code></pre> </div> <h4> Deconstruction: Imports and Configuration </h4> <ul> <li> <strong>Imports</strong>: We begin by importing all the necessary tools. From Python's standard library, we import <code>re</code> for regular expressions and <code>pathlib</code> for an object-oriented way of handling filesystem paths. From our installed packages, we import <code>FastAPI</code> itself, along with specific classes for handling responses (<code>FileResponse</code>), static files, and templates (<code>Jinja2Templates</code>).</li> <li> <strong>Path Constants</strong>: We define a set of global constants for all important directory paths. Using the <code>pathlib</code> library instead of simple strings is a modern best practice that makes path manipulation safer and more readable. <code>Path.home()</code> provides a reliable way to get the current user's home directory, which serves as the root for all our operations inside the container.</li> <li> <strong>The <code>format_title</code> Helper</strong>: This utility function is a practical example of text manipulation. It takes a directory name like <code>0001_basic_fastapi</code> and uses a regular expression (<code>re.sub(r"^\d+_", "", slug)</code>) to strip the leading numbers and underscore. It then replaces the remaining underscores with spaces and title-cases the result to produce a clean, human-readable title like "Basic Fastapi".</li> </ul> <h3> Lifespan </h3> <p>We will now examine the <code>lifespan</code> handler, which is the heart of the server's content discovery mechanism.</p> <p>This function implements the "Dynamic Content Discovery" from our blueprint. Its purpose is to scan the filesystem once when the server starts, creating an in-memory catalog of all available articles. This is far more efficient than re-scanning the disk every time a user makes a request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> On startup, scan the articles directory and build a catalog of available articles. This catalog is stored in the application</span><span class="sh">'</span><span class="s">s state for quick access. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is starting up, building article catalog...</span><span class="sh">"</span><span class="p">)</span> <span class="n">articles</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">if</span> <span class="n">ARTICLES_DIR</span><span class="p">.</span><span class="nf">is_dir</span><span class="p">():</span> <span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">ARTICLES_DIR</span><span class="p">.</span><span class="nf">iterdir</span><span class="p">()):</span> <span class="k">if</span> <span class="n">item</span><span class="p">.</span><span class="nf">is_dir</span><span class="p">()</span> <span class="ow">and</span> <span class="p">(</span><span class="n">item</span> <span class="o">/</span> <span class="sh">"</span><span class="s">README.md</span><span class="sh">"</span><span class="p">).</span><span class="nf">is_file</span><span class="p">():</span> <span class="n">slug</span> <span class="o">=</span> <span class="n">item</span><span class="p">.</span><span class="n">name</span> <span class="n">articles</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">:</span> <span class="n">slug</span><span class="p">,</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="nf">format_title</span><span class="p">(</span><span class="n">slug</span><span class="p">),</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span> <span class="o">/</span> <span class="sh">"</span><span class="s">README.md</span><span class="sh">"</span> <span class="p">})</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span> <span class="o">=</span> <span class="p">{</span><span class="n">article</span><span class="p">[</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">]:</span> <span class="n">article</span> <span class="k">for</span> <span class="n">article</span> <span class="ow">in</span> <span class="n">articles</span><span class="p">}</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Found </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">articles</span><span class="p">)</span><span class="si">}</span><span class="s"> articles.</span><span class="sh">"</span><span class="p">)</span> <span class="k">yield</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is shutting down.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># --- FastAPI Application --- </span><span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">lifespan</span><span class="o">=</span><span class="n">lifespan</span><span class="p">)</span> </code></pre> </div> <h4> Deconstruction: The <code>lifespan</code> Handler </h4> <p>A <code>lifespan</code> handler is a special function that FastAPI executes during its startup and shutdown sequence.</p> <ul> <li> <strong><code>@asynccontextmanager</code></strong>: This decorator from Python's standard library turns our function into an "asynchronous context manager," which is the required format for a <code>lifespan</code> handler.</li> <li> <strong>Startup Logic</strong>: All the code <strong>before the <code>yield</code> statement</strong> is executed once when the server starts. Our logic here iterates through the <code>ARTICLES_DIR</code>, validates that each item is a directory containing a <code>README.md</code> file, and builds a list of dictionaries containing the article metadata.</li> <li> <strong>Storing the Catalog</strong>: The crucial line is <code>app.state.articles_catalog = ...</code>. This takes our list of articles and stores it in the <code>app.state</code> object, a shared space where we can hold data for the entire lifetime of the application.</li> <li> <strong>The <code>yield</code> Statement</strong>: This is where the <code>lifespan</code> handler pauses. The server is now running and will process requests until it receives a shutdown signal.</li> <li> <strong>Shutdown Logic</strong>: All the code <strong>after the <code>yield</code> statement</strong> is executed once when the server is shutting down. While we only have a <code>print</code> statement, this is the correct place for cleanup logic, such as closing database connections.</li> <li> <strong>Connecting to the App</strong>: Finally, we pass our function to the <code>FastAPI</code> constructor: <code>app = FastAPI(lifespan=lifespan)</code>. This tells FastAPI to use our handler to manage its lifecycle.</li> </ul> <h3> Application and API Endpoints </h3> <p>With the article catalog loaded into <code>app.state</code> by the <code>lifespan</code> handler, we can now define the application's core logic. This involves two primary responsibilities: serving the frontend application itself (the HTML, CSS, and JavaScript files) and exposing the data API that the frontend will use to fetch article content.</p> <h4> Serving the Frontend Application </h4> <p>First, we must configure the server to deliver the static files that constitute our single-page application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Mount the static directory to serve CSS and JavaScript files. </span><span class="n">app</span><span class="p">.</span><span class="nf">mount</span><span class="p">(</span><span class="sh">"</span><span class="s">/static</span><span class="sh">"</span><span class="p">,</span> <span class="nc">StaticFiles</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="n">STATIC_DIR</span><span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">static</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Configure Jinja2 for HTML templating. </span><span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="n">TEMPLATES_DIR</span><span class="p">)</span> <span class="c1"># --- Frontend Serving --- </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">serve_frontend</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Serves the main index.html single-page application.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">},</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> Deconstruction: Serving the Frontend </h5> <ul> <li> <strong><code>app.mount()</code></strong>: This operation attaches a self-contained application to a specific URL path. Here, we mount a <code>StaticFiles</code> instance to the <code>/static</code> path. This tells FastAPI that any request starting with <code>/static</code> should be handled by serving a file directly from our <code>STATIC_DIR</code> on the filesystem.</li> <li> <strong><code>Jinja2Templates</code></strong>: This line initializes the Jinja2 templating engine, telling it where to find our HTML files.</li> <li> <strong><code>@app.get("/")</code></strong>: This is the root endpoint for our application. When a user navigates to the base URL, this function is called. It uses <code>templates.TemplateResponse</code> to render our <code>index.html</code> file and send it to the browser. This single file is the entire shell for our application.</li> </ul> <h4> The Data API </h4> <p>Next, we define the data endpoints that our JavaScript frontend will call to get the article index and content.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># --- API Endpoints --- </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/articles</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_articles_index</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Returns a list of all discovered articles (slug and title).</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">,</span> <span class="sh">"</span><span class="s">articles_catalog</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> <span class="c1"># Return a list of dicts, excluding the server-side file path. </span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">]}</span> <span class="k">for</span> <span class="n">data</span> <span class="ow">in</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">.</span><span class="nf">values</span><span class="p">()</span> <span class="p">]</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles/{article_slug}/static/{file_path:path}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">serve_article_static</span><span class="p">(</span><span class="n">article_slug</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">file_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Serves a static file from within a specific article</span><span class="sh">'</span><span class="s">s directory.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">article_slug</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Article not found</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Construct the full path to the static file </span> <span class="n">article_dir</span> <span class="o">=</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">[</span><span class="n">article_slug</span><span class="p">][</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">].</span><span class="n">parent</span> <span class="n">static_file_path</span> <span class="o">=</span> <span class="n">article_dir</span> <span class="o">/</span> <span class="sh">"</span><span class="s">static</span><span class="sh">"</span> <span class="o">/</span> <span class="n">file_path</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">static_file_path</span><span class="p">.</span><span class="nf">is_file</span><span class="p">():</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Static file not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="n">static_file_path</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/articles/{article_slug}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_article_content</span><span class="p">(</span><span class="n">article_slug</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Returns the raw Markdown content of a specific article.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">article_slug</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Article not found</span><span class="sh">"</span><span class="p">)</span> <span class="n">file_path</span> <span class="o">=</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">articles_catalog</span><span class="p">[</span><span class="n">article_slug</span><span class="p">][</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">]</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="n">file_path</span><span class="p">,</span> <span class="n">media_type</span><span class="o">=</span><span class="sh">"</span><span class="s">text/markdown; charset=utf-8</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> Deconstruction: The Data API </h5> <ul> <li> <strong><code>/api/articles</code></strong>: This endpoint serves as the index. It reads the article catalog from <code>app.state</code>, uses a list comprehension to format it into a clean list of slugs and titles, and returns it as a JSON response.</li> <li> <strong><code>/api/articles/{article_slug}</code></strong>: This endpoint retrieves the content for a single article. It looks up the provided <code>article_slug</code> in our in-memory catalog to find the path to the <code>README.md</code> file and then uses <code>FileResponse</code> to efficiently stream that file's content to the client.</li> <li> <strong><code>/articles/{article_slug}/static/{file_path:path}</code></strong>: This is the endpoint that solves our relative image path problem. It takes both an <code>article_slug</code> and a <code>file_path</code> (which, thanks to the <code>:path</code> converter, can contain slashes) to construct the exact location of a static asset within an article's subdirectory and serves it.</li> </ul> <h3> The Main Entry Point </h3> <p>The final piece of our <code>server.py</code> file is a special block that allows the application to be run directly as a script. This makes our server self-contained and easy to launch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># --- Main Entry Point --- </span><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Allows the server to be run with `python3 server.py`. Configures Uvicorn to use the shared TLS certificates. </span><span class="sh">"""</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sh">"</span><span class="s">server:app</span><span class="sh">"</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8889</span><span class="p">,</span> <span class="c1"># Matches the port exposed in the Dockerfile </span> <span class="nb">reload</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">ssl_keyfile</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">KEY_FILE</span><span class="p">),</span> <span class="n">ssl_certfile</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">CERT_FILE</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h4> Deconstruction: The <code>__main__</code> Block </h4> <ul> <li><p><strong><code>if __name__ == "__main__":</code></strong>: This is a standard Python construct. The code inside this <code>if</code> block will only run when the script is executed directly from the command line (e.g., <code>python3 server.py</code>). It will not run if the script is imported as a module into another file, such as our test suite.</p></li> <li> <p><strong><code>uvicorn.run(...)</code></strong>: This function programmatically starts the Uvicorn ASGI server, which is responsible for running our FastAPI application. We provide it with several key configuration arguments:</p> <ul> <li> <strong><code>"server:app"</code></strong>: This string tells Uvicorn how to find our application. It means: "in the file named <code>server.py</code>, find the instance of the FastAPI application named <code>app</code>."</li> <li> <strong><code>host="0.0.0.0"</code></strong>: This is a critical setting for running inside a Docker container. It tells the server to listen for connections on all available network interfaces, which is necessary for the port mapping from the host machine to reach the container.</li> <li> <strong><code>reload=True</code></strong>: This is a convenience feature for development. It tells Uvicorn to monitor the source files for changes and automatically restart the server when a file is saved.</li> <li> <strong><code>ssl_keyfile</code> and <code>ssl_certfile</code></strong>: These arguments enable HTTPS by pointing Uvicorn to the TLS certificate and private key files that our <code>entrypoint.sh</code> script generates.</li> </ul> </li> </ul> <p>This concludes the deconstruction of our backend server. We now have a complete understanding of how it discovers content, serves a data API, and delivers the frontend application.</p> <h2> Part II: The Vanilla JS Frontend </h2> <p>The frontend is responsible for everything the user sees and interacts with. It's the "reading room" of our application, built from three core files: <code>index.html</code> for structure, <code>style.css</code> for presentation, and <code>app.js</code> for interactivity.</p> <h3> The HTML Shell (<code>index.html</code>) </h3> <p>The <code>index.html</code> file is the skeleton of our single-page application. Its primary role is not to contain the article content itself, but to provide the basic page structure and to load all the CSS and JavaScript assets that will bring the application to life.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Article Viewer<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/marked/marked.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/marked-base-url"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/styles/atom-one-dark.min.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/highlight.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/languages/python.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/languages/bash.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nx">MathJax</span> <span class="o">=</span> <span class="p">{</span> <span class="cm">/* ... configuration ... */</span> <span class="p">};</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;script </span><span class="na">id=</span><span class="s">"MathJax-script"</span> <span class="na">async</span> <span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"/static/style.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"/static/app.js"</span> <span class="na">defer</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;nav</span> <span class="na">id=</span><span class="s">"sidebar"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>Articles<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;ul</span> <span class="na">id=</span><span class="s">"article-list"</span><span class="nt">&gt;</span> <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/nav&gt;</span> <span class="nt">&lt;main</span> <span class="na">id=</span><span class="s">"content"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;</span>Select an article from the sidebar to begin reading.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/main&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h4> Deconstruction: The HTML Shell </h4> <ul> <li> <strong>The <code>&lt;head&gt;</code> Section</strong>: This section is the "control panel" for our page. It contains metadata and, most importantly, links to all the external resources our application needs. <ul> <li> <strong><code>&lt;link&gt;</code> Tags</strong>: These pull in our stylesheets. We load the <code>atom-one-dark.min.css</code> theme for our code blocks, followed by our own <code>style.css</code> for the main layout.</li> <li> <strong><code>&lt;script&gt;</code> Tags</strong>: These load the JavaScript. The order is critical: the third-party libraries (<code>marked</code>, <code>highlight.js</code>, <code>MathJax</code>, etc.) must be loaded <em>before</em> our own <code>app.js</code> script, which depends on them. The <code>defer</code> attribute on <code>app.js</code> tells the browser to wait until the HTML document is fully parsed before executing our script.</li> </ul> </li> <li> <strong>The <code>&lt;body&gt;</code> Section</strong>: The body defines the visible structure. It is kept minimal and semantic. <ul> <li> <strong><code>&lt;nav id="sidebar"&gt;</code></strong> and <strong><code>&lt;main id="content"&gt;</code></strong>: We define two primary containers for our layout. Their <code>id</code> attributes are the crucial "hooks" that our <code>app.js</code> script will use to select these elements and dynamically inject content into them. They begin with simple placeholder text, which will be replaced as soon as our JavaScript runs.</li> </ul> </li> </ul> <h3> The CSS Styling (<code>style.css</code>) </h3> <p>The <code>style.css</code> file is the "interior design" for our HTML structure. Its purpose is to control the layout, colors, and typography, transforming the raw HTML into a clean, readable, and polished user interface. Our stylesheet is built on a few key, modern CSS principles.</p> <h4> 1. Theming with CSS Variables </h4> <p>At the top of the file, we define all our recurring colors and fonts inside a <code>:root</code> block.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:root</span> <span class="p">{</span> <span class="py">--bg-color</span><span class="p">:</span> <span class="m">#282c34</span><span class="p">;</span> <span class="py">--sidebar-bg</span><span class="p">:</span> <span class="m">#21252b</span><span class="p">;</span> <span class="py">--text-color</span><span class="p">:</span> <span class="m">#abb2bf</span><span class="p">;</span> <span class="py">--header-color</span><span class="p">:</span> <span class="m">#ffffff</span><span class="p">;</span> <span class="py">--link-color</span><span class="p">:</span> <span class="m">#61afef</span><span class="p">;</span> <span class="py">--font-family</span><span class="p">:</span> <span class="n">-apple-system</span><span class="p">,</span> <span class="n">BlinkMacSystemFont</span><span class="p">,</span> <span class="s1">"Segoe UI"</span><span class="p">,</span> <span class="n">Roboto</span><span class="p">,</span> <span class="n">Helvetica</span><span class="p">,</span> <span class="n">Arial</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This is a powerful feature known as <strong>CSS Custom Properties</strong>, or variables. By defining these values once and reusing them throughout the stylesheet (e.g., <code>color: var(--text-color);</code>), we make our application's theme incredibly easy to manage. To change the entire color scheme, we only need to edit the values in this single location.</p> <h4> 2. Two-Column Layout with CSS Grid </h4> <p>The core of our page layout is achieved with a simple but powerful CSS Grid definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.container</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="n">grid</span><span class="p">;</span> <span class="py">grid-template-columns</span><span class="p">:</span> <span class="m">280px</span> <span class="m">1</span><span class="n">fr</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>By setting <code>display: grid</code> on our main container, we unlock the two-dimensional layout capabilities of CSS Grid. The <code>grid-template-columns</code> property defines our two columns: the first is a fixed <code>280px</code> wide (for the sidebar), and the second (<code>1fr</code>) is a flexible unit that automatically takes up the remaining "one fraction" of the available space.</p> <h4> 3. Handling Overflow and Scrolling </h4> <p>A crucial detail for a good user experience is managing content that is longer than the screen.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nf">#sidebar</span> <span class="p">{</span> <span class="nl">overflow-y</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> <span class="nf">#content</span> <span class="p">{</span> <span class="nl">overflow-y</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>By setting <code>overflow-y: auto</code> on both our sidebar and main content areas, we ensure that if either the navigation list or the article content becomes too long, it will get its own independent, vertical scrollbar without breaking the overall page layout.</p> <h4> 4. Responsive Content </h4> <p>To prevent large images from breaking our layout, we apply a simple, global rule for all images within the content area.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nf">#content</span> <span class="nt">img</span> <span class="p">{</span> <span class="nl">max-width</span><span class="p">:</span> <span class="m">100%</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This rule ensures that an image will never be wider than its container. If a large image is loaded, it will automatically scale down to fit, while <code>height: auto</code> maintains its original aspect ratio.</p> <h3> The JavaScript Brain (<code>app.js</code>) </h3> <p>This file contains all the client-side logic that transforms our static HTML shell into a dynamic application. It is responsible for fetching data from our backend API, manipulating the DOM to display that data, and responding to user interaction.</p> <h4> Initialization and Event Listeners </h4> <p>The script begins by setting up a primary event listener that waits for the entire HTML document to be loaded and parsed before any of our code runs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">DOMContentLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sidebar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">article-list</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">content</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ... all functions are defined here ...</span> <span class="c1">// --- Initial Load ---</span> <span class="nf">loadArticleList</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">initialSlug</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">initialSlug</span><span class="p">)</span> <span class="p">{</span> <span class="nf">loadArticleContent</span><span class="p">(</span><span class="nx">initialSlug</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h5> Deconstruction: Initialization </h5> <ul> <li> <strong><code>DOMContentLoaded</code></strong>: By wrapping our code in this event listener, we ensure that we don't try to access elements like <code>#sidebar</code> before they are available, which prevents errors.</li> <li> <strong>Initial Calls</strong>: Once the page is ready, the script immediately calls <code>loadArticleList()</code> to populate the navigation menu. It then checks if the URL has a hash fragment (e.g., <code>#0001_basic_fastapi</code>) and, if so, calls <code>loadArticleContent()</code> to support deeplinking.</li> </ul> <h4> Building the Navigation (<code>loadArticleList</code>) </h4> <p>This function is responsible for communicating with our server to discover which articles are available and then building the sidebar navigation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">loadArticleList</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/articles</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP error! Status: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">articles</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">sidebar</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="c1">// Clear any existing content</span> <span class="nx">articles</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">article</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">li</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">li</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">a</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s2">`#</span><span class="p">${</span><span class="nx">article</span><span class="p">.</span><span class="nx">slug</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">article</span><span class="p">.</span><span class="nx">title</span><span class="p">;</span> <span class="nx">a</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span> <span class="o">=</span> <span class="nx">article</span><span class="p">.</span><span class="nx">slug</span><span class="p">;</span> <span class="nf">loadArticleContent</span><span class="p">(</span><span class="nx">article</span><span class="p">.</span><span class="nx">slug</span><span class="p">);</span> <span class="p">});</span> <span class="nx">li</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">a</span><span class="p">);</span> <span class="nx">sidebar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">li</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ... error handling ...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h5> Deconstruction: Building Navigation </h5> <p>Using <code>async/await</code>, the function first <code>fetch</code>es the article index from our <code>/api/articles</code> endpoint and parses the <code>json</code> response. It then iterates over the returned array using <code>forEach</code>, dynamically creating an <code>&lt;li&gt;</code> and <code>&lt;a&gt;</code> element for each article. A <code>'click'</code> event listener is attached to each link, which prevents the default browser navigation and instead calls our <code>loadArticleContent</code> function.</p> <h4> The Rendering Pipeline (<code>loadArticleContent</code>) </h4> <p>This function is the core of the user experience. It takes an article slug, fetches its content, and orchestrates the multi-step process of rendering it to the screen.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">loadArticleContent</span><span class="p">(</span><span class="nx">slug</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">slug</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">content</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;p&gt;Loading...&lt;/p&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/articles/</span><span class="p">${</span><span class="nx">slug</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">markdown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="c1">// The Rendering Pipeline</span> <span class="nx">marked</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">markedBaseUrl</span><span class="p">.</span><span class="nf">baseUrl</span><span class="p">(</span><span class="s2">`/articles/</span><span class="p">${</span><span class="nx">slug</span><span class="p">}</span><span class="s2">/`</span><span class="p">));</span> <span class="nx">content</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">marked</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">markdown</span><span class="p">);</span> <span class="nx">hljs</span><span class="p">.</span><span class="nf">highlightAll</span><span class="p">();</span> <span class="nx">MathJax</span><span class="p">.</span><span class="nf">typeset</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ... error handling ...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h5> Deconstruction: The Rendering Pipeline </h5> <ol> <li> <strong>Fetch</strong>: It makes an <code>async</code> call to <code>/api/articles/{slug}</code> to get the raw Markdown text.</li> <li> <strong>Configure</strong>: It calls <code>marked.use(markedBaseUrl.baseUrl(...))</code> to configure the renderer. This crucial step ensures that any relative image paths in the Markdown are correctly rewritten to point to our article-specific asset endpoint.</li> <li> <strong>Parse &amp; Inject</strong>: It calls <code>marked.parse(markdown)</code> to convert the Markdown to an HTML string and immediately injects it into the main content area's <code>innerHTML</code>.</li> <li> <strong>Enhance</strong>: After the new HTML is in the DOM, it makes two final calls: <code>hljs.highlightAll()</code> to apply syntax highlighting to any code blocks, and <code>MathJax.typeset()</code> to find and render any LaTeX formulas.</li> </ol> <p>This completes the walkthrough of our application's implementation. We have seen how the Python backend and vanilla JavaScript frontend work together to create a seamless user experience.</p> <h1> Testing and Verification </h1> <h2> A Professional's Workflow: Why We Test </h2> <p>Writing code that works is only the first step. Professional software engineering requires us to ensure that the code is correct and, just as importantly, that it <em>stays</em> correct as we add new features or refactor it in the future. Automated testing is the practice of writing code to verify our application's code, creating a safety net that catches regressions before they reach users.</p> <p>Our project employs a comprehensive, two-tiered testing strategy:</p> <ol> <li> <strong>Backend Unit Tests</strong>: To verify the API logic in a fast, isolated environment.</li> <li> <strong>Frontend End-to-End Tests</strong>: To verify the complete user experience in a real browser.</li> </ol> <h2> Part I: Backend Unit Testing with pytest (<code>test_server.py</code>) </h2> <p>The goal of our backend tests is to confirm that each API endpoint behaves as expected—returning the correct data for valid requests and the correct errors for invalid ones. We achieve this without needing to run a real web server or browser.</p> <h3> The Tools and The Challenge of Isolation </h3> <p>Our primary tools are <strong><code>pytest</code></strong>, a powerful and popular Python test runner, and FastAPI's built-in <strong><code>TestClient</code></strong>. The <code>TestClient</code> allows us to send simulated HTTP requests directly to our application in memory, which is incredibly fast and efficient.</p> <p>However, this presents a challenge: our server is designed to scan a real filesystem directory (<code>~/articles</code>) to discover content. How can we test this logic without our tests becoming fragile and dependent on the actual articles in the repository? If we added a new article, we wouldn't want our existing tests to suddenly fail. The solution is to create a temporary, isolated "laboratory" environment for each test.</p> <h3> The Solution: The <code>mock_fs</code> Fixture </h3> <p>To solve the isolation problem, we use <code>pytest</code>'s powerful <strong>fixture</strong> system. A fixture is a function that runs before each test function, providing it with data or setting up a specific state. Our <code>mock_fs</code> fixture creates a completely separate, temporary "laboratory" filesystem for each test to run in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">mock_fs</span><span class="p">(</span><span class="n">tmp_path</span><span class="p">,</span> <span class="n">monkeypatch</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> A pytest fixture to create a temporary, isolated filesystem for testing. It mocks the directory structure and patches the constants in the server module to use these temporary paths. This ensures tests are hermetic. </span><span class="sh">"""</span> <span class="c1"># 1. Create mock directories based on the real structure </span> <span class="n">mock_home</span> <span class="o">=</span> <span class="n">tmp_path</span> <span class="o">/</span> <span class="sh">"</span><span class="s">home</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">testuser</span><span class="sh">"</span> <span class="n">mock_articles_dir</span> <span class="o">=</span> <span class="n">mock_home</span> <span class="o">/</span> <span class="sh">"</span><span class="s">articles</span><span class="sh">"</span> <span class="n">mock_viewer_dir</span> <span class="o">=</span> <span class="n">mock_articles_dir</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0003_html_css_javascript_article_viewer</span><span class="sh">"</span> <span class="n">mock_templates_dir</span> <span class="o">=</span> <span class="n">mock_viewer_dir</span> <span class="o">/</span> <span class="sh">"</span><span class="s">templates</span><span class="sh">"</span> <span class="n">mock_articles_dir</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="n">parents</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">mock_viewer_dir</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">()</span> <span class="n">mock_templates_dir</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">()</span> <span class="c1"># 2. Monkeypatch the server's global path constants to use our mock paths </span> <span class="n">monkeypatch</span><span class="p">.</span><span class="nf">setattr</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">HOME_DIR</span><span class="sh">"</span><span class="p">,</span> <span class="n">mock_home</span><span class="p">)</span> <span class="n">monkeypatch</span><span class="p">.</span><span class="nf">setattr</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">ARTICLES_DIR</span><span class="sh">"</span><span class="p">,</span> <span class="n">mock_articles_dir</span><span class="p">)</span> <span class="n">monkeypatch</span><span class="p">.</span><span class="nf">setattr</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">VIEWER_DIR</span><span class="sh">"</span><span class="p">,</span> <span class="n">mock_viewer_dir</span><span class="p">)</span> <span class="n">monkeypatch</span><span class="p">.</span><span class="nf">setattr</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">,</span> <span class="sh">"</span><span class="s">TEMPLATES_DIR</span><span class="sh">"</span><span class="p">,</span> <span class="n">mock_templates_dir</span><span class="p">)</span> <span class="c1"># 3. Create a dummy index.html needed by the serve_frontend endpoint </span> <span class="p">(</span><span class="n">mock_templates_dir</span> <span class="o">/</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">).</span><span class="nf">write_text</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;html&gt;Hello Test&lt;/html&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">mock_articles_dir</span> </code></pre> </div> <h4> Deconstruction: How the Fixture Works </h4> <p>This fixture uses two powerful, built-in <code>pytest</code> fixtures to achieve its goal:</p> <ol> <li><p><strong>Creating a Temporary Filesystem with <code>tmp_path</code></strong>: The <code>tmp_path</code> fixture provides a <code>pathlib.Path</code> object pointing to a unique temporary directory. This directory is created before the test runs and is completely destroyed after it finishes. We use this to build a clean, predictable mock directory structure (<code>mock_home</code>, <code>mock_articles_dir</code>, etc.) from scratch.</p></li> <li><p><strong>Rerouting the Server with <code>monkeypatch</code></strong>: The <code>monkeypatch</code> fixture allows us to safely modify variables, functions, or classes during a test and automatically restores the original state afterward. The crucial line is <code>monkeypatch.setattr(viewer_server, "ARTICLES_DIR", mock_articles_dir)</code>. This line dynamically changes the <code>ARTICLES_DIR</code> constant inside our <code>server.py</code> module, effectively "tricking" the server into looking at our temporary directory instead of the real one.</p></li> </ol> <p>By combining these two tools, our <code>mock_fs</code> fixture provides every test function with a perfectly clean, isolated, and predictable environment. This makes our tests fast, reliable, and completely independent of any external state.</p> <h3> Deconstructing the Test Cases </h3> <p>With the <code>mock_fs</code> fixture handling the complex setup, our test functions become clean, readable, and focused. Each test follows the standard <strong>Arrange-Act-Assert</strong> pattern.</p> <h4> Example 1: The Success Case </h4> <p>This test verifies that the main <code>/api/articles</code> endpoint works correctly when there are valid articles on the filesystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">test_get_articles_index_success</span><span class="p">(</span><span class="n">mock_fs</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Tests that the index endpoint returns a correctly formatted list of articles.</span><span class="sh">"""</span> <span class="c1"># Arrange: Create some dummy articles in the mocked filesystem </span> <span class="p">(</span><span class="n">mock_fs</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0002_second_article</span><span class="sh">"</span><span class="p">).</span><span class="nf">mkdir</span><span class="p">()</span> <span class="p">(</span><span class="n">mock_fs</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0002_second_article</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">README.md</span><span class="sh">"</span><span class="p">).</span><span class="nf">touch</span><span class="p">()</span> <span class="p">(</span><span class="n">mock_fs</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0001_first_article</span><span class="sh">"</span><span class="p">).</span><span class="nf">mkdir</span><span class="p">()</span> <span class="p">(</span><span class="n">mock_fs</span> <span class="o">/</span> <span class="sh">"</span><span class="s">0001_first_article</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">README.md</span><span class="sh">"</span><span class="p">).</span><span class="nf">touch</span><span class="p">()</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">.</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="c1"># Act </span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/articles</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Assert </span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">assert</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">==</span> <span class="mi">2</span> <span class="k">assert</span> <span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">slug</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">0001_first_article</span><span class="sh">"</span> <span class="k">assert</span> <span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">First Article</span><span class="sh">"</span> </code></pre> </div> <h5> Deconstruction: </h5> <ul> <li> <strong>Arrange</strong>: This is the setup phase. We take the empty <code>mock_fs</code> directory provided by our fixture and populate it with the specific subdirectories and dummy <code>README.md</code> files that this particular test requires.</li> <li> <strong>Act</strong>: This is where we perform the action we want to test. We instantiate the <code>TestClient</code> and send a <code>GET</code> request to the <code>/api/articles</code> endpoint. When the <code>TestClient</code> starts, it triggers our server's <code>lifespan</code> function, which now scans our temporary, arranged directory.</li> <li> <strong>Assert</strong>: This is the verification phase. We check that the <code>response.status_code</code> is <code>200 OK</code>, that the returned JSON data contains two articles, and that their content (slug and title) is correctly formatted and sorted.</li> </ul> <h4> Example 2: The Failure Case </h4> <p>It is just as important to test that our application handles errors correctly. This test verifies that requesting a non-existent article returns a <code>404 Not Found</code> error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">test_get_article_content_not_found</span><span class="p">(</span><span class="n">mock_fs</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Tests that requesting a non-existent article slug returns a 404.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">viewer_server</span><span class="p">.</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/articles/non_existent_slug</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">404</span> </code></pre> </div> <h5> Deconstruction: </h5> <p>This test is simpler. The <strong>Arrange</strong> step is handled entirely by the <code>mock_fs</code> fixture, which provides a clean slate. The <strong>Act</strong> step is to request a slug that we know does not exist. The <strong>Assert</strong> step is a single, clear check that the server responded with the correct <code>404</code> status code.</p> <p>The rest of the tests in <code>test_server.py</code> follow these same patterns, covering every success and failure branch for each endpoint. This gives us high confidence in our backend's reliability.</p> <h2> Part II: Frontend End-to-End Testing with Playwright (<code>test_e2e.py</code>) </h2> <p>While our backend unit tests give us confidence in our API's logic, they don't tell us if the application actually works from a user's perspective. To verify the complete system—from the JavaScript in the browser to the Python on the server—we use <strong>End-to-End (E2E) tests</strong>.</p> <p>The goal of E2E testing is to write a script that automates a real web browser to simulate a user's journey. Our tool for this is <strong>Playwright</strong>, a modern browser automation framework that we can control entirely from Python.</p> <h3> The Challenge of a Live Server </h3> <p>Unlike the <code>TestClient</code> which runs our app in memory, a browser-based test needs to connect to a real, live web server over the network. Our test suite needs a way to start our server before the tests run and shut it down cleanly afterward.</p> <h3> The Solution: The <code>live_server_process</code> Fixture </h3> <p>We solve this by creating a session-scoped <code>pytest</code> fixture that manages the server's lifecycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">live_server_process</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> A session-scoped fixture that starts the server in a detached tmux session and uses a robust polling loop to wait for it to be ready. </span><span class="sh">"""</span> <span class="n">start_cmd</span> <span class="o">=</span> <span class="sh">"</span><span class="s">tmux new -s test_server -d </span><span class="sh">'</span><span class="s">. .venv/bin/activate &amp;&amp; python3 server.py</span><span class="sh">'"</span> <span class="k">try</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">start_cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">cwd</span><span class="o">=</span><span class="sh">"</span><span class="s">..</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Wait for the server to be ready with a robust polling loop. </span> <span class="n">host</span><span class="p">,</span> <span class="n">port</span> <span class="o">=</span> <span class="sh">"</span><span class="s">127.0.0.1</span><span class="sh">"</span><span class="p">,</span> <span class="mi">8889</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="c1"># Poll for up to 10 seconds </span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">socket</span><span class="p">.</span><span class="nf">create_connection</span><span class="p">((</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="mf">0.1</span><span class="p">):</span> <span class="k">break</span> <span class="nf">except </span><span class="p">(</span><span class="nb">ConnectionRefusedError</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">timeout</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">pytest</span><span class="p">.</span><span class="nf">fail</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Server at </span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s"> did not start within 10 seconds.</span><span class="sh">"</span><span class="p">)</span> <span class="k">yield</span> <span class="n">BASE_URL</span> <span class="c1"># The tests run at this point </span> <span class="k">finally</span><span class="p">:</span> <span class="c1"># Teardown: Cleanly kill the tmux session. </span> <span class="n">kill_cmd</span> <span class="o">=</span> <span class="sh">"</span><span class="s">tmux kill-session -t test_server</span><span class="sh">"</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">kill_cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">)</span> </code></pre> </div> <h4> Deconstruction: </h4> <ul> <li> <strong><code>scope="session"</code></strong>: This decorator tells <code>pytest</code> to run this fixture only <strong>once</strong> for the entire test session, which is efficient.</li> <li> <strong><code>subprocess</code> and <code>tmux</code></strong>: The fixture uses Python's <code>subprocess</code> library to execute a <code>tmux</code> command, which starts our <code>server.py</code> in a detached, background session.</li> <li> <strong>The Polling Loop</strong>: Because the server takes a moment to start, the script immediately enters a polling loop. It repeatedly tries to open a socket connection to <code>127.0.0.1:8889</code>. This loop continues until a connection is successful, proving the server is up and ready. This is a robust way to handle process startup.</li> <li> <strong><code>yield</code> and Teardown</strong>: The <code>yield</code> keyword passes control to the tests. The <code>finally</code> block guarantees that after all tests have completed, the <code>tmux kill-session</code> command is run to cleanly terminate the server process.</li> </ul> <h3> Deconstructing an E2E Test Case </h3> <p>With the server running, an E2E test is simply a script that gives the browser instructions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">test_article_click_and_render</span><span class="p">(</span><span class="n">live_server_process</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Tests clicking an article and verifying its content is rendered.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nf">sync_playwright</span><span class="p">()</span> <span class="k">as</span> <span class="n">p</span><span class="p">:</span> <span class="n">browser</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">()</span> <span class="n">context</span> <span class="o">=</span> <span class="n">browser</span><span class="p">.</span><span class="nf">new_context</span><span class="p">(</span><span class="n">ignore_https_errors</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">page</span> <span class="o">=</span> <span class="n">context</span><span class="p">.</span><span class="nf">new_page</span><span class="p">()</span> <span class="n">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="n">BASE_URL</span><span class="p">)</span> <span class="n">page</span><span class="p">.</span><span class="nf">get_by_role</span><span class="p">(</span><span class="sh">"</span><span class="s">link</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Docker Dev Environment</span><span class="sh">"</span><span class="p">).</span><span class="nf">click</span><span class="p">()</span> <span class="n">content_heading</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="sh">"</span><span class="s">#content h2</span><span class="sh">"</span><span class="p">,</span> <span class="n">has_text</span><span class="o">=</span><span class="sh">"</span><span class="s">A Primer on Isolation</span><span class="sh">"</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="n">content_heading</span><span class="p">).</span><span class="nf">to_be_visible</span><span class="p">()</span> <span class="n">context</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <h4> Deconstruction: </h4> <ul> <li> <strong><code>with sync_playwright()...</code></strong>: This block manages the browser lifecycle, starting it and ensuring it closes correctly.</li> <li> <strong><code>page.goto(...)</code></strong>: This command navigates the automated browser to our running server's URL.</li> <li> <strong><code>page.get_by_role(...).click()</code></strong>: This is the core of the user simulation. Playwright finds an element just like a user would (in this case, a link with the text "Docker Dev Environment") and simulates a click.</li> <li> <strong><code>expect(locator).to_be_visible()</code></strong>: This is the assertion. Playwright's <code>expect</code> function has a crucial feature: <strong>auto-waiting</strong>. It will automatically wait for a few seconds for the content to appear on the screen before checking the assertion, which makes the test extremely reliable and free of the flaky timing issues that plague older testing tools.</li> </ul> <h1> Conclusion </h1> <p>In this article, we've journeyed from a simple problem—the poor formatting of technical content on the web—to a complete, first-principles solution. We have successfully architected and built a production-grade, self-hosted article viewer, complete with a high-performance FastAPI backend, a dynamic vanilla JavaScript frontend, and a comprehensive, two-tiered automated testing suite to guarantee its reliability.</p> <p>More importantly than the final application, however, is the methodology we followed. By deliberately choosing a lean stack and deconstructing each component—from the server's <code>lifespan</code> handler to the frontend's rendering pipeline and the isolated test fixtures—we have revealed the fundamental patterns that power modern web development. You now have not just a functional application, but a deep, practical understanding of the client-server model, API design, the SPA lifecycle, and professional verification workflows.</p> <p>This blueprint is now yours to build upon. With this foundation, you have the knowledge to extend this viewer with new features, adapt its architecture for your own projects, or confidently build entirely new applications from scratch. What will you build next?</p> <h1> Markdown and MathJax Feature Demo </h1> <p>This section demonstrates the rendering capabilities of this article viewer. It includes various levels of headings, text formatting, lists, links, images, code blocks with syntax highlighting, and mathematical equations rendered with MathJax.</p> <h2> Text Formatting and Headings </h2> <p>This is a level 2 heading. You can create headings by starting a line with one or more <code>#</code> characters.</p> <h3> Level 3 Heading </h3> <p>Here is some standard paragraph text. Text can be formatted in various ways. For example, you can make text <strong>bold</strong>, <em>italic</em>, or even <strong><em>bold and italic</em></strong>. You can also use <code>strikethrough</code>.</p> <h4> Level 4 Heading </h4> <blockquote> <p>This is a blockquote. It's useful for quoting text from another source or for emphasizing a particular passage. Blockquotes can span multiple lines.</p> </blockquote> <h5> Level 5 Heading </h5> <p>And a final, level 6 heading is below.</p> <h6> Level 6 Heading </h6> <p>This demonstrates the full hierarchy of available headings.</p> <h2> Lists and Links </h2> <p>You can create both unordered and ordered lists.</p> <ul> <li>This is an item in an unordered list. <ul> <li>You can nest lists by indenting.</li> <li>This is another nested item.</li> </ul> </li> <li>This is a second top-level item.</li> </ul> <ol> <li> This is an item in an ordered list.</li> <li> The numbering is handled automatically.</li> <li> Here is a link to the <a href="https://marked.js.org/" rel="noopener noreferrer">official Marked.js documentation</a>.</li> </ol> <h2> Images and Code </h2> <p>Images with relative paths are handled correctly by the server.</p> <p>Inline code, like <code>const app = FastAPI()</code>, is rendered with a distinct background. For larger blocks of code, fenced code blocks with syntax highlighting are used.</p> <h3> Python Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_root</span><span class="p">():</span> <span class="sh">"""</span><span class="s">A simple root endpoint.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Server is running</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> JavaScript Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">DOMContentLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">The document is ready!</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Shell/Bash Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update all packages and clean up</span> apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\</span> cowsay <span class="se">\</span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> cowsay <span class="s2">"Hello World"</span> </code></pre> </div> <h3> C++ Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="cp">#include</span> <span class="cpf">&lt;iostream&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;vector&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;string&gt;</span><span class="cp"> </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;</span> <span class="n">msg</span> <span class="p">{</span><span class="s">"Hello"</span><span class="p">,</span> <span class="s">"C++"</span><span class="p">,</span> <span class="s">"World"</span><span class="p">,</span> <span class="s">"from"</span><span class="p">,</span> <span class="s">"a"</span><span class="p">,</span> <span class="s">"container!"</span><span class="p">};</span> <span class="k">for</span> <span class="p">(</span><span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&amp;</span> <span class="n">word</span> <span class="o">:</span> <span class="n">msg</span><span class="p">)</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="n">word</span> <span class="o">&lt;&lt;</span> <span class="s">" "</span><span class="p">;</span> <span class="p">}</span> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Tables </h2> <p>Markdown tables are also supported.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Status</th> <th>Implemented By</th> </tr> </thead> <tbody> <tr> <td>Markdown Rendering</td> <td>Complete</td> <td><code>marked.js</code></td> </tr> <tr> <td>Syntax Highlighting</td> <td>Complete</td> <td><code>highlight.js</code></td> </tr> <tr> <td>Math Typesetting</td> <td>Complete</td> <td><code>MathJax</code></td> </tr> </tbody> </table></div> <h2> Mathematical Equations with MathJax </h2> <p>Thanks to MathJax, we can render complex mathematical formulas written in LaTeX. This can be done inline, such as Einstein's famous equation, $E = mc^2$.</p> <p>For larger, display-style equations, we can use block-level rendering. Here is the probability density function for the normal distribution:</p> <p>$$f(x) = \frac{1}{\sigma\sqrt{2\pi}} \exp\left( -\frac{(x - \mu)^2}{2\sigma^2} \right)$$</p> <p>And here is the integral form of the Fourier Transform:</p> <p>$$X(\omega) = \int_{-\infty}^{\infty} x(t) e^{-j\omega t} dt$$</p> webdev html css javascript Warren Jitsing Wed, 31 Dec 2025 10:28:03 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/basic-fastapi-pko https://dev.to/warren_jitsing_dd1c1d6fc6/basic-fastapi-pko <p>GitHub: <a href="https://github.com/InfiniteConsult/0001_basic_fastapi" rel="noopener noreferrer">https://github.com/InfiniteConsult/0001_basic_fastapi</a></p> <p>This was the first article I wrote and my most gentle post so far.</p> <h1> Introduction </h1> <p>In the landscape of Python web frameworks, FastAPI distinguishes itself through its high performance and modern, type-driven design. It is an indispensable tool not only for building production-grade APIs but also for the critical task of verifying the conformance of low-level, handwritten network protocols.</p> <p>This guide provides a first-principles walkthrough for setting up a combined HTTP and WebSocket server, covering the complete lifecycle from environment setup to automated testing.</p> <h1> Foundations </h1> <h2> HTTP </h2> <p>The Hypertext Transfer Protocol (HTTP) is the bedrock of data communication on the web, powering everything from browser requests to complex REST APIs. This guide will focus specifically on HTTP/1.1, as its human-readable, text-based format is ideal for understanding the protocol's fundamental mechanics.</p> <p>HTTP/1.1 operates on a strict request-response cycle. A client always initiates communication by sending a request to a server, and the server's sole job is to return a single response. The server cannot spontaneously send data; it must wait for a client's request. Our examples will concentrate on the two most common request types: GET to retrieve resources and POST to submit data.</p> <p>A critical feature of HTTP/1.1 is that it is a text-based protocol, unlike the complex binary framing used in HTTP/2. Every message is constructed as a simple string of characters, which is then encoded as a raw sequence of bytes for transmission. At a low level, you can think of this data as a <code>bytes</code> object in Python, an <code>unsigned char*</code> buffer in C, a <code>std::vector&lt;std::byte&gt;</code> in C++, or a <code>Vec&lt;u8&gt;</code> in Rust.</p> <h3> GET request </h3> <p>The HTTP GET method is designed for a single purpose: to retrieve a representation of a specified resource. As a read-only operation, it is considered "safe," meaning it should not alter the state of the resource.</p> <p>A key characteristic of a GET request is that it contains no message body. While parameters can be sent to the server through the URL's query string (e.g., <code>GET /search?topic=api&amp;page=2 HTTP/1.1</code>), the request itself carries no payload.</p> <p>Like all HTTP/1.1 messages, each line is terminated by a carriage return and newline (<code>\r\n</code>). A final blank line (<code>\r\n</code> on its own) signals the end of the headers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET / HTTP/1.1\r\n Host: www.example.com\r\n Connection: close\r\n User-Agent: SimpleClient/1.0\r\n \r\n </code></pre> </div> <h3> POST request </h3> <p>The HTTP POST method is used to submit an entity to the specified resource, often causing a change in state or the creation of a new resource on the server. It is the primary method for sending user-generated data to a web server.</p> <p>Unlike GET, a POST request is defined by its inclusion of a payload in the message body. To ensure the server can correctly process this payload, two headers are critical:</p> <ul> <li>Content-Type: Specifies the media type of the body (e.g., application/json, multipart/form-data).</li> <li>Content-Length: Indicates the exact size of the body in bytes.</li> </ul> <p>Because POST is designed to create or update resources, it is neither "safe" nor "idempotent"—meaning that sending the same request multiple times may have additional side effects, such as creating duplicate entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /api/users HTTP/1.1\r\n Host: api.example.com\r\n Content-Type: application/json\r\n Content-Length: 25\r\n Connection: close\r\n \r\n {"name": "monday","id": 7} </code></pre> </div> <h3> Headers </h3> <p>HTTP headers are the key-value pairs that carry metadata and control information for both requests and responses. Think of them as the instructions on the outside of a package; they describe the contents, specify the destination, and provide handling directives without altering the package's contents (the message body).</p> <p>Each header consists of a case-insensitive name, a colon (:), and a value. While there are hundreds of possible headers, they generally fall into a few key roles:</p> <ul> <li>Describing the Request: Headers like Host specify the server a request is for, while User-Agent identifies the client making the request.</li> <li>Describing the Body: For messages with a payload (like POST), Content-Type defines the data format and Content-Length specifies its size.</li> <li>Controlling Behavior: Headers can act as directives. For example, Connection: close tells the server to close the socket after the response, and Cache-Control dictates how the response should be cached by browsers and proxies.</li> </ul> <p>Together, this extensible system of headers governs everything from authentication and content negotiation to redirection and cookie management, forming the operational backbone of every HTTP message.</p> <h3> A Note on HTTPS and Security </h3> <p>HTTPS (Hypertext Transfer Protocol Secure) is not a separate protocol from HTTP. It is simply standard HTTP communication layered on top of a secure TLS socket. Think of it as sending the exact same plaintext HTTP messages you've already seen, but through a private, encrypted tunnel.</p> <p>A TLS (Transport Layer Security) socket is an enhanced network socket that uses a cryptographic protocol to secure the connection. Before any HTTP data is exchanged, the client and server perform a "TLS handshake." During this handshake, they:</p> <ol> <li>Negotiate which encryption ciphers to use.</li> <li>Verify the server's identity using its TLS certificate.</li> <li>Securely generate and exchange session keys for encrypting the data.</li> </ol> <p>The importance of using HTTPS is that it provides three critical security guarantees:</p> <ul> <li>Confidentiality: All traffic is encrypted, preventing eavesdroppers from reading sensitive information like passwords or credit card numbers.</li> <li>Authentication: The server's certificate proves that you are connected to the legitimate website and not an imposter.</li> <li>Integrity: TLS ensures that the data sent between the client and server has not been tampered with or altered in transit.</li> </ul> <h2> WebSockets </h2> <p>Where HTTP's request-response model is inefficient for real-time applications, the <strong>WebSocket protocol</strong> provides a persistent, <strong>full-duplex communication channel</strong> over a single TCP connection. This allows both the client and server to send data to each other independently and at any time, making it the ideal standard for applications like live chats, financial data streams, and multiplayer online games.</p> <h3> The Handshake: Upgrading the Connection </h3> <p>A WebSocket connection does not start on its own. It begins life as a standard HTTP/1.1 GET request, which includes special headers asking the server to "upgrade" the connection from HTTP to the WebSocket protocol.</p> <p>The client sends an <code>Upgrade</code> request with a unique key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Sec-WebSocket-Version: 13 </code></pre> </div> <p>If the server supports WebSockets and agrees to the upgrade, it responds with a 101 Switching Protocols status. It also computes an acceptance key from the client's key to prove it understood the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= </code></pre> </div> <h3> The Data Framing Protocol </h3> <p>Once the handshake is successful, the underlying TCP socket remains open, but the communication is no longer HTTP. Instead, data is exchanged as a sequence of <strong>frames</strong>. Each frame is a small piece of data with a header that describes its content.</p> <p>The frame header specifies:</p> <ul> <li> <strong>The Frame Type</strong>: Whether the payload is text, binary data, a ping/pong control message, or a request to close the connection.</li> <li> <strong>The Payload Length</strong>: The size of the data in the frame.</li> <li> <strong>Masking</strong>: Whether the data is masked (a security feature for client-to-server frames).</li> </ul> <p>This framing mechanism is highly efficient because it removes the overhead of HTTP headers from every message. Instead of a verbose, text-based request-response cycle, you have a lean, continuous stream of data flowing in both directions.</p> <ul> <li> <strong>FIN (1 bit)</strong>: The "final" bit. It's set to <code>1</code> for the final frame of a message, or <code>0</code> for intermediate frames of a fragmented message.</li> <li> <strong>RSV1, RSV2, RSV3 (1 bit each)</strong>: Three reserved bits. They must be <code>0</code> unless an extension is negotiated to define a meaning for them.</li> <li> <strong>Opcode (4 bits)</strong>: Defines the interpretation of the payload data. Common opcodes include: <ul> <li> <code>0x1</code>: Text Frame (the payload is UTF-8 text)</li> <li> <code>0x2</code>: Binary Frame (the payload is raw binary data)</li> <li> <code>0x8</code>: Connection Close Frame</li> <li> <code>0x9</code>: Ping Frame</li> <li> <code>0xA</code>: Pong Frame</li> </ul> </li> <li> <strong>MASK (1 bit)</strong>: Defines whether the payload is "masked" (XORed with a key). All frames sent from a client to a server <strong>must</strong> be masked.</li> <li> <strong>Payload Length (7, 7+16, or 7+64 bits)</strong>: A variable-length field describing the payload's size in bytes: <ul> <li> <strong>If the value is 0-125</strong>: This is the literal length of the payload.</li> <li> <strong>If the value is 126</strong>: The next 2 bytes (16 bits) are read as an unsigned integer to get the actual payload length.</li> <li> <strong>If the value is 127</strong>: The next 8 bytes (64 bits) are read as an unsigned integer to get the actual payload length.</li> </ul> </li> <li> <strong>Masking Key (4 bytes / 32 bits)</strong>: <em>(Optional)</em> If the <code>MASK</code> bit is set to <code>1</code>, this field is present and contains the key used to unmask the payload.</li> <li> <strong>Payload Data (N bytes)</strong>: The actual application data. If the frame was masked, the recipient must XOR this data with the masking key to retrieve the original content.</li> </ul> <h3> Securing WebSockets with WSS </h3> <p>Much like HTTPS, WebSocket Secure (wss://) is not a fundamentally different protocol. It is simply the standard WebSocket protocol running over a secure TLS connection.</p> <p>The relationship between ws:// and wss:// is directly analogous to that of http:// and https://. The initial HTTP Upgrade handshake for a wss:// connection must be sent over an established HTTPS connection. Once the handshake is complete, all subsequent WebSocket frames are transmitted through that same secure TLS tunnel.</p> <p>This provides the same three critical security benefits for your real-time communication. Any production application that sends sensitive information over a WebSocket must use the wss:// scheme to ensure data security.</p> <h1> Environment Setup </h1> <p>Before writing any code, we need to establish a clean, isolated development environment and install the necessary dependencies.</p> <h2> Dependencies </h2> <p>First, create a <code>requirements.txt</code> file in your project directory with the following contents. These packages provide the core framework, application server, and testing utilities.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi uvicorn websockets httpx pytest pytest-cov </code></pre> </div> <ul> <li> <strong>fastapi</strong>: The high-performance web framework we are using to build the API.</li> <li> <strong>uvicorn</strong>: A lightning-fast ASGI (Asynchronous Server Gateway Interface) server, required to run our FastAPI application.</li> <li> <strong>websockets</strong>: A high-performance WebSocket library that Uvicorn can use for its WebSocket implementation.</li> <li> <strong>httpx</strong>: A modern, async-capable HTTP client library. It is a required dependency for FastAPI's integrated <code>TestClient</code>.</li> <li> <strong>pytest</strong>: The powerful and popular framework we will use to write our automated tests.</li> <li> <strong>pytest-cov</strong>: Allows us to calculate the coverage of our application code by our test suite. It is a valuable metric for identifying parts of your codebase that are not exercised by your tests.</li> </ul> <h2> Installation </h2> <p>With the <code>requirements.txt</code> file in place, create and activate a Python virtual environment, then install the packages using <code>pip</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a virtual environment named .venv</span> python3 <span class="nt">-m</span> venv .venv <span class="c"># Activate the virtual environment (syntax for Linux/macOS)</span> <span class="nb">source</span> .venv/bin/activate <span class="c"># Confirm the venv's python is now on your PATH</span> which python3 <span class="c"># Expected output: /path/to/your/project/.venv/bin/python3</span> <span class="c"># Install all packages from the requirements file</span> python3 <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <p>Why do I put <code>python3 -m</code> in front of my <code>pip</code> command? Because I like to be as <code>explicit</code> as a single-argument C++ constructor should be.</p> <h2> Securing the Local Server with TLS </h2> <p>To enable HTTPS and WSS, our server needs a TLS certificate to handle encrypted traffic. While production servers require certificates issued by a trusted Certificate Authority (CA), we can generate a <strong>self-signed certificate</strong> for local development. This allows us to test our secure <code>https://</code> and <code>wss://</code> endpoints without purchasing a formal certificate, and crucially, without modern browser warnings.</p> <p>Run the following <code>openssl</code> command in your terminal. This command generates a modern certificate using Elliptic Curve Cryptography and includes a Subject Alternative Name (SAN) for broad browser compatibility. It will create a private key (<code>key.pem</code>) and a public certificate (<code>cert.pem</code>), valid for one year.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl req <span class="nt">-x509</span> <span class="se">\</span> <span class="nt">-nodes</span> <span class="se">\</span> <span class="nt">-newkey</span> ed25519 <span class="se">\</span> <span class="nt">-keyout</span> key.pem <span class="se">\</span> <span class="nt">-out</span> cert.pem <span class="se">\</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-days</span> 365 <span class="se">\</span> <span class="nt">-subj</span> <span class="s1">'/CN=localhost'</span> <span class="se">\</span> <span class="nt">-addext</span> <span class="s2">"subjectAltName = DNS:localhost,IP:127.0.0.1"</span> </code></pre> </div> <p>Here is a brief breakdown of what these flags do:</p> <ul> <li> <strong><code>req -x509</code></strong>: Creates a self-signed certificate, suitable for development.</li> <li> <strong><code>-nodes</code></strong>: "No DES," meaning it creates a private key that is not encrypted with a passphrase.</li> <li> <strong><code>-newkey ed25519</code></strong>: Generates a new, highly efficient <strong>ED25519 Elliptic Curve private key</strong>. This is a modern alternative to RSA with equivalent security at smaller key sizes.</li> <li> <strong><code>-keyout key.pem</code></strong>: Specifies the output file for the private key.</li> <li> <strong><code>-out cert.pem</code></strong>: Specifies the output file for the certificate.</li> <li> <strong><code>-subj '/CN=localhost'</code></strong>: Sets the certificate's subject information non-interactively, with the "Common Name" set to <code>localhost</code>.</li> <li> <strong><code>-addext "subjectAltName = DNS:localhost,IP:127.0.0.1"</code></strong>: <strong>Crucially</strong>, this adds a Subject Alternative Name (SAN) extension. Modern browsers rely on SANs rather than the Common Name for hostname validation, ensuring your certificate is trusted for <code>localhost</code> and <code>127.0.0.1</code> without warnings.</li> </ul> <h1> Implementation </h1> <h2> The HTTP Layer </h2> <h3> The Basic Application Structure </h3> <p>We'll begin by creating the core of our application in a file named <code>main.py</code>. This initial version will focus on two things: instantiating the FastAPI application and setting up a "lifespan" event handler to manage resources needed by our server.</p> <h3> Managing Resources with <code>lifespan</code> </h3> <p>A <strong>lifespan handler</strong> is a function that FastAPI runs on startup and shutdown. It's the ideal place to manage resources that the application needs to operate, such as database connections, machine learning models, or, in our case, temporary files for demonstration purposes.</p> <p>We'll use this handler to create a static file when the server starts and cleanly remove it when the server stops.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextlib</span> <span class="kn">import</span> <span class="n">asynccontextmanager</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="c1"># Define the path for our static content </span><span class="n">STATIC_DIR</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sh">"</span><span class="s">static</span><span class="sh">"</span><span class="p">)</span> <span class="n">DATA_FILE</span> <span class="o">=</span> <span class="n">STATIC_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">data.txt</span><span class="sh">"</span> <span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> This function runs on application startup and shutdown. It creates a dummy file for our FileResponse example. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is starting up...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Create the static directory and a test file </span> <span class="n">STATIC_DIR</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="n">exist_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">DATA_FILE</span><span class="p">.</span><span class="nf">write_text</span><span class="p">(</span><span class="sh">"</span><span class="s">This is a test file served by FastAPI.</span><span class="sh">"</span><span class="p">)</span> <span class="k">yield</span> <span class="c1"># The application runs while the lifespan is in this state </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is shutting down...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Clean up the file and directory </span> <span class="n">DATA_FILE</span><span class="p">.</span><span class="nf">unlink</span><span class="p">()</span> <span class="n">STATIC_DIR</span><span class="p">.</span><span class="nf">rmdir</span><span class="p">()</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">lifespan</span><span class="o">=</span><span class="n">lifespan</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_root</span><span class="p">():</span> <span class="sh">"""</span><span class="s">A simple root endpoint to confirm the server is running.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Server is running</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p>This code sets up an <code>asynccontextmanager</code> named <code>lifespan</code>. Everything <strong>before the <code>yield</code> statement</strong> is executed on startup. The server then runs and processes requests. Once the server is shut down (e.g., with <code>Ctrl+C</code>), the code <strong>after the <code>yield</code></strong> is executed, ensuring our temporary file and directory are cleanly removed. We connect this handler to our application by passing it to the <code>FastAPI</code> constructor.</p> <h3> Core Concept: HTTP Status Codes </h3> <p>Before we implement our endpoints, it's crucial to understand <strong>HTTP status codes</strong>. Every response a server sends includes a three-digit code that tells the client the outcome of its request. Using the correct code is a fundamental part of building a well-behaved and predictable API.</p> <p>These codes are grouped into five classes, which are easy to remember by their first digit.</p> <h4> <strong><code>2xx</code>: Success</strong> </h4> <p>A <code>2xx</code> code means the request was successfully received, understood, and accepted.</p> <ul> <li> <strong><code>200 OK</code></strong>: The standard response for a successful GET request.</li> <li> <strong><code>201 Created</code></strong>: Indicates that a new resource was successfully created as a result of a POST request.</li> </ul> <h4> <strong><code>3xx</code>: Redirection</strong> </h4> <p>A <code>3xx</code> code indicates that the client must take additional action to complete the request, usually by making a new request to a different URL.</p> <ul> <li> <strong><code>307 Temporary Redirect</code></strong>: The requested resource has temporarily moved to a new URL.</li> </ul> <h4> <strong><code>4xx</code>: Client Error</strong> </h4> <p>A <code>4xx</code> code means there was an error, and it appears to be the client's fault.</p> <ul> <li> <strong><code>400 Bad Request</code></strong>: The server could not understand the request due to invalid syntax.</li> <li> <strong><code>404 Not Found</code></strong>: The server could not find the requested resource.</li> <li> <strong><code>422 Unprocessable Entity</code></strong>: The request was well-formed, but contained semantic errors (e.g., a required field was missing in a JSON payload). FastAPI uses this frequently for validation errors.</li> </ul> <h4> <strong><code>5xx</code>: Server Error</strong> </h4> <p>A <code>5xx</code> code indicates that the server failed to fulfill a valid request due to an error on its end.</p> <ul> <li> <strong><code>500 Internal Server Error</code></strong>: A generic error message given when an unexpected condition was encountered and no more specific message is suitable.</li> </ul> <p>Returning the correct status code is essential. It allows browsers, automated clients, and caching proxies to behave correctly. A common anti-pattern is to return a <code>200 OK</code> status with an error message in the body; the correct approach is to use a <code>4xx</code> or <code>5xx</code> code to signal the error at the protocol level.</p> <h3> Implementing the HTTP Endpoints </h3> <p>With our basic application structure and <code>lifespan</code> handler in place, we can now add the core logic for our HTTP server. We will implement three different endpoints to demonstrate FastAPI's primary capabilities: returning JSON data, serving static files, and handling application errors.</p> <p>Add the following imports to the top of your <code>main.py</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> </code></pre> </div> <h4> Endpoint 1: Returning a JSON Response </h4> <p>The most common use case for a web API is returning structured data. FastAPI makes this incredibly simple. If you return a Python dictionary from an endpoint function, FastAPI will automatically serialize it into a JSON response and set the <code>Content-Type</code> header to <code>application/json</code>.</p> <p>Add the following endpoint to <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/status</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_status</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Returns the current status of the server.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h4> Endpoint 2: Serving a Static File </h4> <p>To serve a static file, like the one we created in our <code>lifespan</code> handler, we use FastAPI's <code>FileResponse</code>. This response type is highly efficient as it <strong>streams the file from disk</strong> rather than loading it all into memory first. It also automatically determines the file's <code>Content-Type</code> from its extension and sets the <code>Content-Length</code> header.</p> <p>Add this endpoint to <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/static/data.txt</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_data_file</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Serves the static data.txt file.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="n">DATA_FILE</span><span class="p">)</span> </code></pre> </div> <h4> Endpoint 3: Handling Errors </h4> <p>Proper error handling is critical for a robust API. When a client requests a resource that doesn't exist, the server should return a <code>404 Not Found</code> status code. FastAPI manages this through the <code>HTTPException</code> class.</p> <p>When you <strong>raise an <code>HTTPException</code></strong>, FastAPI stops processing the request and immediately sends an HTTP response with the specified status code and a JSON error body.</p> <p>Add this endpoint to <code>main.py</code> to simulate looking for an item that may not exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/items/{item_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_item</span><span class="p">(</span><span class="n">item_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Returns a dummy item if the ID is valid, otherwise raises a 404. </span><span class="sh">"""</span> <span class="k">if</span> <span class="n">item_id</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Item with ID </span><span class="si">{</span><span class="n">item_id</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">item_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">item_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">The One Item</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h4> Endpoint 4: Handling a POST Request </h4> <p>To handle a <code>POST</code> request and receive a JSON body, you define an endpoint using the <code>@app.post()</code> decorator. By type-hinting the function argument with the Pydantic model we just created (<code>CreateItemRequest</code>), you tell FastAPI to expect a body with that structure.</p> <p>FastAPI will then automatically:</p> <ol> <li> Read the body of the request as JSON.</li> <li> Validate that it matches the <code>CreateItemRequest</code> model.</li> <li> If validation fails, it returns a <code>422 Unprocessable Entity</code> error.</li> <li> If it succeeds, it passes the parsed data as the <code>item</code> argument.</li> </ol> <p>We also specify <code>status_code=201</code> in the decorator to return a <code>201 Created</code> status, which is the correct semantic response for a successful resource creation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">CreateItemRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">is_offer</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/items</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">201</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_item</span><span class="p">(</span><span class="n">item</span><span class="p">:</span> <span class="n">CreateItemRequest</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Creates a new item from a request body.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Item created successfully</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">item_data</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">model_dump</span><span class="p">()}</span> </code></pre> </div> <h3> The Complete HTTP Server Code (Revised) </h3> <p>This final version of our <code>main.py</code> file includes an entry point to run the server directly using <code>uvicorn.run()</code>. This makes the application self-contained.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextlib</span> <span class="kn">import</span> <span class="n">asynccontextmanager</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="c1"># Define the path for our static content </span><span class="n">STATIC_DIR</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sh">"</span><span class="s">static</span><span class="sh">"</span><span class="p">)</span> <span class="n">DATA_FILE</span> <span class="o">=</span> <span class="n">STATIC_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">data.txt</span><span class="sh">"</span> <span class="k">class</span> <span class="nc">CreateItemRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">is_offer</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Manages the creation and cleanup of a static file for demonstration. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is starting up...</span><span class="sh">"</span><span class="p">)</span> <span class="n">STATIC_DIR</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="n">exist_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">DATA_FILE</span><span class="p">.</span><span class="nf">write_text</span><span class="p">(</span><span class="sh">"</span><span class="s">This is a test file served by FastAPI.</span><span class="sh">"</span><span class="p">)</span> <span class="k">yield</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Server is shutting down...</span><span class="sh">"</span><span class="p">)</span> <span class="n">DATA_FILE</span><span class="p">.</span><span class="nf">unlink</span><span class="p">()</span> <span class="n">STATIC_DIR</span><span class="p">.</span><span class="nf">rmdir</span><span class="p">()</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">lifespan</span><span class="o">=</span><span class="n">lifespan</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_root</span><span class="p">():</span> <span class="sh">"""</span><span class="s">A simple root endpoint to confirm the server is running.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Server is running</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/status</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_status</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Returns the current status of the server.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/static/data.txt</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_data_file</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Serves the static data.txt file.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="n">DATA_FILE</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/items/{item_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_item</span><span class="p">(</span><span class="n">item_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Returns a dummy item if the ID is valid, otherwise raises a 404. </span><span class="sh">"""</span> <span class="k">if</span> <span class="n">item_id</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Item with ID </span><span class="si">{</span><span class="n">item_id</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">item_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">item_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">The One Item</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/items</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">201</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_item</span><span class="p">(</span><span class="n">item</span><span class="p">:</span> <span class="n">CreateItemRequest</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Creates a new item from a request body.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Item created successfully</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">item_data</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">model_dump</span><span class="p">()}</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sh">"</span><span class="s">main:app</span><span class="sh">"</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">,</span> <span class="nb">reload</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">ssl_keyfile</span><span class="o">=</span><span class="sh">"</span><span class="s">key.pem</span><span class="sh">"</span><span class="p">,</span> <span class="n">ssl_certfile</span><span class="o">=</span><span class="sh">"</span><span class="s">cert.pem</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> Running the Server </h3> <p>Because we have included the <code>if __name__ == "__main__"</code> block, which calls <code>uvicorn.run()</code> for us, we can now start the server directly using the Python interpreter.</p> <p>Make sure you are in the same directory as your <code>main.py</code>, <code>key.pem</code>, and <code>cert.pem</code> files, and run the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 main.py </code></pre> </div> <p>Your secure HTTP server will start on port 8000 and is now ready to accept requests.</p> <h3> Client-Side Testing Strategy </h3> <p>A critical part of developing a robust API is having an automated test suite. FastAPI provides a <code>TestClient</code> that makes it easy to test your application using frameworks like <code>pytest</code>. The <code>TestClient</code> allows you to send requests to your application in memory without needing to run a live server, resulting in fast and reliable tests.</p> <p>Create a new file named <code>test_http.py</code> in your project directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi.testclient</span> <span class="kn">import</span> <span class="n">TestClient</span> <span class="kn">from</span> <span class="n">main</span> <span class="kn">import</span> <span class="n">app</span><span class="p">,</span> <span class="n">DATA_FILE</span> <span class="k">def</span> <span class="nf">test_read_root</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the root endpoint.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="o">==</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Server is running</span><span class="sh">"</span><span class="p">}</span> <span class="k">def</span> <span class="nf">test_read_status</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the /status endpoint.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/status</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="o">==</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="k">def</span> <span class="nf">test_read_file</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the static file serving endpoint.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/static/data.txt</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="c1"># The file content is read from the original source for the assertion </span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span> <span class="o">==</span> <span class="n">DATA_FILE</span><span class="p">.</span><span class="nf">read_text</span><span class="p">()</span> <span class="k">def</span> <span class="nf">test_get_item_found</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the successful case for finding an item.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/items/1</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="o">==</span> <span class="p">{</span><span class="sh">"</span><span class="s">item_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">The One Item</span><span class="sh">"</span><span class="p">}</span> <span class="k">def</span> <span class="nf">test_get_item_not_found</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the error case for not finding an item.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/items/999</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">404</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="o">==</span> <span class="p">{</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Item with ID 999 not found.</span><span class="sh">"</span><span class="p">}</span> <span class="k">def</span> <span class="nf">test_create_item_success</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the successful creation of an item via POST.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">item_payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Test Item</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">is_offer</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/items</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">item_payload</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span> <span class="c1"># 201 Created </span> <span class="n">response_data</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Item created successfully</span><span class="sh">"</span> <span class="k">assert</span> <span class="n">response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">item_data</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="n">item_payload</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="k">assert</span> <span class="n">response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">item_data</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">is_offer</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="n">item_payload</span><span class="p">[</span><span class="sh">"</span><span class="s">is_offer</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">test_create_item_validation_error_missing_field</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests for a validation error when a required field is missing.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="c1"># The 'name' field is required by the Pydantic model, so this is invalid. </span> <span class="n">item_payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">is_offer</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/items</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">item_payload</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">422</span> <span class="c1"># 422 Unprocessable Entity </span> <span class="k">def</span> <span class="nf">test_create_item_validation_error_wrong_type</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests for a validation error when a field has the wrong data type.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="c1"># The 'name' field should be a string, not an integer. </span> <span class="n">item_payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="mi">123</span><span class="p">,</span> <span class="sh">"</span><span class="s">is_offer</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/items</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">item_payload</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">422</span> <span class="c1"># 422 Unprocessable Entity </span></code></pre> </div> <p>In this script, we import our <code>app</code> object from <code>main.py</code> and pass it to the <code>TestClient</code>. Each function follows the <code>pytest</code> convention of being named <code>test_*</code>. Inside each function, we use the <code>client</code> to make requests to our endpoints and then use <code>assert</code> statements to verify that the status code and response body are exactly what we expect.</p> <p>You will notice in our test suite that the <code>TestClient</code> is instantiated using a <code>with</code> statement inside each test function, rather than being created once at the top of the file. This is a deliberate and critical pattern.</p> <p>Using <code>with TestClient(app) as client:</code> creates a context manager that properly simulates the application's full <strong>lifespan</strong>. When the <code>with</code> block is entered, FastAPI runs the startup portion of our <code>lifespan</code> handler (creating the <code>data.txt</code> file). When the block is exited, it runs the shutdown portion (cleaning up the file).</p> <p>This ensures that each test runs within a clean, predictable application state, which is essential for reliable and isolated testing, especially when dealing with resources like files or database connections.</p> <h3> Running the Tests </h3> <p>To execute the test suite, run <code>pytest</code> from your terminal. The <code>-v</code> flag provides more verbose output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> pytest <span class="nt">-v</span> </code></pre> </div> <p>Pytest will automatically discover and run the functions in <code>test_http.py</code>, reporting the success or failure of each assertion.</p> <h3> Manual and Ad-Hoc Testing </h3> <p>While an automated test suite is essential for validation, it's also useful to interact with your server manually. This is a great way to perform quick, ad-hoc tests or inspect the raw responses from your endpoints while developing.</p> <h4> Testing with <code>curl</code> </h4> <p>The <code>curl</code> command is a powerful, ubiquitous tool for making HTTP requests from the command line. While your <code>uvicorn</code> server is running, you can open a new terminal to send <code>GET</code>, <code>POST</code>, or any other type of request to your endpoints.</p> <p>Because we are using a <strong>self-signed certificate</strong>, you must include the <code>-k</code> (or <code>--insecure</code>) flag. This tells <code>curl</code> to proceed with the request even though it cannot verify the certificate against a trusted Certificate Authority.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test the status endpoint</span> <span class="nv">$ </span>curl <span class="nt">-k</span> https://localhost:8000/status <span class="o">{</span><span class="s2">"status"</span>:<span class="s2">"ok"</span><span class="o">}</span> <span class="c"># Test the static file endpoint</span> <span class="nv">$ </span>curl <span class="nt">-k</span> https://localhost:8000/static/data.txt This is a <span class="nb">test </span>file served by FastAPI. <span class="c"># Test the item-not-found error case</span> <span class="nv">$ </span>curl <span class="nt">-k</span> https://localhost:8000/items/999 <span class="o">{</span><span class="s2">"detail"</span>:<span class="s2">"Item with ID 999 not found."</span><span class="o">}</span> <span class="c"># Test creating a new item via POST</span> <span class="nv">$ </span>curl <span class="nt">-k</span> <span class="nt">-X</span> POST https://localhost:8000/items <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"name": "My New Item", "is_offer": false}'</span> </code></pre> </div> <h4> Testing with a Web Browser </h4> <p>You can also test your <code>GET</code> endpoints directly in a web browser. When you navigate to the URLs, your browser will display a security warning page because the certificate is self-signed and not trusted by default. You will need to click "Advanced" and then "Proceed to localhost (unsafe)" to view the page.</p> <p>You can test the following URLs:</p> <ul> <li><code>https://localhost:8000/status</code></li> <li><code>https://localhost:8000/static/data.txt</code></li> <li><code>https://localhost:8000/items/1</code></li> </ul> <p>The primary script for generating certificates in the repository, <code>gen_certs.sh</code>, uses a modern ED25519 (ECC) key for efficiency. However, some browser and operating system combinations can be overly strict when validating self-signed ECC certificates, which may lead to TLS handshake errors like <code>PR_END_OF_FILE_ERROR</code>.</p> <p>For maximum compatibility, the repository also includes <code>gen_certs_legacy.sh</code>. This script generates a traditional RSA certificate, which is universally supported and provides a reliable fallback if you encounter browser connection issues with the primary ECC certificate.</p> <h2> The WebSocket Layer </h2> <h3> Basic WebSocket Usage </h3> <p>While the HTTP layer is ideal for traditional request-response interactions, it is inefficient for real-time applications that require the server to push data to the client. For this, we turn to WebSockets, which provide a persistent, <strong>bidirectional communication channel</strong> over a single TCP connection.</p> <p>FastAPI provides first-class support for WebSockets. Unlike an HTTP endpoint that processes a single request and returns a response, a WebSocket endpoint is a long-running asynchronous function that manages the entire lifecycle of a connection.</p> <p>You define a WebSocket endpoint using the <code>@app.websocket()</code> decorator. Instead of returning a value, the endpoint function receives a <code>WebSocket</code> object as an argument. This object is the primary interface for interacting with the client: accepting the connection, sending messages, and receiving messages until the connection is closed.</p> <p>First, add <code>WebSocket</code> and <code>WebSocketDisconnect</code> to your FastAPI imports at the top of <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">WebSocket</span><span class="p">,</span> <span class="n">WebSocketDisconnect</span> </code></pre> </div> <h4> Endpoint 1: A Simple Echo Server </h4> <p>The best way to understand the WebSocket connection lifecycle is to build a simple <strong>echo server</strong>. This endpoint will accept a connection, wait for a message from the client, and immediately send that exact same message back.</p> <p>Add the following code to your <code>main.py</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/echo</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_echo</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> A simple WebSocket endpoint that echoes back any message it receives. </span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">message</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_text</span><span class="p">()</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_text</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Echo: </span><span class="si">{</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from echo endpoint.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> Deconstructing the Echo Server </h5> <p>This function demonstrates the fundamental pattern for managing a WebSocket connection in FastAPI:</p> <ol> <li> <strong><code>await websocket.accept()</code></strong>: This is the first and most crucial step. It performs the WebSocket handshake with the client. You must call <code>accept()</code> before any <code>send</code> or <code>receive</code> operations can occur.</li> <li> <strong><code>try...except WebSocketDisconnect</code></strong>: This block ensures we handle the client closing the connection gracefully. When the client disconnects, <code>receive_text()</code> will raise a <code>WebSocketDisconnect</code> exception, allowing us to catch it and cleanly exit the function.</li> <li> <strong><code>while True:</code></strong>: This loop keeps the connection alive after the initial handshake, allowing the server to continuously listen for new messages from the same client.</li> <li> <strong><code>await websocket.receive_text()</code></strong>: This line pauses execution and waits for a message to arrive from the client. Once a message is received, it's stored in the <code>message</code> variable.</li> <li> <strong><code>await websocket.send_text(...)</code></strong>: After receiving a message, this line sends a new message back to the client over the same persistent connection.</li> </ol> <h4> Endpoint 2: A Server-Side Data Streamer </h4> <p>Add the following imports to the top of <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">UTC</span> </code></pre> </div> <p>The true power of WebSockets is the server's ability to <strong>proactively push data to the client</strong> without waiting for a request. This next endpoint demonstrates this by streaming the server's timestamp to the client every second.</p> <p>Add the following code to your <code>main.py</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/stream</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_stream</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Streams the current server time to the client every second. </span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="c1"># Generate the data to send </span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">UTC</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">This is a periodic update from the server.</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># Send the data as JSON </span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># Wait for one second </span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from stream endpoint.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> Deconstructing the Data Streamer </h5> <p>This endpoint builds on the pattern of the echo server but with a key difference: the <code>while True</code> loop is not blocked waiting for <code>receive_text()</code>.</p> <ol> <li> <strong>Server-Initiated Communication</strong>: After accepting the connection, the server immediately enters a loop where it is the one initiating communication. It constructs a JSON payload and sends it to the client using <code>await websocket.send_json()</code>.</li> <li> <strong>Controlled Pacing</strong>: The <code>await asyncio.sleep(1)</code> line is crucial. It pauses the loop for one second, creating a steady, paced stream of data. Without this, the server would flood the client with messages as fast as possible.</li> <li> <strong>Graceful Disconnects</strong>: The <code>try...except WebSocketDisconnect</code> block is especially important here. If the client disconnects, the next call to <code>websocket.send_json()</code> will raise this exception, allowing the server to gracefully stop the streaming task for that connection.</li> </ol> <h4> Endpoint 3: A Simulated Authentication Flow </h4> <p>First, add the necessary imports for cryptographic operations to the top of <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">hashlib</span> </code></pre> </div> <p>This final WebSocket endpoint demonstrates a more realistic, stateful interaction: a private endpoint that requires clients to authenticate before proceeding. We will simulate the server-side validation of a signature-based login, a common pattern used by cryptocurrency exchanges like OKX.</p> <p>The server will expect a login message containing an API key, a timestamp, and a signature. It will then re-compute the signature on its end using a secret key and compare the two to verify the client's identity.</p> <p>Add the following code to your <code>main.py</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># --- DUMMY CREDENTIALS FOR DEMONSTRATION --- # In a real application, these would be stored securely in a database. </span><span class="n">DUMMY_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">abc</span><span class="sh">"</span> <span class="n">DUMMY_API_SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">def</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">_verify_signature</span><span class="p">(</span><span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verifies the signature from a client login message.</span><span class="sh">"""</span> <span class="c1"># Extract the arguments from the payload </span> <span class="k">try</span><span class="p">:</span> <span class="n">args</span> <span class="o">=</span> <span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">args</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">apiKey</span><span class="sh">"</span><span class="p">]</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">]</span> <span class="n">client_sign</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">sign</span><span class="sh">"</span><span class="p">]</span> <span class="nf">except </span><span class="p">(</span><span class="nb">KeyError</span><span class="p">,</span> <span class="nb">IndexError</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Check if the API key is valid </span> <span class="k">if</span> <span class="n">api_key</span> <span class="o">!=</span> <span class="n">DUMMY_API_KEY</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Re-create the signature on the server side </span> <span class="n">message</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="s">GET</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">/users/self/verify</span><span class="sh">'</span> <span class="n">mac</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">DUMMY_API_SECRET</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf8</span><span class="sh">'</span><span class="p">),</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">digestmod</span><span class="o">=</span><span class="sh">'</span><span class="s">sha256</span><span class="sh">'</span> <span class="p">)</span> <span class="n">server_sign</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">mac</span><span class="p">.</span><span class="nf">digest</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="c1"># Securely compare the client's signature with the server's </span> <span class="k">return</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="n">server_sign</span><span class="p">,</span> <span class="n">client_sign</span><span class="p">)</span> <span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/v5/private</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_private</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> A simulated private endpoint requiring signature authentication. </span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Wait for the initial login message </span> <span class="n">login_payload</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_json</span><span class="p">()</span> <span class="k">if</span> <span class="n">login_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">op</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span> <span class="ow">and</span> <span class="nf">_verify_signature</span><span class="p">(</span><span class="n">login_payload</span><span class="p">):</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> <span class="c1"># --- AUTHENTICATED LOOP --- </span> <span class="c1"># The client is now authenticated. </span> <span class="c1"># You could enter another loop here to handle private data. </span> <span class="c1"># For this example, we will just close after login. </span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># If login fails, send an error and close the connection </span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Authentication failed</span><span class="sh">"</span><span class="p">})</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from private endpoint.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Handle potential errors like malformed JSON </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">An error occurred in the private endpoint: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> Deconstructing the Authentication Logic </h5> <ol> <li> <strong>Dummy Credentials</strong>: We define a <code>DUMMY_API_KEY</code> and <code>DUMMY_API_SECRET</code> at the top of the file. In a real system, the server would look up the secret key based on the API key provided by the client.</li> <li> <strong>Signature Verification</strong>: The <code>_verify_signature</code> helper function encapsulates the core logic. It re-creates the exact same <code>message</code> string the client used, generates the HMAC-SHA256 signature with the stored secret key, and base64-encodes it.</li> <li> <strong>Secure Comparison</strong>: It uses <code>hmac.compare_digest()</code> to check if the client's signature matches the one generated by the server. This function is essential for preventing timing attacks.</li> <li> <strong>Handshake Flow</strong>: The main endpoint function waits for a single JSON message. It calls the verification function, sends back a success or failure response, and then closes the connection for this example. In a real application, a successful login would typically lead into another <code>while True</code> loop to handle subsequent private messages.</li> </ol> <h3> The Complete WebSocket Code </h3> <p>To finalize our server, we'll add the WebSocket logic to the existing <code>main.py</code> file. This involves adding several new imports for WebSockets and cryptography, along with the code for our three distinct WebSocket endpoints.</p> <h5> New Imports </h5> <p>Add the following imports to the top of your <code>main.py</code> file alongside the existing ones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">WebSocket</span><span class="p">,</span> <span class="n">WebSocketDisconnect</span> </code></pre> </div> <h4> WebSocket Endpoints and Logic </h4> <p>Add this entire block of code to the end of your <code>main.py</code> file, before the <code>if __name__ == "__main__"</code> block.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># --- DUMMY CREDENTIALS FOR DEMONSTRATION --- </span><span class="n">DUMMY_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">abc</span><span class="sh">"</span> <span class="n">DUMMY_API_SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">def</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">_verify_signature</span><span class="p">(</span><span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verifies the signature from a client login message.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">args</span> <span class="o">=</span> <span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">args</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">apiKey</span><span class="sh">"</span><span class="p">]</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">]</span> <span class="n">client_sign</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="sh">"</span><span class="s">sign</span><span class="sh">"</span><span class="p">]</span> <span class="nf">except </span><span class="p">(</span><span class="nb">KeyError</span><span class="p">,</span> <span class="nb">IndexError</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="n">api_key</span> <span class="o">!=</span> <span class="n">DUMMY_API_KEY</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">message</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="s">GET</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">/users/self/verify</span><span class="sh">'</span> <span class="n">mac</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">DUMMY_API_SECRET</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf8</span><span class="sh">'</span><span class="p">),</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">digestmod</span><span class="o">=</span><span class="sh">'</span><span class="s">sha256</span><span class="sh">'</span> <span class="p">)</span> <span class="n">server_sign</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">mac</span><span class="p">.</span><span class="nf">digest</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">return</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span><span class="n">server_sign</span><span class="p">,</span> <span class="n">client_sign</span><span class="p">)</span> <span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/echo</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_echo</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s">A simple WebSocket endpoint that echoes back any message it receives.</span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">message</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_text</span><span class="p">()</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_text</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Echo: </span><span class="si">{</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from echo endpoint.</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/stream</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_stream</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Streams the current server time to the client every second.</span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">UTC</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">This is a periodic update from the server.</span><span class="sh">"</span> <span class="p">}</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from stream endpoint.</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.websocket</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/v5/private</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">websocket_private</span><span class="p">(</span><span class="n">websocket</span><span class="p">:</span> <span class="n">WebSocket</span><span class="p">):</span> <span class="sh">"""</span><span class="s">A simulated private endpoint requiring signature authentication.</span><span class="sh">"""</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">login_payload</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_json</span><span class="p">()</span> <span class="k">if</span> <span class="n">login_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">op</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span> <span class="ow">and</span> <span class="nf">_verify_signature</span><span class="p">(</span><span class="n">login_payload</span><span class="p">):</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> <span class="c1"># In a real app, a loop would follow for private data exchange. </span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Authentication failed</span><span class="sh">"</span><span class="p">})</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">except</span> <span class="n">WebSocketDisconnect</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Client disconnected from private endpoint.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">An error occurred in the private endpoint: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Testing the WebSocket Endpoints </h3> <p>Testing WebSockets requires a different approach than testing HTTP endpoints. We need a client that can establish a persistent connection and exchange messages. We will cover two methods: an automated suite using <code>pytest</code> and FastAPI's <code>TestClient</code>, and a manual script for ad-hoc interactive testing.</p> <h4> Automated Testing with Pytest </h4> <p>FastAPI's <code>TestClient</code> provides a <code>websocket_connect()</code> context manager that allows us to test our WebSocket endpoints just as easily as our HTTP endpoints.</p> <p>Create a new file named <code>test_websockets.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">fastapi.testclient</span> <span class="kn">import</span> <span class="n">TestClient</span> <span class="kn">from</span> <span class="n">main</span> <span class="kn">import</span> <span class="n">app</span> <span class="c1"># --- Test Data for Private Endpoint --- </span><span class="n">DUMMY_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">abc</span><span class="sh">"</span> <span class="n">DUMMY_API_SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">def</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">get_auth_payload</span><span class="p">(</span><span class="n">api_key</span><span class="p">,</span> <span class="n">api_secret</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generates a valid login payload for the private endpoint.</span><span class="sh">"""</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="n">message</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="s">GET</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">/users/self/verify</span><span class="sh">'</span> <span class="n">mac</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">api_secret</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf8</span><span class="sh">'</span><span class="p">),</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">digestmod</span><span class="o">=</span><span class="sh">'</span><span class="s">sha256</span><span class="sh">'</span> <span class="p">)</span> <span class="n">sign</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">mac</span><span class="p">.</span><span class="nf">digest</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">op</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">args</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span> <span class="sh">"</span><span class="s">apiKey</span><span class="sh">"</span><span class="p">:</span> <span class="n">api_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">passphrase</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">dummy_passphrase</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Not used in our server logic </span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">),</span> <span class="sh">"</span><span class="s">sign</span><span class="sh">"</span><span class="p">:</span> <span class="n">sign</span> <span class="p">}]</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">test_websocket_echo</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the /ws/echo endpoint.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">websocket_connect</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/echo</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">websocket</span><span class="p">:</span> <span class="n">test_message</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Hello, WebSocket!</span><span class="sh">"</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_text</span><span class="p">(</span><span class="n">test_message</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_text</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response</span> <span class="o">==</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Echo: </span><span class="si">{</span><span class="n">test_message</span><span class="si">}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_websocket_stream</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests the /ws/stream endpoint for a few messages.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">websocket_connect</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/stream</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">websocket</span><span class="p">:</span> <span class="c1"># Receive the first 3 messages from the stream </span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_json</span><span class="p">()</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">response</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">response</span> <span class="c1"># The test client automatically closes the connection here. </span> <span class="k">def</span> <span class="nf">test_websocket_private_auth_success</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests a successful authentication on the private endpoint.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">websocket_connect</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/v5/private</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">websocket</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">get_auth_payload</span><span class="p">(</span><span class="n">DUMMY_API_KEY</span><span class="p">,</span> <span class="n">DUMMY_API_SECRET</span><span class="p">)</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_json</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response</span> <span class="o">==</span> <span class="p">{</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">}</span> <span class="k">def</span> <span class="nf">test_websocket_private_auth_failure</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Tests a failed authentication with a bad secret.</span><span class="sh">"""</span> <span class="k">with</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">websocket_connect</span><span class="p">(</span><span class="sh">"</span><span class="s">/ws/v5/private</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">websocket</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">get_auth_payload</span><span class="p">(</span><span class="n">DUMMY_API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">BAD_SECRET</span><span class="sh">"</span><span class="p">)</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">receive_json</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span> <span class="k">assert</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">]</span> <span class="ow">is</span> <span class="bp">False</span> </code></pre> </div> <p>To run these tests, use the same <code>pytest</code> command as before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pytest <span class="nt">-v</span> </code></pre> </div> <h4> Manual Testing with a Client Script </h4> <p>For interactive testing, we can create a small client using the <code>websockets</code> library. This allows us to connect to our running server and see the message exchange in real-time.</p> <p>Create a new file named <code>manual_ws_client.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">websockets</span> <span class="c1"># Include the same auth payload generator from our tests </span><span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">base64</span> <span class="n">DUMMY_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">abc</span><span class="sh">"</span> <span class="n">DUMMY_API_SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">def</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">get_auth_payload</span><span class="p">(</span><span class="n">api_key</span><span class="p">,</span> <span class="n">api_secret</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="n">message</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="s">GET</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">/users/self/verify</span><span class="sh">'</span> <span class="n">mac</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="nf">bytes</span><span class="p">(</span><span class="n">api_secret</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf8</span><span class="sh">'</span><span class="p">),</span> <span class="nf">bytes</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">digestmod</span><span class="o">=</span><span class="sh">'</span><span class="s">sha256</span><span class="sh">'</span><span class="p">)</span> <span class="n">sign</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">mac</span><span class="p">.</span><span class="nf">digest</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">op</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">args</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">apiKey</span><span class="sh">"</span><span class="p">:</span> <span class="n">api_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">passphrase</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pw</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">timestamp</span><span class="p">),</span> <span class="sh">"</span><span class="s">sign</span><span class="sh">"</span><span class="p">:</span> <span class="n">sign</span><span class="p">}]}</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="p">.</span><span class="nc">ArgumentParser</span><span class="p">(</span><span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Manual WebSocket client.</span><span class="sh">"</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">"</span><span class="s">endpoint</span><span class="sh">"</span><span class="p">,</span> <span class="n">choices</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">echo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stream</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">private</span><span class="sh">"</span><span class="p">],</span> <span class="n">help</span><span class="o">=</span><span class="sh">"</span><span class="s">The endpoint to connect to.</span><span class="sh">"</span><span class="p">)</span> <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="p">.</span><span class="nf">parse_args</span><span class="p">()</span> <span class="c1"># Create an SSL context that trusts our self-signed certificate </span> <span class="n">ssl_context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nc">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="p">.</span><span class="n">PROTOCOL_TLS_CLIENT</span><span class="p">)</span> <span class="n">ssl_context</span><span class="p">.</span><span class="n">check_hostname</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">ssl_context</span><span class="p">.</span><span class="n">verify_mode</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="n">CERT_NONE</span> <span class="n">uri</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">wss://localhost:8000/ws/</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">endpoint</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">endpoint</span> <span class="o">==</span> <span class="sh">'</span><span class="s">private</span><span class="sh">'</span><span class="p">:</span> <span class="n">uri</span> <span class="o">=</span> <span class="sh">"</span><span class="s">wss://localhost:8000/ws/v5/private</span><span class="sh">"</span> <span class="k">async</span> <span class="k">with</span> <span class="n">websockets</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">uri</span><span class="p">,</span> <span class="n">ssl</span><span class="o">=</span><span class="n">ssl_context</span><span class="p">)</span> <span class="k">as</span> <span class="n">websocket</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Connected to </span><span class="si">{</span><span class="n">uri</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">endpoint</span> <span class="o">==</span> <span class="sh">"</span><span class="s">echo</span><span class="sh">"</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">message</span> <span class="o">=</span> <span class="nf">input</span><span class="p">(</span><span class="sh">"</span><span class="s">Message to send (or </span><span class="sh">'</span><span class="s">exit</span><span class="sh">'</span><span class="s">): </span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">message</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">'</span><span class="s">exit</span><span class="sh">'</span><span class="p">:</span> <span class="k">break</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">recv</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">&lt; Received: </span><span class="si">{</span><span class="n">response</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">args</span><span class="p">.</span><span class="n">endpoint</span> <span class="o">==</span> <span class="sh">"</span><span class="s">stream</span><span class="sh">"</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">recv</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">&lt; Received: </span><span class="si">{</span><span class="n">response</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">websockets</span><span class="p">.</span><span class="n">ConnectionClosed</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Stream connection closed by server.</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">args</span><span class="p">.</span><span class="n">endpoint</span> <span class="o">==</span> <span class="sh">"</span><span class="s">private</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">get_auth_payload</span><span class="p">(</span><span class="n">DUMMY_API_KEY</span><span class="p">,</span> <span class="n">DUMMY_API_SECRET</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">&gt; Sending login request: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">websocket</span><span class="p">.</span><span class="nf">recv</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">&lt; Received: </span><span class="si">{</span><span class="n">response</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">main</span><span class="p">())</span> </code></pre> </div> <p>To use this script, make sure your FastAPI server is running. Then, from a new terminal, run one of the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test the echo server interactively</span> python3 manual_ws_client.py <span class="nb">echo</span> <span class="c"># Connect to the data stream</span> python3 manual_ws_client.py stream <span class="c"># Test the private endpoint authentication</span> python3 manual_ws_client.py private </code></pre> </div> <h3> Measuring Test Coverage </h3> <p>While our test suite validates our endpoints, <strong>test coverage</strong> is a metric that tells us which lines of our application code were actually executed during the test run. It's a valuable tool for identifying parts of your codebase that are not tested at all.</p> <p>First, you'll need to install the <code>pytest-cov</code> plugin (included in requirements.txt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> pip <span class="nb">install </span>pytest-cov </code></pre> </div> <p>Now, you can run <code>pytest</code> with the <code>--cov</code> flag to generate a coverage report. We'll target our <code>main</code> module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> pytest <span class="nt">--cov</span><span class="o">=</span>main <span class="nt">-v</span> </code></pre> </div> <p>After the tests complete, you will see a report similar to this at the bottom of the output, showing that our tests exercised 100% of our application code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>================================================== test session starts ================================================== platform linux -- Python 3.11.2, pytest-8.4.1, pluggy-1.6.0 -- xxx cachedir: .pytest_cache rootdir: xxx plugins: cov-6.2.1, anyio-4.10.0 collected 12 items test_http.py::test_read_root PASSED [ 8%] test_http.py::test_read_status PASSED [ 16%] test_http.py::test_read_file PASSED [ 25%] test_http.py::test_get_item_found PASSED [ 33%] test_http.py::test_get_item_not_found PASSED [ 41%] test_http.py::test_create_item_success PASSED [ 50%] test_http.py::test_create_item_validation_error_missing_field PASSED [ 58%] test_http.py::test_create_item_validation_error_wrong_type PASSED [ 66%] test_websockets.py::test_websocket_echo PASSED [ 75%] test_websockets.py::test_websocket_stream PASSED [ 83%] test_websockets.py::test_websocket_private_auth_success PASSED [ 91%] test_websockets.py::test_websocket_private_auth_failure PASSED [100%] ==================================================== tests coverage ===================================================== ____________________________________ coverage: platform linux, python 3.11.2-final-0 ____________________________________ Name Stmts Miss Cover ----------------------------- main.py 93 9 90% ----------------------------- TOTAL 93 9 90% ================================================== 12 passed in 2.30s =================================================== </code></pre> </div> <h1> Conclusion </h1> <p>In this guide, we have built a complete, dual-protocol server from the ground up. You have moved from the foundational theory of HTTP and WebSockets to implementing a secure, tested, and robust application using FastAPI. This server is not just a simple example; it is a solid foundation that correctly handles application state, serves different of content, manages errors gracefully, and provides real-time communication capabilities.</p> <p>This guide presents one approach to building and testing a dual-protocol server, but there are many valid techniques and architectures. I'm keen to hear about your own experiences and preferred stacks. What challenges have you encountered when working with WebSockets in a production environment, and what tools have you found indispensable for testing and validation? Share your thoughts and questions in the comments below. </p> fastapi webdev testing programming Warren Jitsing Tue, 30 Dec 2025 09:04:58 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-09-building-a-sovereign-software-factory-monitoring-with-prometheus-grafana-227k https://dev.to/warren_jitsing_dd1c1d6fc6/part-09-building-a-sovereign-software-factory-monitoring-with-prometheus-grafana-227k <p>GitHub: <a href="https://github.com/InfiniteConsult/0013_cicd_part09_prometheus_grafana" rel="noopener noreferrer">https://github.com/InfiniteConsult/0013_cicd_part09_prometheus_grafana</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Black Box" problem where we cannot see the health of our infrastructure. We construct the <strong>"Observatory"</strong> by deploying <strong>Prometheus</strong> (The Brain) and <strong>Grafana</strong> (The Face). We implement a "Pull" monitoring architecture, deploying <strong>Exporters</strong> to translate the opaque internal states of our Host, Docker Engine, and legacy applications into standardized metrics. We navigate complex <strong>Integration Hurdles</strong>, using "Architect Scripts" to inject secrets and pre-configure dashboards, and we solve the "Trust Gap" by embedding our Root CA directly into Grafana's provisioning logic, achieving full-stack visibility over our encrypted <code>cicd-net</code> city.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09: Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</strong> (You are here)</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The Challenge - The Opaque Infrastructure </h1> <h2> 1.1 The "Black Box" City </h2> <p>In the previous eight articles, we have meticulously constructed a sovereign, end-to-end Software Supply Chain. We started with the bedrock of <strong>Docker</strong> and a custom <strong>Certificate Authority</strong>, then built a <strong>Library</strong> (GitLab) to store our blueprints, a <strong>Factory</strong> (Jenkins) to manufacture our products, an <strong>Inspector</strong> (SonarQube) to certify their quality, a <strong>Warehouse</strong> (Artifactory) to store them securely, a <strong>Command Center</strong> (Mattermost) to coordinate our teams, and an <strong>Investigation Office</strong> (ELK Stack) to analyze our logs.</p> <p>Technically, our city is operational. The pipelines run, the code is analyzed, the artifacts are shipped, and the logs are indexed.</p> <p>Functionally, however, our city is opaque. It is a "Black Box."</p> <p>We know <em>that</em> the factory is running, but we do not know if the engines are overheating. We know the warehouse is accepting packages, but we do not know if the shelves are 99% full. When a build suddenly takes 15 minutes instead of 5, we are forced to guess the cause. Is the Jenkins container CPU-starved? Is the GitLab database locking up? Is the host machine running out of memory?</p> <p>Currently, the only way to answer these questions is manual intervention. We have to SSH into the host, run <code>top</code> to check load averages, install <code>iotop</code> to check disk usage, and grepping through application-specific status pages. We are flying a complex spaceship with no instrument panel, relying on the sound of the engine to detect trouble.</p> <p>In a professional environment, this lack of visibility is a critical risk. We cannot wait for a crash to know we are in danger. We need a centralized <strong>Observatory</strong>—a single pane of glass that constantly measures the vital signs of every component in our stack, alerting us to degradation <em>before</em> it becomes a disaster.</p> <p>To achieve this, we will deploy the industry-standard cloud-native monitoring stack: <strong>Prometheus</strong> (The Brain) and <strong>Grafana</strong> (The Face).</p> <h2> 1.2 The Technical Barrier: Troubleshooting by Flashlight </h2> <p>The fundamental flaw in our current architecture is not a lack of data; it is a lack of <strong>aggregation</strong>.</p> <p>Currently, when a developer reports that "the pipeline is stuck," diagnosing the root cause requires a manual, multi-step investigation that resembles troubleshooting by flashlight in a dark room.</p> <ol> <li> <strong>Is it the Host?</strong> We must SSH into the server and run <code>htop</code>. We might see high load averages, but we cannot tell <em>history</em>. Was the load high 10 minutes ago when the build failed, or is it high now because we are running diagnostics? We lack temporal context.</li> <li> <strong>Is it the Factory?</strong> We log into the Jenkins UI to check the build queue. We might see executors are busy, but we cannot see if the JVM heap is exhausted or if Garbage Collection is pausing the system.</li> <li> <strong>Is it the Library?</strong> We check GitLab logs. We might see slow SQL queries, but we cannot easily correlate them with the exact timestamp of the Jenkins build spike.</li> </ol> <p>This disconnected workflow forces us to hold the entire state of the distributed system in our heads. We are trying to manually correlate a CPU spike on the host (Infrastructure Layer) with a slow database query in GitLab (Application Layer) and a timeout in Jenkins (Service Layer). This cognitive load is unsustainable. As our city grows, the complexity of these interactions increases exponentially, turning every minor incident into a major forensic investigation.</p> <h2> 1.3 The Solution: The Observatory </h2> <p>To solve this, we must decouple <strong>Metric Generation</strong> from <strong>Metric Analysis</strong>. We need a system that passively collects the vital signs of our city and aggregates them into a single, unified view. We need to move from reactive troubleshooting to proactive observability.</p> <p>We will achieve this by deploying the industry-standard "Cloud Native" monitoring stack:</p> <ol> <li> <strong>The Sensors (Exporters):</strong> We will deploy small, lightweight agents alongside our services. These agents act as translators, converting the opaque internal state of a service (Linux Kernel stats, Docker cgroups, JVM memory pools) into a standardized, machine-readable format.</li> <li> <strong>The Brain (Prometheus):</strong> This is our Time-Series Database (TSDB). Unlike traditional monitoring tools that wait for agents to "push" data to them, Prometheus actively "pulls" (scrapes) data from our sensors on a strict schedule. This architectural inversion makes the brain incredibly resilient; if a sensor dies, the brain knows immediately because the scrape fails.</li> <li> <strong>The Face (Grafana):</strong> This is our visualization engine. It connects to the Brain, queries the historical data, and renders it into intuitive, real-time dashboards.</li> </ol> <p>However, deploying this stack in our environment introduces a specific <strong>Integration Hurdle</strong>. We have built a "Zero Trust" city. Our services communicate over strict HTTPS channels using a private Certificate Authority. We cannot simply drop a default Prometheus container into the network and expect it to work. It will be blocked by our security layers. We must engineer our Observatory to possess the same cryptographic identity as the rest of our city, enabling it to peer inside our secure HTTPS enclaves without breaking the chain of trust.</p> <h1> Chapter 2: Architecture - The Pull Model &amp; The Chain of Trust </h1> <h2> 2.1 The Theory: "Push" vs. "Pull" Monitoring </h2> <p>Before we write code, we must understand the fundamental architectural shift that Prometheus represents. Traditional monitoring systems (like Nagios or older ELK setups) rely on a <strong>"Push"</strong> model. In this model, you install an intelligent agent on every server. This agent collects data and actively transmits it to a central collector.</p> <p>This model has significant fragility. If the central server goes down, every agent in your fleet panics. They must buffer data locally, consuming RAM on your production servers, or drop data, creating gaps in your history. Furthermore, configuration is decentralized; if you want to change the reporting interval, you often have to update the config on hundreds of agents.</p> <p>Prometheus inverts this architecture. It uses a <strong>"Pull"</strong> (Scrape) model.</p> <p>In our stack, the agents (which we call Exporters) are dumb. They do not know Prometheus exists. They simply expose a lightweight HTTP endpoint (<code>/metrics</code>) that displays their current state. Prometheus is the active initiator. It wakes up on a defined schedule (e.g., every 15 seconds), reaches out to every target in its configuration, and "scrapes" the current data.</p> <p>This inversion creates a highly resilient system. If Prometheus goes down for maintenance, the agents don't care; they just keep serving their endpoint. There is no buffering pressure on our production services. If a target dies, Prometheus knows instantly because the network connection fails—there is no waiting for a "heartbeat" to timeout. We control the entire monitoring cadence from one central configuration file (<code>prometheus.yml</code>), rather than managing config files scattered across the city.</p> <h2> 2.2 The Components: Sensors, Brain, and Face </h2> <p>Our Observatory is built on three specialized pillars, each performing a single function with high efficiency.</p> <ol> <li> <strong>The Sensors (Exporters &amp; Native Endpoints):</strong> These are the translators and signals of our city. In a perfect world, every piece of software would speak Prometheus natively. In reality, we deal with a mix of modern applications and legacy systems. To handle this, we employ two distinct strategies for data collection: <ul> <li> <strong>Native Instrumentation:</strong> Many of our "Cloud Native" tools—<strong>GitLab</strong>, <strong>Artifactory</strong>, <strong>SonarQube</strong>, and <strong>Mattermost</strong>—have internalized the need for observability. They expose their own <code>/metrics</code> endpoints directly. We do not need to install extra software to monitor them; we simply need to configure Prometheus to scrape their built-in API. Even <strong>Jenkins</strong>, essentially a legacy Java application, joins this category thanks to its Prometheus plugin.</li> <li> <strong>The Exporter Pattern (Translators):</strong> Other components—specifically the <strong>Linux Kernel</strong>, the <strong>Docker Daemon</strong>, and <strong>Elasticsearch</strong>—do not natively speak Prometheus. For these, we deploy "Exporters." These are lightweight sidecar processes that query the target (e.g., reading <code>/proc</code> files or hitting the Elasticsearch <code>_cluster/health</code> API) and translate that raw data into the standardized Prometheus format on the fly. We use <strong>Node Exporter</strong> for host hardware, <strong>cAdvisor</strong> for container stats, and the <strong>Elasticsearch Exporter</strong> for log cluster health.</li> <li> <em>Architectural Note:</em> You will notice we are <em>not</em> deploying a PostgreSQL exporter. This is a deliberate scope decision. While a dedicated DB exporter offers deep insight into lock contention and buffer pools, our primary focus is "Service Health" as seen by the application. If GitLab is slow, its native metrics will reveal slow database transaction times, often giving us enough context without the added complexity of managing database credentials for a dedicated exporter.</li> </ul> </li> <li> <strong>The Brain (Prometheus):</strong> This is the Time-Series Database (TSDB). It is the central authority. It holds the map of the city (<code>prometheus.yml</code>) and is responsible for reaching out to every sensor—whether Native or Exporter—to collect data. It stores this data in a highly optimized format on disk and evaluates alerting rules. It is optimized for write throughput and reliability.</li> <li> <strong>The Face (Grafana):</strong> This is the visualization engine. While Prometheus is excellent at storing data, its native UI is rudimentary. Grafana connects to Prometheus as a datasource. It executes queries (using PromQL) against the Brain and renders the results into rich, interactive dashboards. It is the single pane of glass where we will observe our city.</li> </ol> <h2> 2.3 The Security Architecture: The Chain of Trust </h2> <p>Security in a distributed system is usually a trade-off between purity and pragmatism. In our "City," our primary directive is <strong>"HTTPS Everywhere."</strong> We have established a private Certificate Authority, and for the vast majority of our citizens—<strong>GitLab, Jenkins, Artifactory, Mattermost, Prometheus, and Grafana</strong>—we strictly enforce encrypted communication. When Prometheus scrapes Jenkins, it validates the server's identity using our Root CA, ensuring that no intruder can spoof the factory's vital signs.</p> <p>However, we must address two specific architectural exceptions: <strong>SonarQube</strong> and <strong>cAdvisor</strong>.</p> <p>Unlike our modern "Cloud Native" tools, neither of these applications supports native TLS termination. They expect to sit behind a reverse proxy (like Nginx) that handles the encryption for them. In a high-compliance production environment, we would build custom Docker images that bundle an Nginx sidecar into the container to wrap these services in SSL. However, to keep our architecture lean and focused on the <em>principles</em> of observability rather than the nuances of Nginx configuration, we have elected to run these two specific endpoints over plain HTTP.</p> <p>We mitigate this risk through <strong>Isolation</strong> and <strong>Authentication</strong>:</p> <ol> <li> <strong>Network Isolation (cAdvisor):</strong> The cAdvisor container is a "Dark Service." It exposes <em>no ports</em> to the host machine. It lives entirely within the <code>cicd-net</code> Docker network. The only entity that can reach it is Prometheus, which resides on the same private virtual network. It is effectively air-gapped from the rest of the world.</li> <li> <strong>Strict Authentication (SonarQube):</strong> While SonarQube's metrics travel over HTTP, they are not open to the public. If a rogue process attempts to query the endpoint <code>http://sonarqube:9000/api/monitoring/metrics</code>, it will be rejected with an HTTP 403 error: <code>{"errors":[{"msg":"Insufficient privileges"}]}</code>. Access requires a high-entropy <strong>System Passcode</strong>, which we generate and inject strictly into the Prometheus configuration. We rely on strong identity (Who are you?) to compensate for the lack of transport encryption (Can anyone read this?) within our private network perimeter.</li> </ol> <h1> Chapter 3: The Architect - Preparing the Environment </h1> <h2> 3.1 The Pre-Computation Strategy </h2> <p>In many tutorials, you are asked to manually create a <code>prometheus.yml</code> file, copy-paste some YAML, and hope for the best. In our City, we reject this manual "Click-Ops" approach. It is error-prone, insecure, and hard to replicate.</p> <p>Instead, we employ a <strong>Pre-Computation Strategy</strong>. We use a shell script—The Architect (<code>01-setup-monitoring.sh</code>)—to dynamically generate our configuration files <em>before</em> the containers ever launch.</p> <p>This approach offers critical advantages for our complex environment:</p> <ol> <li> <strong>Secret Injection:</strong> We can securely inject high-entropy secrets (like the <code>SONAR_WEB_SYSTEMPASSCODE</code> or the <code>ARTIFACTORY_ADMIN_TOKEN</code>) directly into the configuration files without ever hardcoding them in our source repository.</li> <li> <strong>Path Consistency:</strong> We ensure that certificate paths match exactly between the host (where we manage files) and the container (where the app reads them).</li> <li> <strong>Permission Management:</strong> We can automate the complex permission hand-offs required to satisfy the strict UID requirements of Prometheus and Grafana.</li> </ol> <p>This script acts as the construction crew that lays the foundation, pours the concrete, and wires the electricity before the residents move in.</p> <h2> 3.2 The Map of the City (<code>prometheus.yml</code>) </h2> <p>The heart of our monitoring system is the <code>prometheus.yml</code> file. This file acts as the "Map of the City," telling the Brain exactly where every Sensor is located and how to talk to it.</p> <p>Our Architect script generates a configuration with <strong>9 distinct scrape jobs</strong>, covering every layer of our stack:</p> <ol> <li> <strong>Infrastructure:</strong> <ul> <li> <code>node-exporter</code>: Monitors the host hardware (CPU, RAM, Disk).</li> <li> <code>cadvisor</code>: Monitors Docker containers.</li> <li> <code>elasticsearch-exporter</code>: Monitors the log storage cluster.</li> </ul> </li> <li> <strong>Applications:</strong> <ul> <li> <code>jenkins</code>, <code>gitlab</code>, <code>artifactory</code>, <code>mattermost</code>: Monitor the service-level performance (HTTP request rates, build queues, transaction times).</li> </ul> </li> <li> <strong>Special Cases:</strong> <ul> <li> <code>sonarqube</code>: Uses a custom header (<code>X-Sonar-Passcode</code>) for authentication instead of a standard token.</li> <li> <code>prometheus</code>: The Brain monitors itself to ensure <em>it</em> isn't running out of memory.</li> </ul> </li> </ol> <p>Crucially, the script enforces our <strong>Zero Trust</strong> model. For every service capable of it (Jenkins, GitLab, Artifactory), we set <code>scheme: https</code> and point to the <code>ca_file</code>. This ensures that when Prometheus reaches out to scrape metrics, it is validating the cryptographic identity of the target. We are not just blindly trusting that the IP <code>172.30.0.x</code> belongs to Jenkins; we are verifying it against our Root CA.</p> <h2> 3.3 The Integration Hurdle: Embedded Trust (<code>datasources.yaml</code>) </h2> <p>While <code>prometheus.yml</code> defines how the Brain talks to the Sensors, <code>datasources.yaml</code> defines how the Face (Grafana) talks to the Brain (Prometheus).</p> <p>Since our Prometheus instance is secured with HTTPS, Grafana cannot simply connect to <code>http://prometheus:9090</code>. It must connect to <code>https://prometheus.cicd.local:9090</code>. This introduces a classic "Chicken and Egg" problem regarding trust. Grafana needs to trust the Certificate Authority (CA) that signed Prometheus's certificate.</p> <p>In a standard deployment, you might mount the <code>ca.pem</code> file into the Grafana container and point to it with a file path. However, this creates a hard dependency on the container's filesystem structure. If the mount fails or the path changes, Grafana breaks.</p> <p>Our Architect script takes a more robust approach: <strong>Certificate Embedding</strong>.</p> <p>Using <code>sed</code>, the script reads the content of our <code>ca.pem</code> on the host, indents it correctly for YAML, and injects the actual certificate data directly into the <code>datasources.yaml</code> file under the <code>secureJsonData.tlsCACert</code> field.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">secureJsonData</span><span class="pi">:</span> <span class="na">tlsCACert</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">-----BEGIN CERTIFICATE-----</span> <span class="s">MIIFVTCCAz2gAwIBAgIU...</span> <span class="s">...</span> <span class="s">-----END CERTIFICATE-----</span> </code></pre> </div> <p>This makes the configuration <strong>portable</strong> and <strong>self-contained</strong>. Grafana does not need to look for a file on disk; the trust store is baked directly into its provisioning logic. This ensures that the connection between the Face and the Brain is encrypted and verified from the very first millisecond of boot time.</p> <h2> 3.4 The Critical Barrier: File Permissions (UID 65534 &amp; 472) </h2> <p>The most common reason for a Prometheus or Grafana deployment to fail in a "hardened" environment is a permissions mismatch.</p> <p>By default, when you mount a host directory into a Docker container, the permissions are passed through verbatim. If your config files on the host are owned by <code>root</code> (because you used <code>sudo</code>) or your personal user, the process inside the container must have read access to those users' files.</p> <p>However, for security reasons, neither Prometheus nor Grafana runs as <code>root</code>.</p> <ul> <li> <strong>Prometheus</strong> runs as the <code>nobody</code> user (UID <strong>65534</strong>).</li> <li> <strong>Grafana</strong> runs as a specific <code>grafana</code> user (UID <strong>472</strong>).</li> </ul> <p>If we simply mount our generated configuration files into the containers, they will crash immediately with <code>permission denied</code> errors because UID 65534 cannot read a file owned by UID 1000 (your user) or UID 0 (root) with strict permissions.</p> <p>Our Architect script solves this via <strong>Surgical Ownership</strong>. In Phase 6, it performs a precise <code>chown</code> operation:</p> <ol> <li>It changes the ownership of the Prometheus configuration and certificate directories to <code>65534:65534</code>.</li> <li>It changes the ownership of the Grafana directories to <code>472:472</code>.</li> </ol> <p>This ensures that when the containers wake up, the files they need to breathe (configs) and the ground they need to walk on (data volumes) belong to them. This preemptive alignment prevents the "CrashLoopBackOff" nightmare that plagues so many manual deployments.</p> <h2> 3.5 The Source Code: 01-setup-monitoring.sh </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-monitoring.sh</span> <span class="c">#</span> <span class="c"># The "Architect" script for Prometheus &amp; Grafana.</span> <span class="c">#</span> <span class="c"># 1. Secrets: Generates GRAFANA_ADMIN_PASSWORD &amp; SONAR_WEB_SYSTEMPASSCODE.</span> <span class="c"># 2. Certs: Stages existing certs into config dirs.</span> <span class="c"># 3. Configs: Generates prometheus.yml, grafana.ini, datasources.yaml.</span> <span class="c"># 4. Permissions: Sets surgical ownership for UID 65534 &amp; 472.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">PROMETHEUS_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/prometheus"</span> <span class="nv">GRAFANA_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/grafana"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># Source CA Paths</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">SRC_CA_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="nv">SRC_PROM_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/prometheus.cicd.local/prometheus.cicd.local.crt.pem"</span> <span class="nv">SRC_PROM_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/prometheus.cicd.local/prometheus.cicd.local.key.pem"</span> <span class="nv">SRC_GRAF_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/grafana.cicd.local/grafana.cicd.local.crt.pem"</span> <span class="nv">SRC_GRAF_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/grafana.cicd.local/grafana.cicd.local.key.pem"</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting Monitoring 'Architect' Setup..."</span> <span class="c"># --- 2. Secrets Management ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 1: Secrets Management ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load existing secrets</span> <span class="nb">set</span> <span class="nt">-a</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">set</span> +a <span class="c"># Helper to append new secrets</span> append_secret<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">key</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">val</span><span class="o">=</span><span class="nv">$2</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^</span><span class="nv">$key</span><span class="s2">="</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">=</span><span class="se">\"</span><span class="nv">$val</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Generated </span><span class="nv">$key</span><span class="s2">"</span> <span class="nb">export</span> <span class="nv">$key</span><span class="o">=</span><span class="s2">"</span><span class="nv">$val</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Found existing </span><span class="nv">$key</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> generate_password<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 16<span class="p">;</span> <span class="o">}</span> generate_passcode<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 32<span class="p">;</span> <span class="o">}</span> <span class="c"># Generate missing monitoring secrets</span> append_secret <span class="s2">"GRAFANA_ADMIN_PASSWORD"</span> <span class="s2">"</span><span class="si">$(</span>generate_password<span class="si">)</span><span class="s2">"</span> append_secret <span class="s2">"SONAR_WEB_SYSTEMPASSCODE"</span> <span class="s2">"</span><span class="si">$(</span>generate_passcode<span class="si">)</span><span class="s2">"</span> <span class="c"># Validate dependencies</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_ADMIN_TOKEN</span><span class="s2">"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: Missing dependency secrets (ARTIFACTORY_ADMIN_TOKEN or ELASTIC_PASSWORD)."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Directory &amp; Permission Prep ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 2: Directory Preparation ---"</span> <span class="c"># Take ownership to current user to allow writing configs without sudo</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">"</span> <span class="c"># Create config structures</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning/datasources"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning/dashboards"</span> <span class="c"># --- 4. Certificate Staging ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Staging Certificates ---"</span> <span class="c"># Prometheus</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs/ca.pem"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_PROM_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs/prometheus.crt"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_PROM_KEY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs/prometheus.key"</span> <span class="c"># Grafana</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs/ca.pem"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_GRAF_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs/grafana.crt"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_GRAF_KEY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs/grafana.key"</span> <span class="nb">echo</span> <span class="s2">" Certificates staged."</span> <span class="c"># --- 5. Configuration Generation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 4: Generating Configurations ---"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$PROMETHEUS_BASE</span><span class="sh">/config/prometheus.yml" global: scrape_interval: 15s evaluation_interval: 15s scrape_configs: # 1. Prometheus (Self) - job_name: 'prometheus' scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['prometheus.cicd.local:9090'] # 2. Node Exporter (Host Hardware) - job_name: 'node-exporter' scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['172.30.0.1:9100'] # 3. cAdvisor (Container Stats) - job_name: 'cadvisor' static_configs: - targets: ['cadvisor.cicd.local:8080'] # 4. Elasticsearch Exporter - job_name: 'elasticsearch-exporter' scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['elasticsearch-exporter.cicd.local:9114'] # 5. GitLab - job_name: 'gitlab' metrics_path: /-/metrics scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['gitlab.cicd.local:10300'] # 6. Jenkins - job_name: 'jenkins' metrics_path: /prometheus/ scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['jenkins.cicd.local:10400'] # 7. SonarQube (Prometheus v3.x Syntax) - job_name: 'sonarqube' metrics_path: /api/monitoring/metrics static_configs: - targets: ['sonarqube.cicd.local:9000'] http_headers: X-Sonar-Passcode: values: ["</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="sh">"] # 8. Artifactory - job_name: 'artifactory' metrics_path: /artifactory/api/v1/metrics scheme: https tls_config: ca_file: /etc/prometheus/certs/ca.pem static_configs: - targets: ['artifactory.cicd.local:8443'] bearer_token: "</span><span class="nv">$ARTIFACTORY_ADMIN_TOKEN</span><span class="sh">" # 9. Mattermost - job_name: 'mattermost' static_configs: - targets: ['mattermost.cicd.local:8067'] </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$PROMETHEUS_BASE</span><span class="sh">/config/web-config.yml" tls_server_config: cert_file: /etc/prometheus/certs/prometheus.crt key_file: /etc/prometheus/certs/prometheus.key </span><span class="no">EOF </span><span class="c"># B. Grafana Config (grafana.ini)</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$GRAFANA_BASE</span><span class="sh">/config/grafana.ini" [server] protocol = https domain = grafana.cicd.local cert_file = /etc/grafana/certs/grafana.crt cert_key = /etc/grafana/certs/grafana.key http_port = 3000 [database] type = postgres host = postgres.cicd.local:5432 name = grafana user = grafana ssl_mode = require [security] admin_user = admin </span><span class="no">EOF </span><span class="c"># C. Grafana Provisioning (datasources.yaml)</span> <span class="c"># We embed the CA content directly into the YAML for the TLS connection to Prometheus</span> <span class="nv">CA_CONTENT</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'s/^/ /'</span><span class="si">)</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$GRAFANA_BASE</span><span class="sh">/provisioning/datasources/datasources.yaml" apiVersion: 1 datasources: - name: Prometheus type: prometheus access: proxy url: https://prometheus.cicd.local:9090 isDefault: true jsonData: tlsAuth: false tlsAuthWithCACert: true secureJsonData: tlsCACert: | </span><span class="nv">$CA_CONTENT</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># --- 6. Scoped Environment Files ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 5: Generating Env Files ---"</span> <span class="c"># Grafana Env</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$GRAFANA_BASE</span><span class="sh">/grafana.env" GF_DATABASE_PASSWORD=</span><span class="nv">$GRAFANA_DB_PASSWORD</span><span class="sh"> GF_SECURITY_ADMIN_PASSWORD=</span><span class="nv">$GRAFANA_ADMIN_PASSWORD</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># Elasticsearch Exporter Env</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$HOST_CICD_ROOT</span><span class="sh">/elk/elasticsearch-exporter.env" ES_URI=https://elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="sh">@elasticsearch.cicd.local:9200 ES_ALL=true ES_INDICES=true ES_CA=/certs/ca.pem ES_SSL_SKIP_VERIFY=false </span><span class="no">EOF </span><span class="c"># --- 7. Permissions Lockdown ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 6: Locking Down Permissions ---"</span> <span class="c"># Prometheus (UID 65534 - nobody)</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 65534:65534 <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">"</span> <span class="c"># Grafana (UID 472 - grafana)</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 472:472 <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">"</span> <span class="c"># Lock keys</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs/prometheus.key"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs/grafana.key"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/grafana.env"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk/elasticsearch-exporter.env"</span> <span class="nb">echo</span> <span class="s2">"✅ Architect Setup Complete."</span> </code></pre> </div> <h2> 3.6 Deconstructing the Architect </h2> <p>The <code>01-setup-monitoring.sh</code> script is the physical implementation of the theory we just discussed. Let’s break down exactly how it enforces our architecture.</p> <h3> 1. Secrets &amp; Dependencies (Phase 1) </h3> <p>The script begins by sourcing the master <code>cicd.env</code> file. It validates that critical dependencies—specifically the <code>ARTIFACTORY_ADMIN_TOKEN</code> and <code>ELASTIC_PASSWORD</code>—already exist. This enforces the dependency chain: we cannot monitor the Warehouse or the Logs if those services haven't been built yet. It then programmatically generates new high-entropy secrets for Grafana and SonarQube, ensuring no default passwords ever exist in our system. This fulfills the <strong>Pre-Computation Strategy</strong> outlined in <strong>Section 3.1</strong>.</p> <h3> 2. The Map Generation (Phase 4 - Prometheus) </h3> <p>The script uses a heredoc (<code>cat &lt;&lt; EOF</code>) to write the <code>prometheus.yml</code> file. This isn't a static copy; it is dynamic. Notice how it injects the <code>$SONAR_WEB_SYSTEMPASSCODE</code> and <code>$ARTIFACTORY_ADMIN_TOKEN</code> variables directly into the scrape configuration. This creates the "Map of the City" discussed in <strong>Section 3.2</strong>, enabling Prometheus to authenticate with our secured endpoints immediately upon startup.</p> <h3> 3. The Embedded Trust (Phase 4 - Grafana) </h3> <p>In the Grafana provisioning section, the script performs a critical text manipulation operation:<br> <code>CA_CONTENT=$(cat "$SRC_CA_CRT" | sed 's/^/ /')</code>.<br> It reads the Root CA certificate from the host, indents it to match YAML syntax, and embeds it directly into <code>datasources.yaml</code>. This implements the <strong>Certificate Embedding</strong> strategy from <strong>Section 3.3</strong>, allowing Grafana to verify Prometheus's HTTPS identity without needing an external volume mount for trust stores.</p> <h3> 4. The Permission Fix (Phases 2 &amp; 6) </h3> <p>Finally, the script wraps the configuration generation with explicit permission handling. In Phase 2, it changes directory ownership to the current user to allow writing configs without <code>sudo</code>. In Phase 6, it performs the "Surgical Strike" discussed in <strong>Section 3.4</strong>, flipping ownership of the <code>prometheus</code> directory to UID <code>65534</code> and the <code>grafana</code> directory to UID <code>472</code>. This guarantees that when the containers launch in later chapters, they encounter a filesystem they can actually read.</p> <h2> 3.6 Deconstructing the Architect </h2> <p>The <code>01-setup-monitoring.sh</code> script is the physical implementation of the theory we just discussed. Let’s break down exactly how it enforces our architecture.</p> <h3> 1. Secrets &amp; Dependencies (Phase 1) </h3> <p>The script begins by sourcing the master <code>cicd.env</code> file. It validates that critical dependencies—specifically the <code>ARTIFACTORY_ADMIN_TOKEN</code> and <code>ELASTIC_PASSWORD</code>—already exist. This enforces the dependency chain: we cannot monitor the Warehouse or the Logs if those services haven't been built yet. It then programmatically generates new high-entropy secrets for Grafana and SonarQube, ensuring no default passwords ever exist in our system. This fulfills the <strong>Pre-Computation Strategy</strong> outlined in <strong>Section 3.1</strong>.</p> <h3> 2. The Map Generation (Phase 4 - Prometheus) </h3> <p>The script uses a heredoc (<code>cat &lt;&lt; EOF</code>) to write the <code>prometheus.yml</code> file. This isn't a static copy; it is dynamic. Notice how it injects the <code>$SONAR_WEB_SYSTEMPASSCODE</code> and <code>$ARTIFACTORY_ADMIN_TOKEN</code> variables directly into the scrape configuration. This creates the "Map of the City" discussed in <strong>Section 3.2</strong>, enabling Prometheus to authenticate with our secured endpoints immediately upon startup.</p> <h3> 3. The Embedded Trust (Phase 4 - Grafana) </h3> <p>In the Grafana provisioning section, the script performs a critical text manipulation operation:<br> <code>CA_CONTENT=$(cat "$SRC_CA_CRT" | sed 's/^/ /')</code>.<br> It reads the Root CA certificate from the host, indents it to match YAML syntax, and embeds it directly into <code>datasources.yaml</code>. This implements the <strong>Certificate Embedding</strong> strategy from <strong>Section 3.3</strong>, allowing Grafana to verify Prometheus's HTTPS identity without needing an external volume mount for trust stores.</p> <h3> 4. The Permission Fix (Phases 2 &amp; 6) </h3> <p>Finally, the script wraps the configuration generation with explicit permission handling. In Phase 2, it changes directory ownership to the current user to allow writing configs without <code>sudo</code>. In Phase 6, it performs the "Surgical Strike" discussed in <strong>Section 3.4</strong>, flipping ownership of the <code>prometheus</code> directory to UID <code>65534</code> and the <code>grafana</code> directory to UID <code>472</code>. This guarantees that when the containers launch in later chapters, they encounter a filesystem they can actually read.</p> <h1> Chapter 4: The Retrofit – Exposing the Metrics </h1> <h2> 4.1 The Hidden Pulse </h2> <p>We have successfully generated our "Map of the City" (<code>prometheus.yml</code>). The Brain knows where to look. However, if we were to launch Prometheus right now, it would be staring at a series of closed doors.</p> <p>Most enterprise software ships with observability <strong>disabled</strong> or strictly limited by default. This is a sound security practice known as "Information Hiding." A metrics endpoint is essentially a high-resolution blueprint of your internal operations. It reveals your query volume, your memory usage, your error rates, and even the topology of your internal network. Exposing this to the public internet—or even to the wrong subnet—is a vulnerability.</p> <p>Therefore, our services are currently holding their breath. GitLab's Nginx proxy blocks external access to <code>/-/metrics</code>. SonarQube demands a specific authentication header. Artifactory and Mattermost have the feature turned off entirely in their configuration files.</p> <p>To build our Observatory, we must perform a <strong>"Retrofit."</strong></p> <p>We are moving into the realm of <strong>Day 2 Operations</strong>. We are not deploying fresh containers; we are surgically modifying the state of <em>running</em> infrastructure. We need to open these specific ports and endpoints to our private <code>cicd-net</code> network without exposing them to the host or the outside world.</p> <p>This presents an engineering challenge: consistency. While our goal is the same for every service ("Open the <code>/metrics</code> endpoint"), the implementation varies wildly because each tool speaks a different configuration language:</p> <ul> <li> <strong>Jenkins:</strong> This is the exception that proves the rule. Because we installed the <code>prometheus</code> plugin in <strong>Article 8</strong>, Jenkins is already broadcasting. It exposes <code>/prometheus/</code> by default, requiring no further action from us today.</li> <li> <strong>The Monoliths (GitLab &amp; SonarQube):</strong> These legacy-style applications are configured via flat text files (<code>gitlab.rb</code>) or environment variables (<code>sonarqube.env</code>). We will manipulate them using <strong>Bash</strong>.</li> <li> <strong>The Modern Stack (Artifactory &amp; Mattermost):</strong> These newer applications store configuration in structured data formats (YAML) or internal databases accessible only via CLI APIs. We cannot safely edit these with <code>sed</code> or <code>echo</code>; we need the precision of <strong>Python</strong>.</li> </ul> <p>We will tackle these in two waves, starting with the text-based Monoliths.</p> <h2> 4.2 Patching the Monoliths (GitLab &amp; SonarQube) </h2> <p>Our first target is the legacy stack. These applications rely on traditional configuration files and environment variables. We will automate their reconfiguration using the <strong>Bash</strong> script <code>02-patch-services.sh</code>.</p> <p>This script performs two distinct operations: modifying a host-side text file for GitLab and injecting a secret into a container environment for SonarQube.</p> <h3> The Source Code: <code>02-patch-services.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/02-patch-services.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-patch-services.sh</span> <span class="c">#</span> <span class="c"># The "Retrofit" Script.</span> <span class="c"># Modifies running services to expose metrics endpoints.</span> <span class="c">#</span> <span class="c"># 1. GitLab: Updates host-side gitlab.rb &amp; triggers reconfigure.</span> <span class="c"># 2. SonarQube: Injects System Passcode into env &amp; redeploys.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔧 Starting Service Retrofit..."</span> <span class="c"># --- 1. Load Secrets &amp; Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># GitLab Paths</span> <span class="nv">GITLAB_CONFIG</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/gitlab/config/gitlab.rb"</span> <span class="c"># SonarQube Paths</span> <span class="nv">SONAR_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/sonarqube"</span> <span class="nv">SONAR_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_BASE</span><span class="s2">/sonarqube.env"</span> <span class="c"># Determine deploy script location relative to this script or hardcoded</span> <span class="nv">SONAR_DEPLOY_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0010_cicd_part06_sonarqube/03-deploy-sonarqube.sh"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load SONAR_WEB_SYSTEMPASSCODE</span> <span class="nb">set</span> <span class="nt">-a</span><span class="p">;</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="nb">set</span> +a <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: SONAR_WEB_SYSTEMPASSCODE not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">" Did you run 01-setup-monitoring.sh?"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Patch GitLab (Host File Update) ---</span> <span class="nb">echo</span> <span class="s2">"--- Patching GitLab ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Idempotency check: Don't append if it exists</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"monitoring_whitelist"</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Appending monitoring whitelist to host config..."</span> <span class="c"># We need sudo because gitlab.rb is owned by root</span> <span class="nb">echo</span> <span class="s2">"gitlab_rails['monitoring_whitelist'] = ['172.30.0.0/24', '127.0.0.1']"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">" Config updated."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Whitelist already present in gitlab.rb."</span> <span class="k">fi</span> <span class="c"># Trigger Reconfigure if container is running</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>gitlab<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Triggering GitLab Reconfigure (this will take a minute)..."</span> docker <span class="nb">exec </span>gitlab gitlab-ctl reconfigure <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">"✅ GitLab Reconfigured."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"⚠️ GitLab container is not running. Changes will apply on next start."</span> <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: </span><span class="nv">$GITLAB_CONFIG</span><span class="s2"> not found on host."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Patch SonarQube (Env Injection &amp; Redeploy) ---</span> <span class="nb">echo</span> <span class="s2">"--- Patching SonarQube ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Injecting System Passcode into sonarqube.env..."</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"SONAR_WEB_SYSTEMPASSCODE"</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Ensure we can write (we likely own the dir, but file might be 600)</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# Metrics Access"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"SONAR_WEB_SYSTEMPASSCODE=</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Passcode already present."</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" Redeploying SonarQube to apply changes..."</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Run the original deploy script from its directory context</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-sonarqube.sh<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"✅ SonarQube Patched and Redeploying."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: Sonar deploy script not found at </span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Please check the path or ensure Article 10 files exist."</span> <span class="nb">exit </span>1 <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: sonarqube.env not found at </span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"✨ Retrofit Complete."</span> </code></pre> </div> <h3> Deconstructing the Retrofit </h3> <p><strong>1. GitLab: The Whitelist (<code>monitoring_whitelist</code>)</strong><br> GitLab's integrated Prometheus exporter is protected by a strict IP whitelist. By default, it allows only <code>localhost</code>. Prometheus, however, lives at <code>172.30.0.x</code>.</p> <ul> <li> <strong>The Config:</strong> The script appends <code>gitlab_rails['monitoring_whitelist'] = ['172.30.0.0/24', '127.0.0.1']</code> to the host-side <code>gitlab.rb</code> file. This explicitly trusts our entire Docker subnet.</li> <li> <strong>The Execution:</strong> Instead of restarting the heavy GitLab container (which takes 5 minutes), we trigger <code>gitlab-ctl reconfigure</code> via <code>docker exec</code>. This recompiles the internal Nginx configuration on the fly, applying the whitelist in about 60 seconds.</li> </ul> <p><strong>2. SonarQube: The Secret Handshake (<code>SONAR_WEB_SYSTEMPASSCODE</code>)</strong><br> SonarQube handles metrics differently. It does not use IP whitelisting; it uses a shared secret.</p> <ul> <li> <strong>The Injection:</strong> The script reads the <code>SONAR_WEB_SYSTEMPASSCODE</code> (which we generated in <code>01-setup-monitoring.sh</code>) from the master <code>cicd.env</code> and injects it into the scoped <code>sonarqube.env</code> file.</li> <li> <strong>The Redeployment:</strong> Because Docker environment variables are immutable once a container is created, we cannot just "reload" SonarQube. We must destroy and recreate the container. The script automates this by calling the original <code>03-deploy-sonarqube.sh</code> script from 0010_cicd_part06_sonarqube, ensuring a clean state transition.</li> </ul> <h2> 4.2 Patching the Monoliths (GitLab &amp; SonarQube) </h2> <p>Our first target is the legacy stack. These applications rely on traditional configuration files and environment variables. We will automate their reconfiguration using the <strong>Bash</strong> script <code>02-patch-services.sh</code>.</p> <p>This script performs two distinct operations: modifying a host-side text file for GitLab and injecting a secret into a container environment for SonarQube.</p> <h3> The Source Code: <code>02-patch-services.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/02-patch-services.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-patch-services.sh</span> <span class="c">#</span> <span class="c"># The "Retrofit" Script.</span> <span class="c"># Modifies running services to expose metrics endpoints.</span> <span class="c">#</span> <span class="c"># 1. GitLab: Updates host-side gitlab.rb &amp; triggers reconfigure.</span> <span class="c"># 2. SonarQube: Injects System Passcode into env &amp; redeploys.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔧 Starting Service Retrofit..."</span> <span class="c"># --- 1. Load Secrets &amp; Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># GitLab Paths</span> <span class="nv">GITLAB_CONFIG</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/gitlab/config/gitlab.rb"</span> <span class="c"># SonarQube Paths</span> <span class="nv">SONAR_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/sonarqube"</span> <span class="nv">SONAR_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_BASE</span><span class="s2">/sonarqube.env"</span> <span class="c"># Determine deploy script location relative to this script or hardcoded</span> <span class="nv">SONAR_DEPLOY_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0010_cicd_part06_sonarqube/03-deploy-sonarqube.sh"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load SONAR_WEB_SYSTEMPASSCODE</span> <span class="nb">set</span> <span class="nt">-a</span><span class="p">;</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="nb">set</span> +a <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: SONAR_WEB_SYSTEMPASSCODE not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">" Did you run 01-setup-monitoring.sh?"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Patch GitLab (Host File Update) ---</span> <span class="nb">echo</span> <span class="s2">"--- Patching GitLab ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Idempotency check: Don't append if it exists</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"monitoring_whitelist"</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Appending monitoring whitelist to host config..."</span> <span class="c"># We need sudo because gitlab.rb is owned by root</span> <span class="nb">echo</span> <span class="s2">"gitlab_rails['monitoring_whitelist'] = ['172.30.0.0/24', '127.0.0.1']"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">" Config updated."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Whitelist already present in gitlab.rb."</span> <span class="k">fi</span> <span class="c"># Trigger Reconfigure if container is running</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>gitlab<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Triggering GitLab Reconfigure (this will take a minute)..."</span> docker <span class="nb">exec </span>gitlab gitlab-ctl reconfigure <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">"✅ GitLab Reconfigured."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"⚠️ GitLab container is not running. Changes will apply on next start."</span> <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: </span><span class="nv">$GITLAB_CONFIG</span><span class="s2"> not found on host."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Patch SonarQube (Env Injection &amp; Redeploy) ---</span> <span class="nb">echo</span> <span class="s2">"--- Patching SonarQube ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" Injecting System Passcode into sonarqube.env..."</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"SONAR_WEB_SYSTEMPASSCODE"</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Ensure we can write (we likely own the dir, but file might be 600)</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# Metrics Access"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"SONAR_WEB_SYSTEMPASSCODE=</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Passcode already present."</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" Redeploying SonarQube to apply changes..."</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Run the original deploy script from its directory context</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-sonarqube.sh<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"✅ SonarQube Patched and Redeploying."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: Sonar deploy script not found at </span><span class="nv">$SONAR_DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Please check the path or ensure Article 10 files exist."</span> <span class="nb">exit </span>1 <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: sonarqube.env not found at </span><span class="nv">$SONAR_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"✨ Retrofit Complete."</span> </code></pre> </div> <h3> Deconstructing the Retrofit </h3> <p><strong>1. GitLab: The Whitelist (<code>monitoring_whitelist</code>)</strong><br> GitLab's integrated Prometheus exporter is protected by a strict IP whitelist. By default, it allows only <code>localhost</code>. Prometheus, however, lives at <code>172.30.0.x</code>.</p> <ul> <li> <strong>The Config:</strong> The script appends <code>gitlab_rails['monitoring_whitelist'] = ['172.30.0.0/24', '127.0.0.1']</code> to the host-side <code>gitlab.rb</code> file. This explicitly trusts our entire Docker subnet.</li> <li> <strong>The Execution:</strong> Instead of restarting the heavy GitLab container (which takes 5 minutes), we trigger <code>gitlab-ctl reconfigure</code> via <code>docker exec</code>. This recompiles the internal Nginx configuration on the fly, applying the whitelist in about 60 seconds.</li> </ul> <p><strong>2. SonarQube: The Secret Handshake (<code>SONAR_WEB_SYSTEMPASSCODE</code>)</strong><br> SonarQube handles metrics differently. It does not use IP whitelisting; it uses a shared secret.</p> <ul> <li> <strong>The Injection:</strong> The script reads the <code>SONAR_WEB_SYSTEMPASSCODE</code> (which we generated in <code>01-setup-monitoring.sh</code>) from the master <code>cicd.env</code> and injects it into the scoped <code>sonarqube.env</code> file.</li> <li> <strong>The Redeployment:</strong> Because Docker environment variables are immutable once a container is created, we cannot just "reload" SonarQube. We must destroy and recreate the container. The script automates this by calling the original <code>03-deploy-sonarqube.sh</code> script from Article 10, ensuring a clean state transition.</li> </ul> <h2> 4.3 Patching the Modern Stack (Artifactory &amp; Mattermost) </h2> <p>For our modern, cloud-native applications, we cannot rely on simple text manipulation. Their configurations are stored in structured formats (YAML) or internal databases. We handle this complexity with the Python script <code>03-patch-additional-services.py</code>.</p> <h3> The Source Code: <code>03-patch-additional-services.py</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/03-patch-additional-services.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">yaml</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">HOME_DIR</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="n">CICD_STACK_DIR</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="c1"># Artifactory Paths </span><span class="n">ART_VAR_DIR</span> <span class="o">=</span> <span class="n">CICD_STACK_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">artifactory</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">var</span><span class="sh">"</span> <span class="n">ART_CONFIG_FILE</span> <span class="o">=</span> <span class="n">ART_VAR_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">etc</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">system.yaml</span><span class="sh">"</span> <span class="c1"># PATH TO ORIGINAL DEPLOY SCRIPT </span><span class="n">ART_DEPLOY_SCRIPT</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">Documents/FromFirstPrinciples/articles/0009_cicd_part05_artifactory/05-deploy-artifactory.sh</span><span class="sh">"</span> <span class="c1"># Mattermost Configuration </span><span class="n">MM_CONTAINER</span> <span class="o">=</span> <span class="sh">"</span><span class="s">mattermost</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">cmd_list</span><span class="p">,</span> <span class="n">description</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Runs a shell command and prints status.</span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> EXEC: </span><span class="si">{</span><span class="n">description</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="n">cmd_list</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Success.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ Failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">patch_artifactory</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Patching Artifactory Configuration (</span><span class="si">{</span><span class="n">ART_CONFIG_FILE</span><span class="si">}</span><span class="s">) ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ART_CONFIG_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: Config file not found at </span><span class="si">{</span><span class="n">ART_CONFIG_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Read existing YAML </span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ART_CONFIG_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">config</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="n">PermissionError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: Cannot read config file. Try running: sudo chmod o+r </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">ART_CONFIG_FILE</span><span class="p">))</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">except</span> <span class="n">yaml</span><span class="p">.</span><span class="n">YAMLError</span> <span class="k">as</span> <span class="n">exc</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error parsing YAML: </span><span class="si">{</span><span class="n">exc</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 2. Modify Structure (Idempotent) </span> <span class="k">if</span> <span class="sh">'</span><span class="s">shared</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">config</span><span class="p">:</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">shared</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">if</span> <span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">shared</span><span class="sh">'</span><span class="p">]:</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">shared</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">shared</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">enabled</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> &gt; Set shared.metrics.enabled = true</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">config</span><span class="p">:</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">if</span> <span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span><span class="p">]:</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">metrics</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">enabled</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> &gt; Set artifactory.metrics.enabled = true</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3. Write to Temp File </span> <span class="n">tmp_path</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sh">"</span><span class="s">/tmp/artifactory_system.yaml.tmp</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">tmp_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_dump</span><span class="p">(</span><span class="n">config</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">default_flow_style</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">sort_keys</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># 4. Overwrite Protected File </span> <span class="nf">run_command</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">sudo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cp</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">tmp_path</span><span class="p">),</span> <span class="nf">str</span><span class="p">(</span><span class="n">ART_CONFIG_FILE</span><span class="p">)],</span> <span class="sh">"</span><span class="s">Overwriting system.yaml (sudo)</span><span class="sh">"</span> <span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="n">tmp_path</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Patched system.yaml</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 5. Redeploy using Original Script (Instead of Restart) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Redeploying Artifactory via Script ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">ART_DEPLOY_SCRIPT</span><span class="p">.</span><span class="nf">exists</span><span class="p">()</span> <span class="ow">and</span> <span class="n">os</span><span class="p">.</span><span class="nf">access</span><span class="p">(</span><span class="n">ART_DEPLOY_SCRIPT</span><span class="p">,</span> <span class="n">os</span><span class="p">.</span><span class="n">X_OK</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> EXEC: </span><span class="si">{</span><span class="n">ART_DEPLOY_SCRIPT</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s"> ...</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Run relative to script directory so it finds its local env files </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">./</span><span class="si">{</span><span class="n">ART_DEPLOY_SCRIPT</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">cwd</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">ART_DEPLOY_SCRIPT</span><span class="p">.</span><span class="n">parent</span><span class="p">),</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ✅ Artifactory Redeployed.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ❌ Failed to redeploy Artifactory.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚠️ Deploy script not found or not executable at: </span><span class="si">{</span><span class="n">ART_DEPLOY_SCRIPT</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Falling back to docker restart...</span><span class="sh">"</span><span class="p">)</span> <span class="nf">run_command</span><span class="p">([</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">restart</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">artifactory</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">Restarting container</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">patch_mattermost</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Patching Mattermost Configuration (via mmctl) ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">inspect</span><span class="sh">"</span><span class="p">,</span> <span class="n">MM_CONTAINER</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Mattermost container </span><span class="sh">'</span><span class="si">{</span><span class="n">MM_CONTAINER</span><span class="si">}</span><span class="sh">'</span><span class="s"> not running. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">mmctl_set</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">value</span><span class="p">):</span> <span class="n">cmd</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">MM_CONTAINER</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">set</span><span class="sh">"</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="p">]</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Setting </span><span class="si">{</span><span class="n">key</span><span class="si">}</span><span class="s"> = </span><span class="si">{</span><span class="n">value</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Enable Metrics &amp; Set Port </span> <span class="nf">mmctl_set</span><span class="p">(</span><span class="sh">"</span><span class="s">MetricsSettings.Enable</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span><span class="p">)</span> <span class="nf">mmctl_set</span><span class="p">(</span><span class="sh">"</span><span class="s">MetricsSettings.ListenAddress</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">:8067</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Reload </span> <span class="n">reload_cmd</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">MM_CONTAINER</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reload</span><span class="sh">"</span><span class="p">]</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">reload_cmd</span><span class="p">,</span> <span class="sh">"</span><span class="s">Reloading Mattermost Config</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🔧 Starting Additional Services Patcher...</span><span class="sh">"</span><span class="p">)</span> <span class="nf">patch_artifactory</span><span class="p">()</span> <span class="nf">patch_mattermost</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">✨ All patches applied successfully.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Retrofit </h3> <p><strong>1. Artifactory: YAML Surgery</strong><br> Artifactory 7 stores its configuration in <code>system.yaml</code>. This file is owned by UID 1030 and is often read-only to regular users.</p> <ul> <li> <strong>The Logic:</strong> We use Python's <code>PyYAML</code> library to load the file structure into memory. We navigate the nested dictionary to <code>shared.metrics.enabled</code> and <code>artifactory.metrics.enabled</code>, setting both to <code>True</code>. This ensures metrics are collected for both the shared microservices (Router/Access) and the core Artifactory service.</li> <li> <strong>The Execution:</strong> We write the modified config to a temporary file and use <code>sudo cp</code> to overwrite the protected original. We then trigger the original <code>05-deploy-artifactory.sh</code> script to force a clean restart of the Java process.</li> </ul> <p><strong>2. Mattermost: The CLI Override</strong><br> Mattermost offers a powerful command-line interface (<code>mmctl</code>) that can modify the server's configuration database in real-time.</p> <ul> <li> <strong>The Logic:</strong> We execute <code>mmctl config set MetricsSettings.Enable true</code> directly inside the container via <code>docker exec</code>. We also bind the listener to <code>:8067</code> to avoid port conflicts with the main web application.</li> <li> <strong>The Execution:</strong> We finalize the change with <code>mmctl config reload</code>. Mattermost is unique in our stack; it applies these changes <em>instantly</em> without killing the process, demonstrating true cloud-native behavior.</li> </ul> <h2> 4.4 Execution &amp; Verification </h2> <p>Now that we have built our tools, we run them in sequence.</p> <ol> <li> <strong>Run the Bash Patcher:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">chmod</span> +x 02-patch-services.sh ./02-patch-services.sh </code></pre> </div> <p><em>Result:</em> GitLab reconfigures (approx. 60s) and SonarQube restarts (approx. 2 mins).</p> <ol> <li> <strong>Run the Python Patcher:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">chmod</span> +x 03-patch-additional-services.py ./03-patch-additional-services.py </code></pre> </div> <p><em>Result:</em> Artifactory restarts (approx. 2 mins) and Mattermost updates immediately.</p> <p>Our applications are now broadcasting. The doors are open. In the next chapter, we will deploy the translators to handle the infrastructure layer.</p> <h1> Chapter 5: The Translators – Infrastructure Sensors </h1> <h2> 5.1 The "Translation" Problem </h2> <p>We have successfully retrofitted our applications. GitLab, Jenkins, Artifactory, and Mattermost are now broadcasting their internal metrics in the standardized Prometheus format. We know <em>what</em> the software is doing.</p> <p>But software does not run in a vacuum; it runs on infrastructure.</p> <p>If the Host Machine runs out of RAM, every container crashes. If the Docker Daemon hangs due to disk I/O throttling, the pipeline stops. If the Elasticsearch cluster splits its brain, the logs vanish.</p> <p>Crucially, <strong>Prometheus cannot speak to these components directly.</strong></p> <ul> <li>The <strong>Linux Kernel</strong> speaks in system calls and <code>/proc</code> files.</li> <li>The <strong>Docker Daemon</strong> speaks via a Unix Socket and Control Groups (cgroups).</li> <li> <strong>Elasticsearch</strong> speaks via a proprietary JSON REST API.</li> </ul> <p>Prometheus only speaks HTTP. It expects to hit a <code>/metrics</code> endpoint and receive a plain-text list of key-value pairs. It does not know how to read a <code>cgroup</code> or query a Unix socket.</p> <p>To bridge this gap, we must deploy <strong>Exporters</strong>.</p> <p>An Exporter is a lightweight "Translation Agent." It sits right next to the infrastructure component it is monitoring (often as a sidecar). Its job is simple:</p> <ol> <li> <strong>Query:</strong> It polls the opaque internal state of the system (e.g., reading <code>/proc/meminfo</code>).</li> <li> <strong>Translate:</strong> It converts that raw data into the standardized Prometheus exposition format (e.g., <code>node_memory_MemTotal_bytes</code>).</li> <li> <strong>Serve:</strong> It exposes a lightweight HTTP server so Prometheus can scrape the translated data.</li> </ol> <p>In this chapter, we will deploy three distinct translators to cover the blind spots in our city:</p> <ol> <li> <strong>Node Exporter:</strong> For the Host Hardware (CPU, RAM, Disk, Network).</li> <li> <strong>cAdvisor:</strong> For the Docker Engine (Container resource usage).</li> <li> <strong>Elasticsearch Exporter:</strong> For the Log Storage Cluster (Health and Indices).</li> </ol> <p>We will automate this deployment with <code>04-deploy-exporters.sh</code>. However, accessing the <em>Host</em> hardware from inside a <em>Container</em> requires us to break the very isolation rules we have spent eight articles enforcing.</p> <h2> 5.2 The Host Sensor: Node Exporter (The "Boundary Breaker") </h2> <p><strong>Node Exporter</strong> is the industry standard for hardware monitoring. It reads from the Linux <code>/proc</code> and <code>/sys</code> filesystems to report on CPU usage, memory distribution, disk I/O latency, and network traffic.</p> <p>However, deploying Node Exporter in a containerized environment introduces a fundamental paradox: we want to monitor the <strong>Host</strong>, but the container is explicitly designed to be isolated <em>from</em> the Host. A standard container sees only its own virtual CPU slices and its own virtual network interface. It has no visibility into the physical hardware.</p> <p>To bridge this gap, we must deliberately break the isolation model we have spent eight articles enforcing. In our deployment script, we apply two powerful flags that "tear down the walls" of the container:</p> <ol> <li> <strong><code>--network host</code>:</strong> We remove the network namespace isolation. This allows the exporter to see the host's actual physical network interfaces (eth0, wlan0), not just the virtual interface of the container.</li> <li> <strong><code>--pid host</code>:</strong> We share the Process ID namespace. This allows the exporter to see the host's process table, preventing the "blindness" typical of containerized monitoring tools where they can only see their own children.</li> </ol> <h3> The Security "Dragon": The LAN Exposure </h3> <p>Running a container in Host Mode (<code>--network host</code>) comes with a dangerous side effect: <strong>Port Exposure.</strong></p> <p>When a normal container listens on port 9100, that port is reachable only inside the Docker network unless we explicitly map it (<code>-p 9100:9100</code>). But when a Host Mode container listens on port 9100, it opens that port on <strong>every network interface of the physical machine</strong>.</p> <p>This means your detailed hardware metrics—potentially revealing kernel versions, running processes, and exact resource usage—would be instantly accessible to anyone on your office WiFi or corporate LAN. In a "Zero Trust" architecture, this information leakage is unacceptable.</p> <h3> The Solution: The Gateway Bind </h3> <p>We solve this by binding the exporter strictly to the <strong>Docker Gateway IP</strong>.</p> <p>In our network design (0005_cicd_part01_docker), we established <code>cicd-net</code> with a gateway of <strong><code>172.30.0.1</code></strong>. This IP address represents the "Host Machine" from the perspective of the containers. By configuring Node Exporter to listen <em>only</em> on this specific IP (<code>--web.listen-address=172.30.0.1:9100</code>), we create a "private door".</p> <ul> <li> <strong>From the LAN:</strong> The port 9100 is closed.</li> <li> <strong>From the Container Network:</strong> Prometheus can reach <code>172.30.0.1:9100</code> and scrape the metrics.</li> </ul> <h3> The Trust Gap: Certificates vs. IPs </h3> <p>This binding solution creates a new problem: <strong>TLS Identity</strong>.</p> <p>Standard SSL certificates are issued to <strong>Domain Names</strong> (e.g., <code>node-exporter.cicd.local</code>). However, because of our specific network binding, Prometheus must connect to this target via its <strong>IP Address</strong> (<code>172.30.0.1</code>), not a DNS name.</p> <p>If we used a standard certificate, the TLS handshake would fail because the address in the URL (<code>172.30.0.1</code>) does not match the Common Name in the certificate (<code>node-exporter...</code>).</p> <p>To fix this, our <code>04-deploy-exporters.sh</code> script includes a specialized function called <code>generate_node_exporter_cert</code>. This function dynamically generates a custom OpenSSL configuration that adds a specific <strong>Subject Alternative Name (SAN)</strong> entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[alt_names]</span> <span class="py">IP.2</span> <span class="p">=</span> <span class="s">172.30.0.1</span> </code></pre> </div> <p>By baking the Gateway IP directly into the cryptographic identity of the certificate, we ensure that Prometheus can connect securely to the raw IP address without breaking the chain of trust.</p> <h2> 5.3 The Container Sensor: cAdvisor (The "Introspector") </h2> <p>While Node Exporter gives us the "Landlord's View" of the building (total electricity used, total water consumed), it tells us nothing about the individual tenants. If the server is slow, Node Exporter can tell us <em>that</em> CPU usage is high, but it cannot tell us <em>who</em> is responsible. Is Jenkins compiling a massive C++ project? Is GitLab performing a database migration? Or has the Artifactory Java process gone rogue?</p> <p>To answer these questions, we need an <strong>Introspector</strong>. We need a tool that can look inside the Docker engine, identify every running container, and measure its specific resource consumption against the kernel's accounting ledgers.</p> <p>The industry standard for this is <strong>cAdvisor</strong> (Container Advisor) by Google.</p> <p>Deploying cAdvisor involves navigating the complex boundary between the Docker Daemon and the Linux Kernel. Unlike a standard web app that stays in its lane, cAdvisor is designed to be invasive. It essentially "spies" on its neighbors. To allow this, our deployment script grants it significant privileges.</p> <h3> The Privilege Hurdle </h3> <p>In <code>04-deploy-exporters.sh</code>, we launch cAdvisor with a specific set of flags that might look alarming to a security-conscious engineer:</p> <ol> <li> <strong><code>--privileged</code>:</strong> We grant the container extended privileges.</li> <li> <strong><code>--volume /:/rootfs:ro</code>:</strong> We mount the entire host filesystem as read-only.</li> <li> <strong><code>--volume /var/run:/var/run:ro</code>:</strong> We mount the Docker socket.</li> <li> <strong><code>--volume /sys:/sys:ro</code>:</strong> We mount the kernel's system directory.</li> </ol> <p>Why is this "God Mode" access necessary?</p> <p>It comes down to <strong>Control Groups (cgroups)</strong>. This is the Linux kernel feature that Docker uses to limit how much CPU and RAM a container can use. Every time a container writes to RAM or uses a CPU cycle, the kernel updates a counter in a virtual file located deep inside <code>/sys/fs/cgroup</code>.</p> <p>For cAdvisor to report that "Jenkins is using 2GB of RAM," it must be able to read these raw kernel counters directly from the host's <code>/sys</code> directory. Furthermore, to know that "cgroup ID 4f3a..." actually corresponds to the name "jenkins," it must talk to the Docker Socket to retrieve the container metadata.</p> <h3> The Security Mitigation </h3> <p>Granting a container access to the Docker socket is equivalent to giving it root access to the host. If cAdvisor were compromised, an attacker could use that socket to spawn new privileged containers and take over the machine.</p> <p>We mitigate this risk through <strong>Network Isolation</strong>.</p> <p>Unlike Node Exporter, which we deliberately exposed to the Host Network, cAdvisor is a "Dark Container."</p> <ul> <li>We do <strong>not</strong> use <code>--network host</code>. It lives inside <code>cicd-net</code>.</li> <li>We do <strong>not</strong> publish any ports (<code>-p 8080:8080</code>).</li> </ul> <p>This means cAdvisor is unreachable from the host machine, the LAN, or the internet. It listens on port 8080 <em>only</em> inside the private Docker network. The only entity that can talk to it is Prometheus (which is also on <code>cicd-net</code>). By combining high privilege (local access) with zero visibility (network access), we adhere to the Principle of Least Privilege in a containerized context.</p> <h2> 5.4 The Middleware Sensor: Elasticsearch Exporter (The "Bridge") </h2> <p>Our final infrastructure target is the <strong>Elasticsearch</strong> cluster we built in 0012_cicd_part08_elk. This is the "Memory" of our city, storing gigabytes of build logs and audit trails. If it fills up or slows down, our "Investigation Office" goes dark.</p> <p>Elasticsearch exposes a wealth of data via its API (<code>_cluster/health</code>, <code>_nodes/stats</code>), but it does so in hierarchical <strong>JSON</strong>. Prometheus cannot ingest JSON; it requires a flat, line-delimited format.</p> <p>To solve this, we deploy the <strong>Elasticsearch Exporter</strong>.</p> <p>This component functions as a <strong>Protocol Bridge</strong>. It sits between the Brain and the Memory.</p> <ol> <li> <strong>Incoming:</strong> It accepts a scrape request from Prometheus.</li> <li> <strong>Translation:</strong> It makes authenticated, encrypted API calls to the Elasticsearch cluster.</li> <li> <strong>Outgoing:</strong> It flattens the JSON response into metrics like <code>elasticsearch_cluster_health_status{color="green"}</code> and serves them to Prometheus.</li> </ol> <h3> The Authentication Chain </h3> <p>Deploying this bridge in a secured environment requires navigating a complex authentication chain. We effectively have two secured conversations happening simultaneously:</p> <ol> <li> <strong>Prometheus Exporter:</strong> Prometheus must trust the Exporter. We handle this by mounting our standard <code>web-config.yml</code> and the <code>elasticsearch-exporter</code> certificates we staged in Chapter 3.</li> <li> <strong>Exporter Elasticsearch:</strong> The Exporter must authenticate with the Database. It needs the <code>elastic</code> superuser credentials to query deep statistics.</li> </ol> <p>We solve the second link using the <strong>URI Injection</strong> pattern. In Chapter 3 (<code>01-setup-monitoring.sh</code>), we pre-computed a file named <code>elasticsearch-exporter.env</code> containing the full connection string:<br> <code>ES_URI=https://elastic:PASSWORD@elasticsearch.cicd.local:9200</code>.</p> <p>In our deployment script, we extract this URI and pass it to the container:<br> <code>--es.uri="$ES_URI"</code>.</p> <h3> The Trust Triangle </h3> <p>Finally, we must ensure the Exporter trusts the Database. Since Elasticsearch is serving a self-signed certificate (from our CA), the Exporter (written in Go) will reject the connection by default.</p> <p>We map our Root CA into the container at <code>/certs/ca.pem</code> and explicitly flag the application to use it:<br> <code>--es.ca=/certs/ca.pem</code>.</p> <p>This closes the loop. Prometheus verifies the Exporter; the Exporter verifies the Database. The Chain of Trust is unbroken.</p> <h2> 5.5 Execution &amp; Verification </h2> <p>With our three translators defined—Node Exporter for the Host, cAdvisor for the Containers, and ES Exporter for the Middleware—we are ready to deploy.</p> <p>We automate this using the <code>04-deploy-exporters.sh</code> script. This script orchestrates the entire process: generating the custom Gateway certificate, fixing permissions, and launching the containers with the necessary privilege flags.</p> <h3> The Source Code: <code>04-deploy-exporters.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/04-deploy-exporters.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-deploy-exporters.sh</span> <span class="c">#</span> <span class="c"># The "Translators" Script.</span> <span class="c"># Deploys metrics exporters for Host, Docker, and ES.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Exporters (The Translators)..."</span> <span class="c"># --- 1. Load Paths &amp; Secrets ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nv">PROMETHEUS_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/prometheus"</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">CA_PASSWORD</span><span class="o">=</span><span class="s2">"password"</span> <span class="c"># Password for the Root CA Key</span> <span class="c"># Exporter Config Dirs</span> <span class="nv">NODE_CONF_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/node_exporter"</span> <span class="nv">ES_EXP_CONF_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch-exporter"</span> <span class="c"># --- 2. Permission Fix (The Host Takeover) ---</span> <span class="nb">echo</span> <span class="s2">"--- Preparing Directories ---"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs"</span> <span class="c"># Take ownership to current user for writing configs</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">"</span> <span class="c"># --- 3. Custom Certificate Generation ---</span> ensure_generic_cert<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">service_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">cert_path</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/</span><span class="nv">$service_name</span><span class="s2">/</span><span class="nv">$service_name</span><span class="s2">.crt.pem"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$cert_path</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" ⚠️ Certificate for </span><span class="nv">$service_name</span><span class="s2"> not found. Generating..."</span> <span class="o">(</span> <span class="nb">cd</span> ../0006_cicd_part02_certificate_authority <span class="o">&amp;&amp;</span> ./02-issue-service-cert.sh <span class="s2">"</span><span class="nv">$service_name</span><span class="s2">"</span> <span class="o">)</span> <span class="nb">echo</span> <span class="s2">" ✅ Generated </span><span class="nv">$service_name</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ℹ️ Certificate for </span><span class="nv">$service_name</span><span class="s2"> already exists."</span> <span class="k">fi</span> <span class="o">}</span> generate_node_exporter_cert<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"--- Generating Custom Certificate for Node Exporter ---"</span> <span class="nb">local </span><span class="nv">SERVICE</span><span class="o">=</span><span class="s2">"node-exporter"</span> <span class="nb">local </span><span class="nv">DOMAIN</span><span class="o">=</span><span class="s2">"node-exporter.cicd.local"</span> <span class="nb">local </span><span class="nv">GATEWAY_IP</span><span class="o">=</span><span class="s2">"172.30.0.1"</span> <span class="nb">local </span><span class="nv">KEY_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs/node-exporter.key"</span> <span class="nb">local </span><span class="nv">CRT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs/node-exporter.crt"</span> <span class="nb">local </span><span class="nv">CSR_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs/node-exporter.csr"</span> <span class="nb">local </span><span class="nv">EXT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs/v3.ext"</span> <span class="c"># Check if we need to generate (check if Gateway IP is in existing cert)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CRT_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then if </span>openssl x509 <span class="nt">-text</span> <span class="nt">-noout</span> <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$CRT_FILE</span><span class="s2">"</span> 2&gt;/dev/null | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"</span><span class="nv">$GATEWAY_IP</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" ℹ️ Valid Node Exporter cert exists (IP </span><span class="nv">$GATEWAY_IP</span><span class="s2"> present)."</span> <span class="k">return else </span><span class="nb">echo</span> <span class="s2">" ⚠️ Old cert found without Gateway IP. Regenerating..."</span> <span class="k">fi fi </span><span class="nb">echo</span> <span class="s2">" 1. Generating Private Key..."</span> openssl genrsa <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$KEY_FILE</span><span class="s2">"</span> 2048 <span class="nb">echo</span> <span class="s2">" 2. Generating CSR..."</span> openssl req <span class="nt">-new</span> <span class="nt">-key</span> <span class="s2">"</span><span class="nv">$KEY_FILE</span><span class="s2">"</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$CSR_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ZA/ST=Gauteng/L=Johannesburg/O=Local CICD Stack/CN=</span><span class="nv">$DOMAIN</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" 3. Creating SAN Extension..."</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$EXT_FILE</span><span class="sh">" authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = </span><span class="nv">$DOMAIN</span><span class="sh"> DNS.2 = localhost IP.1 = 127.0.0.1 IP.2 = </span><span class="nv">$GATEWAY_IP</span><span class="sh"> </span><span class="no">EOF </span> <span class="nb">echo</span> <span class="s2">" 4. Signing with Root CA..."</span> <span class="nb">sudo </span>openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$CSR_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-CA</span> <span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="se">\</span> <span class="nt">-CAkey</span> <span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/private/ca.key"</span> <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$CRT_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-days</span> 825 <span class="se">\</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-extfile</span> <span class="s2">"</span><span class="nv">$EXT_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-passin</span> pass:<span class="s2">"</span><span class="nv">$CA_PASSWORD</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$CRT_FILE</span><span class="s2">"</span> <span class="nb">rm</span> <span class="s2">"</span><span class="nv">$CSR_FILE</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$EXT_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" ✅ Generated Custom Node Exporter Cert."</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"--- Verifying Certificates ---"</span> generate_node_exporter_cert ensure_generic_cert <span class="s2">"elasticsearch-exporter.cicd.local"</span> <span class="c"># --- 4. Stage Certificates ---</span> <span class="nb">echo</span> <span class="s2">"--- Staging Certificates ---"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elasticsearch-exporter.cicd.local/elasticsearch-exporter.cicd.local.crt.pem"</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs/elasticsearch-exporter.crt"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elasticsearch-exporter.cicd.local/elasticsearch-exporter.cicd.local.key.pem"</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs/elasticsearch-exporter.key"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs/ca.pem"</span> <span class="c"># --- 5. Generate TLS Web Configs ---</span> <span class="nb">echo</span> <span class="s2">"--- Generating TLS Web Configs ---"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$NODE_CONF_DIR</span><span class="sh">/web-config.yml" tls_server_config: cert_file: /etc/node_exporter/certs/node-exporter.crt key_file: /etc/node_exporter/certs/node-exporter.key </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="sh">/web-config.yml" tls_server_config: cert_file: /etc/elasticsearch_exporter/certs/elasticsearch-exporter.crt key_file: /etc/elasticsearch_exporter/certs/elasticsearch-exporter.key </span><span class="no">EOF </span><span class="c"># --- 6. Permission Lockdown (UID 65534) ---</span> <span class="nb">echo</span> <span class="s2">"--- Locking Permissions (UID 65534) ---"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 65534:65534 <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 65534:65534 <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs/node-exporter.key"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs/elasticsearch-exporter.key"</span> <span class="c"># --- 7. Deploy Node Exporter ---</span> <span class="nb">echo</span> <span class="s2">"--- Deploying Node Exporter (Host Hardware) ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>node-exporter<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>docker <span class="nb">rm</span> <span class="nt">-f</span> node-exporter<span class="p">;</span> <span class="k">fi </span>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> node-exporter <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> host <span class="se">\</span> <span class="nt">--pid</span> host <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"/:/host:ro,rslave"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/web-config.yml"</span>:/etc/node_exporter/web-config.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$NODE_CONF_DIR</span><span class="s2">/certs"</span>:/etc/node_exporter/certs:ro <span class="se">\</span> quay.io/prometheus/node-exporter:latest <span class="se">\</span> <span class="nt">--path</span>.rootfs<span class="o">=</span>/host <span class="se">\</span> <span class="nt">--web</span>.listen-address<span class="o">=</span>172.30.0.1:9100 <span class="se">\</span> <span class="nt">--web</span>.config.file<span class="o">=</span>/etc/node_exporter/web-config.yml <span class="c"># --- 8. Deploy Elasticsearch Exporter ---</span> <span class="nb">echo</span> <span class="s2">"--- Deploying ES Exporter ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>elasticsearch-exporter<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>docker <span class="nb">rm</span> <span class="nt">-f</span> elasticsearch-exporter<span class="p">;</span> <span class="k">fi </span><span class="nv">ES_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk/elasticsearch-exporter.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ES_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">ES_URI</span><span class="o">=</span><span class="si">$(</span><span class="nb">sudo grep </span>ES_URI <span class="s2">"</span><span class="nv">$ES_ENV_FILE</span><span class="s2">"</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="o">=</span> <span class="nt">-f2-</span><span class="si">)</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: ES env file not found at </span><span class="nv">$ES_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> elasticsearch-exporter <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> elasticsearch-exporter.cicd.local <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/web-config.yml"</span>:/web-config.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs"</span>:/etc/elasticsearch_exporter/certs:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ES_EXP_CONF_DIR</span><span class="s2">/certs/ca.pem"</span>:/certs/ca.pem:ro <span class="se">\</span> quay.io/prometheuscommunity/elasticsearch-exporter:latest <span class="se">\</span> <span class="nt">--web</span>.config.file<span class="o">=</span>/web-config.yml <span class="se">\</span> <span class="nt">--es</span>.uri<span class="o">=</span><span class="s2">"</span><span class="nv">$ES_URI</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--es</span>.ca<span class="o">=</span>/certs/ca.pem <span class="se">\</span> <span class="nt">--es</span>.all <span class="se">\</span> <span class="nt">--es</span>.indices <span class="c"># --- 9. Deploy cAdvisor ---</span> <span class="nb">echo</span> <span class="s2">"--- Deploying cAdvisor (Container Stats) ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>cadvisor<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>docker <span class="nb">rm</span> <span class="nt">-f</span> cadvisor<span class="p">;</span> <span class="k">fi </span>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> cadvisor <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> cadvisor.cicd.local <span class="se">\</span> <span class="nt">--privileged</span> <span class="se">\</span> <span class="nt">--device</span> /dev/kmsg <span class="se">\</span> <span class="nt">--volume</span> /:/rootfs:ro <span class="se">\</span> <span class="nt">--volume</span> /var/run:/var/run:ro <span class="se">\</span> <span class="nt">--volume</span> /sys:/sys:ro <span class="se">\</span> <span class="nt">--volume</span> /var/lib/docker/:/var/lib/docker:ro <span class="se">\</span> <span class="nt">--volume</span> /dev/disk/:/dev/disk:ro <span class="se">\</span> ghcr.io/google/cadvisor:latest <span class="nb">echo</span> <span class="s2">"✅ Exporters Deployed."</span> <span class="nb">echo</span> <span class="s2">" - Node Exporter: https://172.30.0.1:9100/metrics (Gateway Bind)"</span> <span class="nb">echo</span> <span class="s2">" - ES Exporter: https://elasticsearch-exporter.cicd.local:9114/metrics"</span> <span class="nb">echo</span> <span class="s2">" - cAdvisor: http://cadvisor:8080/metrics"</span> </code></pre> </div> <p>Run the script from your host machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 04-deploy-exporters.sh ./04-deploy-exporters.sh </code></pre> </div> <p><strong>The Output Analysis:</strong><br> Watch the logs closely. You will see:</p> <ol> <li> <strong>Certificate Generation:</strong> The script detects the missing <code>node-exporter</code> cert and generates a new one with the Gateway IP SAN.</li> <li> <strong>Container Launch:</strong> Three containers spin up (<code>node-exporter</code>, <code>cadvisor</code>, <code>elasticsearch-exporter</code>).</li> <li> <strong>Access Points:</strong> The script concludes by printing the targets: <ul> <li>Node Exporter: <code>https://172.30.0.1:9100/metrics</code> (Gateway Access).</li> <li>ES Exporter: <code>https://elasticsearch-exporter.cicd.local:9114/metrics</code>.</li> <li>cAdvisor: <code>http://cadvisor:8080/metrics</code>.</li> </ul> </li> </ol> <p>Our sensors are deployed. The city is now broadcasting on all frequencies. Before we turn on the "Brain" to record this data, we must perform a connectivity audit to ensure the signals are reaching the control center.</p> <h1> Chapter 6: Quality Assurance – The Connectivity Verification </h1> <h2> 6.1 The "Blind Spot" Risk </h2> <p>We have generated our configurations, patched our services, and deployed our translators. On paper, our monitoring infrastructure is complete.</p> <p>However, if we were to launch Prometheus immediately, we would be taking a significant operational risk. In a complex distributed system like our "City," configuration does not guarantee connectivity.</p> <p>The moment Prometheus starts, it will attempt to scrape all nine targets simultaneously. If there is a single misconfiguration—a firewall rule blocking port 9100, a typo in a certificate Common Name, or a missing authentication token—Prometheus will flood its own logs with generic, unhelpful errors like <code>context deadline exceeded</code> or <code>connection refused</code>.</p> <p>Diagnosing these errors from <em>within</em> the Prometheus logs is difficult because Prometheus is a high-level aggregator. It tells you <em>that</em> it failed, but rarely <em>why</em> it failed in sufficient detail to debug a TLS handshake or a DNS resolution issue.</p> <p>This creates a <strong>Blind Spot</strong>. We have built the pipes, but we haven't checked if they flow.</p> <p>To mitigate this, we adopt the philosophy of <strong>"Trust but Verify."</strong> Before we deploy the "Brain" (Prometheus), we must audit the nervous system. We need to perform an integration test that simulates a Prometheus scrape from the exact network vantage point that Prometheus will occupy.</p> <p>Our verification scope covers three distinct layers of failure:</p> <ol> <li> <strong>Network Reachability:</strong> Can we route packets to the target IP/Port? (Is the door open?)</li> <li> <strong>Identity Verification:</strong> Does the internal DNS (<code>*.cicd.local</code>) resolve correctly, and does the SSL Certificate match that name? (Is this the right house?)</li> <li> <strong>Security Authorization:</strong> Does the target accept our credentials (<code>Bearer Token</code> or <code>Passcode</code>) and return a valid HTTP 200 payload? (Do we have the key?)</li> </ol> <p>Only when all three layers pass for every single service will we clear the "Brain" for deployment.</p> <h2> 6.2 The Vantage Point (Host vs. Container) </h2> <p>A common mistake in validating distributed systems is testing from the wrong vantage point. It is tempting to simply run <code>curl https://gitlab.cicd.local:10300/</code> from your host terminal. If it returns a 200 OK, you might assume the system is healthy.</p> <p>This assumption is dangerous because your <strong>Host Machine</strong> has superpowers that your containers do not.</p> <ol> <li> <strong>The <code>/etc/hosts</code> Cheat:</strong> Your host machine resolves <code>gitlab.cicd.local</code> to <code>127.0.0.1</code> because we manually edited the hosts file in Article 7. Containers, however, rely on the internal Docker DNS server (<code>127.0.0.11</code>). If Docker DNS fails, your host will still work, but your containers will be blind.</li> <li> <strong>The Network Bypass:</strong> Your host machine accesses the containers via <strong>Port Mapping</strong> (e.g., <code>127.0.0.1:10300</code>). Containers access each other via the <strong>Bridge Network</strong> (<code>172.30.0.x:10300</code>). Testing via <code>localhost</code> bypasses the entire software-defined network (SDN) layer, failing to catch firewall rules or routing errors inside the bridge.</li> <li> <strong>The Trust Store Divergence:</strong> Your host machine trusts the CA because we ran <code>sudo update-ca-certificates</code>. The containers trust the CA because we baked it into their images (or mounted it). These are two completely separate filesystems. A pass on the host does not guarantee a pass in the container.</li> </ol> <p>To perform a valid audit, we must simulate the perspective of Prometheus itself. We need to stand inside the <code>cicd-net</code> network, use the Docker DNS resolver, and rely on the container's internal CA bundle.</p> <p>We achieve this by executing our verification logic <strong>inside</strong> the <code>dev-container</code>. This container acts as our "Test Probe." It sits on the same network as Prometheus, uses the same DNS, and has the same CA certificate mounted. If the <code>dev-container</code> can see the targets, we can be confident that Prometheus will see them too.</p> <h2> 6.3 The Verifier Script (<code>05-verify-services.sh</code>) </h2> <p>To automate this audit, we utilize the <code>05-verify-services.sh</code> script. This tool acts as the "Integration Test" for the entire network mesh we have built over the last few articles. It bridges the gap between the host (where we hold the keys) and the container network (where the locks are).</p> <h3> Architectural Highlights </h3> <p><strong>1. The Secret Bridge (Memory Injection)</strong><br> We face a security dilemma: the authentication tokens (<code>SONAR_WEB_SYSTEMPASSCODE</code>, <code>ARTIFACTORY_ADMIN_TOKEN</code>) live in <code>cicd.env</code> on the Host. We need to use them inside the <code>dev-container</code> to run <code>curl</code>. We cannot simply <code>cp</code> the env file into the container, as that would risk leaving sensitive artifacts on the container's filesystem.</p> <p>The script solves this by reading the secrets into memory on the host and then injecting them directly into the environment of the <code>docker exec</code> process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">SONAR_PASS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_PASS</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ART_TOKEN</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ART_TOKEN</span><span class="s2">"</span> <span class="se">\</span> dev-container <span class="se">\</span> bash <span class="nt">-c</span> <span class="s1">'...'</span> </code></pre> </div> <p>This ensures the secrets exist only in the RAM of the running test process and vanish immediately after the test completes.</p> <p><strong>2. The Reusable Probe (<code>check_metric</code>)</strong><br> To avoid writing repetitive <code>curl</code> commands, the script defines a Bash function <code>check_metric</code> inside the container context. This function abstracts away the complexity of:</p> <ul> <li>Handling both HTTP and HTTPS.</li> <li>injecting arbitrary headers (Bearer Tokens vs. Sonar Passcodes).</li> <li>Parsing the output to verify that actual content was returned (preventing false positives from empty 200 OK responses).</li> </ul> <h3> The Source Code: <code>05-verify-services.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/05-verify-services.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 05-verify-services.sh</span> <span class="c">#</span> <span class="c"># The "Verifier" Script.</span> <span class="c"># Runs a test loop inside the dev-container to validate</span> <span class="c"># that all 8 endpoints are reachable and returning metrics.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Load Secrets from Host ---</span> <span class="nv">ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/cicd.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># We source the file so Bash handles quote removal automatically.</span> <span class="c"># We run this in a subshell so we don't pollute the main script environment excessively.</span> <span class="nb">eval</span> <span class="si">$(</span> <span class="nb">set</span> <span class="nt">-a</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="c"># Print the variables we need so the parent script can capture them</span> <span class="nb">echo</span> <span class="s2">"export SONAR_PASS='</span><span class="nv">$SONAR_WEB_SYSTEMPASSCODE</span><span class="s2">'"</span> <span class="nb">echo</span> <span class="s2">"export ART_TOKEN='</span><span class="nv">$ARTIFACTORY_ADMIN_TOKEN</span><span class="s2">'"</span> <span class="nb">set</span> +a <span class="si">)</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: cicd.env not found."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"🚀 Starting Metrics Verification (Targeting: dev-container)..."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> <span class="c"># --- 2. Execute Loop Inside Container ---</span> <span class="c"># We pass the secrets as environment variables to the container command</span> docker <span class="nb">exec</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">SONAR_PASS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_PASS</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ART_TOKEN</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ART_TOKEN</span><span class="s2">"</span> <span class="se">\</span> dev-container <span class="se">\</span> bash <span class="nt">-c</span> <span class="s1">' # Function to check a metric endpoint check_metric() { NAME=$1 URL=$2 HEADER_FLAG=${3:-} HEADER_VAL=${4:-} echo "🔍 $NAME" echo " URL: $URL" # We capture the output. If curl fails, it usually prints to stderr. # We use tail -2 to show the last few lines of the metric payload. if [ -n "$HEADER_FLAG" ]; then CONTENT=$(curl -s "$HEADER_FLAG" "$HEADER_VAL" "$URL" | tail -n 2) else CONTENT=$(curl -s "$URL" | tail -n 2) fi # Check if content is empty (curl failed silently or empty response) if [ -z "$CONTENT" ]; then echo " ❌ FAILED (No Content)" else echo "$CONTENT" echo " ✅ OK" fi echo "---------------------------------------------------" } # --- Infrastructure (The Translators) --- check_metric "Node Exporter" "https://172.30.0.1:9100/metrics" check_metric "ES Exporter" "https://elasticsearch-exporter.cicd.local:9114/metrics" check_metric "cAdvisor" "http://cadvisor.cicd.local:8080/metrics" # --- Applications (The Retrofit) --- check_metric "GitLab" "https://gitlab.cicd.local:10300/-/metrics" check_metric "Jenkins" "https://jenkins.cicd.local:10400/prometheus/" check_metric "Mattermost" "http://mattermost.cicd.local:8067/metrics" # Authenticated Checks check_metric "SonarQube" "http://sonarqube.cicd.local:9000/api/monitoring/metrics" \ "-H" "X-Sonar-Passcode: $SONAR_PASS" check_metric "Artifactory" "https://artifactory.cicd.local:8443/artifactory/api/v1/metrics" \ "-H" "Authorization: Bearer $ART_TOKEN" '</span> </code></pre> </div> <h2> 6.4 Execution &amp; Forensics </h2> <p>We are now ready to audit the city. Run the verification script from your host machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 05-verify-services.sh ./05-verify-services.sh </code></pre> </div> <p><strong>Pro Tip:</strong> The script defaults to showing only the last 2 lines of output (using <code>tail -n 2</code>) to keep the console clean. If you wish to inspect the full flood of telemetry—which spans thousands of lines—you can edit the script to remove the <code>| tail -n 2</code> pipe and then redirect the output to a file for manual review:<br> <code>./05-verify-services.sh &gt; full_metrics_dump.txt</code></p> <h3> The Evidence </h3> <p>When you run the standard script, you should see a cascade of green checks. This is your "Connectivity Certificate."<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🚀 Starting Metrics Verification (Targeting: dev-container)... --------------------------------------------------- 🔍 Node Exporter URL: https://172.30.0.1:9100/metrics promhttp_metric_handler_requests_total{code="503"} 0 ✅ OK --------------------------------------------------- 🔍 cAdvisor URL: http://cadvisor.cicd.local:8080/metrics process_virtual_memory_max_bytes 1.8446744073709552e+19 ✅ OK --------------------------------------------------- 🔍 GitLab URL: https://gitlab.cicd.local:10300/-/metrics ruby_sampler_duration_seconds_total 499.7820231985699 ✅ OK --------------------------------------------------- 🔍 SonarQube URL: http://sonarqube.cicd.local:9000/api/monitoring/metrics sonarqube_health_web_status 1.0 ✅ OK ... </code></pre> </div> <p>If you see <code>✅ OK</code> for all 8 targets, you have proven three critical facts:</p> <ol> <li> <strong>Routing:</strong> The <code>cicd-net</code> bridge is correctly routing traffic between containers and the gateway.</li> <li> <strong>DNS:</strong> The internal names <code>gitlab.cicd.local</code> etc. are resolving to the correct internal IPs.</li> <li> <strong>Trust:</strong> The <code>dev-container</code> (and therefore Prometheus) successfully negotiated TLS handshakes with our internal Certificate Authority.</li> </ol> <p>But looking at these logs, you might wonder: <strong>What exactly are we looking at?</strong><br> What does <code>ruby_sampler_duration_seconds_total</code> actually mean? Why is <code>sonarqube_health_web_status</code> exactly 1.0?</p> <p>To move from "Verification" to "Understanding," we need to learn the language of Prometheus.</p> <h2> 6.5 Metric Anatomy: Understanding the Signal </h2> <p>The output we just witnessed is not random noise. It is a highly structured language known as the <strong>Prometheus Exposition Format</strong>. Every line follows a strict syntax that tells the database exactly how to store and index the data.</p> <p>To an uninitiated eye, it looks like a wall of text. But once you understand the four fundamental "Data Types," you can read the health of your server like a dashboard.</p> <h3> 1. The Counter (The "Odometer") </h3> <ul> <li> <strong>Identifier:</strong> Usually ends in <code>_total</code> (e.g., <code>node_cpu_seconds_total</code>, <code>http_requests_total</code>).</li> <li> <strong>Behavior:</strong> It starts at zero when the process launches and <strong>only goes up</strong>. It never decreases (unless the process crashes and restarts).</li> <li> <strong>The Analogy:</strong> Think of the odometer in a car. It tells you the car has driven 100,000 kilometers in its lifetime.</li> <li> <strong>The Usage:</strong> The raw number is mostly useless ("This server has handled 1 million requests since 2021"). The value lies in the <strong>Rate of Change</strong>. By comparing the counter now vs. 1 minute ago, Prometheus can calculate "Requests Per Second."</li> <li> <strong>Example from our Log:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node_network_transmit_drop_total 4671 </code></pre> </div> <p>This doesn't mean the network is failing <em>now</em>. It means 4,671 packets have been dropped since the machine turned on. If this number jumps to 5,000 in the next second, <em>then</em> we have a crisis.</p> <h3> 2. The Gauge (The "Speedometer") </h3> <ul> <li> <strong>Identifier:</strong> Standard nouns (e.g., <code>node_memory_MemFree_bytes</code>, <code>sonarqube_health_web_status</code>).</li> <li> <strong>Behavior:</strong> It can go up and down arbitrarily.</li> <li> <strong>The Analogy:</strong> Think of a speedometer or a fuel gauge. It tells you the state of the system <strong>right now</strong>.</li> <li> <strong>The Usage:</strong> You don't calculate the rate of a gauge; you look at its absolute value. Is the tank empty? Is the temperature too high?</li> <li> <strong>Example from our Log:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>process_virtual_memory_max_bytes 1.84e+19 </code></pre> </div> <p>This is a snapshot. At this exact millisecond, the process has access to this much virtual memory.</p> <h3> 3. The Histogram (The "Heatmap") </h3> <ul> <li> <strong>Identifier:</strong> Appears as a triplet: <code>_bucket</code>, <code>_sum</code>, and <code>_count</code>.</li> <li> <strong>Behavior:</strong> It groups observations into "buckets" to track distribution, usually for latency.</li> <li> <strong>The Analogy:</strong> Imagine sorting mail into slots based on weight: "Under 10g", "Under 50g", "Under 100g".</li> <li> <strong>The Usage:</strong> This allows us to calculate <strong>Percentiles</strong> (e.g., the P99). It answers questions like "Do 99% of my users see a response time under 0.5 seconds?" even if the average is much lower.</li> <li> <strong>Example from our Log (Mattermost):</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mattermost_api_time_bucket{le="0.1"} 15 mattermost_api_time_bucket{le="+Inf"} 20 </code></pre> </div> <p>This tells us that out of 20 total requests (<code>+Inf</code>), 15 of them completed in <strong>L</strong>ess than or <strong>E</strong>qual to (<code>le</code>) 0.1 seconds.</p> <h3> 4. The Summary (The "Pre-Calculated") </h3> <ul> <li> <strong>Identifier:</strong> Contains a <code>quantile</code> label (e.g., <code>quantile="0.9"</code>).</li> <li> <strong>Behavior:</strong> Similar to a Histogram, but the heavy math (calculating the P99) is done by the <strong>Client</strong> (the app), not the Server (Prometheus).</li> <li> <strong>The Usage:</strong> Useful for accurate snapshots of complex runtimes (like Go or Java garbage collection) without burdening the monitoring server with expensive calculations.</li> <li> <strong>Example from our Log (Jenkins/Java):</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jvm_gc_collection_seconds{quantile="0.5"} 0.003 </code></pre> </div> <p>This tells us the median (0.5) garbage collection pause was 3 milliseconds. We cannot re-aggregate this (you cannot average an average), but it gives us an instant health check.</p> <h2> 6.6 Decoding the City's Voice (Practical Examples) </h2> <p>Now that we understand the grammar, we can translate the specific messages our city is sending. The <code>verification</code> script output provides a glimpse into the operational reality of our stack.</p> <p><strong>1. The Infrastructure Voice (Node Exporter &amp; cAdvisor)</strong></p> <ul> <li> <strong>The Resource Tank:</strong> <code>node_memory_MemFree_bytes</code> (Gauge). If this gauge drops near zero, the host is starving. In a Linux environment, "Free" memory is often low because the kernel caches files, so we usually combine this with <code>node_memory_Cached_bytes</code> to get the true "Available" memory.</li> <li> <strong>The OOM Killer:</strong> <code>container_memory_failures_total</code> (Counter). This is one of the most critical signals in the Docker ecosystem. If this counter increases, it means a container tried to grab more RAM than its limit allowed, and the kernel likely killed it (OOM Killed). If you see this incrementing for SonarQube, your Java Heap is too big for the container.</li> </ul> <p><strong>2. The Application Voice (GitLab, Jenkins, SonarQube)</strong></p> <ul> <li> <strong>GitLab's Heartbeat:</strong> <code>ruby_sampler_duration_seconds_total</code> (Counter). GitLab is a massive Ruby on Rails monolith. This metric tracks the time the Ruby runtime spends just managing itself (sampling stack traces for performance profiling). A spike here indicates the application is struggling under its own weight, independent of user traffic.</li> <li> <strong>SonarQube's Pulse:</strong> <code>sonarqube_health_web_status</code> (Gauge). This is a binary signal: <code>1.0</code> means healthy, <code>0.0</code> means dead. It’s simple, but vital. It tells us that the web server is not just running, but successfully connected to its Database and Elasticsearch backend.</li> <li> <strong>Jenkins' Throughput:</strong> <code>jvm_memory_pool_allocated_bytes_created</code> (Counter). Jenkins is memory-hungry. This counter shows the churn—how many bytes of temporary objects are being created. In a heavy build environment, this number skyrockets as pipelines instantiate thousands of short-lived variables.</li> </ul> <p><strong>3. The Storage Voice (Artifactory)</strong></p> <ul> <li> <strong>The Warehouse Capacity:</strong> <code>jfrt_stg_summary_repo_size_bytes</code> (Gauge). This tells us the physical disk consumption of a specific repository (e.g., <code>libs-release-local</code>). It allows us to set alerts: "Warn me when the Maven repository exceeds 50GB."</li> </ul> <h2> 6.7 Conclusion </h2> <p>We have done the hard work. We have retrofitted the endpoints, built the translators, pierced the isolation layers, and verified the signals.</p> <p>The nervous system is fully active. Every component of our architecture—from the silicon of the CPU to the Ruby code of GitLab—is now broadcasting a continuous stream of detailed telemetry.</p> <p>But currently, these signals are just vanishing into the void. We have no "Brain" to record them, analyze them, or alert us when they deviate from the norm.</p> <p>In the next chapter, we will deploy <strong>Prometheus</strong>. We will configure it to scrape these validated endpoints, storing the history of our city in a Time Series Database so we can finally visualize the invisible.</p> <h1> Chapter 7: The Brain – Deploying Prometheus </h1> <h2> 7.1 The Time-Series Database (TSDB) </h2> <p>We have successfully built a nervous system. Across our "City," sensors are firing—reporting CPU temperatures, garbage collection pauses, and API latency. However, these signals are ephemeral. If Node Exporter reports that CPU usage spiked to 100% at 3:00 AM, but no one was watching at that exact second, the information is lost forever.</p> <p>We need a memory. We need a system that can ingest these millions of fleeting data points, timestamp them, and store them efficiently for retrieval.</p> <p>You might ask: <em>Why not just use Postgres?</em> We already have a robust Postgres deployment running for SonarQube and GitLab.</p> <p>The answer lies in the shape of the data. Operational telemetry is fundamentally different from transactional data.</p> <ul> <li> <strong>Transactional Data (Postgres):</strong> "User A updated their profile." This is low volume, requires strict consistency (ACID), and often involves updating existing rows.</li> <li> <strong>Time-Series Data (Prometheus):</strong> "CPU is 40%... now 42%... now 45%." This is massive volume (thousands of writes per second), purely append-only (we never "update" history), and is queried by time ranges ("Show me the trend over the last hour").</li> </ul> <p>Prometheus is a specialized <strong>Time-Series Database (TSDB)</strong> designed exactly for this workload. It does not wait for agents to send it data (the "Push" model). Instead, it acts as the "Brain" of our architecture. It maintains a list of targets (the "Map" we built in Chapter 3), and every 15 seconds, it reaches out to every limb of the infrastructure to capture its current state (the "Pull" model).</p> <p>This Pull model is crucial for system reliability. If a service goes down, Prometheus knows immediately because the scrape fails. In a Push model, the monitoring system can't easily distinguish between "The service is down" and "The service is just quiet."</p> <p>To give our Brain long-term memory, we will mount a Docker volume (<code>prometheus-data</code>). This ensures that even if we destroy and redeploy the Prometheus container, the history of our city remains intact.</p> <h2> 7.2 Security by Design (The "Nobody" User) </h2> <p>Deploying Prometheus introduces a specific operational constraint that catches many engineers off guard: <strong>Identity</strong>.</p> <p>In the Docker ecosystem, laziness is common. Most containers default to running as <code>root</code> (UID 0) inside the container. This makes permission management easy—root can read and write anything—but it is a security nightmare. If a vulnerability is found in the application, the attacker gains root access to the container and potentially the host.</p> <p>Prometheus takes the high road. The official image is engineered to run as the <strong><code>nobody</code> user (UID 65534)</strong> by default. This is the standard "Least Privilege" identity on Linux systems. It has no shell, no home directory, and most importantly, it owns nothing.</p> <p>This creates a conflict with our deployment strategy.</p> <p>We are injecting our "Map" (<code>prometheus.yml</code>) and our "Shield" (<code>web-config.yml</code>) by <strong>Bind Mounting</strong> them from the Host machine into the container.</p> <ul> <li> <strong>Host Path:</strong> <code>~/cicd_stack/prometheus/config/prometheus.yml</code> (Owned by you, UID 1000).</li> <li> <strong>Container Path:</strong> <code>/etc/prometheus/prometheus.yml</code> (Read by Prometheus, UID 65534).</li> </ul> <p>If we simply mounted these files, the Prometheus process would crash with <code>Permission Denied</code> because the <code>nobody</code> user cannot read files owned by your personal account (assuming standard strict permissions).</p> <p>This explains the "Surgical Strike" we performed back in <strong>Chapter 3</strong> (<code>01-setup-monitoring.sh</code>). By running <code>sudo chown -R 65534:65534</code> on the configuration directory, we pre-aligned the file ownership. We ensured that when the Brain wakes up, it has the permission to read its own memories.</p> <p><em>Note: For the database itself (<code>/prometheus</code>), we utilize a **Named Volume</em>* (<code>prometheus-data</code>). Unlike the configuration files which we manage manually, the database storage is managed entirely by the Docker Engine, which handles the complex permissions required for high-throughput writes automatically.*</p> <h2> 7.3 Self-Defense (TLS for Prometheus) </h2> <p>We often think of Prometheus as a <strong>Client</strong>: it reaches out to scrape metrics from other services. But Prometheus is also a <strong>Server</strong>. It exposes a powerful HTTP API and a Web UI on port 9090.</p> <p>This interface is the "Brain's" primary output. It is where human operators write PromQL queries to diagnose outages, and it is where visualization tools like Grafana connect to fetch the data they need to draw charts.</p> <p>In a standard "quick start" tutorial, Prometheus runs on plain HTTP. This is acceptable for a hobby project, but in a production environment (and in our "City"), unencrypted HTTP is a vulnerability. It means that:</p> <ol> <li> <strong>Snooping:</strong> Anyone on the network can read the metric stream (which often contains sensitive business intelligence like build volumes or user counts).</li> <li> <strong>Spoofing:</strong> A malicious actor could impersonate the Prometheus server and feed false data to your dashboards.</li> </ol> <p>To prevent this, we apply the same <strong>Zero Trust</strong> standard to the monitoring system that we applied to the application stack. We configure Prometheus to speak <strong>HTTPS</strong> natively.</p> <p>This is handled by the <code>--web.config.file</code> flag in our deployment script. This flag points to the <code>web-config.yml</code> file we generated back in Chapter 3, which contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">tls_server_config</span><span class="pi">:</span> <span class="na">cert_file</span><span class="pi">:</span> <span class="s">/etc/prometheus/certs/prometheus.crt</span> <span class="na">key_file</span><span class="pi">:</span> <span class="s">/etc/prometheus/certs/prometheus.key</span> </code></pre> </div> <p>When Prometheus starts, it will load these certificates and open a secure listener on port 9090.</p> <p><strong>The Payoff: End-to-End Trust</strong></p> <p>Because we have meticulously managed our Public Key Infrastructure (PKI) throughout this series, we get two massive benefits immediately:</p> <ol> <li> <strong>The Host Browser:</strong> When you visit <code>https://prometheus.cicd.local:9090</code> from your host machine, you will see a green "Secure" padlock. This is because in 0006_cicd_part02_certificate_authority, we imported our custom Root CA into the host's system trust store. Your browser recognizes the signature and trusts the site instantly.</li> <li> <strong>The Future Connection (Grafana):</strong> In the upcoming chapters, we will deploy Grafana. Grafana will not talk to Prometheus over <code>http://localhost</code>. It will connect securely via <code>https://prometheus.cicd.local:9090</code>. Because we injected the Root CA into the Grafana container during the "Setup" phase (Chapter 3), this internal API connection will be fully encrypted and mutually trusted without any "insecure skip verify" hacks.</li> </ol> <p>We have now secured the Brain. It scrapes securely, and it serves securely.</p> <h2> 7.4 The Deployment Script (<code>06-deploy-prometheus.sh</code>) </h2> <p>We now have all the components: the User Identity (<code>nobody</code>), the Storage Volume (<code>prometheus-data</code>), the Configuration Map (<code>prometheus.yml</code>), and the TLS Shield (<code>web-config.yml</code>).</p> <p>We bring them together in the deployment script.</p> <p><strong>Analysis of the Script:</strong></p> <ul> <li> <strong>The Identity Flag (<code>--user 65534:65534</code>):</strong> This forces the container to run strictly as the unprivileged <code>nobody</code> user. It matches the file ownerships we set on the host config directories.</li> <li> <strong>The "Map" Mount:</strong> We mount our handcrafted <code>prometheus.yml</code> (from Chapter 3) to <code>/etc/prometheus/prometheus.yml</code>. This tells the Brain where the Limbs are.</li> <li> <strong>The "Shield" Mount:</strong> We mount the <code>web-config.yml</code> and the <code>certs</code> directory. This enables the HTTPS listener.</li> <li> <strong>The "Memories" Mount:</strong> We map the named volume <code>prometheus-data</code> to <code>/prometheus</code>. This is where the Time Series Database (TSDB) actually lives.</li> </ul> <h3> The Source Code: <code>06-deploy-prometheus.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/06-deploy-prometheus.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 06-deploy-prometheus.sh</span> <span class="c">#</span> <span class="c"># Deploys "The Brain".</span> <span class="c"># - Network: cicd-net</span> <span class="c"># - Identity: prometheus.cicd.local (Self-scraping)</span> <span class="c"># - Security: TLS on port 9090 via web-config.yml</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Prometheus (The Brain)..."</span> <span class="c"># --- 1. Load Paths ---</span> <span class="nv">PROMETHEUS_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/prometheus"</span> <span class="c"># --- 2. Cleanup Old Container ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>prometheus<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>docker <span class="nb">rm</span> <span class="nt">-f</span> prometheus <span class="k">fi</span> <span class="c"># --- 3. Deploy ---</span> <span class="c"># Note: We run as UID 65534 ('nobody') which owns the mounted volumes.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> prometheus <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> prometheus.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:9090:9090 <span class="se">\</span> <span class="nt">--user</span> 65534:65534 <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/prometheus.yml"</span>:/etc/prometheus/prometheus.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/web-config.yml"</span>:/etc/prometheus/web-config.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$PROMETHEUS_BASE</span><span class="s2">/config/certs"</span>:/etc/prometheus/certs:ro <span class="se">\</span> <span class="nt">--volume</span> prometheus-data:/prometheus <span class="se">\</span> prom/prometheus:latest <span class="se">\</span> <span class="nt">--config</span>.file<span class="o">=</span>/etc/prometheus/prometheus.yml <span class="se">\</span> <span class="nt">--storage</span>.tsdb.path<span class="o">=</span>/prometheus <span class="se">\</span> <span class="nt">--web</span>.config.file<span class="o">=</span>/etc/prometheus/web-config.yml <span class="se">\</span> <span class="nt">--web</span>.external-url<span class="o">=</span>https://prometheus.cicd.local:9090 <span class="nb">echo</span> <span class="s2">"✅ Prometheus Deployed."</span> <span class="nb">echo</span> <span class="s2">" URL: https://prometheus.cicd.local:9090"</span> <span class="nb">echo</span> <span class="s2">" Note: Browser will warn about CA unless installed."</span> </code></pre> </div> <h2> 7.5 First Breath (Target Verification) </h2> <p>It is time to turn on the machine.</p> <p>Run the deployment script from your host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 06-deploy-prometheus.sh ./06-deploy-prometheus.sh </code></pre> </div> <p>If the container starts successfully (check <code>docker ps</code>), we proceed to the "Moment of Truth."</p> <p>Open your web browser on the host and navigate to:<br> <strong><code>https://prometheus.cicd.local:9090/targets</code></strong></p> <p><em>Note: Because you installed the Root CA in the CA article you should see a secure padlock icon in the address bar. The browser trusts this internal site just as it trusts a public bank website.</em></p> <h3> The Goal: 9/9 UP </h3> <p>You will be greeted by the Prometheus Targets interface. This is the real-time status dashboard of the collector.</p> <p>You are looking for a table listing our 9 defined targets (Node Exporter, cAdvisor, Jenkins, GitLab, etc.).</p> <ul> <li> <strong>State:</strong> Every single target should be marked <strong>UP</strong> in green.</li> <li> <strong>Error:</strong> There should be no red text or "Context Deadline Exceeded" errors.</li> </ul> <p>This screen is the visual confirmation of everything we worked for. It proves that the Brain can reach the Limbs, authenticate, and parse the data.</p> <h3> The First Query </h3> <p>To prove that data is actually being recorded to the disk, click on <strong>Query</strong> in the top navigation bar.</p> <p>In the expression bar, type the simplest query possible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>up </code></pre> </div> <p>Click <strong>Execute</strong>.</p> <p>You should see a list of results with a value of <code>1</code>.<br> In PromQL, <code>up</code> is a synthetic metric.</p> <ul> <li> <code>1</code> = The scrape was successful.</li> <li> <code>0</code> = The scrape failed.</li> </ul> <p>If you switch to the <strong>Graph</strong> tab (next to Table), you will see a flat line at <code>1</code>. This is the heartbeat of your city. As long as that line stays at 1, your infrastructure is alive.</p> <p>The Brain is active. The data is flowing. We are now ready to give this data a face. In the next chapter, we will deploy <strong>Grafana</strong> to transform these raw numbers into beautiful, actionable insights.</p> <h1> Chapter 8: The Face (Part 1) – Automated Provisioning </h1> <h2> 8.1 The "Infrastructure as Code" Philosophy </h2> <p>We have built the "Brain" (Prometheus) and verified the "Nervous System" (The Exporters). Now we must build the "Face" of our city: the <strong>Grafana</strong> visualization layer.</p> <p>In a traditional setup, an engineer would launch Grafana, log in to the web interface, manually click "Add Data Source," type in <code>http://prometheus:9090</code>, and then manually upload JSON files one by one to create dashboards.</p> <p>This manual approach is <strong>fragile</strong>.</p> <ul> <li> <strong>It is not reproducible:</strong> If you destroy the Grafana container to upgrade it, you lose your configurations unless you have perfectly managed your persistent volumes.</li> <li> <strong>It is tedious:</strong> We have nine distinct services to visualize. Configuring them by hand is prone to human error (e.g., typing <code>https</code> instead of <code>http</code>).</li> <li> <strong>It violates our principles:</strong> We are building a "City from Code." The state of our monitoring system should be defined in a script, not in the click-history of a web browser.</li> </ul> <p>To solve this, we utilize Grafana's <strong>Provisioning</strong> system.</p> <p>Grafana allows us to define "Providers" via configuration files (YAML) placed in specific directories. When the container starts, it scans these directories.</p> <ol> <li> <strong>Datasources:</strong> It automatically connects to Prometheus using the credentials and certificates we define in code.</li> <li> <strong>Dashboards:</strong> It automatically loads visualization definitions (JSON files) from a designated folder on the disk.</li> </ol> <p>This approach effectively turns our monitoring system into <strong>Stateless Code</strong>. We could burn down the entire monitoring stack, run our deployment scripts, and have the exact same beautiful dashboards appear within seconds, without ever touching a mouse.</p> <p>In this chapter, we will prepare these provisioning assets on our host machine so they are ready to be mounted into the Grafana container in Chapter 9.</p> <h2> 8.2 The Provider Configuration (<code>dashboards.yaml</code>) </h2> <p>The first step in automated provisioning is to tell Grafana <em>where</em> to look for our visualizations. We do this by creating a provider configuration file.</p> <p>This YAML file acts as a map. It instructs Grafana to watch a specific directory on the filesystem (<code>/etc/grafana/provisioning/dashboards/json</code>). Any JSON file dropped into this folder will be instantly ingested and rendered as a dashboard in the UI.</p> <p>We will automate the creation of this file in our provisioning script <code>07-provision-dashboards.sh</code>, but it is important to understand what we are writing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Default'</span> <span class="na">orgId</span><span class="pi">:</span> <span class="m">1</span> <span class="na">folder</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">type</span><span class="pi">:</span> <span class="s">file</span> <span class="na">disableDeletion</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">updateIntervalSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">allowUiUpdates</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">options</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/grafana/provisioning/dashboards/json</span> </code></pre> </div> <p><strong>Key Configuration Details:</strong></p> <ul> <li> <strong><code>path</code></strong>: This is the critical link. It points to a location <em>inside the container</em>. In Chapter 9, we will mount our host directory <code>~/cicd_stack/grafana/provisioning/dashboards/json</code> to this container path, bridging the gap between our code repo and the running application.</li> <li> <strong><code>updateIntervalSeconds: 10</code></strong>: This is a powerful feature for development. It tells Grafana to re-scan the folder every 10 seconds. If we edit a JSON file on our host machine, Grafana detects the change and updates the dashboard live, without requiring a container restart.</li> <li> <strong><code>allowUiUpdates: true</code></strong>: This permits us to make tweaks in the UI if necessary (though our goal is to keep everything in code).</li> </ul> <p>By defining this provider, we prepare the "empty vessel." Now we need to fill it with actual visualization definitions.</p> <h2> 8.3 The Dashboard Portfolio </h2> <p>We will deploy a balanced portfolio of visualizations, split into two distinct layers: the <strong>Infrastructure Layer</strong> (Standard) and the <strong>Application Layer</strong> (Bespoke).</p> <h3> 1. The Infrastructure Layer (Community Standards) </h3> <p>For standard tools like Docker and Linux, there is no need to reinvent the wheel. The open-source community has already built excellent dashboards. In our provisioning script, we will automate the downloading of these JSON definitions directly from Grafana.com:</p> <ul> <li> <strong>Node Exporter Full (ID: 1860):</strong> A comprehensive view of the Host Machine. It tracks CPU core usage, RAM saturation, Disk I/O latency, and Network bandwidth. If the host is slow, this dashboard proves it.</li> <li> <strong>cAdvisor Containers (ID: 14282):</strong> A granular view of the Docker Engine. It allows us to drill down into specific containers (e.g., "Why is <code>jenkins</code> using 4GB of RAM?").</li> <li> <strong>Elasticsearch (ID: 2322):</strong> A health check for our logging cluster. It visualizes JVM heap usage, garbage collection times, and index health statuses.</li> <li> <strong>Go Processes (ID: 6671):</strong> Since many of our components (Prometheus, Node Exporter, Mattermost) are written in Go, this dashboard gives us deep insight into their runtime behavior, specifically Goroutine counts and Garbage Collection pauses.</li> </ul> <h3> 2. The Application Layer (Bespoke Injection) </h3> <p>For our core CI/CD applications—GitLab, Jenkins, SonarQube, Artifactory, and Mattermost—standard community dashboards often fail. They might expect different job names (e.g., <code>job="kubernetes-pods"</code> instead of our <code>job="jenkins"</code>), or they might not track the specific custom metrics we verified in Chapter 6.</p> <p>To ensure accurate visibility, we will <strong>inject</strong> our own custom-tailored JSON definitions. These dashboards are designed to map perfectly to the specific metrics we are emitting:</p> <ul> <li> <strong>Jenkins:</strong> Visualizes the <code>jenkins_queue_size_value</code> to detect build backlogs and <code>jenkins_runs_failure_total</code> to track pipeline stability.</li> <li> <strong>SonarQube:</strong> Tracks the critical <code>sonarqube_health_web_status</code> and the depth of the Compute Engine queue (<code>pending_tasks</code>).</li> <li> <strong>GitLab:</strong> Monitors the Ruby on Rails runtime, specifically <code>puma_active_connections</code> and <code>http_requests_total</code> to measure traffic load.</li> <li> <strong>Artifactory:</strong> Visualizes storage consumption (<code>jfrt_stg_summary_repo_size_bytes</code>) so we know when our artifact warehouse is filling up.</li> <li> <strong>Mattermost:</strong> Tracks real-time user activity via <code>mattermost_active_users</code> and WebSocket connections.</li> </ul> <p>By combining downloaded standards with injected customs, we create a complete observability suite that covers everything from the silicon to the software.</p> <h2> 8.4 The Provisioning Script (<code>07-provision-dashboards.sh</code>) </h2> <p>We automate the entire setup process with <code>07-provision-dashboards.sh</code>. This script is the "Construction Crew" for our visualization layer. It performs four critical tasks:</p> <ol> <li> <strong>Preparation:</strong> It creates the directory structure and temporarily takes ownership of it (since the directory is normally owned by the Grafana user, UID 472).</li> <li> <strong>Configuration:</strong> It generates the <code>dashboards.yaml</code> provider file we discussed in Section 8.2.</li> <li> <strong>Downloading:</strong> It fetches the "Infrastructure Layer" dashboards directly from Grafana's API. Crucially, it uses <code>sed</code> to patch them on the fly, replacing variable datasource names (like <code>${DS_PROMETHEUS}</code>) with our hardcoded value <code>"Prometheus"</code> to prevent "Datasource not found" errors.</li> <li> <strong>Injection:</strong> It detects our "Application Layer" custom JSON files in the current directory and copies them into the provisioning folder.</li> </ol> <h3> The Source Code: <code>07-provision-dashboards.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/07-provision-dashboards.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 07-provision-dashboards.sh</span> <span class="c">#</span> <span class="c"># Configures Grafana Dashboard Provisioning.</span> <span class="c"># 1. Temporarily takes ownership of config dir.</span> <span class="c"># 2. Downloads Standard Dashboards.</span> <span class="c"># 3. Injects LOCAL Custom Dashboards (SonarQube, etc).</span> <span class="c"># 4. Restores ownership to Grafana (UID 472).</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🎨 Provisioning Grafana Dashboards..."</span> <span class="c"># --- 1. Paths ---</span> <span class="nv">GRAFANA_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/grafana"</span> <span class="nv">DASH_CONF_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning/dashboards"</span> <span class="nv">JSON_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$DASH_CONF_DIR</span><span class="s2">/json"</span> <span class="c"># --- 2. Prepare Permissions ---</span> <span class="nb">echo</span> <span class="s2">" 🔓 Temporarily unlocking permissions..."</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning"</span> <span class="c"># --- 3. Create Provider Config ---</span> <span class="nb">echo</span> <span class="s2">" 📝 Writing Provider Config..."</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$DASH_CONF_DIR</span><span class="sh">/dashboards.yaml" apiVersion: 1 providers: - name: 'Default' orgId: 1 folder: '' type: file disableDeletion: false updateIntervalSeconds: 10 allowUiUpdates: true options: path: /etc/grafana/provisioning/dashboards/json </span><span class="no">EOF </span><span class="c"># --- 4. Download Standard Dashboards ---</span> download_dash<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">ID</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">NAME</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">local </span><span class="nv">FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/</span><span class="k">${</span><span class="nv">NAME</span><span class="k">}</span><span class="s2">.json"</span> <span class="nb">echo</span> <span class="s2">" ⬇️ Downloading </span><span class="nv">$NAME</span><span class="s2"> (ID: </span><span class="nv">$ID</span><span class="s2">)..."</span> curl <span class="nt">-s</span> <span class="s2">"https://grafana.com/api/dashboards/</span><span class="nv">$ID</span><span class="s2">/revisions/latest/download"</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/\$\{DS_PROMETHEUS[^}]*\}/Prometheus/g'</span> | <span class="se">\</span> <span class="nb">sed</span> <span class="s1">'s/"datasource":.*"\${.*}"/"datasource": "Prometheus"/g'</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$FILE</span><span class="s2">"</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"--- Infrastructure Layer ---"</span> download_dash <span class="s2">"1860"</span> <span class="s2">"node-exporter-full"</span> download_dash <span class="s2">"14282"</span> <span class="s2">"cadvisor-containers"</span> download_dash <span class="s2">"2322"</span> <span class="s2">"elasticsearch"</span> download_dash <span class="s2">"19105"</span> <span class="s2">"prometheus-modern"</span> <span class="nb">echo</span> <span class="s2">"--- Application Layer ---"</span> download_dash <span class="s2">"6671"</span> <span class="s2">"go-processes"</span> <span class="c"># --- 5. Inject Local Custom Dashboard ---</span> <span class="c"># The script checks for local files and copies them to the provisioning dir</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"sonarqube_dashboard.json"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 📥 Injecting local 'sonarqube_dashboard.json'..."</span> <span class="nb">cp</span> <span class="s2">"sonarqube_dashboard.json"</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/sonarqube-native.json"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ⚠️ WARNING: 'sonarqube_dashboard.json' not found."</span> <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"artifactory_dashboard.json"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 📥 Injecting local 'artifactory_dashboard.json'..."</span> <span class="nb">cp</span> <span class="s2">"artifactory_dashboard.json"</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/artifactory.json"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ⚠️ WARNING: 'artifactory_dashboard.json' not found."</span> <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"gitlab_dashboard.json"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 📥 Injecting local 'gitlab_dashboard.json'..."</span> <span class="nb">cp</span> <span class="s2">"gitlab_dashboard.json"</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/gitlab.json"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ⚠️ WARNING: 'gitlab_dashboard.json' not found."</span> <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"jenkins_dashboard.json"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 📥 Injecting local 'jenkins_dashboard.json'..."</span> <span class="nb">cp</span> <span class="s2">"jenkins_dashboard.json"</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/jenkins.json"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ⚠️ WARNING: 'jenkins_dashboard.json' not found."</span> <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"mattermost_dashboard.json"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 📥 Injecting local 'mattermost_dashboard.json'..."</span> <span class="nb">cp</span> <span class="s2">"mattermost_dashboard.json"</span> <span class="s2">"</span><span class="nv">$JSON_DIR</span><span class="s2">/mattermost.json"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ⚠️ WARNING: 'mattermost_dashboard.json' not found."</span> <span class="k">fi</span> <span class="c"># --- 6. Restore Permissions ---</span> <span class="nb">echo</span> <span class="s2">" 🔒 Restoring permissions for Grafana (UID 472)..."</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 472:472 <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning"</span> <span class="nb">echo</span> <span class="s2">"✅ All Dashboards Provisioned."</span> </code></pre> </div> <h2> 8.5 Staging the Custom Assets </h2> <p>Before running the provisioning script, we must ensure our "Application Layer" assets are in place. The script expects five specific JSON files to exist in your current directory. It will copy these into the container's volume.</p> <p>Ensure you have the following files in <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/</code>:</p> <ol> <li> <strong><code>sonarqube_dashboard.json</code></strong> (Maps to <code>sonarqube-native.json</code>)</li> <li> <strong><code>artifactory_dashboard.json</code></strong> (Maps to <code>artifactory.json</code>)</li> <li> <strong><code>gitlab_dashboard.json</code></strong> (Maps to <code>gitlab.json</code>)</li> <li> <strong><code>jenkins_dashboard.json</code></strong> (Maps to <code>jenkins.json</code>)</li> <li> <strong><code>mattermost_dashboard.json</code></strong> (Maps to <code>mattermost.json</code>)</li> </ol> <p><em>Note: These files contain the thousands of lines of JSON definition required to draw the specific charts we verified in Chapter 6. You can download them from the repository accompanying this article series.</em></p> <p>Once these files are staged, execute the provisioning script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 07-provision-dashboards.sh ./07-provision-dashboards.sh </code></pre> </div> <p><strong>What to Watch For:</strong></p> <ul> <li>You should see <code>Downloading node-exporter-full...</code> as it hits the internet.</li> <li>You should see <code>Injecting local 'sonarqube_dashboard.json'...</code> as it detects your custom files.</li> <li>The script should finish with <code>✅ All Dashboards Provisioned.</code> </li> </ul> <p>If you see <code>⚠️ WARNING: ... not found</code>, it means you forgot to save the JSON file in the same folder as the script.</p> <p>With the provisioning complete, the visualization layer is essentially "pre-loaded" on the host disk. All that remains is to launch the Grafana container and let it mount these configurations. We will do this in the next chapter.</p> <h1> Chapter 9: The Face (Part 2) – Launching Grafana </h1> <h2> 9.1 The Visualization Layer </h2> <p>We have successfully built the "Brain" of our city. Prometheus is alive, scraping metrics every 15 seconds, and storing them in its time-series database. However, a brain without a face is difficult to interact with. While Prometheus does have a built-in web interface, it is designed for debugging queries, not for operational visibility. It gives you raw data, not insights.</p> <p>To solve this, we introduce <strong>Grafana</strong>.</p> <p>Grafana is the "Face" of our infrastructure. It connects to the Prometheus database, retrieves the raw time-series data, and transforms it into rich, interactive visualizations—graphs, gauges, heatmaps, and tables. If Prometheus tells you <em>what</em> happened at a specific microsecond, Grafana tells you <em>why</em> it matters by visualizing the trend over time.</p> <h3> The Shift to Statelessness </h3> <p>In many tutorials, Grafana is deployed as a "Pet." It uses an embedded SQLite database stored in a Docker volume. If you want to back up your users or sessions, you have to back up that specific file. If the volume corrupts, you lose your accounts.</p> <p>We are building a <strong>Production-Grade City</strong>, so we will take a more robust approach. We will treat the Grafana container as <strong>Stateless</strong>.</p> <ol> <li> <strong>State (Users &amp; Sessions):</strong> Instead of using a local SQLite file, we will connect Grafana to the <strong>PostgreSQL</strong> database we deployed in the Artifactory article. This creates a centralized "Source of Truth" for identity and session data that is independent of the visualization container.</li> <li> <strong>Configuration (Dashboards &amp; Settings):</strong> Instead of manually editing settings in the UI, we will inject our configuration and dashboard definitions from the host file system.</li> <li> <strong>Assets (Plugins):</strong> We will use a standard Docker volume strictly for installed plugins and temporary files.</li> </ol> <p>This architecture makes our Grafana container almost entirely disposable. If we destroy it and redeploy it (which we will do frequently in a CI/CD context), it simply reconnects to the database, re-reads the dashboard files, and picks up exactly where it left off.</p> <h3> The Identity Constraint (UID 472) </h3> <p>Just like Prometheus, Grafana adheres to strict security practices. The official Docker image runs as a non-privileged user named <code>grafana</code>, which corresponds to <strong>UID 472</strong>.</p> <p>This identity is critical for our storage strategy.</p> <ul> <li> <strong>The Config Maps:</strong> We will bind-mount our configuration files (<code>grafana.ini</code>, <code>provisioning/</code>) as <strong>Read-Only</strong>. Since standard Linux files are world-readable, the <code>grafana</code> user can read them but cannot change them. This enforces <strong>Immutability</strong>.</li> <li> <strong>The Plugin Volume:</strong> We will use a Docker Named Volume (<code>grafana-data</code>) for the <code>/var/lib/grafana</code> directory. Docker automatically manages the permissions of named volumes, ensuring UID 472 can write to it without us having to manually <code>chown</code> host directories.</li> </ul> <p>We have the architecture. Now, let's configure the connection to the database.</p> <h2> 9.2 Database Configuration (Environment Overrides) </h2> <p>Traditionally, configuring software involves editing a large file like <code>grafana.ini</code>. While we did generate a baseline configuration in Chapter 3, editing it now to add database passwords would violate our security principles. It would force us to bake cleartext secrets into a file on the disk.</p> <p>Instead, we will use the <strong>12-Factor App</strong> methodology.</p> <p>Grafana allows us to override <em>any</em> setting in its configuration file using <strong>Environment Variables</strong>. The syntax is predictable:<br> <code>GF_&lt;SectionName&gt;_&lt;KeyName&gt;</code></p> <p>We will use this mechanism to inject our PostgreSQL connection details at runtime. This keeps our static configuration files clean and our secrets strictly in memory (or passed securely by the container runtime).</p> <p>Here are the specific overrides we will apply:</p> <ul> <li> <strong><code>GF_DATABASE_TYPE=postgres</code></strong>: Explicitly tells Grafana to abandon its default SQLite engine.</li> <li> <strong><code>GF_DATABASE_HOST=postgres.cicd.local:5432</code></strong>: Points to the shared database cluster we built previously. Note that we use the internal Docker DNS name.</li> <li> <strong><code>GF_DATABASE_NAME=grafana</code></strong>: The specific database we created for this service.</li> <li> <strong><code>GF_DATABASE_USER=grafana</code></strong>: The dedicated user account.</li> <li> <strong><code>GF_DATABASE_SSL_MODE=require</code></strong>: This is <strong>critical</strong>. Our PostgreSQL cluster (configured in the Artifactory article) is set to reject any non-SSL connections from the network. If we omit this, Grafana will attempt a plain connection, and Postgres will immediately terminate it.</li> </ul> <p>By passing these variables, we turn a generic Grafana container into a specific, stateful node in our infrastructure.</p> <h2> 9.3 The Deployment Script (<code>08-deploy-grafana.sh</code>) </h2> <p>We now bring all these requirements together in our deployment script. This script acts as the bridge between our secure "City" infrastructure (Certificates, Secrets, Database) and the Grafana container.</p> <p><strong>Key features of this script:</strong></p> <ol> <li> <strong>Secret Loading:</strong> It sources <code>~/cicd_stack/cicd.env</code> to retrieve the <code>GRAFANA_DB_PASSWORD</code>. This allows us to pass the database credentials securely without hardcoding them in a visible config file.</li> <li> <strong>Environment Injection:</strong> It uses <code>--env-file "$GRAFANA_ENV"</code> to load the base Grafana configuration variables we set up in Chapter 3.</li> <li> <strong>Database Connection:</strong> It explicitly sets the <code>GF_DATABASE_*</code> variables in the <code>docker run</code> command to force the connection to our shared PostgreSQL cluster, ensuring the container remains stateless.</li> <li> <strong>SSL Enforcement:</strong> It sets <code>GF_DATABASE_SSL_MODE=require</code> to comply with the strict security policy we configured in <code>pg_hba.conf</code>.</li> </ol> <h3> The Source Code: <code>08-deploy-grafana.sh</code> </h3> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0013_cicd_part09_prometheus_grafana/08-deploy-grafana.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 08-deploy-grafana.sh</span> <span class="c">#</span> <span class="c"># Deploys "The Face" (Grafana).</span> <span class="c"># - Network: cicd-net</span> <span class="c"># - Identity: grafana.cicd.local</span> <span class="c"># - Security: HTTPS (Port 3000) + UID 472 (Grafana User)</span> <span class="c"># - Backend: Connects to postgres.cicd.local (Stateless Container)</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Load Secrets ---</span> <span class="nv">ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/cicd.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: cicd.env not found."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"🚀 Deploying Grafana (The Face)..."</span> <span class="c"># --- 2. Define Paths ---</span> <span class="nv">GRAFANA_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/grafana"</span> <span class="nv">GRAFANA_ENV</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/grafana.env"</span> <span class="c"># --- 3. Permission Fix (Environment File) ---</span> <span class="c"># The Docker CLI needs to read this file to inject variables.</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$GRAFANA_ENV</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" 🔓 Unlocking env file permissions..."</span> <span class="nb">sudo chown</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRAFANA_ENV</span><span class="s2">"</span> <span class="nb">sudo chmod </span>640 <span class="s2">"</span><span class="nv">$GRAFANA_ENV</span><span class="s2">"</span> <span class="k">fi</span> <span class="c"># --- 4. Cleanup Old Container ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>grafana<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" ♻️ Removing existing container..."</span> docker <span class="nb">rm</span> <span class="nt">-f</span> grafana <span class="k">fi</span> <span class="c"># --- 5. Deploy ---</span> <span class="c"># We inject the Postgres config via GF_DATABASE_* variables.</span> <span class="c"># We explicitly set SSL_MODE=require because our Postgres acts as a strict CA authority.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> grafana <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> grafana.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:3000:3000 <span class="se">\</span> <span class="nt">--user</span> 472:472 <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$GRAFANA_ENV</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_TYPE</span><span class="o">=</span>postgres <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_HOST</span><span class="o">=</span>postgres.cicd.local:5432 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_NAME</span><span class="o">=</span>grafana <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_USER</span><span class="o">=</span>grafana <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_PASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GRAFANA_DB_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GF_DATABASE_SSL_MODE</span><span class="o">=</span>require <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/grafana.ini"</span>:/etc/grafana/grafana.ini:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/config/certs"</span>:/etc/grafana/certs:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$GRAFANA_BASE</span><span class="s2">/provisioning"</span>:/etc/grafana/provisioning:ro <span class="se">\</span> <span class="nt">--volume</span> grafana-data:/var/lib/grafana <span class="se">\</span> grafana/grafana:latest <span class="nb">echo</span> <span class="s2">"✅ Grafana Deployed."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">" URL: https://grafana.cicd.local:3000"</span> <span class="nb">echo</span> <span class="s2">" User: admin"</span> <span class="nb">echo</span> <span class="s2">" Password: (Run the command below to see it)"</span> <span class="nb">echo</span> <span class="s2">" grep GRAFANA_ADMIN_PASSWORD ~/cicd_stack/cicd.env"</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> </code></pre> </div> <h2> 9.4 First Contact (Verification) </h2> <p>It is time to turn on the face of our city.</p> <p>Run the deployment script from your host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 08-deploy-grafana.sh ./08-deploy-grafana.sh </code></pre> </div> <p>Wait about 15-30 seconds for the container to start and for the database migrations to complete. You can verify it is healthy with <code>docker ps</code>. If you want to confirm the database connection immediately, check the logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs grafana | <span class="nb">grep</span> <span class="s2">"Connecting to DB"</span> </code></pre> </div> <p><em>You should see a message confirming the connection to <code>postgres</code>.</em></p> <h3> The Moment of Truth </h3> <p>Open your web browser on the host and navigate to:<br> <strong><code>https://grafana.cicd.local:3000</code></strong></p> <ol> <li> <strong>Secure Lock:</strong> You should see the green padlock immediately. This confirms our Root CA trust chain is working for this new service.</li> <li><strong>Login:</strong></li> <li> <strong>User:</strong> <code>admin</code> </li> <li> <strong>Password:</strong> Retrieve it from your environment file: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep </span>GRAFANA_ADMIN_PASSWORD ~/cicd_stack/cicd.env </code></pre> </div> <h3> Verification 1: The Stateless Backend </h3> <p>We need to prove that we are actually using the shared PostgreSQL cluster and not a hidden SQLite file.</p> <ol> <li>In the Grafana sidebar, locate the <strong>Administration</strong> section (usually a gear or shield icon at the bottom).</li> <li>Click <strong>Settings</strong>.</li> <li>In the search bar or list, look for the <strong><code>[database]</code></strong> section.</li> <li>Verify the following line:</li> <li> <strong>type:</strong> <code>postgres</code> </li> <li> <strong>host:</strong> <code>postgres.cicd.local:5432</code> </li> </ol> <p>If this says <code>sqlite3</code>, the environment variable injection failed. If it says <code>postgres</code>, you have successfully deployed a stateless application.</p> <h3> Verification 2: The Provisioned Dashboards </h3> <p>We need to prove that our "Infrastructure as Code" provisioning worked.</p> <ol> <li>Click <strong>Dashboards</strong> in the left sidebar.</li> <li>You should see a populated list of dashboards ready to go. Unlike a manual installation which starts empty, your screen will be filled with the visualizations we defined in code:</li> <li><em>Artifactory Native Metrics</em></li> <li><em>Cadvisor exporter</em></li> <li><em>ElasticSearch</em></li> <li><em>GitLab Omnibus Complete</em></li> <li><em>Jenkins: Performance</em></li> <li><em>Node Exporter Full</em></li> <li><em>SonarQube Native Metrics</em></li> </ol> <p>Click on <strong>"Node Exporter Full"</strong>.<br> You should immediately see live graphs of your host's CPU, Memory, and Disk usage.</p> <p>Click on <strong>"Jenkins: Performance"</strong>.<br> If your Jenkins container is running, you will see the build queue status and executor counts populated.</p> <p>The face is active. The system is observing itself. We have achieved Full Stack Visibility.</p> <h1> Chapter 10: Conclusion – Full Stack Visibility </h1> <h2> 10.1 The Infrastructure Layer (The Streets &amp; Foundations) </h2> <p>We begin our tour at the foundation of our city. Just as a city planner monitors the power grid and road network, we must monitor the physical resources that power our applications. We use two key dashboards for this: <strong>Node Exporter Full</strong> and <strong>cAdvisor</strong>.</p> <h3> Node Exporter Full (The Host) </h3> <p>This dashboard is your "Check Engine" light. It tells you if the host machine itself is healthy, regardless of which specific container is consuming resources.</p> <p>Looking at our live metrics, we can verify the health of our host:</p> <ul> <li> <strong>System Load (8.9%):</strong> Our system load is extremely low compared to our capacity. With 24 cores available, an 8.9% load means we have massive headroom for scaling our CI/CD pipelines. We are nowhere near saturation.</li> <li> <strong>RAM Usage (85.4%):</strong> This looks high, but it is normal for a dedicated host running heavy Java applications (Jenkins, SonarQube, Artifactory) and Elasticsearch. Linux caches unused memory to speed up file access. Crucially, our <strong>Swap Used</strong> is only 4.6%, meaning the active working set fits comfortably in physical RAM.</li> <li> <strong>Root FS Used (33.6%):</strong> Our disk usage is healthy. We have ample space for Docker images, build artifacts, and logs.</li> </ul> <p><strong>The Insight:</strong> The physical host is stable. If an application feels slow, it is likely a software configuration issue (e.g., JVM heap limit), not a lack of raw hardware power.</p> <h3> cAdvisor (The Containers) </h3> <p>If Node Exporter is the view from a satellite, cAdvisor is the view from a drone hovering over each building. It breaks down resource usage <em>per container</em>.</p> <p>This dashboard allows us to answer the question: <em>"Who is eating the RAM?"</em></p> <ul> <li> <strong>GitLab:</strong> Unsurprisingly, GitLab is our heaviest resident, consuming an average of <strong>4.11 GiB</strong> of RAM and spiking to <strong>27.7% CPU</strong> usage. This is expected for a monolithic Rails application.</li> <li> <strong>Artifactory:</strong> Consuming <strong>2.71 GiB</strong>, typical for a Java-based artifact manager.</li> <li> <strong>Elasticsearch:</strong> Holding steady at <strong>2.65 GiB</strong>.</li> <li> <strong>Jenkins Controller:</strong> Surprisingly efficient at <strong>936 MiB</strong>. This likely indicates it is currently idle; if we triggered a build pipeline, we would expect to see this metric climb.</li> </ul> <p><strong>The Insight:</strong> We can see our resource allocation strategy in action. We have given the heavy lifters (GitLab, Artifactory, Elasticsearch) the room they need, while lighter services like <code>node-exporter</code> (11 MiB) and <code>coturn</code> (20.9 MiB) run with minimal footprint.</p> <p>This layer proves that our "City" has a solid foundation. The streets (Network), power (CPU), and land (RAM) are sufficient for the buildings we have constructed. Now, let's look inside the factories.</p> <h2> 10.2 The Application Layer (The Factories) </h2> <p>While the Infrastructure Layer monitors the "City," the Application Layer looks inside the "Factories." This is where we verify that our CI/CD business logic is actually functioning. We use our bespoke dashboards for this.</p> <h3> Jenkins: Performance (The Foreman) </h3> <p>This dashboard reveals the operational state of our automation server.</p> <p>Looking at the live metrics, we see a distinct architectural signature:</p> <ul> <li> <strong>Executors Free (0):</strong> In a traditional setup, "0 Free Executors" would be a critical alert implying a total blockage. However, in our <strong>Controller-Agent</strong> architecture (which we configured to spawn ephemeral Docker agents), this is <em>normal behavior</em>. The Controller itself has 0 executors because it delegates all work to agents.</li> <li> <strong>Build Queue Size (0):</strong> This is the true health indicator. Even though we just started a build, the queue is empty. This means the ephemeral agent provisioning infrastructure worked instantly. The job was picked up and is currently running.</li> <li> <strong>System Health Score (Healthy):</strong> Jenkins internal self-check is passing.</li> </ul> <p><strong>The Insight:</strong> The "0 Executors" metric confirms that we are adhering to the "Master does no work" best practice. We aren't burning CPU cycles on the controller for builds; we are outsourcing them to the Docker socket.</p> <h3> GitLab Omnibus (The Warehouse) </h3> <p>This dashboard is often the most revealing because GitLab is the heaviest component in our stack.</p> <ul> <li> <strong>RSS Memory (21.2 GiB):</strong> This single number explains the high memory usage we saw on the Host Dashboard (85.4%). GitLab's "Puma" (web server) and "Sidekiq" (background workers) workers are memory-hungry processes. This validates why we allocated a dedicated host for this stack.</li> <li> <strong>Latency P95 (496 ms):</strong> For a complex Rails application, a sub-500ms response time at the 95th percentile is acceptable.</li> <li> <strong>Total Request Rate (0.022 ops/s):</strong> The system is currently idle regarding user traffic, yet memory usage remains high. This is characteristic of Java and Ruby applications; they reserve memory upfront.</li> </ul> <p><strong>The Insight:</strong> If we ever need to scale, <strong>RAM</strong> will be our bottleneck, not CPU. We know this because GitLab is consuming ~70% of total system memory while the CPU sits idle.</p> <h3> SonarQube (The Inspector) </h3> <p>This dashboard verifies our code quality gatekeeper.</p> <ul> <li> <strong>DevOps Integrations (GitLab: OK):</strong> This green "OK" is technically profound. It confirms that the OAuth2/OIDC connection we configured in previous articles is active. SonarQube can talk to GitLab to decorate Pull Requests.</li> <li> <strong>Pending Tasks (0):</strong> The Compute Engine is keeping up with the workload. If we saw this number rise during a build, it would mean our Quality Gate analysis is slower than our CI pipeline.</li> </ul> <h2> 10.3 The "Ah-Ha" Moment (Correlation) </h2> <p>The true power of this stack isn't looking at one dashboard; it's looking at <strong>all of them simultaneously</strong>.</p> <p>Let's trace the "Pulse" of a single CI pipeline event through our monitoring city:</p> <ol> <li> <strong>The Trigger:</strong> A developer pushes code to GitLab.</li> <li><p><em>GitLab Dashboard:</em> <code>http_requests_total</code> spikes slightly as the webhook is fired.</p></li> <li><p><strong>The Job:</strong> Jenkins receives the webhook.</p></li> <li><p><em>Jenkins Dashboard:</em> <code>jenkins_queue_size</code> momentarily bumps to 1, then drops to 0 as an agent is spawned.</p></li> <li><p><strong>The Provisioning:</strong> The Ephemeral Agent starts.</p></li> <li><p><em>cAdvisor Dashboard:</em> A new container appears in the list. You see a sudden spike in CPU usage attributed to <code>docker</code> processes as the container spins up.</p></li> <li><p><strong>The Analysis:</strong> The build completes and sends code to SonarQube.</p></li> <li><p><em>SonarQube Dashboard:</em> <code>sonarqube_compute_engine_pending_tasks</code> moves from 0 to 1. The <code>Compute Engine Status</code> might briefly toggle states.</p></li> <li><p><strong>The Impact:</strong> The Host.</p></li> <li><p><em>Node Exporter Dashboard:</em> You see the aggregate effect. The "System Load" climbs, and "Network Traffic" spikes as artifacts move between GitLab (Registry), Jenkins (Build), and SonarQube (Analysis).</p></li> </ol> <p><strong>The Value:</strong> We have moved from "Something is slow" to "The Jenkins Agent is waiting on Disk I/O because GitLab is performing a heavy garbage collection cycle." That is the difference between guessing and engineering.</p> <h2> 10.4 Closing Thoughts </h2> <p>We started this series with a blank Linux server and a commitment to "First Principles." We didn't just install tools; we architected a city.</p> <ol> <li> <strong>Foundations:</strong> We built a "Control Center" to manage Docker securely (Article 1).</li> <li> <strong>Identity:</strong> We established a private Certificate Authority so every service could prove its identity (Article 2).</li> <li> <strong>The Districts:</strong> We constructed the Source Code Library (GitLab), the Factory (Jenkins), the Warehouse (Artifactory), the Inspection Office (SonarQube), the Public Address System (Mattermost), and the Investigation Bureau (ELK).</li> </ol> <p>Now, with <strong>Article 9</strong>, we have turned the lights on.</p> <p>By deploying Prometheus and Grafana, we have achieved <strong>Full Stack Visibility</strong>. We are no longer guessing why a build is slow; we can see the CPU spike on the host, the memory pressure in the container, and the queue depth in the application—all on one screen. We have moved from "managing tools" to "observing a system."</p> <p>This marks the completion of our infrastructure. The city is built. The roads are paved. The factories are running.</p> <h3> <strong>Next Steps</strong> </h3> <p>There is only one thing left to do.</p> <p>We have a powerful city, but we are currently operating it like manual laborers—clicking buttons in UIs and running shell scripts. To truly master this stack, we need to automate the <em>operation</em> of the city itself.</p> <p>In the final article of this series, <strong>Article 10: The Python API Package (Capstone)</strong>, we will build the "Master Control Package." We will write a professional Python library that wraps the APIs of every service we have deployed, allowing us to orchestrate our entire infrastructure—from creating GitLab repos to triggering Jenkins builds—programmatically from our Control Center.</p> prometheus grafana cicd devops Warren Jitsing Tue, 23 Dec 2025 05:45:13 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-08-building-a-sovereign-software-factory-observability-with-the-elk-stack-2159 https://dev.to/warren_jitsing_dd1c1d6fc6/part-08-building-a-sovereign-software-factory-observability-with-the-elk-stack-2159 <p>GitHub: <a href="https://github.com/InfiniteConsult/0012_cicd_part08_elk" rel="noopener noreferrer">https://github.com/InfiniteConsult/0012_cicd_part08_elk</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Noise Problem" where fragmented logs make debugging impossible. We deploy the <strong>ELK Stack (Elasticsearch, Logstash, Kibana)</strong> as our <strong>"Radar System,"</strong> but first, we must navigate the <strong>"Abstraction Leak"</strong> of Elasticsearch by tuning the host kernel's <code>vm.max_map_count</code> via an architect script. We implement a sophisticated <strong>Ingest Pipeline</strong> to parse logs from GitLab, SonarQube, and Artifactory into structured data, and deploy <strong>Filebeat</strong> as a host-level collector to harvest logs without modifying our existing containers.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08: Building a Sovereign Software Factory: Observability with the ELK Stack</strong> (You are here)</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The "Black Box" Problem </h1> <h2> 1.1 The 3 AM Scenario </h2> <p>We have spent the last seven articles building a robust "Software Factory." We have a Git server, a Build server, a Quality Gate, an Artifact Warehouse, and a Chat bot. The lights are on, the machines are humming, and the code is flowing.</p> <p>But we have a problem.</p> <p>Imagine it is 3:00 AM. You receive a frantic message from a developer: <em>"The build is failing, and I can't merge the hotfix."</em></p> <p>You log into Jenkins. The build status is red, but the console output just says <code>Build failed: Connection refused</code>. Connection to what? Is Artifactory down? Did the SonarQube token expire? Is the GitLab webhook failing?</p> <p>To find out, you have to perform the "Systems Administrator Dance":</p> <ol> <li> SSH into the host server.</li> <li> Run <code>docker ps</code> to find the container IDs.</li> <li> Run <code>docker logs -f jenkins-controller</code> and scroll through thousands of lines of Java stack traces.</li> <li> Open a second terminal.</li> <li> Run <code>docker logs -f gitlab</code> and grep for Nginx errors.</li> <li> Open a third terminal for SonarQube.</li> </ol> <p>You are manually correlating timestamps across three different windows, trying to guess if a log entry at <code>15:01:05</code> in Jenkins matches an error at <code>15:01:06</code> in GitLab.</p> <p>This is the <strong>"Black Box" Problem</strong>. We have built a distributed system, but we are managing it like a monolith. We have excellent components, but zero visibility into how they interact.</p> <p>In this article, we are going to fix this. We are going to stop treating logs as text files scattered across disk drives and start treating them as <strong>Data</strong>. We will build a Centralized Observability Pipeline that allows us to answer complex questions ("Show me all errors that happened in the last 5 minutes across <em>all</em> services") without ever touching the SSH command.</p> <h2> 1.2 Architecture from First Principles </h2> <p>To solve this, we need a "Central Investigation Office." In the industry, this is typically handled by the <strong>ELK Stack</strong>—an acronym for three open-source tools maintained by Elastic:</p> <ol> <li> <strong>Elasticsearch (The Brain):</strong> A search engine and database. It stores our logs not as text strings, but as structured JSON documents. It allows us to search terabytes of data in milliseconds.</li> <li> <strong>Logstash (The Parser):</strong> Historically, this was the middleman. It received messy text streams, used Regex to parse them into fields, and then sent the clean data to the database.</li> <li> <strong>Kibana (The Interface):</strong> The visualization layer. This is the dashboard where we will build graphs, charts, and maps to visualize the data stored in "The Brain."</li> </ol> <p>However, for our platform, we are going to make a crucial architectural deviation to keep our stack efficient.</p> <p><strong>We are removing Logstash.</strong></p> <p>In a massive enterprise with thousands of servers, Logstash is useful as a heavy-duty buffer and router. But for a single-node "Factory in a Box" like ours, Logstash is unnecessary overhead. It requires a heavy JVM (Java Virtual Machine) and adds latency and complexity to our deployment.</p> <p>Instead, we will use <strong>Filebeat</strong> as our shipping agent. Filebeat is lightweight, written in Go, and sits directly on the host. It will ship logs directly to Elasticsearch.</p> <p>But this creates a problem: if we remove the Parser (Logstash), who parses the logs? If Jenkins sends a raw text line, who turns it into a JSON object?</p> <p>The answer lies in <strong>Elasticsearch Ingest Pipelines</strong>. Modern Elasticsearch has the ability to run parsing logic (Grok patterns, Date parsing, GeoIP lookups) on the incoming data itself, just before it is indexed. This simplifies our stack significantly: fewer containers to manage, less RAM consumed, and a more direct data path. We are effectively moving the "intelligence" from the middleman to the destination.</p> <h2> 1.3 The "Zero-Privilege" Mandate </h2> <p>When deploying a log collector, you face a critical security choice: <strong>How do you access the data?</strong></p> <p>Option A is <strong>Dynamic Autodiscovery</strong>. This is a feature often used in large clusters where Filebeat automatically detects when a new container starts, identifies it via the Docker API, and begins harvesting its logs. To do this, Filebeat typically requires access to the <strong>Docker Socket</strong> (<code>/var/run/docker.sock</code>).</p> <p>We must treat the Docker Socket as a "Root Key." If a malicious actor compromises a container that has access to this socket, they can issue API commands to spin up new privileged containers, mount the host's root filesystem, and take over the entire server.</p> <p>Option B is <strong>Static File Ingestion</strong>. This is the "dumb," manual approach. We explicitly tell Filebeat: <em>"There are log files in this specific directory. Read them."</em></p> <p>We choose <strong>Option B</strong>.</p> <p>We will not mount the Docker socket. Instead, we will mount the host's volume directory (<code>/var/lib/docker/volumes</code>) into Filebeat as <strong>Read-Only</strong>. Filebeat will look at the disk, see the log files generated by Jenkins and Nginx, and ship them. It cannot query the Docker API, it cannot inspect container metadata, and most importantly, it cannot control the Docker daemon.</p> <p>This makes our configuration slightly more verbose (we have to map paths manually), but it ensures that our logging infrastructure cannot be weaponized against us.</p> <h1> Chapter 2: The Architect Script </h1> <h2> 2.1 The Kernel Barrier: <code>vm.max_map_count</code> (Again) </h2> <p>Before we can launch a single container, we must address the Operating System.</p> <p>If you recall from <strong>Article 6 (SonarQube)</strong>, we encountered a critical kernel tunable called <code>vm.max_map_count</code>. SonarQube failed to start because its embedded Elasticsearch engine required more memory map areas than the default Linux kernel allows.</p> <p>Now that we are running a dedicated, standalone Elasticsearch cluster, this requirement is even more strict.</p> <p>Elasticsearch relies heavily on <code>mmap</code> (memory-mapped files) to store its indices. This allows the database to map logical file contents directly into the process's virtual memory space, letting the OS handle the paging. It is a massive performance optimization.</p> <p>However, the default limit on most Linux distros (Debian included) is <code>65,530</code> maps. Elasticsearch requires at least <code>262,144</code>.</p> <p>If we ignore this, the Elasticsearch container will start, print a cryptic bootstrap check failure, and immediately die. Because this is a <strong>Kernel</strong> setting, we cannot fix it inside the <code>Dockerfile</code>; it must be applied to the <strong>Host</strong>.</p> <p>This necessitates a dedicated setup script. We cannot simply rely on <code>docker run</code> commands; we need an "Architect" script (<code>01-setup-elk.sh</code>) to prepare the physical ground before we pour the digital concrete.</p> <p>Here is the complete script. Save this as <code>01-setup-elk.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-elk.sh</span> <span class="c">#</span> <span class="c"># The "Architect" script for the ELK Stack.</span> <span class="c">#</span> <span class="c"># 1. Kernel: Enforces vm.max_map_count=262144.</span> <span class="c"># 2. Secrets: Generates Passwords &amp; Encryption Keys.</span> <span class="c"># 3. Preparation: Temporarily owns config dirs for writing.</span> <span class="c"># 4. Configs: Generates configs for ES, Kibana, Filebeat.</span> <span class="c"># 5. Integration: Configures Jenkins sidecar logging &amp; redeploys.</span> <span class="c"># 6. Permissions: Enforces strict ownership (Root/UID 1000).</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># Jenkins Integration Paths</span> <span class="nv">JENKINS_MODULE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins"</span> <span class="nv">JENKINS_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/jenkins.env"</span> <span class="nv">JENKINS_VOL_DATA</span><span class="o">=</span><span class="s2">"/var/lib/docker/volumes/jenkins-home/_data"</span> <span class="c"># Source Certificate Paths</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">SRC_CA_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="nv">SRC_ES_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elk/elasticsearch.cicd.local/elasticsearch.cicd.local.crt.pem"</span> <span class="nv">SRC_ES_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elk/elasticsearch.cicd.local/elasticsearch.cicd.local.key.pem"</span> <span class="nv">SRC_KIB_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elk/kibana.cicd.local/kibana.cicd.local.crt.pem"</span> <span class="nv">SRC_KIB_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/elk/kibana.cicd.local/kibana.cicd.local.key.pem"</span> <span class="c"># Config Destinations</span> <span class="nv">ES_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/config"</span> <span class="nv">KIBANA_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/config"</span> <span class="nv">FILEBEAT_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/config"</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting ELK 'Architect' Setup..."</span> <span class="c"># --- 2. Host Kernel Tuning ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 1: Kernel Tuning ---"</span> <span class="nv">REQUIRED_MAP_COUNT</span><span class="o">=</span>262144 <span class="nv">SYSCTL_CONF</span><span class="o">=</span><span class="s2">"/etc/sysctl.conf"</span> <span class="nv">CURRENT_MAP_COUNT</span><span class="o">=</span><span class="si">$(</span><span class="nb">sudo </span>sysctl <span class="nt">-n</span> vm.max_map_count<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CURRENT_MAP_COUNT</span><span class="s2">"</span> <span class="nt">-lt</span> <span class="s2">"</span><span class="nv">$REQUIRED_MAP_COUNT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Updating runtime limit..."</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> vm.max_map_count<span class="o">=</span><span class="nv">$REQUIRED_MAP_COUNT</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Runtime limit sufficient."</span> <span class="k">fi if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"vm.max_map_count=</span><span class="nv">$REQUIRED_MAP_COUNT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Persisting limit in </span><span class="nv">$SYSCTL_CONF</span><span class="s2">..."</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'/vm.max_map_count/d'</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"vm.max_map_count=</span><span class="nv">$REQUIRED_MAP_COUNT</span><span class="s2">"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null <span class="k">fi</span> <span class="c"># --- 3. Directory &amp; Secrets Setup ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 2: Secrets &amp; Directories ---"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="s2">/certs"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">touch</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">fi </span>key_exists<span class="o">()</span> <span class="o">{</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^</span><span class="nv">$1</span><span class="s2">="</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> generate_secret<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 32<span class="p">;</span> <span class="o">}</span> generate_password<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 16<span class="p">;</span> <span class="o">}</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">false </span><span class="k">if</span> <span class="o">!</span> key_exists <span class="s2">"ELASTIC_PASSWORD"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ELASTIC_PASSWORD=</span><span class="se">\"</span><span class="si">$(</span>generate_password<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">!</span> key_exists <span class="s2">"KIBANA_PASSWORD"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"KIBANA_PASSWORD=</span><span class="se">\"</span><span class="si">$(</span>generate_password<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">!</span> key_exists <span class="s2">"XPACK_SECURITY_ENCRYPTIONKEY"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"XPACK_SECURITY_ENCRYPTIONKEY=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"XPACK_REPORTING_ENCRYPTIONKEY=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$update_env</span><span class="s2">"</span> <span class="o">=</span> <span class="nb">true</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Secrets generated."</span><span class="p">;</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Secrets loaded."</span><span class="p">;</span> <span class="k">fi </span><span class="nb">set</span> <span class="nt">-a</span><span class="p">;</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="nb">set</span> +a <span class="c"># --- 4. Ownership Handoff ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Ownership Handoff ---"</span> <span class="nv">CURRENT_USER</span><span class="o">=</span><span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span> <span class="nv">CURRENT_GROUP</span><span class="o">=</span><span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$CURRENT_USER</span><span class="s2">:</span><span class="nv">$CURRENT_GROUP</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">"</span> <span class="c"># --- 5. Staging Certificates ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 4: Staging Certificates ---"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_ES_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs/elasticsearch.crt"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_ES_KEY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs/elasticsearch.key"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs/ca.pem"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_KIB_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs/kibana.crt"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_KIB_KEY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs/kibana.key"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs/ca.pem"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$SRC_CA_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="s2">/certs/ca.pem"</span> <span class="c"># --- 6. Configuration Generation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 5: Generating Config Files ---"</span> <span class="c"># A. Elasticsearch</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ES_CONFIG_DIR</span><span class="sh">/elasticsearch.yml" cluster.name: "cicd-elk" node.name: "elasticsearch.cicd.local" network.host: 0.0.0.0 discovery.type: single-node path.data: /usr/share/elasticsearch/data path.logs: /usr/share/elasticsearch/logs xpack.security.enabled: true xpack.security.http.ssl: enabled: true key: /usr/share/elasticsearch/config/certs/elasticsearch.key certificate: /usr/share/elasticsearch/config/certs/elasticsearch.crt certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca.pem" ] xpack.security.transport.ssl: enabled: true key: /usr/share/elasticsearch/config/certs/elasticsearch.key certificate: /usr/share/elasticsearch/config/certs/elasticsearch.crt certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca.pem" ] ingest.geoip.downloader.enabled: false </span><span class="no">EOF </span><span class="c"># B. Kibana</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="sh">/kibana.yml" server.host: "0.0.0.0" server.name: "kibana.cicd.local" server.publicBaseUrl: "https://kibana.cicd.local:5601" server.ssl.enabled: true server.ssl.certificate: "/usr/share/kibana/config/certs/kibana.crt" server.ssl.key: "/usr/share/kibana/config/certs/kibana.key" server.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.pem"] elasticsearch.hosts: [ "https://elasticsearch.cicd.local:9200" ] elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/certs/ca.pem" ] elasticsearch.username: "kibana_system" elasticsearch.password: "</span><span class="se">\$</span><span class="sh">{ELASTICSEARCH_PASSWORD}" xpack.security.encryptionKey: "</span><span class="nv">$XPACK_SECURITY_ENCRYPTIONKEY</span><span class="sh">" xpack.encryptedSavedObjects.encryptionKey: "</span><span class="nv">$XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY</span><span class="sh">" xpack.reporting.encryptionKey: "</span><span class="nv">$XPACK_REPORTING_ENCRYPTIONKEY</span><span class="sh">" telemetry.enabled: false telemetry.optIn: false newsfeed.enabled: false map.includeElasticMapsService: false xpack.fleet.enabled: false xpack.apm.enabled: false xpack.actions.preconfigured: mattermost-webhook: name: "Mattermost CI/CD Channel" actionTypeId: .webhook config: url: "</span><span class="se">\$</span><span class="sh">{MATTERMOST_WEBHOOK_URL}" method: post hasAuth: false </span><span class="no">EOF </span><span class="c"># C. Filebeat</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="sh">/filebeat.yml" filebeat.inputs: # 1. Jenkins (Sidecar File) # Reads the file generated by standard Java Logging - type: filestream id: jenkins-log paths: - /host_volumes/jenkins-home/_data/logs/jenkins.log* prospector.scanner.exclude_files: ['</span><span class="se">\.</span><span class="sh">lck</span><span class="nv">$'</span><span class="sh">] fields: { service_name: "jenkins" } fields_under_root: true multiline.type: pattern multiline.pattern: '^</span><span class="se">\[\d</span><span class="sh">{4}-</span><span class="se">\d</span><span class="sh">{2}-</span><span class="se">\d</span><span class="sh">{2}' multiline.negate: true multiline.match: after # 2. Host System Logs (Journald) # Reads binary logs directly from host journal directories - type: journald id: host-system paths: - /var/log/journal fields: { service_name: "system" } fields_under_root: true # 3. GitLab Nginx - type: filestream id: gitlab-nginx paths: - /host_volumes/gitlab-logs/_data/nginx/*access.log - /host_volumes/gitlab-logs/_data/nginx/*error.log fields: { service_name: "gitlab-nginx" } fields_under_root: true # 4. SonarQube CE - type: filestream id: sonarqube-ce paths: - /host_volumes/sonarqube-logs/_data/ce.log fields: { service_name: "sonarqube" } fields_under_root: true multiline.type: pattern multiline.pattern: '^</span><span class="se">\d</span><span class="sh">{4}.</span><span class="se">\d</span><span class="sh">{2}.</span><span class="se">\d</span><span class="sh">{2}' multiline.negate: true multiline.match: after # 5. Mattermost - type: filestream id: mattermost paths: - /host_volumes/mattermost-logs/_data/mattermost.log fields: { service_name: "mattermost" } fields_under_root: true # 6. Artifactory - type: filestream id: artifactory paths: - /host_volumes/artifactory-data/_data/log/artifactory-service.log - /host_volumes/artifactory-data/_data/log/artifactory-request.log - /host_volumes/artifactory-data/_data/log/access-service.log fields: { service_name: "artifactory" } fields_under_root: true multiline.type: pattern multiline.pattern: '^</span><span class="se">\d</span><span class="sh">{4}-</span><span class="se">\d</span><span class="sh">{2}-</span><span class="se">\d</span><span class="sh">{2}' multiline.negate: true multiline.match: after output.elasticsearch: hosts: ["https://elasticsearch.cicd.local:9200"] pipeline: "cicd-logs" protocol: "https" ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.pem"] username: "elastic" password: "</span><span class="nv">$ELASTIC_PASSWORD</span><span class="sh">" setup.ilm.enabled: false setup.template.enabled: false </span><span class="no">EOF </span><span class="c"># D. Jenkins Logging Configuration (Sidecar Strategy)</span> <span class="c"># 1. Create the Java logging properties file in the Jenkins volume</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$JENKINS_VOL_DATA</span><span class="s2">/logs"</span> <span class="nb">echo</span> <span class="s2">"--- Generating Jenkins logging.properties ---"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | sudo tee "</span><span class="nv">$JENKINS_VOL_DATA</span><span class="sh">/logging.properties" &gt; /dev/null handlers = java.util.logging.FileHandler .level = INFO # File Handler Configuration # Pattern: %h = user.home (jenkins_home), %g = generation number java.util.logging.FileHandler.pattern = %h/logs/jenkins.log java.util.logging.FileHandler.limit = 10485760 java.util.logging.FileHandler.count = 3 java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter java.util.logging.FileHandler.append = true # Format: [YYYY-MM-DD HH:MM:SS] [LEVEL] Logger - Message java.util.logging.SimpleFormatter.format = [%1</span><span class="se">\$</span><span class="sh">tF %1</span><span class="se">\$</span><span class="sh">tT] [%4</span><span class="se">\$</span><span class="sh">s] %3</span><span class="se">\$</span><span class="sh">s - %5</span><span class="se">\$</span><span class="sh">s %6</span><span class="se">\$</span><span class="sh">s%n </span><span class="no">EOF </span><span class="c"># Ensure Jenkins User (UID 1000) owns the config</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 1000:1000 <span class="s2">"</span><span class="nv">$JENKINS_VOL_DATA</span><span class="s2">/logs"</span> <span class="nb">sudo chown </span>1000:1000 <span class="s2">"</span><span class="nv">$JENKINS_VOL_DATA</span><span class="s2">/logging.properties"</span> <span class="c"># 2. Update Jenkins Environment to use this config</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"java.util.logging.config.file"</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"--- Injecting JAVA_OPTS into jenkins.env ---"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# ELK Integration: Sidecar Logging"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s1">'JAVA_OPTS=-Djava.util.logging.config.file=/var/jenkins_home/logging.properties'</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Jenkins env already configured for logging."</span> <span class="k">fi</span> <span class="c"># 3. Redeploy Jenkins to apply changes</span> <span class="nb">echo</span> <span class="s2">"--- Redeploying Jenkins Controller ---"</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-controller.sh<span class="o">)</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"⚠️ WARNING: Jenkins module not found at </span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">."</span> <span class="nb">echo</span> <span class="s2">" Jenkins logging will not be active until deployed."</span> <span class="k">fi</span> <span class="c"># --- 7. Env Files ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 6: Scoped Env Files ---"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ELK_BASE</span><span class="sh">/elasticsearch/elasticsearch.env" ELASTIC_PASSWORD=</span><span class="nv">$ELASTIC_PASSWORD</span><span class="sh"> ES_JAVA_OPTS=-Xms1g -Xmx1g </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ELK_BASE</span><span class="sh">/kibana/kibana.env" ELASTICSEARCH_PASSWORD=</span><span class="nv">$KIBANA_PASSWORD</span><span class="sh"> XPACK_SECURITY_ENCRYPTIONKEY=</span><span class="nv">$XPACK_SECURITY_ENCRYPTIONKEY</span><span class="sh"> XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=</span><span class="nv">$XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY</span><span class="sh"> XPACK_REPORTING_ENCRYPTIONKEY=</span><span class="nv">$XPACK_REPORTING_ENCRYPTIONKEY</span><span class="sh"> MATTERMOST_WEBHOOK_URL=</span><span class="nv">$SONAR_MATTERMOST_WEBHOOK</span><span class="sh"> </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ELK_BASE</span><span class="sh">/filebeat/filebeat.env" ELASTIC_PASSWORD=</span><span class="nv">$ELASTIC_PASSWORD</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># --- 8. Final Permissions Lockdown ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 7: Locking Down Permissions ---"</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs/"</span><span class="k">*</span>.key <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs/"</span><span class="k">*</span>.key <span class="nb">chmod </span>644 <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">/certs/"</span><span class="k">*</span>.crt <span class="nb">chmod </span>644 <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">/certs/"</span><span class="k">*</span>.crt <span class="nb">chmod </span>644 <span class="s2">"</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="s2">/certs/"</span><span class="k">*</span>.pem <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">"</span>/<span class="k">*</span>/<span class="k">*</span>.env <span class="nb">sudo chown</span> <span class="nt">-R</span> 1000:0 <span class="s2">"</span><span class="nv">$ES_CONFIG_DIR</span><span class="s2">"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 1000:0 <span class="s2">"</span><span class="nv">$KIBANA_CONFIG_DIR</span><span class="s2">"</span> <span class="nb">sudo chown </span>1000:0 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/elasticsearch.env"</span> <span class="nb">sudo chown </span>1000:0 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/kibana.env"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> root:root <span class="s2">"</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="s2">"</span> <span class="nb">sudo chown </span>root:root <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/filebeat.env"</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$FILEBEAT_CONFIG_DIR</span><span class="s2">/filebeat.yml"</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/elasticsearch.env"</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/kibana.env"</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/filebeat.env"</span> <span class="nb">echo</span> <span class="s2">"✅ Architect Setup Complete."</span> </code></pre> </div> <h2> 2.2 Secrets and Security Hygiene </h2> <p>In <strong>Phase 2</strong> of the script, we implement a "Generate Once, Keep Forever" logic to handle credentials securely.</p> <p>We do not hardcode passwords in our configuration files. Instead, the script performs a check:</p> <ol> <li> It looks for the <code>cicd.env</code> file.</li> <li> If the <code>ELASTIC_PASSWORD</code> key is missing, it uses <code>openssl rand -hex 16</code> to generate a high-entropy 32-character password.</li> <li> It appends this new secret to the environment file.</li> </ol> <p>This ensures that every deployment gets a unique, strong password that persists across restarts, without requiring manual intervention.</p> <p><strong>The XPACK Encryption Keys</strong><br> Beyond simple passwords, the script also generates three distinct 32-character strings for <strong>XPACK Security</strong>:</p> <ol> <li> <code>xpack.security.encryptionKey</code> </li> <li> <code>xpack.encryptedSavedObjects.encryptionKey</code> </li> <li> <code>xpack.reporting.encryptionKey</code> </li> </ol> <p>Kibana uses these keys to encrypt sensitive data at rest within its internal indices—specifically "Saved Objects" like dashboards, visualization settings, and alerting rules. It is critical that these keys remain constant. If you were to regenerate them (e.g., by deleting <code>cicd.env</code>), Kibana would lose the ability to decrypt your existing dashboards, rendering them inaccessible.</p> <p><strong>The Ownership Handoff</strong><br> Docker has a known friction point regarding file permissions. When you mount a host directory into a container, the container process sees the directory with the numeric UID of the host.</p> <ul> <li>Elasticsearch runs strictly as <strong>UID 1000</strong>.</li> <li>If we (the host user) create the <code>./elk/elasticsearch/data</code> folder, it is owned by our user (likely 1000), which allows the container to write.</li> <li> <strong>However</strong>, if we let Docker create the folder automatically during the first <code>docker run</code>, it is often created as <strong>Root</strong>. The Elasticsearch process will then crash immediately because it lacks permission to write to its own data directory.</li> </ul> <p>To prevent this race condition, <strong>Phase 3</strong> of our script preemptively creates the directory structure and explicitly executes <code>chown -R $CURRENT_USER:$CURRENT_GROUP</code>. This ensures the storage volume is correctly owned before the database attempts to initialize.</p> <h2> 2.3 Staging Certificates </h2> <p>In <strong>Article 2</strong>, we established a centralized Certificate Authority (CA) and generated certificates for all our services. These files currently reside in <code>~/cicd_stack/ca/pki</code>.</p> <p>However, we do not simply mount the entire <code>ca</code> directory into every container. That would violate the Principle of Least Privilege; Elasticsearch does not need to see GitLab's private key.</p> <p>In <strong>Phase 4</strong> of the script, we perform a "Staging" operation. We copy only the specific certificate (<code>crt</code>) and private key (<code>key</code>) required for each service into its respective configuration directory:</p> <ul> <li> <code>./elk/elasticsearch/config/certs/</code> gets <code>elasticsearch.crt</code> and <code>.key</code>.</li> <li> <code>./elk/kibana/config/certs/</code> gets <code>kibana.crt</code> and <code>.key</code>.</li> <li>Everyone gets <code>ca.pem</code> (the Trust Anchor).</li> </ul> <p>This physical separation ensures that if the Elasticsearch container were compromised, the attacker would only retrieve the Elasticsearch identity, not the keys to the entire kingdom.</p> <h2> 2.4 Dynamic Configuration Generation </h2> <p>Most tutorials ask you to manually edit <code>elasticsearch.yml</code> and <code>kibana.yml</code>. This is error-prone and tedious, especially when dealing with dynamic secrets like our encryption keys.</p> <p>In <strong>Phase 5</strong>, we use Bash "Heredocs" (<code>cat &lt;&lt; EOF</code>) to generate these configuration files programmatically. This allows us to inject the environment variables (<code>$ELASTIC_PASSWORD</code>, <code>$XPACK_SECURITY_ENCRYPTIONKEY</code>) directly into the configuration files at creation time.</p> <p><strong>Key Configuration Details:</strong></p> <ol> <li> <p><strong>Elasticsearch (<code>elasticsearch.yml</code>):</strong></p> <ul> <li> <code>xpack.security.enabled: true</code>: This turns on the security features (Authentication and TLS). Without this, anyone on the network could query the database.</li> <li> <code>network.host: 0.0.0.0</code>: Essential for Docker networking. If left at default (localhost), the container would be unreachable from Kibana.</li> </ul> </li> <li> <p><strong>Kibana (<code>kibana.yml</code>):</strong></p> <ul> <li> <code>elasticsearch.ssl.certificateAuthorities</code>: We explicitly tell Kibana to trust our self-signed CA. Without this, Kibana would refuse to connect to Elasticsearch over HTTPS.</li> <li> <code>xpack.actions.preconfigured</code>: We inject the Mattermost Webhook URL here. This pre-configures the alerting connector so we don't have to set it up manually in the UI later.</li> </ul> </li> <li> <p><strong>Filebeat (<code>filebeat.yml</code>):</strong></p> <ul> <li>This is where we define our "Inputs." Notice we have separate sections for <code>filestream</code> (reading log files) and <code>journald</code> (reading system logs).</li> <li>We also define the <code>setup.ilm.enabled: false</code>. Since we are a single node, we disable Index Lifecycle Management (ILM) setup to keep the configuration simple and prevent Filebeat from trying to manage cluster-wide policies.</li> </ul> </li> </ol> <h2> 2.5 The Jenkins "Sidecar" Injection </h2> <p>One of the most complex parts of this script is <strong>Phase 5-D</strong>, where we fix the Jenkins logging problem.</p> <p>Standard Jenkins logs are unstructured text printed to STDOUT. To make them parseable, we need Jenkins to write structured logs to a file. We achieve this without rebuilding the Jenkins image by using a "Configuration Injection" strategy:</p> <ol> <li> <strong>Generate Config:</strong> The script writes a <code>logging.properties</code> file to the Jenkins data volume. This file defines a <code>java.util.logging.FileHandler</code> that writes logs to <code>/var/jenkins_home/logs/jenkins.log</code>.</li> <li> <strong>Inject Env Var:</strong> The script appends <code>JAVA_OPTS=-Djava.util.logging.config.file=...</code> to <code>jenkins.env</code>.</li> <li> <strong>Redeploy:</strong> It triggers the Jenkins deploy script (<code>03-deploy-controller.sh</code>) to restart the container.</li> </ol> <p>When Jenkins restarts, it reads the new environment variable, loads the logging config, and begins writing clean, rotatable log files to the volume—which Filebeat is already configured to watch.</p> <h2> 2.6 Final Permissions Lockdown </h2> <p>In <strong>Phase 7</strong>, we enforce strict file permissions. This is critical because some components (like Elasticsearch) check permissions on startup and will refuse to run if their configuration files are too open (e.g., world-readable).</p> <ul> <li> <strong>Private Keys (<code>*.key</code>):</strong> set to <code>600</code> (Read/Write by owner only).</li> <li> <strong>Public Certs (<code>*.crt</code>):</strong> set to <code>644</code> (Readable by everyone).</li> <li> <strong>Elasticsearch/Kibana Configs:</strong> Owned by <code>1000:0</code> (User 1000, Root Group).</li> <li> <strong>Filebeat Configs:</strong> Owned by <code>root:root</code>. <strong>This is mandatory.</strong> Filebeat requires its configuration file to be owned by root and not writable by others (<code>chmod 644</code>). If you miss this, Filebeat will fail to start with a "config file permission error."</li> </ul> <p>With the Architect script complete, the foundation is laid. The kernel is tuned, secrets are generated, configs are written, and permissions are locked. We are ready to deploy the database.</p> <h1> Chapter 3: The Bedrock – Elasticsearch </h1> <h2> 3.1 The Deployment Script </h2> <p>With the "Architect" script complete, the kernel is tuned and the secrets are safely stored. We are now ready to lay the foundation of our observability stack: the Elasticsearch database.</p> <p>This is not a generic "Hello World" deployment. This script is designed to handle the specific startup requirements of a production-grade search engine, including memory locking, file descriptor management, and an automated security bootstrap process.</p> <p>Create <code>02-deploy-elasticsearch.sh</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-deploy-elasticsearch.sh</span> <span class="c">#</span> <span class="c"># The "Bedrock" script.</span> <span class="c"># Deploys Elasticsearch (v9.2.2) and bootstraps security.</span> <span class="c">#</span> <span class="c"># 1. Deploy: Runs ES with strict memory/ulimit guards.</span> <span class="c"># 2. Healthcheck: Waits for Green status via HTTPS (using CA).</span> <span class="c"># 3. Bootstrap: Sets 'kibana_system' password via API.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Elasticsearch (The Bedrock)..."</span> <span class="c"># --- 1. Load Secrets ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/elasticsearch.env"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Scoped env file not found at </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-elk.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># We need KIBANA_PASSWORD from master env for the bootstrap step</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">set</span> <span class="nt">-a</span><span class="p">;</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="nb">set</span> +a <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$KIBANA_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: KIBANA_PASSWORD not found in cicd.env"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Clean Slate ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>elasticsearch<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'elasticsearch'..."</span> docker stop elasticsearch <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>elasticsearch<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'elasticsearch'..."</span> docker <span class="nb">rm </span>elasticsearch <span class="k">fi</span> <span class="c"># --- 3. Volume Management ---</span> <span class="nb">echo</span> <span class="s2">"Verifying elasticsearch-data volume..."</span> docker volume create elasticsearch-data <span class="o">&gt;</span> /dev/null <span class="c"># --- 4. Deploy ---</span> <span class="nb">echo</span> <span class="s2">"--- Launching Container ---"</span> <span class="c"># NOTES:</span> <span class="c"># - ulimit: Essential for ES performance (avoids bootstrap checks failure)</span> <span class="c"># - cap-add IPC_LOCK: Allows memory locking to prevent swapping</span> <span class="c"># - publish: 9200 bound to 127.0.0.1 (Host access only)</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> elasticsearch <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> elasticsearch.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:9200:9200 <span class="se">\</span> <span class="nt">--ulimit</span> <span class="nv">nofile</span><span class="o">=</span>65535:65535 <span class="se">\</span> <span class="nt">--ulimit</span> <span class="nv">memlock</span><span class="o">=</span><span class="nt">-1</span>:-1 <span class="se">\</span> <span class="nt">--cap-add</span><span class="o">=</span>IPC_LOCK <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> elasticsearch-data:/usr/share/elasticsearch/data <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/config/elasticsearch.yml"</span>:/usr/share/elasticsearch/config/elasticsearch.yml <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/elasticsearch/config/certs"</span>:/usr/share/elasticsearch/config/certs <span class="se">\</span> docker.elastic.co/elasticsearch/elasticsearch:9.2.2 <span class="nb">echo</span> <span class="s2">"Container started. Waiting for healthcheck..."</span> <span class="c"># --- 5. Secure Bootstrap (The "Zero Touch" Logic) ---</span> <span class="nv">MAX_RETRIES</span><span class="o">=</span>60 <span class="nv">COUNT</span><span class="o">=</span>0 <span class="nv">ES_URL</span><span class="o">=</span><span class="s2">"https://127.0.0.1:9200"</span> <span class="c"># A. Extract ELASTIC_PASSWORD securely (Avoiding 'source' errors)</span> <span class="nv">ELASTIC_PASSWORD</span><span class="o">=</span><span class="si">$(</span><span class="nb">grep</span> <span class="s2">"^ELASTIC_PASSWORD="</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">'='</span> <span class="nt">-f2</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'"'</span><span class="si">)</span> <span class="c"># Wait for "status" to be green OR yellow</span> <span class="c"># We removed --cacert because the host trusts the CA</span> <span class="k">until </span>curl <span class="nt">-s</span> <span class="nt">-u</span> <span class="s2">"elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ES_URL</span><span class="s2">/_cluster/health"</span> | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s1">'"status":"(green|yellow)"'</span><span class="p">;</span> <span class="k">do if</span> <span class="o">[</span> <span class="nv">$COUNT</span> <span class="nt">-ge</span> <span class="nv">$MAX_RETRIES</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Timeout waiting for Elasticsearch."</span> <span class="nb">echo</span> <span class="s2">"Check logs: docker logs elasticsearch"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" [</span><span class="nv">$COUNT</span><span class="s2">/</span><span class="nv">$MAX_RETRIES</span><span class="s2">] Waiting for Green/Yellow status..."</span> <span class="nb">sleep </span>5 <span class="nv">COUNT</span><span class="o">=</span><span class="k">$((</span>COUNT+1<span class="k">))</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">"✅ Elasticsearch is Online."</span> <span class="c"># B. Set kibana_system Password</span> <span class="nb">echo</span> <span class="s2">"--- Bootstrapping Service Accounts ---"</span> <span class="c"># 1. Run the command and let it print directly to stdout</span> curl <span class="nt">-i</span> <span class="se">\</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$ES_URL</span><span class="s2">/_security/user/kibana_system/_password"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$KIBANA_PASSWORD</span><span class="se">\"</span><span class="s2">}"</span> <span class="c"># 2. Check the exit status of the curl command itself (simplified check)</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Newline for formatting</span> <span class="nb">echo</span> <span class="s2">"✅ 'kibana_system' password request sent."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"❌ Failed to send password request."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"--- Bedrock Deployed Successfully ---"</span> </code></pre> </div> <h2> 3.2 Performance Tuning &amp; System Limits </h2> <p>In the deployment script above, you will notice a set of aggressive flags passed to the <code>docker run</code> command. These are not optional; they are the difference between a database that runs for months and one that crashes under load.</p> <p><strong>1. Memory Locking (<code>bootstrap.memory_lock</code>)</strong><br> We pass <code>--cap-add=IPC_LOCK</code> and <code>--ulimit memlock=-1:-1</code> to the container.</p> <p>Elasticsearch is a Java application. If the host operating system decides to "swap" part of the Java Heap to the hard disk to save RAM, performance falls off a cliff. Even worse, the garbage collector can pause for seconds (or minutes) trying to read memory back from the disk. By granting <code>IPC_LOCK</code> capability, we allow Elasticsearch to "lock" its allocated memory in RAM, preventing the OS from ever swapping it out.</p> <p><strong>2. File Descriptors (<code>ulimit nofile</code>)</strong><br> We set <code>--ulimit nofile=65535:65535</code>.</p> <p>Under the hood, Elasticsearch uses the Lucene search library. Lucene creates thousands of tiny files to manage its indices. A standard Linux process is often limited to 1,024 open files. If we don't raise this limit, Elasticsearch will hit a "wall" during heavy indexing and crash with a <code>Too many open files</code> exception. We preemptively raise this to 65k.</p> <h2> 3.3 Network Security: The Localhost Bind </h2> <p>You might notice the port mapping looks different from previous articles:<br> <code>--publish 127.0.0.1:9200:9200</code></p> <p>In previous scripts, we mapped ports to <code>0.0.0.0</code> (all interfaces) or relied on the Docker bridge network. Here, we are explicitly binding port 9200 to <code>127.0.0.1</code> (localhost) only.</p> <p>This is a <strong>Defense in Depth</strong> strategy.</p> <p>Elasticsearch is the "Brain" of our stack. It holds all our logs, which may contain sensitive data. By binding strictly to localhost, we ensure that <strong>no external device</strong> on the network can talk directly to the database, even if our firewall rules fail.</p> <ul> <li> <strong>Who can talk to it?</strong> <ul> <li> <strong>Kibana:</strong> Yes, because it joins the same Docker network (<code>cicd-net</code>).</li> <li> <strong>Filebeat:</strong> Yes, via the Docker network.</li> <li> <strong>You (The Admin):</strong> Yes, via <code>curl</code> on the host machine.</li> </ul> </li> <li> <strong>Who cannot talk to it?</strong> <ul> <li>Another developer's laptop.</li> <li>A rogue device on the Wi-Fi.</li> </ul> </li> </ul> <p>This forces all human access to go through the visualized, authenticated layer (Kibana) rather than the raw data API.</p> <h2> 3.4 The "Bootstrap" Dance (Automating Service Accounts) </h2> <p>The most complex part of this script is <strong>Section 5: Secure Bootstrap</strong>.</p> <p>We have a "Chicken and Egg" problem.</p> <ol> <li> Kibana needs a password to log in to Elasticsearch (<code>kibana_system</code> user).</li> <li> Elasticsearch does not allow us to set this password via an environment variable at startup.</li> <li> We can only set this password via the REST API <em>after</em> Elasticsearch is running.</li> </ol> <p>Most tutorials solve this by telling you to "run the container, wait a minute, and then manually run this curl command." That is not automation; that is manual labor.</p> <p>Our script solves this with a <strong>Healthcheck Loop</strong>.<br> It uses <code>curl</code> to poll the cluster status (<code>_cluster/health</code>). It loops every 5 seconds until it gets a HTTP 200 OK and a status of "Green" or "Yellow."</p> <p>Only when the brain is fully awake does the script execute the <strong>API Injection</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$ES_URL</span><span class="s2">/_security/user/kibana_system/_password"</span> ... </code></pre> </div> <p>This automatically sets the password we generated in the Architect script. The result is a "Zero Touch" deployment: you run the script, walk away, and come back to a fully secured, interconnected cluster.</p> <h1> Chapter 4: The Interface – Kibana </h1> <h2> 4.1 The Deployment Script </h2> <p>With Elasticsearch running as our data store, we need a way to visualize the information. Kibana is the native interface for the Elastic Stack, providing the dashboards, search bars, and management tools we will use to operate the platform.</p> <p>While Elasticsearch is the "Backend," Kibana is the "Frontend." It is a Node.js application that queries the database and renders the results. Because it holds the encryption keys for our alerts and saved objects, its deployment requires careful handling of secrets and configuration files.</p> <p>Create <code>03-deploy-kibana.sh</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-deploy-kibana.sh</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Kibana (The Interface)..."</span> <span class="c"># --- 1. Load Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/kibana.env"</span> <span class="c"># --- 2. Validation ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Scoped env file not found at </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-elk.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Clean Slate ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>kibana<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'kibana'..."</span> docker stop kibana <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>kibana<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'kibana'..."</span> docker <span class="nb">rm </span>kibana <span class="k">fi</span> <span class="c"># --- 4. Deploy ---</span> <span class="nb">echo</span> <span class="s2">"--- Launching Container ---"</span> <span class="c"># FIX: We rely fully on the env file now.</span> <span class="c"># It contains: ELASTICSEARCH_PASSWORD, XPACK Keys, and MATTERMOST_WEBHOOK_URL</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> kibana <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> kibana.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:5601:5601 <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/config/kibana.yml"</span>:/usr/share/kibana/config/kibana.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/config/certs"</span>:/usr/share/kibana/config/certs:ro <span class="se">\</span> docker.elastic.co/kibana/kibana:9.2.2 <span class="nb">echo</span> <span class="s2">"Container started. Waiting for API healthcheck..."</span> <span class="c"># --- 5. Healthcheck Loop ---</span> <span class="nv">KIBANA_URL</span><span class="o">=</span><span class="s2">"https://127.0.0.1:5601"</span> <span class="nv">MAX_RETRIES</span><span class="o">=</span>60 <span class="nv">COUNT</span><span class="o">=</span>0 <span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do if</span> <span class="o">[</span> <span class="nv">$COUNT</span> <span class="nt">-ge</span> <span class="nv">$MAX_RETRIES</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Timeout waiting for Kibana."</span> <span class="nb">echo</span> <span class="s2">"Check logs: docker logs kibana"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nv">STATUS_OUTPUT</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-sS</span> <span class="s2">"</span><span class="nv">$KIBANA_URL</span><span class="s2">/api/status"</span> <span class="o">||</span> <span class="nb">true</span><span class="si">)</span> <span class="k">if </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$STATUS_OUTPUT</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'"level":"available"'</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" [</span><span class="nv">$COUNT</span><span class="s2">/</span><span class="nv">$MAX_RETRIES</span><span class="s2">] Status: AVAILABLE"</span> <span class="nb">break </span><span class="k">else </span><span class="nv">CURRENT_LEVEL</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$STATUS_OUTPUT</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-o</span> <span class="s1">'"level":"[^"]*"'</span> | <span class="nb">head</span> <span class="nt">-n1</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"unreachable"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">" [</span><span class="nv">$COUNT</span><span class="s2">/</span><span class="nv">$MAX_RETRIES</span><span class="s2">] Status: </span><span class="k">${</span><span class="nv">CURRENT_LEVEL</span><span class="k">:-</span><span class="nv">unreachable</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi </span><span class="nb">sleep </span>5 <span class="nv">COUNT</span><span class="o">=</span><span class="k">$((</span>COUNT+1<span class="k">))</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">"✅ Kibana is Green and Available."</span> <span class="nb">echo</span> <span class="s2">" Access at: https://kibana.cicd.local:5601"</span> </code></pre> </div> <h2> 4.2 Configuration Strategy (The "Glue") </h2> <p>A critical aspect of this deployment is how we manage the connection between Kibana and Elasticsearch without exposing credentials in plain text.</p> <p>In standard Docker tutorials, you might see environment variables passed directly in the <code>docker run</code> command (e.g., <code>-e ELASTICSEARCH_PASSWORD=changeme</code>). This is insecure because anyone running <code>docker inspect</code> can see the password.</p> <p>We rely instead on <strong>Environment Injection</strong>.</p> <p>In our deployment script, we use the <code>--env-file</code> flag to load <code>elk/kibana/kibana.env</code>. This file was not written by hand; it was programmatically generated by our Architect script in Chapter 2. By doing this, we achieve three things:</p> <ol> <li> <strong>Credential Isolation:</strong> The <code>ELASTICSEARCH_PASSWORD</code> is injected at runtime. It exists only in the secure file on the host and the environment of the running process.</li> <li> <strong>Persistent Encryption:</strong> The three <code>XPACK</code> encryption keys are critical for Kibana's internal security. They encrypt "Saved Objects" (dashboards, visualizations, and alerting rules) at rest. By injecting them from a persistent file, we ensure that if we destroy and recreate the container, Kibana can still decrypt our saved dashboards.</li> <li> <strong>Pre-configured Integrations:</strong> We inject the <code>MATTERMOST_WEBHOOK_URL</code> here. This allows Kibana to register the connector immediately upon startup, saving us from having to manually paste the webhook URL into the UI later.</li> </ol> <p>We also treat our configuration files as <strong>Immutable</strong>. Notice that <code>kibana.yml</code> and the <code>certs</code> directory are mounted with the <code>:ro</code> (Read-Only) flag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/kibana/config/kibana.yml"</span>:/usr/share/kibana/config/kibana.yml:ro </code></pre> </div> <p>This is a security best practice. Even if an attacker were to gain remote code execution within the Kibana Node.js process, they would be unable to overwrite the configuration to disable security or replace the trusted certificates. The container is locked down by the host.</p> <h2> 4.3 The "Startup Race" (Health Checks) </h2> <p>One of the most common friction points when automating Kibana deployments is the <strong>Initialization Gap</strong>.</p> <p>When you execute <code>docker run</code>, the Docker daemon returns a success code almost immediately. However, inside the container, Kibana is just waking up. As a heavy Node.js application, it has a lengthy startup sequence:</p> <ol> <li>It loads the configuration.</li> <li>It initializes plugins (APM, Maps, Graph, Security).</li> <li>It optimizes client-side assets (though this is faster in newer versions, it still takes time).</li> <li>It connects to Elasticsearch to verify the license and index templates.</li> </ol> <p>This process can take anywhere from 30 to 60 seconds on a standard server.</p> <p>If our script were to exit immediately after the <code>docker run</code> command, you would click the link, see a <code>502 Bad Gateway</code> (from Nginx) or <code>Connection Refused</code> error, and assume the deployment failed. You might start digging into logs or restarting containers unnecessarily, interrupting a process that was actually working fine.</p> <p>To solve this, we implement a <strong>State-Aware Healthcheck</strong>.</p> <p>We do not simply use <code>sleep 60</code>. Hardcoded sleeps are "brittle"—on a fast machine, you waste 30 seconds; on a slow machine, it's not enough. Instead, we poll the application itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">STATUS_OUTPUT</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-sS</span> <span class="s2">"</span><span class="nv">$KIBANA_URL</span><span class="s2">/api/status"</span> <span class="o">||</span> <span class="nb">true</span><span class="si">)</span> </code></pre> </div> <p>The Kibana Status API returns a rich JSON object detailing the state of every plugin. Crucially, it provides an overall status field. We grep specifically for:</p> <p><code>"level":"available"</code></p> <p>This is the only state that matters.</p> <ul> <li>If the status is <strong>Red</strong>, Kibana is initializing or cannot reach Elasticsearch.</li> <li>If the status is <strong>Yellow</strong>, Kibana is migrating saved objects or indices.</li> <li>If the status is <strong>Green</strong> (Available), the UI is ready to accept user traffic.</li> </ul> <p>By blocking the script until this specific string appears, we guarantee that when the script says "Green and Available," the link we provide will actually load the login page. This transforms the deployment experience from "Run and Pray" to "Run and Verify."</p> <h2> 4.4 Security &amp; Access </h2> <p>Finally, we must address the network exposure of our interface. You will notice the port mapping in our script is explicit:</p> <p><code>--publish 127.0.0.1:5601:5601</code></p> <p>We are binding strictly to the <strong>Loopback Interface</strong> (<code>127.0.0.1</code>), not the <strong>Wildcard Interface</strong> (<code>0.0.0.0</code>).</p> <p>This is a deliberate architectural constraint. In a "Zero Trust" model, we never expose management interfaces directly to the network.</p> <ul> <li> <strong>The Risk:</strong> If we bound to <code>0.0.0.0</code>, anyone on the same Wi-Fi or subnet could navigate to <code>http://&lt;your-ip&gt;:5601</code>. While they would still face the login screen (thanks to our password setup), we prefer to hide the door entirely.</li> <li> <strong>The Access Path:</strong> By locking it to localhost, the only way to access Kibana is from the machine itself.</li> <li> <strong>For Setup:</strong> We can use <code>curl</code> on the host (as our healthcheck does).</li> <li> <strong>For Browsing:</strong> In a real-world production setup, we would place an Nginx Reverse Proxy in front of this container (listening on port 443 with SSL) and route traffic internally to 127.0.0.1:5601. Alternatively, as administrators, we can use an SSH Tunnel (<code>ssh -L 5601:localhost:5601 user@server</code>) to securely bridge our laptop to the server.</li> </ul> <p>This restriction ensures that during the vulnerable setup phase—before we have configured complex firewall rules or VPNs—our visualization tool is effectively invisible to the outside world. We are building a "Dark" control center: fully functional, but only accessible to those with the keys to the host.</p> <h1> Chapter 5: The Parsing Engine – Ingest Pipelines </h1> <h2> 5.1 The Pipeline Script </h2> <p>We have a database, and we have a UI. But currently, our logs are just messy strings of text like <code>[INFO] 2025-12-15 Build Started</code>. If we send these directly to Elasticsearch, they will be stored as a single blob of text. You won't be able to filter by "Error Level" or "Client IP" because the database doesn't know those fields exist yet.</p> <p>In the traditional ELK stack, a tool called <strong>Logstash</strong> would sit in the middle to parse this text. However, Logstash is resource-heavy. Since we are optimizing for a lean "Factory in a Box," we will use <strong>Elasticsearch Ingest Pipelines</strong>.</p> <p>This feature allows us to define a chain of "Processors" inside the database itself. When a log document arrives, Elasticsearch runs it through this chain—extracting fields, fixing timestamps, and removing noise—milliseconds before writing it to disk.</p> <p>Create <code>04-setup-pipelines.sh</code> with the following content. This script defines a single pipeline called <code>cicd-logs</code> that acts as a "Universal Adapter" for every service in our stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 04-setup-pipelines.sh</span> <span class="c">#</span> <span class="c"># Configures Elasticsearch Ingest Pipelines.</span> <span class="c"># Defines parsing logic for all CICD stack components.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Configuring Elasticsearch Ingest Pipelines..."</span> <span class="c"># --- 1. Load Secrets ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/filebeat.env"</span> <span class="c"># --- 2. Define the Pipeline JSON ---</span> <span class="c"># CRITICAL: We use 'EOF' (quoted) to prevent Bash from stripping regex backslashes.</span> <span class="nv">PIPELINE_JSON</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' { "description": "CICD Stack Log Parsing Pipeline", "processors": [ { "set": { "field": "event.original", "value": "{{message}}", "ignore_empty_value": true } }, { "grok": { "field": "message", "patterns": [ "</span><span class="se">\\</span><span class="sh">[%{TIMESTAMP_ISO8601:timestamp}</span><span class="se">\\</span><span class="sh">] </span><span class="se">\\</span><span class="sh">[%{LOGLEVEL:log.level}</span><span class="se">\\</span><span class="sh">] %{DATA:logger_name} - %{GREEDYDATA:message}" ], "if": "ctx.service_name == 'jenkins'", "ignore_missing": true, "ignore_failure": true } }, { "grok": { "field": "message", "patterns": [ "%{IPORHOST:client.ip} - %{DATA:user.name} </span><span class="se">\\</span><span class="sh">[%{HTTPDATE:timestamp}</span><span class="se">\\</span><span class="sh">] </span><span class="se">\"</span><span class="sh">%{WORD:http.request.method} %{DATA:url.path} HTTP/%{NUMBER:http.version}</span><span class="se">\"</span><span class="sh"> %{NUMBER:http.response.status_code:long} %{NUMBER:http.response.body.bytes:long} </span><span class="se">\"</span><span class="sh">%{DATA:http.request.referrer}</span><span class="se">\"</span><span class="sh"> </span><span class="se">\"</span><span class="sh">%{DATA:user_agent.original}</span><span class="se">\"</span><span class="sh">" ], "if": "ctx.service_name == 'gitlab-nginx'", "ignore_missing": true, "ignore_failure": true } }, { "grok": { "field": "message", "patterns": [ "%{YEAR:year}</span><span class="se">\\</span><span class="sh">.%{MONTHNUM:month}</span><span class="se">\\</span><span class="sh">.%{MONTHDAY:day} %{TIME:time} %{LOGLEVEL:log.level}</span><span class="se">\\</span><span class="sh">s+%{GREEDYDATA:message}" ], "if": "ctx.service_name == 'sonarqube'", "ignore_missing": true, "ignore_failure": true } }, { "script": { "lang": "painless", "source": "ctx.timestamp = ctx.year + '-' + ctx.month + '-' + ctx.day + 'T' + ctx.time + 'Z'", "if": "ctx.service_name == 'sonarqube' &amp;&amp; ctx.year != null" } }, { "json": { "field": "message", "target_field": "mattermost", "if": "ctx.service_name == 'mattermost'", "ignore_failure": true } }, { "set": { "field": "timestamp", "value": "{{mattermost.timestamp}}", "if": "ctx.service_name == 'mattermost' &amp;&amp; ctx.mattermost?.timestamp != null" } }, { "set": { "field": "log.level", "value": "{{mattermost.level}}", "if": "ctx.service_name == 'mattermost' &amp;&amp; ctx.mattermost?.level != null" } }, { "grok": { "field": "message", "patterns": [ "%{TIMESTAMP_ISO8601:timestamp} </span><span class="se">\\</span><span class="sh">[%{DATA:service_type}</span><span class="se">\\</span><span class="sh">s*</span><span class="se">\\</span><span class="sh">] </span><span class="se">\\</span><span class="sh">[%{LOGLEVEL:log.level}</span><span class="se">\\</span><span class="sh">s*</span><span class="se">\\</span><span class="sh">] </span><span class="se">\\</span><span class="sh">[%{DATA:trace_id}</span><span class="se">\\</span><span class="sh">] </span><span class="se">\\</span><span class="sh">[%{DATA:class}:%{NUMBER:line}</span><span class="se">\\</span><span class="sh">] (?&gt;</span><span class="se">\\</span><span class="sh">[%{DATA:thread_info}</span><span class="se">\\</span><span class="sh">] )?- %{GREEDYDATA:message}", "%{TIMESTAMP_ISO8601:timestamp}</span><span class="se">\\</span><span class="sh">|%{DATA:trace_id}</span><span class="se">\\</span><span class="sh">|%{IP:client.ip}</span><span class="se">\\</span><span class="sh">|%{DATA:user.name}</span><span class="se">\\</span><span class="sh">|%{WORD:http.request.method}</span><span class="se">\\</span><span class="sh">|%{DATA:url.path}</span><span class="se">\\</span><span class="sh">|%{NUMBER:http.response.status_code:long}</span><span class="se">\\</span><span class="sh">|.*" ], "if": "ctx.service_name == 'artifactory'", "ignore_missing": true, "ignore_failure": true } }, { "date": { "field": "timestamp", "formats": [ "ISO8601", "dd/MMM/yyyy:HH:mm:ss Z", "yyyy-MM-dd HH:mm:ss.SSS", "yyyy-MM-dd HH:mm:ss.SSS Z", "yyyy-MM-dd HH:mm:ss Z", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ], "target_field": "@timestamp", "ignore_failure": true } }, { "remove": { "field": ["timestamp", "year", "month", "day", "time", "mattermost"], "ignore_missing": true } } ], "on_failure": [ { "set": { "field": "error.message", "value": "Pipeline failed: {{ _ingest.on_failure_message }}" } } ] } </span><span class="no">EOF </span><span class="si">)</span> <span class="c"># --- 3. Upload to Elasticsearch ---</span> <span class="nb">echo</span> <span class="s2">"--- Uploading 'cicd-logs' Pipeline ---"</span> <span class="nv">RESPONSE</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-k</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">%{http_code}"</span> <span class="nt">-X</span> PUT <span class="s2">"https://127.0.0.1:9200/_ingest/pipeline/cicd-logs"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$PIPELINE_JSON</span><span class="s2">"</span><span class="si">)</span> <span class="nv">HTTP_BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$RESPONSE</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'$d'</span><span class="si">)</span> <span class="nv">HTTP_STATUS</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$RESPONSE</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-n1</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$HTTP_STATUS</span><span class="s2">"</span> <span class="nt">-eq</span> 200 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ Pipeline updated successfully (HTTP 200)."</span> <span class="nb">echo</span> <span class="s2">"Response: </span><span class="nv">$HTTP_BODY</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ Error uploading pipeline (HTTP </span><span class="nv">$HTTP_STATUS</span><span class="s2">)."</span> <span class="nb">echo</span> <span class="s2">"Elasticsearch Response:"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$HTTP_BODY</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <h2> 5.2 The Pipeline Blueprint (JSON Reference) </h2> <p>This JSON object is the "Source Code" for our logging logic. It defines a sequential list of steps that every log entry must pass through. Let's break down the critical components of this file so you can understand exactly how we transform chaos into order.</p> <p><strong>1. The Safety Net (<code>event.original</code>)</strong><br> The first processor is a <code>set</code> operation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"set"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"event.original"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{message}}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Before we touch anything, we copy the raw log line into a new field called <code>event.original</code>. If our complex parsing logic fails or corrupts the data later in the pipeline, we still have the original, untouched text safe and sound.</p> <p><strong>2. The Conditional Switch (<code>if</code> statements)</strong><br> Notice that almost every processor has an <code>if</code> condition attached to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"if"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ctx.service_name == 'jenkins'"</span><span class="w"> </span></code></pre> </div> <p>This is our routing logic. Filebeat tags every log with a <code>service_name</code> (e.g., "jenkins", "gitlab-nginx") before shipping it. The pipeline checks this tag. If the log is from Jenkins, it runs the Jenkins Grok pattern; if it's from Nginx, it skips to the Nginx pattern. This allows us to use a <strong>Single Pipeline</strong> for the entire stack, rather than managing ten small ones.</p> <p><strong>3. The Parser (<code>grok</code>)</strong><br> Grok is the heavy lifter. It matches the raw text against predefined patterns and extracts structured variables.</p> <ul> <li> <strong>Pattern:</strong> <code>%{IPORHOST:client.ip}</code> </li> <li> <strong>Translation:</strong> "Find a string that looks like an IP address or Hostname. Extract it and save it into the field <code>client.ip</code>."</li> <li> <strong>Result:</strong> We can now build a map in Kibana showing where users are logging in from, because <code>client.ip</code> is a real data field, not just text.</li> </ul> <p><strong>4. The Script (<code>painless</code>)</strong><br> Sometimes, standard parsers aren't enough. SonarQube logs date and time in two separate fields (<code>2025.12.15</code> and <code>10:00:00</code>), but Elasticsearch needs a single ISO8601 string.<br> We use a tiny script written in <strong>Painless</strong> (Elastic's secure scripting language) to stitch them together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">ctx</span><span class="o">.</span><span class="na">timestamp</span> <span class="o">=</span> <span class="n">ctx</span><span class="o">.</span><span class="na">year</span> <span class="o">+</span> <span class="sc">'-'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">month</span> <span class="o">+</span> <span class="sc">'-'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">day</span> <span class="o">+</span> <span class="sc">'T'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">time</span> <span class="o">+</span> <span class="sc">'Z'</span> </code></pre> </div> <p>This demonstrates the power of Ingest Pipelines: we can execute real programming logic inside the database to clean our data.</p> <p><strong>5. The Cleanup (<code>remove</code>)</strong><br> Once we have extracted <code>client.ip</code>, <code>http.status</code>, and <code>@timestamp</code>, the intermediate fields (like <code>year</code>, <code>month</code>, <code>mattermost</code> JSON objects) are just wasted disk space. The final step <code>remove</code> deletes them, keeping our index lean.</p> <p><strong>6. Error Handling (<code>on_failure</code>)</strong><br> At the very bottom, we define an <code>on_failure</code> block. If a log line is malformed and causes a processor to crash, the pipeline does <strong>not</strong> discard the log. Instead, it catches the exception and adds an <code>error.message</code> field. This ensures we never lose data, even if our code has bugs.</p> <h2> 5.3 Decoding the Services </h2> <p>Now we will walk through the specific parsing logic for each service. This is where we bridge the gap between the application's unique "accent" and the database's strict requirements.</p> <h3> <strong>1. Jenkins (The Custom Formatter)</strong> </h3> <p>In <strong>Chapter 2</strong>, we forced Jenkins to use a custom Java logging format:</p> <p><code>[%1$tF %1$tT] [%4$s] %3$s - %5$s %6$s%n</code></p> <p>This results in log lines that look like this:<br> <code>[2025-12-15 14:30:00] [INFO] hudson.plugins.git.GitSCM - Fetching changes...</code></p> <p>Our Grok pattern is a direct mirror of this structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="s2">"</span><span class="se">\\</span><span class="s2">[%{TIMESTAMP_ISO8601:timestamp}</span><span class="se">\\</span><span class="s2">] </span><span class="se">\\</span><span class="s2">[%{LOGLEVEL:log.level}</span><span class="se">\\</span><span class="s2">] %{DATA:logger_name} - %{GREEDYDATA:message}"</span><span class="w"> </span></code></pre> </div> <ul> <li> <code>\\[ ... \\]</code>: We escape the brackets because they are special characters in Regex.</li> <li> <code>%{TIMESTAMP_ISO8601:timestamp}</code>: Captures the <code>2025-12-15 14:30:00</code> part.</li> <li> <code>%{LOGLEVEL:log.level}</code>: Captures <code>INFO</code>, <code>WARNING</code>, or <code>SEVERE</code>. By mapping this to <code>log.level</code>, Kibana will automatically color-code these rows (Red for Error, Yellow for Warning).</li> </ul> <h3> <strong>2. GitLab Nginx (Standard Web Traffic)</strong> </h3> <p>GitLab's internal Nginx uses the industry-standard "Combined Log Format."</p> <p><code>192.168.1.50 - - [15/Dec/2025:14:30:00 +0000] "GET /api/v4/projects HTTP/1.1" 200 450 ...</code></p> <p>Our Grok pattern extracts the critical metrics for our security dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="s2">"%{IPORHOST:client.ip} - %{DATA:user.name} </span><span class="se">\\</span><span class="s2">[%{HTTPDATE:timestamp}</span><span class="se">\\</span><span class="s2">] ..."</span><span class="w"> </span></code></pre> </div> <ul> <li> <code>%{IPORHOST:client.ip}</code>: This is the most valuable field. It allows us to build the "Intruder Alert" map.</li> <li> <code>%{NUMBER:http.response.status_code:long}</code>: We explicitly cast this to a <code>long</code> (integer). If we left it as a string, we wouldn't be able to run math aggregations like "Average Response Code" or "Count of 5xx Errors."</li> </ul> <h3> <strong>3. SonarQube (The Format Outlier)</strong> </h3> <p>SonarQube is difficult. It logs date and time separated by a space, using dots for the date:</p> <p><code>2025.12.15 14:30:00 INFO web[][o.s.s.p.Platform] ...</code></p> <p>A standard Grok pattern can extract <code>2025.12.15</code> as <code>year</code> and <code>14:30:00</code> as <code>time</code>, but Elasticsearch requires a single ISO string for time-based indexing.</p> <p>We solve this with a two-step combo:</p> <ol> <li> <strong>Grok:</strong> Extract the parts (<code>year</code>, <code>month</code>, <code>day</code>, <code>time</code>).</li> <li> <strong>Painless Script:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">ctx</span><span class="o">.</span><span class="na">timestamp</span> <span class="o">=</span> <span class="n">ctx</span><span class="o">.</span><span class="na">year</span> <span class="o">+</span> <span class="sc">'-'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">month</span> <span class="o">+</span> <span class="sc">'-'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">day</span> <span class="o">+</span> <span class="sc">'T'</span> <span class="o">+</span> <span class="n">ctx</span><span class="o">.</span><span class="na">time</span> <span class="o">+</span> <span class="sc">'Z'</span> </code></pre> </div> <p>This script manually constructs a valid ISO string (<code>2025-12-15T14:30:00Z</code>) which the Date Processor can then understand.</p> <h3> <strong>4. Mattermost (Structure-Native)</strong> </h3> <p>Mattermost is modern; it logs in JSON format by default.</p> <p><code>{"timestamp": "2025-12-15 14:30:00", "level": "error", "msg": "Database timeout"}</code></p> <p>We don't need Grok (Regex) here. We use the <strong>JSON Processor</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"json"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"message"</span><span class="p">,</span><span class="w"> </span><span class="nl">"target_field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mattermost"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This tells Elasticsearch: "The <code>message</code> field contains a JSON string. Parse it and put the resulting object into a new field called <code>mattermost</code>."<br> We then use <code>set</code> processors to promote <code>mattermost.timestamp</code> and <code>mattermost.level</code> to the top-level <code>@timestamp</code> and <code>log.level</code> fields, ensuring consistency with Jenkins and Nginx.</p> <h3> <strong>5. Artifactory (The Polyglot)</strong> </h3> <p>Artifactory is complex because it generates two distinct types of logs in the same stream:</p> <ol> <li> <strong>Service Logs:</strong> Java application errors (standard stack traces).</li> <li> <strong>Request Logs:</strong> Pipe-separated values (<code>|</code>) tracking file downloads.</li> </ol> <p>We handle this using a <strong>Grok Array</strong>. We provide multiple patterns to the processor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"patterns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"...Service Log Pattern..."</span><span class="p">,</span><span class="w"> </span><span class="s2">"...Request Log Pattern..."</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>Elasticsearch tries the first pattern. If it fails, it tries the second. This allows a single pipeline to handle both "Application Crashed" (Pattern A) and "User downloaded generic-local/app.jar" (Pattern B) seamlessly.</p> <h3> <strong>6. The Rosetta Stone: Date Normalization</strong> </h3> <p>Finally, the pipeline ends with the <strong>Date Processor</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"formats"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ISO8601"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dd/MMM/yyyy:HH:mm:ss Z"</span><span class="p">,</span><span class="w"> </span><span class="s2">"yyyy-MM-dd HH:mm:ss.SSS"</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>This is the most critical step. Jenkins says <code>2025-12-15</code>, Nginx says <code>15/Dec/2025</code>. If we simply indexed these as strings, sorting by time would be impossible.<br> This processor takes the <code>timestamp</code> field we extracted from any of the services above, matches it against <em>any</em> of the allowed formats, and converts it to the sacred <code>@timestamp</code> field in UTC. This ensures that when you zoom in on "14:30" in Kibana, you see the events from Jenkins, Nginx, and SonarQube perfectly aligned.</p> <h3> <strong>7. A Note on System Logs (The Pass-Through)</strong> </h3> <p>You might notice that our <strong>System Logs</strong> (Journald) are missing from the pipeline's logic. We have defined rules for Jenkins, Nginx, and SonarQube, but there is no <code>if "ctx.service_name == 'system'"</code> block.</p> <p>This is intentional.</p> <p>Unlike the flat text files generated by Jenkins or Nginx, the Linux Journal (<code>journald</code>) is a <strong>structured binary format</strong>. When Filebeat reads from the Journal (via the <code>journald</code> input we configured in <code>filebeat.yml</code>), it doesn't just read a line of text. It reads a rich object containing the timestamp, the process name, the PID, and the priority level.</p> <p>Filebeat automatically maps these binary fields to the Elastic Common Schema (ECS) before the data even leaves the host. For example:</p> <ul> <li>Journal <code>_COMM</code> becomes <code>process.name</code>.</li> <li>Journal <code>PRIORITY</code> becomes <code>syslog.priority</code>.</li> <li>Journal <code>__REALTIME_TIMESTAMP</code> becomes <code>@timestamp</code>.</li> </ul> <p>Because the data arrives at Elasticsearch already parsed and structured, it skips every conditional <code>if</code> block in our pipeline. It effectively "falls through" the logic untouched, landing in the index ready to be searched. We don't need to fix what isn't broken.</p> <h2> 5.4 The Deployment Mechanism </h2> <p>The final part of our script handles the delivery of this logic to the database.</p> <p>It is important to understand that Ingest Pipelines are <strong>not configuration files</strong>. You cannot simply copy a <code>.json</code> file into a folder on the server and expect Elasticsearch to pick it up. Pipelines are part of the <strong>Cluster State</strong>—they live in the memory and disk of the Master Nodes, synchronized across the cluster.</p> <p>To install a pipeline, we must interact with the Elasticsearch REST API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">RESPONSE</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-k</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">%{http_code}"</span> <span class="nt">-X</span> PUT <span class="s2">"https://127.0.0.1:9200/_ingest/pipeline/cicd-logs"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$PIPELINE_JSON</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p><strong>1. The Method (<code>PUT</code>)</strong><br> We use the HTTP <code>PUT</code> verb. This is idempotent; if the pipeline already exists, this command overwrites it with the new version. This is perfect for CI/CD: if we update our parsing logic later, we simply re-run this script to apply the changes.</p> <p><strong>2. The Endpoint (<code>_ingest/pipeline/cicd-logs</code>)</strong><br> We are defining a resource named <code>cicd-logs</code>. This name is critical. Later, when we configure Filebeat (Chapter 6), we will tell it specifically to use <code>pipeline: "cicd-logs"</code>. If these names do not match, the data will bypass our parser and arrive as raw text.</p> <p><strong>3. The Payload (<code>-d "$PIPELINE_JSON"</code>)</strong><br> We send the JSON object we defined earlier as the body of the request. Note that we used a Bash Heredoc (<code>cat &lt;&lt;'EOF'</code>) to capture that JSON. This ensures that the complex regex backslashes inside the Grok patterns are preserved and not interpreted by the shell.</p> <p><strong>4. The Verification</strong><br> The script does not blindly assume success.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">HTTP_STATUS</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$RESPONSE</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-n1</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$HTTP_STATUS</span><span class="s2">"</span> <span class="nt">-eq</span> 200 <span class="o">]</span><span class="p">;</span> <span class="k">then</span> ... </code></pre> </div> <p>If our JSON syntax is invalid—for example, a missing comma or an unescaped quote—Elasticsearch will reject the request with a <strong>400 Bad Request</strong> error and a detailed message explaining <em>where</em> the syntax failed. Our script captures this error code and prints the server's response, allowing you to debug the JSON immediately without digging through server logs.</p> <p>With the pipeline registered, the "Brain" now knows how to read. It is time to deploy the "Collector" to start feeding it data.</p> <h1> <strong>Chapter 6: The Collector – Filebeat (<code>05-deploy-filebeat.sh</code>)</strong> </h1> <p>This chapter focuses on the "Shipper" that connects our log files to the pipeline we just built.</p> <h2> 6.1 The Collector Script </h2> <p>We have the database (Elasticsearch), the interface (Kibana), and the parsing logic (Ingest Pipelines). Now we need the agent to physically transport the logs from the hard drive to the cluster.</p> <p>Create <code>05-deploy-filebeat.sh</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 05-deploy-filebeat.sh</span> <span class="c">#</span> <span class="c"># The "Collector" Script.</span> <span class="c"># Deploys Filebeat (v9.2.2) to ship logs to Elasticsearch.</span> <span class="c">#</span> <span class="c"># 1. Mounts Host Docker Volumes (read app logs).</span> <span class="c"># 2. Mounts Host Journal (read system logs).</span> <span class="c"># 3. Mounts Data Volume (PERSIST REGISTRY).</span> <span class="c"># 4. Runs as ROOT to bypass host directory permissions.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Filebeat (The Collector)..."</span> <span class="c"># --- 1. Load Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ELK_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/elk"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/filebeat.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Scoped env file not found at </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-elk.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Clean Slate ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>filebeat<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'filebeat'..."</span> docker stop filebeat <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>filebeat<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'filebeat'..."</span> docker <span class="nb">rm </span>filebeat <span class="k">fi</span> <span class="c"># --- 3. Volume Management (CRITICAL FIX) ---</span> <span class="c"># We must persist the registry so we don't re-ingest old logs on restart.</span> <span class="nb">echo</span> <span class="s2">"Verifying filebeat-data volume..."</span> docker volume create filebeat-data <span class="o">&gt;</span> /dev/null <span class="c"># --- 4. Deploy ---</span> <span class="nb">echo</span> <span class="s2">"--- Launching Container ---"</span> <span class="c"># NOTES:</span> <span class="c"># - user root: Required to traverse /var/lib/docker and read Journal.</span> <span class="c"># - /var/log/journal: Required for native journald input.</span> <span class="c"># - /etc/machine-id: Required for journald reader to track host identity.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> filebeat <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--user</span> root <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/config/filebeat.yml"</span>:/usr/share/filebeat/filebeat.yml:ro <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$ELK_BASE</span><span class="s2">/filebeat/config/certs"</span>:/usr/share/filebeat/certs:ro <span class="se">\</span> <span class="nt">--volume</span> filebeat-data:/usr/share/filebeat/data <span class="se">\</span> <span class="nt">--volume</span> /var/lib/docker/volumes:/host_volumes:ro <span class="se">\</span> <span class="nt">--volume</span> /var/log/journal:/var/log/journal:ro <span class="se">\</span> <span class="nt">--volume</span> /etc/machine-id:/etc/machine-id:ro <span class="se">\</span> docker.elastic.co/beats/filebeat:9.2.2 <span class="nb">echo</span> <span class="s2">"Container started. Verifying connection..."</span> <span class="c"># --- 5. Verification ---</span> <span class="nv">MAX_RETRIES</span><span class="o">=</span>15 <span class="nv">COUNT</span><span class="o">=</span>0 <span class="nb">echo</span> <span class="s2">"Waiting for Filebeat to establish connection..."</span> <span class="k">while</span> <span class="o">[</span> <span class="nv">$COUNT</span> <span class="nt">-lt</span> <span class="nv">$MAX_RETRIES</span> <span class="o">]</span><span class="p">;</span> <span class="k">do </span><span class="nb">sleep </span>2 <span class="c"># Check for successful connection message</span> <span class="k">if </span>docker logs filebeat 2&gt;&amp;1 | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"Connection to backoff.*established"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ Filebeat successfully connected to Elasticsearch!"</span> <span class="nb">exit </span>0 <span class="k">fi</span> <span class="c"># Fail fast on Pipeline errors (common misconfiguration)</span> <span class="k">if </span>docker logs filebeat 2&gt;&amp;1 | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"pipeline/cicd-logs.*missing"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: Filebeat says the 'cicd-logs' pipeline is missing!"</span> <span class="nb">echo</span> <span class="s2">" Did you run 04-setup-pipelines.sh?"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Fail fast on Certificate errors</span> <span class="k">if </span>docker logs filebeat 2&gt;&amp;1 | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"x509: certificate signed by unknown authority"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ ERROR: SSL Certificate trust issue."</span> <span class="nb">echo</span> <span class="s2">" Check that ca.pem is correctly mounted and generated."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" [</span><span class="nv">$COUNT</span><span class="s2">/</span><span class="nv">$MAX_RETRIES</span><span class="s2">] Connecting..."</span> <span class="nv">COUNT</span><span class="o">=</span><span class="k">$((</span>COUNT+1<span class="k">))</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">"⚠️ Connection check timed out. Check logs manually:"</span> <span class="nb">echo</span> <span class="s2">" docker logs -f filebeat"</span> </code></pre> </div> <h2> 6.2 The "Agent" Pattern: Host vs. Sidecar </h2> <p>In the world of container observability, there are two primary ways to collect logs: the <strong>Sidecar Pattern</strong> and the <strong>Host Agent Pattern</strong>. It is important to understand why we have chosen the latter for this architecture.</p> <p><strong>The Sidecar Pattern (The Expensive Way)</strong><br> In many Kubernetes tutorials, you will see a "Sidecar" approach. This involves defining a Pod that contains <em>two</em> containers: your application (e.g., Jenkins) and a logging agent (Filebeat). The agent shares the storage volume with the app, reads the logs, and ships them.</p> <ul> <li> <strong>Pros:</strong> Complete isolation.</li> <li> <strong>Cons:</strong> Massive resource overhead. If you have 20 services, you run 20 instances of Filebeat. If each takes 50MB of RAM, you waste 1GB of memory just on shippers.</li> </ul> <p><strong>The Host Agent Pattern (The Efficient Way)</strong><br> We are using the Host Agent strategy. We run <strong>exactly one</strong> instance of Filebeat for the entire server. This agent sits on the "metal" (conceptually) and watches the Docker storage directory from the outside.</p> <ul> <li> <strong>The Mechanics:</strong> Docker stores named volumes at <code>/var/lib/docker/volumes/</code> on the host Linux filesystem.</li> <li> <strong>The Trick:</strong> By mounting this host directory into Filebeat (<code>--volume /var/lib/docker/volumes:/host_volumes:ro</code>), our single agent can peek inside the data directories of Jenkins, GitLab, SonarQube, and Mattermost simultaneously.</li> </ul> <p>This approach reduces our memory footprint significantly (1 agent vs. 10) and simplifies management. We have one configuration file to rule them all, rather than scattering logging configs across ten different repositories.</p> <h2> 6.3 Access Control: The Root CompromiseYou will notice a controversial flag in our deployment script: </h2> <p><code>--user root</code></p> <p>In almost every security guide, running containers as <code>root</code> is considered a vulnerability. However, for a Host Agent, it is a <strong>functional requirement</strong>.</p> <ol> <li> <strong>The Permission Barrier:</strong> The directory <code>/var/lib/docker/volumes</code> is owned by <code>root:root</code> with strict permissions (typically <code>700</code> or <code>750</code>). If we ran Filebeat as the default <code>filebeat</code> user (UID 1000), it would be denied access immediately. It physically cannot enter the directory to read the log files.</li> <li> <strong>The Mitigation (Read-Only):</strong> To balance the risk of running as root, we use the Docker <strong>Read-Only</strong> flag (<code>:ro</code>) on the volume mount: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--volume</span> /var/lib/docker/volumes:/host_volumes:ro </code></pre> </div> <p>This imposes a hard limit at the filesystem level. Even if the Filebeat process were hijacked by an attacker, they could <em>read</em> your logs (confidentiality risk), but they could not <em>delete</em> your data or <em>inject</em> malicious files into your application volumes (integrity risk).</p> <p>This is the standard privilege model for infrastructure monitoring: the observer must have higher privileges than the observed, but we strip its ability to modify the world it watches.</p> <h2> 6.4 The Memory of the Elephant: Persistent Registry </h2> <p>One of the most dangerous pitfalls in deploying Filebeat is failing to persist its "Registry."</p> <p>Filebeat maintains a small internal database called the <strong>Registry</strong>. This file records exactly how far it has read into every log file it tracks. It stores the unique <code>inode</code> of the file and the byte <code>offset</code> (e.g., "I have read 10,240 bytes of <code>jenkins.log</code>").</p> <p>In our script, we explicitly handle this state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker volume create filebeat-data ... <span class="nt">--volume</span> filebeat-data:/usr/share/filebeat/data </code></pre> </div> <p><strong>The Scenario Without Persistence:</strong><br> Imagine we did <em>not</em> map this volume.</p> <ol> <li>Filebeat starts, reads 5,000 lines of Jenkins logs, and ships them to Elasticsearch.</li> <li>You restart the Filebeat container to change a config.</li> <li>The new container starts with a fresh, empty Registry.</li> <li>It looks at <code>jenkins.log</code>, sees 5,000 lines, and thinks, "A new file! I must read this from the beginning."</li> <li>It re-ships all 5,000 lines. You now have duplicates of every single event in your database.</li> </ol> <p>By mounting the <code>data</code> directory to a named Docker volume, we ensure that Filebeat's brain survives a restart. It wakes up, checks the disk, sees it has already processed those 5,000 lines, and waits patiently for line 5,001.</p> <h2> 6.5 System Visibility (Journald) </h2> <p>Finally, we address the "Blind Spot" of standard Docker logging.</p> <p><code>docker logs</code> only captures what an application writes to STDOUT (Standard Output). It does <strong>not</strong> capture what happens to the container itself from the Operating System's perspective.</p> <ul> <li> <strong>Scenario:</strong> Your Jenkins server is under heavy load. It consumes all available RAM. The Linux Kernel's "Out of Memory" (OOM) Killer steps in and terminates the process to save the system.</li> <li> <strong>The Result:</strong> Jenkins is dead. If you look at the Jenkins logs, they just stop. There is no error message because the process was killed before it could write one. You are left guessing.</li> </ul> <p>To solve this, we mount the Host System Journal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--volume</span> /var/log/journal:/var/log/journal:ro <span class="se">\</span> <span class="nt">--volume</span> /etc/machine-id:/etc/machine-id:ro </code></pre> </div> <ul> <li> <strong><code>/var/log/journal</code></strong>: This is where modern Linux systems (Ubuntu, CentOS, Debian) store system-level logs in a binary format. Filebeat reads this directly.</li> <li> <strong><code>/etc/machine-id</code></strong>: This is required for the reader to correctly associate the journal entries with the specific host machine.</li> </ul> <p>By ingesting this stream, we can see the "Meta-Events." In our dashboard, we will be able to correlate a sudden stop in Jenkins logs with a simultaneous <code>kernel: Out of memory: Kill process 1234 (java)</code> event from the system log. This context is often the difference between a 5-minute fix and a 5-hour debugging session.</p> <h1> Chapter 7: The Discovery – Verification </h1> <h2> 7.1 First Contact (The Setup) </h2> <p>The scripts have finished running. The containers are green. Now comes the moment of truth: seeing your data.</p> <p>Before we open the browser, we must ensure your computer knows how to find the services. Our scripts used specific hostnames (<code>kibana.cicd.local</code>) which makes handling SSL certificates and networking much cleaner than using raw IP addresses.</p> <p><strong>1. Update Your Hosts File</strong><br> On your host machine (the one running the browser), open your <code>/etc/hosts</code> file (or <code>C:\Windows\System32\drivers\etc\hosts</code> on Windows) and add the following line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>127.0.0.1 elasticsearch.cicd.local kibana.cicd.local </code></pre> </div> <p><strong>2. The Login</strong><br> Navigate to <strong><code>https://kibana.cicd.local:5601</code></strong>.</p> <p>You will be greeted by the Elastic login screen.</p> <ul> <li> <strong>Username:</strong> <code>elastic</code> </li> <li> <strong>Password:</strong> The value you generated in <code>cicd.env</code> (look for <code>ELASTIC_PASSWORD</code>).</li> </ul> <p><strong>3. Creating the Data View</strong><br> When you first log in, Kibana is "blind." It knows it is connected to a database, but it doesn't know <em>which</em> tables (indices) you care about. We need to define a <strong>Data View</strong> (formerly known as an Index Pattern).</p> <ol> <li>Open the main menu (hamburger icon) and go to <strong>Stack Management &gt; Data Views</strong>.</li> <li>Click <strong>Create data view</strong>.</li> <li> <strong>Name:</strong> Give it a friendly name like <code>CICD Logs</code>.</li> <li> <strong>Index pattern:</strong> Enter <code>filebeat-*</code>. <ul> <li> <em>Why?</em> Filebeat creates a new index every day (e.g., <code>filebeat-9.2.2-2025.12.17</code>). By using the wildcard <code>*</code>, we tell Kibana to look at <em>all</em> existing and future Filebeat indices.</li> <li> <em>Confirmation:</em> You should see a success message on the right listing the matching indices (e.g., <code>filebeat-9.2.2-2025...</code>).</li> </ul> </li> <li> <strong>Timestamp field:</strong> Select <code>@timestamp</code>. <ul> <li> <em>Critical:</em> This tells Kibana which field represents "Time." If you pick the wrong field, your time-series charts will be broken.</li> </ul> </li> <li>Click <strong>Save data view to Kibana</strong>.</li> </ol> <p>Kibana now has a lens through which it can see your data.</p> <h2> 7.2 Verifying the Pipeline (The "Discover" Tab) </h2> <p>Now that Kibana can see the data, let's verify that our <strong>Ingest Pipeline</strong> (Chapter 5) is actually working. If the pipeline failed, we would see a giant block of text in the <code>message</code> field and nothing else. If it succeeded, that text should be exploded into useful fields.</p> <ol> <li>Click on the <strong>Discover</strong> icon (compass) in the left sidebar.</li> <li>Ensure the date picker (top right) is set to <strong>"Today"</strong> or <strong>"Last 15 minutes"</strong>.</li> <li>In the search bar, type <code>service_name: "gitlab-nginx"</code> and hit Enter.</li> </ol> <p>You should see a list of log events. Click on the small arrow <code>&gt;</code> next to any document to expand it into Table/JSON view.</p> <p><strong>The "Anatomy of a Log"</strong><br> Look at the JSON structure (like the example below). This is the proof of success:</p> <ul> <li> <strong><code>event.original</code></strong>: This contains the raw, ugly text: <code>172.30.0.5 - - [17/Dec/2025...]</code>. This is our safety net.</li> <li> <strong><code>client.ip</code></strong>: The pipeline successfully extracted <code>172.30.0.5</code>. This is now a searchable IP address, not just text.</li> <li> <strong><code>http.response.status_code</code></strong>: It extracted <code>404</code>. Because we cast this to a <code>long</code> in our pipeline, we can now build charts aggregating "Top Error Codes."</li> <li> <strong><code>@timestamp</code></strong>: Notice the time is <code>2025-12-17T09:51:49.000Z</code>. The pipeline took the Nginx format (<code>17/Dec/2025...</code>) and standardized it to UTC ISO8601.</li> </ul> <p>If you see these fields, your "Brain" is correctly parsing the "Voice" of your infrastructure.</p> <h2> 7.3 Troubleshooting Common Issues </h2> <p>If you navigate to Discover and see... <strong>nothing</strong>, don't panic. This is the "No Data" state, and it usually has three simple causes.</p> <p><strong>1. The Time Trap</strong><br> Kibana defaults to "Last 15 minutes." If your logs are from an hour ago (or if your server time is drifting), you won't see them.</p> <ul> <li> <em>Fix:</em> Set the time picker to <strong>"Last 24 hours"</strong>.</li> </ul> <p><strong>2. The Connection Gap</strong><br> If Filebeat can't reach Elasticsearch, no data arrives.</p> <ul> <li> <em>Fix:</em> Check the Filebeat logs: <code>docker logs filebeat</code>. Look for <code>Connection refused</code>. If you see this, check that Elasticsearch is healthy (<code>docker ps</code>) and that you are using the correct password.</li> </ul> <p><strong>3. The Pipeline Reject</strong><br> If your pipeline has a syntax error, Elasticsearch might reject the logs entirely.</p> <ul> <li> <em>Fix:</em> Look at the Filebeat logs again. If you see <code>400 Bad Request</code> or <code>pipeline [cicd-logs] missing</code>, it means the data made it to the door but was turned away. Re-run <code>04-setup-pipelines.sh</code> to ensure the logic is loaded.</li> </ul> <h1> Chapter 8: The Dashboard – Visualization </h1> <h2> 8.1 System Health (The Blame Wheel) </h2> <p>Raw logs are useful for debugging, but they are terrible for monitoring. You cannot scroll through thousands of lines of text to guess if the server is healthy. We need a visual signal—a "Traffic Light" that turns Red when things are wrong.</p> <p>We will build a <strong>Pie Chart</strong> to visualize the distribution of errors across our stack.</p> <ol> <li>Open the main menu and go to <strong>Dashboard</strong>.</li> <li>Click <strong>Create dashboard</strong>.</li> <li>Click <strong>Create visualization</strong> (This opens the "Lens" editor).</li> <li> <strong>Configure the Chart:</strong> <ul> <li> <strong>View:</strong> Select <strong>Pie</strong> from the chart type dropdown.</li> <li> <strong>Metric (Slice Size):</strong> <code>Count of records</code>.</li> <li> <strong>Slice by:</strong> Drag the field <code>service_name.keyword</code> onto the "Slices" area.</li> </ul> </li> <li> <p><strong>The "Unified" Query:</strong></p> <ul> <li>We have a challenge: Application logs use text levels (<code>ERROR</code>, <code>WARN</code>), but System logs (Journald) use numbers (<code>priority 3</code>, <code>priority 4</code>).</li> <li>In the Search bar at the top, paste this <strong>KQL (Kibana Query Language)</strong> string: </li> </ul> <pre class="highlight plaintext"><code>log.level.keyword: ("WARN" or "error" or "WARNING") or log.syslog.priority &lt;= 4 </code></pre> </li> </ol> <ul> <li>This query captures <em>both</em> types of failures in a single view. <ol> <li> <strong>Save:</strong> Click "Save and return" and name it <strong>"System Health Status"</strong>.</li> </ol> </li> </ul> <p><strong>The Value:</strong><br> If this chart is empty or shows only small slices, you are fine. If you see a massive slice labeled <code>jenkins</code>, you know exactly which service is screaming, without reading a single log line.</p> <h2> 8.2 Intruder Alert (The Security Radar) </h2> <p>Next, we need to secure our perimeter. We want to see if anyone is scanning our Nginx proxy or trying to brute-force URLs. We will use a <strong>Stacked Bar Chart</strong> to show HTTP response codes over time.</p> <ol> <li>On your dashboard, click <strong>Create visualization</strong> again.</li> <li> <strong>Configure the Chart:</strong> <ul> <li> <strong>View:</strong> Select <strong>Bar</strong> (Stacked).</li> <li> <strong>Horizontal Axis:</strong> Drag <code>@timestamp</code> here. Kibana will automatically group data into buckets (e.g., "per minute").</li> <li> <strong>Vertical Axis:</strong> <code>Count of records</code>.</li> <li> <strong>Break down by:</strong> Drag <code>http.response.status_code</code> here.</li> </ul> </li> <li> <strong>Add Filters:</strong> <ul> <li>In the search bar, add: <code>service_name: "gitlab-nginx"</code>.</li> <li>We want to highlight specific anomalies. Click the <strong>Plus (+)</strong> next to the Query bar to add explicit filters for interesting codes: <code>403</code> (Forbidden), <code>502</code> (Bad Gateway), and <code>302</code> (Redirects/Logins).</li> </ul> </li> <li> <strong>Save:</strong> Click "Save and return" and name it <strong>"GitLab Access Patterns"</strong>.</li> </ol> <p><strong>The Value:</strong></p> <ul> <li> <strong>A spike in 302:</strong> Someone is hammering the login page (Brute Force).</li> <li> <strong>A spike in 403:</strong> Someone is scanning for secrets or unauthorized paths.</li> <li> <strong>A spike in 502:</strong> Your GitLab container has likely crashed behind the proxy.</li> </ul> <h2> 8.3 Factory Pulse (Build Frequency) </h2> <p>Finally, we want to see the "Heartbeat" of our factory. We don't want to count logs; we want to count <em>work</em>. We will track how often Jenkins provisions a new agent to run a build.</p> <ol> <li>Click <strong>Create visualization</strong>.</li> <li> <strong>Configure the Chart:</strong> <ul> <li> <strong>View:</strong> Select <strong>Area</strong> (Stacked).</li> <li> <strong>Horizontal Axis:</strong> <code>@timestamp</code>.</li> <li> <strong>Vertical Axis:</strong> <code>Count of records</code>.</li> </ul> </li> <li> <p><strong>The Filter Logic:</strong></p> <ul> <li>In the search bar, use this query: </li> </ul> <pre class="highlight plaintext"><code>logger_name.keyword: "hudson.slaves.NodeProvisioner" and message: "*provisioning successfully completed*" </code></pre> </li> <li> <p><strong>A Note on Accuracy (The Double Log):</strong></p> <ul> <li> <em>Observation:</em> You might notice that for every one build, the count goes up by 2.</li> <li> <em>Cause:</em> The current version of Jenkins logs this specific success message twice (once for the request, once for the completion).</li> <li> <em>Impact:</em> While the absolute number is inflated, the <strong>trend line</strong> is accurate. A spike on this chart still represents a spike in workload. We accept this imperfection rather than over-engineering a fix.</li> </ul> </li> <li><p><strong>Save:</strong> Name it <strong>"Build Frequency"</strong>.</p></li> </ol> <h2> 8.4 Assembling the View </h2> <p>You now have a dashboard with three powerful widgets.</p> <ol> <li> <strong>Resize:</strong> Grab the bottom-right corner of the <strong>Security Radar</strong> and <strong>Build Frequency</strong> charts and stretch them across the full width of the screen. Time-series data needs width to be readable.</li> <li> <strong>Position:</strong> Place the <strong>Health Pie Chart</strong> in the top-left corner.</li> <li> <strong>Save the Dashboard:</strong> <ul> <li>Click the <strong>Save</strong> button in the top right.</li> <li> <strong>Title:</strong> <code>CICD Stack</code>.</li> <li> <strong>Store time with dashboard:</strong> Toggle this <strong>On</strong>. This ensures that whenever you open this dashboard, it defaults to the correct time window.</li> </ul> </li> </ol> <p>You now have a professional-grade observability dashboard. But if you restart the containers now, this manual work might be lost. In the next chapter, we will ensure this dashboard is saved as code so it can be automatically restored.</p> <h1> Chapter 9: Disaster Recovery </h1> <h2> 9.1 The "Ephemeral" Problem </h2> <p>You have just spent valuable time building a dashboard. You tweaked the colors, filtered out the noise, and aligned the charts perfectly.</p> <p>But in a DevOps environment, infrastructure is ephemeral. If you tear down your stack to save costs or spin it up on a new server for a demo, that dashboard is gone. Kibana stores these configurations in its internal index (<code>.kibana</code>), and unless you have a robust snapshot strategy, your manual clicks evaporate when the volume is deleted.</p> <p>We need to treat our dashboard like our application code: <strong>Version Controlled</strong> and <strong>Automated</strong>.</p> <h2> 9.2 Generating the Artifact (<code>export.ndjson</code>) </h2> <p>First, we need to extract the "Source Code" of the dashboard we built in Chapter 8.</p> <ol> <li>In Kibana, go to <strong>Stack Management &gt; Saved Objects</strong>.</li> <li>Find your dashboard titled <strong>"CICD Stack"</strong>.</li> <li>Select the checkbox next to it.</li> <li> <strong>Crucial Step:</strong> Click the <strong>Export</strong> button. <ul> <li>A modal will appear asking if you want to include related objects. <strong>Toggle this ON.</strong> This ensures that the Data View (<code>filebeat-*</code>) and the individual visualizations (Pie Chart, Bar Chart) are bundled into the file.</li> </ul> </li> <li>Save the file as <code>export.ndjson</code> in your project root.</li> </ol> <p>You now have a portable snapshot of your monitoring logic. You can delete your entire Docker environment, run a script, and have this exact view back in seconds.</p> <h2> 9.3 The Restoration Script </h2> <p>Now we write the automation to load this file. Create <code>06-import-dashboard.sh</code>.</p> <p>This script uses the Kibana API to upload our saved objects. Notice that it does <em>not</em> require the <code>-k</code> (insecure) flag for <code>curl</code>. Because our host machine trusts the Private Certificate Authority we generated during the setup phase, we can interact with our local HTTPS services securely and correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 06-import-dashboard.sh</span> <span class="c"># Imports the Kibana Dashboard from 'export.ndjson'.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># 1. Source the Environment Variables (Absolute Path)</span> <span class="c"># We look for the file generated by 01-setup-elk.sh in the runtime directory.</span> <span class="nv">ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/elk/filebeat/filebeat.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ Error: Could not find credentials at </span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Did you run 01-setup-elk.sh?"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># 2. Configuration</span> <span class="nv">KIBANA_URL</span><span class="o">=</span><span class="s2">"https://kibana.cicd.local:5601"</span> <span class="nv">DASHBOARD_FILE</span><span class="o">=</span><span class="s2">"export.ndjson"</span> <span class="c"># 3. Check for the Export File</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$DASHBOARD_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Error: '</span><span class="nv">$DASHBOARD_FILE</span><span class="s2">' not found in current directory."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"⏳ Waiting for Kibana to be ready..."</span> <span class="k">until </span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="nv">$KIBANA_URL</span><span class="s2">/api/status"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"available"</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"."</span> <span class="nb">sleep </span>5 <span class="k">done </span><span class="nb">echo</span> <span class="s2">" Kibana is up!"</span> <span class="nb">echo</span> <span class="s2">"🚀 Importing Dashboard from </span><span class="nv">$DASHBOARD_FILE</span><span class="s2">..."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------"</span> <span class="c"># 4. Import the Dashboard</span> <span class="c"># -X POST: The API method</span> <span class="c"># -u: Basic Auth using the password from the env file</span> <span class="c"># -H "kbn-xsrf: true": Required header for Kibana API</span> <span class="c"># --form file=@...: Uploads the file</span> curl <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$KIBANA_URL</span><span class="s2">/api/saved_objects/_import?overwrite=true"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"elastic:</span><span class="nv">$ELASTIC_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"kbn-xsrf: true"</span> <span class="se">\</span> <span class="nt">--form</span> <span class="nv">file</span><span class="o">=</span>@<span class="nv">$DASHBOARD_FILE</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"✅ Import request finished."</span> </code></pre> </div> <h2> 9.4 The Mechanics of the Restore </h2> <p><strong>1. The "Green" Gate</strong><br> Just like in our deployment scripts, we cannot fire requests at Kibana before it is ready. The <code>until</code> loop hits the <code>/api/status</code> endpoint. It will block execution until Kibana explicitly returns <code>"level":"available"</code>. This prevents the script from failing if you run it immediately after starting the container.</p> <p><strong>2. The Overwrite Flag</strong><br> <code>.../saved_objects/_import?overwrite=true</code><br> We explicitly set <code>overwrite=true</code>. This makes the script <strong>Idempotent</strong>. You can run it ten times in a row; if the dashboard already exists, it updates it. If we didn't do this, the second run would crash with a "Conflict" error.</p> <p><strong>3. The CSRF Token</strong><br> <code>-H "kbn-xsrf: true"</code><br> Kibana has strict security protections against Cross-Site Request Forgery. Even though we are authenticating with a valid password, the API will reject any write operation that lacks this specific header. It is a mandatory handshake that proves the request is intentional.</p> <p>With this script in your toolkit, your observability stack is now as reproducible as the applications it monitors.</p> <h1> Chapter 10: Validation – The Stress Test </h1> <h2> 10.1 The "Fire Drill" Philosophy </h2> <p>We have built a complex machine. We have containers, pipelines, secure certificate authorities, and dashboards. But right now, it is sitting idle. A monitoring system that looks good when nothing is happening is useless; you need to know what it looks like when the world is burning.</p> <p>In this final chapter, we are going to attack our own infrastructure. We will execute a "Fire Drill" to prove that:</p> <ol> <li> <strong>Filebeat</strong> can handle a sudden flood of events (Backpressure).</li> <li> <strong>The Pipeline</strong> correctly parses logs even under load.</li> <li> <strong>The Dashboard</strong> translates this chaos into a clear, readable signal.</li> </ol> <h2> 10.2 The Nuclear Option (The Script) </h2> <p>Create <code>99-stress-test.sh</code>. This script is designed to be noisy. It uses standard Linux tools to generate two distinct types of failures: <strong>System Stability</strong> failures and <strong>Network Security</strong> events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 99-stress-test.sh</span> <span class="c">#</span> <span class="c"># Generates 1000 System Errors and 1000 Access Events</span> <span class="c"># to stress-test ELK dashboards.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔥 Starting ELK 'Nuclear' Stress Test..."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------"</span> <span class="c"># 1. Generate 1000 System Events (Blame Wheel -&gt; System Slice)</span> <span class="nb">echo</span> <span class="s2">"1. Injecting 1000 System Errors &amp; Warnings..."</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..1000<span class="o">}</span><span class="p">;</span> <span class="k">do </span>logger <span class="nt">-p</span> syslog.err <span class="s2">"CICD-STRESS-TEST: Critical Database Failure #</span><span class="nv">$i</span><span class="s2">"</span> logger <span class="nt">-p</span> syslog.warning <span class="s2">"CICD-STRESS-TEST: Memory Threshold Exceeded #</span><span class="nv">$i</span><span class="s2">"</span> <span class="c"># Progress bar effect (print a dot every 50 events)</span> <span class="o">((</span>i % 50 <span class="o">==</span> 0<span class="o">))</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"."</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">" Done."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------"</span> <span class="c"># 2. Generate 1000 Access Events (Security Radar -&gt; 302 Spike)</span> <span class="c"># We target Port 10300 (GitLab HTTPS).</span> <span class="c"># Expect 302 (Redirect to Login) or 401/403 depending on the endpoint.</span> <span class="nb">echo</span> <span class="s2">"2. Simulating 1000 Access Attempts on GitLab (Port 10300)..."</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..1000<span class="o">}</span><span class="p">;</span> <span class="k">do</span> <span class="c"># Hit the protected admin endpoint on the correct mapped port</span> curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="s2">"https://gitlab.cicd.local:10300/admin"</span> <span class="o">((</span>i % 50 <span class="o">==</span> 0<span class="o">))</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"."</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">" Done."</span> <span class="nb">echo</span> <span class="s2">"---------------------------------"</span> <span class="nb">echo</span> <span class="s2">"🎉 Stress Test Complete."</span> <span class="nb">echo</span> <span class="s2">" Go to Kibana -&gt; Refresh Dashboard (Last 15 Minutes)"</span> <span class="nb">echo</span> <span class="s2">" You should see a massive spike in '302' events."</span> </code></pre> </div> <h2> 10.3 Vector 1: The System Flood (Testing Journald) </h2> <p>The first loop uses the <code>logger</code> command. This tool writes directly to the Linux System Journal, bypassing Docker completely.</p> <p><strong>The Test:</strong><br> We are injecting 1,000 messages with specific severity levels (<code>syslog.err</code> and <code>syslog.warning</code>).</p> <p><strong>The Visual Result:</strong><br> Look at your <strong>"System Health Status"</strong> Pie Chart.</p> <ul> <li> <strong>Before:</strong> It was likely empty or had thin slices, as a healthy system generates very few errors.</li> <li> <strong>After:</strong> You will see a massive new slice appear, dominating the chart. This slice represents the <strong>Host System</strong>.</li> <li> <em>Why this matters:</em> We filtered this chart to only show "Bad Things" (<code>WARN</code> or <code>ERROR</code>). The fact that this slice appeared instantly proves that our <strong>Unified Query</strong> works: it successfully caught the <code>syslog.priority</code> signal from the host, even though it didn't come from a container.</li> </ul> <h2> 10.4 Vector 2: The Network Flood (Testing Nginx) </h2> <p>The second loop uses <code>curl</code> to hit the GitLab Admin interface (<code>/admin</code>). Since our script does not provide a session cookie, GitLab rejects us.</p> <p><strong>The Test:</strong><br> We fire 1,000 requests at the Nginx Reverse Proxy.</p> <p><strong>The Visual Result:</strong><br> Look at your <strong>"GitLab Access Patterns"</strong> Bar Chart.</p> <ul> <li> <strong>The Wall:</strong> You will see a massive vertical spike.</li> <li> <strong>The Code:</strong> The bars will be colored for status code <strong>302</strong> (Redirect).</li> <li> <em>Why this matters:</em> If we had failed to configure the <strong>Ingest Pipeline</strong> (Chapter 5) correctly, these logs would just be text. Kibana wouldn't know they were "302" errors. The fact that you can see a "302" bar proves the regex parser extracted <code>http.response.status_code</code> correctly.</li> </ul> <h2> 10.5 Conclusion: The Single Pane of Glass </h2> <p>Congratulations. You have successfully deployed a production-grade Observability Stack for a CI/CD environment.</p> <p>Let's review what we achieved:</p> <ol> <li> <strong>Architecture:</strong> We built a secure, single-node architecture using custom Docker networks and TLS encryption.</li> <li> <strong>Ingestion:</strong> We used <strong>Filebeat</strong> as a lightweight "Host Agent" to collect data from both containers (Docker volumes) and the OS (Journald).</li> <li> <strong>Parsing:</strong> We replaced the heavy Logstash with lean <strong>Ingest Pipelines</strong>, moving the logic into the database to save RAM.</li> <li> <strong>Persistence:</strong> We automated the dashboard recovery with <code>export.ndjson</code>, ensuring our work is never lost.</li> <li> <strong>Validation:</strong> We proved it works by attacking it.</li> </ol> <p>You have moved beyond "SSH and Grep." You now have a <strong>Single Pane of Glass</strong>—a central nervous system that tells you the health, security, and workload of your factory in real-time. This is the foundation of modern DevOps.</p> elasticsearch monitoring tutorial devops Warren Jitsing Mon, 22 Dec 2025 05:35:47 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-07-building-a-sovereign-software-factory-chatops-with-mattermost-bf2 https://dev.to/warren_jitsing_dd1c1d6fc6/part-07-building-a-sovereign-software-factory-chatops-with-mattermost-bf2 <p>GitHub: <a href="https://github.com/InfiniteConsult/0011_cicd_part07_mattermost" rel="noopener noreferrer">https://github.com/InfiniteConsult/0011_cicd_part07_mattermost</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Silent City" problem where alerts are ignored. We construct the <strong>"Command Center"</strong> by deploying <strong>Mattermost</strong> for ChatOps, but first, we must conquer the <strong>"Mobile Frontier"</strong> by manually installing our Root CA on Android to enable secure HTTPS without public DNS. We solve the <strong>"Double NAT"</strong> problem for video conferencing by deploying a <strong>Coturn TURN server</strong> with host networking, and we wire the city's nervous system so that Jenkins builds and SonarQube alerts are pushed directly to engineering channels.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07: Building a Sovereign Software Factory: ChatOps with Mattermost</strong> (You are here)</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The Challenge - The Silent City </h1> <h2> 1.1 The "Lights Out" Problem </h2> <p>In the previous six articles, we have meticulously constructed a sovereign "Software Supply Chain." We started with the foundation in <strong>Docker</strong> and a custom <strong>Certificate Authority</strong>, then built a <strong>Library</strong> (GitLab) to store our blueprints, a <strong>Factory</strong> (Jenkins) to manufacture our products, an <strong>Inspector</strong> (SonarQube) to certify their quality, and a <strong>Warehouse</strong> (Artifactory) to store them securely.</p> <p>Technically, our city is perfect. The pipelines run, the code is analyzed, and the artifacts are shipped.</p> <p>But functionally, our city is broken. It is a "Silent City."</p> <p>When a build fails in the Factory, the only person who knows is the engineer staring at the Jenkins console. When the Inspector slams the Quality Gate shut, the event is logged in a database, but no alarm bells ring. To know the status of our operations, we are forced to manually patrol the dashboards of four different tools. We have built a complex machine, but we have failed to build a nervous system.</p> <p>In a modern DevOps environment, this latency is unacceptable. We need instantaneous, passive awareness. If the "Main Line" stops, every engineer should know immediately. If a critical security vulnerability is detected, the alert should find us where we are—whether that is at our desk or on our phone.</p> <h2> 1.2 The "Command Center" (ChatOps) </h2> <p>To solve this, we need to fundamentally change how we interact with our infrastructure. We need to move beyond passive monitoring and fragmented dashboards. We need a <strong>Command Center</strong>.</p> <p>This concept is industry-known as <strong>ChatOps</strong>. It represents a paradigm shift where the chat client ceases to be merely a "water cooler" for human conversation and becomes a shared, real-time command line interface for the entire engineering team. In a mature ChatOps environment, the chat window is the central console where operations happen. You don't alt-tab to Jenkins to trigger a build; you type <code>/jenkins build</code> in the channel. You don't log into SonarQube to check the quality gate; the gate reports its status directly to you.</p> <p>By centralizing these operations, we achieve three critical goals:</p> <ol> <li> <strong>Transparency:</strong> Every action is visible to the team. If a senior engineer fixes a broken build, the junior engineers watch it happen in real-time, learning the diagnosis and the cure implicitly.</li> <li> <strong>Context:</strong> The alert is located right next to the conversation about the alert. The "What happened?" and the "Why did it happen?" live in the same timeline.</li> <li> <strong>Velocity:</strong> We reduce context switching. We stop jumping between four different browser tabs to understand the state of the world.</li> </ol> <p>In a typical startup environment, setting this up is trivial: you sign up for Slack or Discord, generate a webhook token, and pipe your logs to the cloud. However, our "First Principles" architecture strictly forbids this. We are simulating a high-assurance, air-gapped environment—modeled after defense or financial sectors—where data sovereignty is paramount.</p> <p>We cannot pipe our proprietary build logs, code snippets, or vulnerability reports to a third-party SaaS cloud. That data constitutes our intellectual property and our security posture. If we use Slack, our internal state leaves our perimeter.</p> <p>Therefore, we will deploy <strong>Mattermost</strong>. Mattermost is the open-source industry standard for secure, self-hosted collaboration. It offers the modern features we expect—threaded messaging, file sharing, rich media, and mobile applications—but it runs entirely on our own silicon, inside our <code>cicd-net</code>. It gives us the usability of Silicon Valley SaaS with the security of a hardened bunker.</p> <h2> 1.3 The Scope: War Room &amp; Nervous System </h2> <p>However, a "Command Center" is defined by more than just its ability to display text. In the heat of a production incident or a broken build pipeline, text is often the bottleneck.</p> <p>When the "Main Line" stops, the immediate next step is almost always a "War Room" scenario. Engineers need to escalate from asynchronous text to synchronous collaboration. They need to see each other, share screens, point at logs, and debug the issue in real-time. In a traditional setup, this is the moment the team breaks protocol: they leave the secure chat, open Zoom or Microsoft Teams, and effectively carry the conversation (and potentially sensitive screen data) out of the secure facility and onto a public cloud server.</p> <p>This breaks our security model. It punches a hole in our air-gapped fortress. To maintain total sovereignty, we must provide a Video Conferencing capability that is as secure and local as the code itself.</p> <p>So, our mission in this article is twofold:</p> <ol> <li> <strong>The Nervous System:</strong> We will wire up the sensory organs of our city—Jenkins, GitLab, and SonarQube—to push rich, actionable alerts into specific Mattermost channels (<code>#builds</code>, <code>#alerts</code>).</li> <li> <strong>The War Room:</strong> We will deploy a fully functional, self-hosted Video Conferencing stack using the Mattermost <strong>Calls</strong> plugin.</li> </ol> <p>This second requirement will force us to confront one of the most notorious "Dragons" in self-hosted networking: <strong>NAT Traversal</strong>. Unlike simple HTTP traffic, which flows easily through Docker containers, real-time video relies on <strong>WebRTC</strong> (Web Real-Time Communication). This protocol is allergic to the complex layers of Network Address Translation (NAT) found in Docker. To make this work—specifically to make it work on a mobile phone over WiFi—we will have to build a dedicated "Radio Tower" (TURN Server) to relay the signal over the walls of our container fortress.</p> <h1> Chapter 2: Architecture - The Fortress and the Phone </h1> <h2> 2.1 The "Enterprise" Hack (Entry Mode) </h2> <p>Our first architectural decision concerns the software edition. Mattermost offers two primary Docker images: the purely open-source <strong>Team Edition</strong> (<code>mattermost-team-edition</code>) and the commercial <strong>Enterprise Edition</strong> (<code>mattermost-enterprise-edition</code>).</p> <p>Historically, self-hosters strictly deployed the Team Edition to avoid licensing nags. However, Mattermost has shifted its distribution model. They now encourage even free users to deploy the <strong>Enterprise Image</strong>. When deployed without a license key, this image runs in a special state known as <strong>"Entry Mode."</strong></p> <p>We will adopt this modern approach.</p> <p>We choose the Enterprise image not because we intend to pirate software, but because the Team Edition is functionally incomplete for a modern DevOps workflow. By running the Enterprise image in Entry Mode, we unlock the <strong>"Intelligent Mission Environment."</strong> This grants us access to powerful tools like <strong>Boards</strong> (Kanban project management) and <strong>Playbooks</strong> (incident response checklists)—features that are entirely stripped from the Team build.</p> <p>This power comes with constraints. Entry Mode imposes hard limits designed to encourage commercial upgrades:</p> <ul> <li> <strong>10,000 Message Search Limit:</strong> Older messages remain in the database but vanish from search results.</li> <li> <strong>Single Node Only:</strong> We cannot cluster the application for High Availability.</li> <li> <strong>Feature Caps:</strong> Limits on active Playbooks and Board cards.</li> </ul> <p>For our "First Principles" laboratory, these limits are acceptable. For a production client, we would strongly advise purchasing a license to lift these gates. But for us, this strategy gives us Ferrari features on a Corolla budget.</p> <p>Finally, we will treat our database as a commodity. In <strong>Article 9</strong>, we established a centralized <strong>PostgreSQL 17</strong> cluster. Mattermost will not spawn its own private database container; it will simply be another tenant in our existing "Water Treatment Plant," connecting via our internal <code>cicd-net</code>. This reduces our resource footprint and ensures our chat data benefits from the same backup and security policies as our artifact data.</p> <h2> 2.2 The "Mobile-Ready" Trust </h2> <p>The second architectural challenge is <strong>Trust</strong>, specifically how trust varies across different devices in our ecosystem.</p> <p>In previous articles, we established a "Local Root of Trust" using our custom Certificate Authority (CA). On our desktop machines, this system works flawlessly. We imported our Root CA into the operating system's trust store (Debian/Ubuntu/MacOS), and our browsers immediately recognized <code>gitlab.cicd.local</code> and <code>jenkins.cicd.local</code> as secure. We relied on a simple <code>/etc/hosts</code> modification to route those domain names to <code>127.0.0.1</code>, effectively tricking the browser into believing the server was local.</p> <p>However, our Command Center has a requirement that our other tools did not: <strong>Mobile Access</strong>. We want to receive alerts and join "War Room" calls from our Android or iOS devices while roaming around the office (connected to WiFi).</p> <p>This introduces a hostile environment. Mobile operating systems, particularly modern Android (11+), are notoriously strict about TLS security. They present two specific barriers that break our standard desktop strategy:</p> <ol> <li> <strong>The DNS Barrier:</strong> You cannot easily edit the <code>/etc/hosts</code> file on a non-rooted Android phone. This means the phone has no idea who <code>mattermost.cicd.local</code> is. It relies entirely on the network's DNS server. Unless we run a custom DNS server on our LAN (like Pi-hole), the phone will fail to resolve the domain name.</li> <li> <strong>The IP Barrier:</strong> To bypass the DNS issue, we might try to connect directly via the server's LAN IP address (e.g., <code>https://192.168.0.105:8065</code>). However, standard SSL certificates are issued to <em>Domain Names</em>, not <em>IP Addresses</em>. If we use our standard certificate, the app will reject the connection because the "Common Name" (domain) does not match the "Host" (IP) in the address bar.</li> <li> <strong>The Trust Barrier:</strong> Even if the IP matches, the Android app does not trust our custom CA by default. It will throw a generic, often cryptic error like "Trusted Anchor not found" or simply "Cannot connect to server."</li> </ol> <p>To solve this, we must engineer a <strong>"Mobile-Ready" Certificate</strong>. We cannot use the generic certificate generation script we built in Article 6. We need a specialized issuance process that explicitly bakes the <strong>LAN IP Address</strong> into the certificate's <strong>Subject Alternative Names (SANs)</strong> field.</p> <p>By adding <code>IP:192.168.x.x</code> to the certificate, we create a cryptographic identity that is valid even when accessed via a raw IP address. This allows us to bypass the DNS problem entirely. We simply tell the mobile app to connect to the IP, and because the certificate explicitly claims that IP, the TLS handshake succeeds—provided we also manually install the Root CA on the device (which we will cover in the deployment phase). This architectural foresight turns a "connection refused" error into a functioning mobile command post.</p> <h2> 2.3 The "Radio Tower" (Coturn &amp; Host Networking) </h2> <p>The final and most formidable piece of our architecture is the <strong>Video Conferencing</strong> stack. This requirement forces us to leave the comfortable world of HTTP and confront the chaotic reality of <strong>WebRTC</strong> (Web Real-Time Communication).</p> <p>In our previous articles, every service we deployed—GitLab, Jenkins, SonarQube—communicated using TCP/IP over HTTP. This model is simple: the client opens a connection to the server, sends a request, and waits for a response. It is reliable, predictable, and remarkably tolerant of network layers like Docker's bridge network and Nginx reverse proxies.</p> <p><strong>WebRTC is different.</strong> It is designed for real-time audio and video, where latency is the enemy. It prefers <strong>UDP</strong> over TCP because it's faster to drop a lost packet than to wait for retransmission (a glitch is better than a lag). More importantly, WebRTC attempts to establish a <strong>Peer-to-Peer (P2P)</strong> connection directly between two devices to minimize latency.</p> <p>In a containerized environment, this P2P model breaks instantly.</p> <p>When your phone (on WiFi) tries to send video to the Mattermost server (in a container), it needs an IP address to target. However, the Mattermost container lives inside a Docker Bridge network. It has an internal IP (e.g., <code>172.18.0.5</code>) that is completely invisible to the outside world. To make matters worse, your phone is likely behind its own NAT (Network Address Translation). This scenario is known as <strong>Double NAT</strong>, and it acts as an unbridgeable moat for direct media streams.</p> <p>To bridge this moat, we need a <strong>TURN Server</strong> (Traversal Using Relays around NAT). We will deploy <strong>Coturn</strong>, the industry-standard open-source TURN server.</p> <p>Architecturally, Coturn acts as a <strong>"Radio Tower."</strong> It sits on the absolute edge of our network. When direct P2P communication fails (which it always will in Docker), the phone sends its media packets to the Radio Tower. The Tower then relays those packets across the Docker boundary to the Mattermost container.</p> <p>But deploying Coturn brings its own "Dragon": <strong>The Port Range.</strong></p> <p>Unlike a web server that listens on a single port (443), a TURN server requires a massive range of ephemeral UDP ports—typically <strong>32,768 to 65,535</strong>—to handle media streams for multiple users simultaneously. Every active call consumes a port.</p> <p>If we tried to deploy this using standard Docker Bridge networking, we would have to map every single one of these ports in the <code>docker run</code> command or Compose file. This creates two critical problems:</p> <ol> <li> <strong>The "Docker Proxy" Bottleneck:</strong> For every mapped port, Docker spins up a userland proxy process (<code>docker-proxy</code>). Asking Docker to manage 30,000+ proxy rules explodes the memory usage and adds significant CPU latency to every packet, killing call quality.</li> <li> <strong>IPTables Bloat:</strong> Creating tens of thousands of NAT rules in the host's firewall table slows down networking for the entire system.</li> </ol> <p>To solve this, we will make a rare exception to our "Isolation First" rule. We will deploy the Coturn container using <strong>Host Networking</strong> (<code>--network host</code>).</p> <p>This mode effectively removes the Docker network isolation layer for this specific container. Coturn will not have a private <code>172.x.x.x</code> IP; it will bind directly to the physical network interface of your host machine (<code>192.168.x.x</code>). This eliminates the need for port mapping entirely. It gives our Radio Tower a clear, unobstructed line of sight to your mobile device, ensuring that when you press "Join Call," the video flows instantly and efficiently.</p> <h1> Chapter 3: The Architect - Preparing the Ground </h1> <h2> 3.1 Database Hygiene (Postgres 15+ Compliance) </h2> <p>Before we write a single line of configuration code, we must attend to the soil in which we are planting our application. We are using <strong>PostgreSQL 17</strong> as our shared data store. While this gives us performance and longevity, it also brings strict security defaults that can strangle legacy applications if we aren't careful.</p> <p>Specifically, PostgreSQL 15 introduced a breaking change regarding schema ownership. In older versions, any user could create tables in the <code>public</code> schema by default. In 15+, this permission was revoked to harden the database against accidental pollution.</p> <p>Mattermost, like many mature applications, expects to own its schema completely. It performs complex migrations on startup—creating tables, altering columns, and indexing data. If the database user (<code>mattermost</code>) does not explicitly own the <code>public</code> schema, these migrations can fail. Often, this failure is silent or cryptic, manifesting as a boot loop where the logs complain about "permission denied" on a table that doesn't exist yet.</p> <p>To prevent this "Silent Crash," we cannot just create the user and hope for the best. Our setup script must actively intervene. We will use the <code>psql</code> client to execute a targeted <code>ALTER SCHEMA</code> command, explicitly transferring ownership of the <code>public</code> schema in the <code>mattermost</code> database to the <code>mattermost</code> user. This restores the "God Mode" permissions the application expects within its own sandbox, ensuring smooth migrations for years to come.</p> <h2> 3.2 The "Mobile-Ready" Certificate </h2> <p>With our database secured, we must address the single biggest friction point in self-hosted DevOps: <strong>Mobile Trust</strong>.</p> <p>In our previous articles, we connected our desktop browsers to our internal tools using a simple trick. We updated our <code>/etc/hosts</code> file to map <code>gitlab.cicd.local</code> to <code>127.0.0.1</code>. Because we had imported our Root CA into the desktop's trust store, the browser saw a valid certificate for a valid domain and gave us the green lock.</p> <p>Mobile devices, however, exist in a more hostile networking environment.</p> <p>Modern Android (11+) and iOS devices lock down their DNS settings. You cannot simply edit a "hosts file" on a non-rooted phone to tell it that <code>mattermost.cicd.local</code> resides on your laptop. When your phone is on the office WiFi, it uses the router's DNS. If that router doesn't know your internal domain (which it won't, because we don't have a custom DNS server like Pi-hole), the phone will fail to resolve the address.</p> <p>The pragmatic workaround is to bypass DNS entirely and connect via the <strong>LAN IP Address</strong> (e.g., <code>https://192.168.0.105:8065</code>).</p> <p>This solves the network path, but it breaks the <strong>TLS Identity Trust</strong>. Standard SSL certificates are bound to <strong>Domain Names</strong> (DNS entries). If you present a certificate issued to <code>mattermost.cicd.local</code> but the user is visiting <code>192.168.0.105</code>, the client will reject the connection immediately because the "Host" does not match the "Certificate Name." This is a fundamental protection against Phishing and Man-in-the-Middle attacks.</p> <p>To conquer this, we must engineer a <strong>"Mobile-Ready" Certificate</strong>.</p> <p>We cannot use the generic issuance script we built in Article 6. We need a specialized signing request that explicitly creates a <strong>Subject Alternative Name (SAN)</strong> entry for the IP address. By baking <code>IP:192.168.x.x</code> directly into the certificate's cryptographic identity, we tell the mobile OS: <em>"It is legal and valid for this server to be accessed via this raw IP address."</em></p> <p>Our architect script will automate this. It will dynamically detect your host's LAN IP (<code>hostname -I</code>), construct a custom OpenSSL configuration file with the required SAN extensions, and mint a certificate that satisfies the strict identity requirements of modern mobile operating systems.</p> <h2> 3.3 Secrets Management </h2> <p>Beyond certificates and database permissions, a secure Mattermost deployment relies on a specific set of cryptographic keys. These are not simple passwords that you can type in; they are high-entropy strings that underpin the security of the application's data at rest and in transit.</p> <p>If we leave these default or empty, we compromise the integrity of our fortress. Our Architect script manages three critical secrets:</p> <ol> <li><p><strong>The At-Rest Encryption Key (<code>MM_SQLSETTINGS_ATRESTENCRYPTKEY</code>):</strong><br> Mattermost stores sensitive data in the Postgres database, including OAuth tokens for GitLab and incoming webhook secrets for Jenkins. If an attacker managed to dump our database, these tokens would be exposed in plain text. By configuring an At-Rest Encryption Key (32-character AES), we ensure that Mattermost encrypts these sensitive fields before writing them to the disk.</p></li> <li><p><strong>The Public Link Salt (<code>MM_FILESETTINGS_PUBLICLINKSALT</code>):</strong><br> When a user shares a file via a public link, the URL is generated using a hash function. Without a strong, random salt, these links become predictable, potentially allowing an external attacker to enumerate and download private files by guessing URL patterns.</p></li> <li><p><strong>The TURN Shared Secret (<code>MATTERMOST_TURN_SECRET</code>):</strong><br> This is the most critical key for our "War Room" functionality. The Coturn (Radio Tower) server and the Mattermost (Town Square) server are separate entities. To prevent unauthorized users from hijacking our bandwidth to relay their own traffic, the TURN server requires authentication.<br> We do not use a static username/password for this. Instead, we use a <strong>Time-Limited Credential</strong> mechanism. Both servers share this single, long secret key. Mattermost uses it to generate temporary, short-lived tokens for your phone when you join a call. Coturn uses the same key to validate those tokens. If these keys do not match exactly, the call fails instantly.</p></li> </ol> <p>Our script uses <code>openssl rand -hex</code> to generate these strings. Crucially, as we discovered during our GitLab integration debugging (Chapter 9), we must be precise about length. For AES-256 encryption, the key must be exactly <strong>32 bytes</strong>. A 64-byte key (often generated by overzealous <code>openssl</code> commands) will cause the application's crypto subsystem to crash on boot.</p> <p>We persist these keys in our master <code>cicd.env</code> file, ensuring that our "Radio Tower" and our "Town Square" always wake up knowing the same handshake.</p> <h2> 3.4 The Script (<code>01-setup-mattermost.sh</code>) </h2> <p>We have defined our requirements: Postgres 15+ hygiene, mobile-ready networking, and cryptographic security. Now, we codify these rules into our "Architect" script.</p> <p>This script is the single source of truth for the Mattermost deployment. It does not launch the container; it prepares the battlefield. It ensures that when the container finally starts, it lands in an environment that is secure, configured, and trusted.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/01-setup-mattermost.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-mattermost.sh</span> <span class="c">#</span> <span class="c"># The "Architect" script for Mattermost.</span> <span class="c">#</span> <span class="c"># 1. Secrets: Generates TURN credentials and Salt keys.</span> <span class="c"># 2. Database: Hot-patches PostgreSQL 15+ Schema Ownership.</span> <span class="c"># 3. Certificates: Generates a "Mobile-Ready" SSL cert (.lan.crt.pem).</span> <span class="c"># 4. Config: Generates the 'mattermost.env' 12-factor file.</span> <span class="c"># 5. Permissions: Sets ownership for Bind Mounts ONLY.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">MATTERMOST_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/mattermost"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/mattermost.env"</span> <span class="c"># Certificate Authority Paths</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="s2">"mattermost.cicd.local"</span> <span class="nv">CA_SERVICE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="c"># Ensure directories exist (Bind Mounts Only)</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/config"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/certs"</span> <span class="c"># FIX: Temporarily claim ownership for the host user so we can write files</span> <span class="nb">echo</span> <span class="s2">"🔧 Setting temporary permissions for setup..."</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span>:<span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting Mattermost 'Architect' Setup..."</span> <span class="c"># --- 2. Secrets Management ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 1: Secrets Management ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load existing secrets</span> <span class="nb">set</span> <span class="nt">-a</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">set</span> +a <span class="c"># Helper: Generates 64-char string (Good for Salts/Secrets)</span> generate_secret<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 32 <span class="o">}</span> <span class="c"># Helper: Generates 32-char string (REQUIRED for AES Encryption Keys)</span> generate_aes_key<span class="o">()</span> <span class="o">{</span> openssl rand <span class="nt">-hex</span> 16 <span class="o">}</span> <span class="c"># Verify DB password exists (from Article 9)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_DB_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: MATTERMOST_DB_PASSWORD not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-database.sh (Article 9) first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Generate new Mattermost-specific secrets if missing</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">false </span><span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_TURN_SECRET</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating TURN Shared Secret..."</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# Mattermost &amp; Coturn Shared Secret"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_TURN_SECRET=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_AT_REST_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating At-Rest Encryption Key (Core)..."</span> <span class="nb">echo</span> <span class="s2">"# Mattermost At-Rest Encryption Key"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_AT_REST_KEY=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_PUBLIC_LINK_SALT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating Public Link Salt..."</span> <span class="nb">echo</span> <span class="s2">"# Mattermost Public Link Salt"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_PUBLIC_LINK_SALT=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi</span> <span class="c"># Plugin Secrets (GitLab/Jenkins Interactive)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_GITLAB_PLUGIN_SECRET</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating GitLab Plugin Webhook Secret..."</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_GITLAB_PLUGIN_SECRET=</span><span class="se">\"</span><span class="si">$(</span>generate_secret<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_GITLAB_PLUGIN_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating GitLab Plugin Encryption Key (AES-256)..."</span> <span class="c"># FIX: Must be exactly 32 chars</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_GITLAB_PLUGIN_KEY=</span><span class="se">\"</span><span class="si">$(</span>generate_aes_key<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_JENKINS_PLUGIN_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating Jenkins Plugin Encryption Key (AES-256)..."</span> <span class="c"># FIX: Must be exactly 32 chars</span> <span class="nb">echo</span> <span class="s2">"MATTERMOST_JENKINS_PLUGIN_KEY=</span><span class="se">\"</span><span class="si">$(</span>generate_aes_key<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nv">update_env</span><span class="o">=</span><span class="nb">true </span><span class="k">fi</span> <span class="c"># Reload secrets if we added any</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$update_env</span><span class="s2">"</span> <span class="o">=</span> <span class="nb">true</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secrets generated and persisted."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Secrets already exist."</span> <span class="k">fi</span> <span class="c"># --- 3. Database Schema Ownership Fix (Postgres 15+) ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 2: Verifying Database Schema Ownership ---"</span> <span class="c"># Postgres 15+ revokes permission to create tables in 'public' from regular users.</span> <span class="c"># We apply this fix specifically to the 'mattermost' database.</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>postgres<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Applying PostgreSQL 15+ schema ownership fix..."</span> docker <span class="nb">exec</span> <span class="nt">-i</span> postgres psql <span class="nt">-U</span> postgres <span class="nt">-d</span> mattermost <span class="nt">-c</span> <span class="s2">"ALTER SCHEMA public OWNER TO mattermost;"</span> <span class="o">||</span> <span class="nb">true echo</span> <span class="s2">"Database schema permissions verified."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"WARNING: Postgres container not running. Skipping DB patch."</span> <span class="nb">echo</span> <span class="s2">"Ensure postgres is running before deploying Mattermost."</span> <span class="k">fi</span> <span class="c"># --- 4. Mobile-Ready Certificate Generation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Generating Mobile-Ready SSL Certificate ---"</span> <span class="c"># Detect LAN IP (First non-loopback IP)</span> <span class="nv">LAN_IP</span><span class="o">=</span><span class="si">$(</span><span class="nb">hostname</span> <span class="nt">-I</span> | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Detected LAN IP: </span><span class="nv">$LAN_IP</span><span class="s2">"</span> <span class="c"># Define Paths for the LAN-specific cert</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">"</span> <span class="nv">LAN_KEY_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/</span><span class="nv">$SERVICE_NAME</span><span class="s2">.lan.key.pem"</span> <span class="nv">LAN_CSR_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/</span><span class="nv">$SERVICE_NAME</span><span class="s2">.lan.csr"</span> <span class="nv">LAN_CERT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/</span><span class="nv">$SERVICE_NAME</span><span class="s2">.lan.crt.pem"</span> <span class="nv">EXT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/v3.lan.ext"</span> <span class="c"># Destination in Mattermost volume</span> <span class="nv">MM_CERTS_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/certs"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$LAN_CERT_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Existing LAN certificate found. Skipping generation."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Generating new LAN certificate..."</span> <span class="c"># 1. Generate Key</span> openssl genrsa <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$LAN_KEY_FILE</span><span class="s2">"</span> 4096 <span class="c"># 2. Create specific SAN config including the LAN IP</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$EXT_FILE</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = </span><span class="nv">$SERVICE_NAME</span><span class="sh"> DNS.2 = localhost IP.1 = 127.0.0.1 IP.2 = </span><span class="nv">$LAN_IP</span><span class="sh"> </span><span class="no">EOF </span> <span class="c"># 3. Generate CSR</span> openssl req <span class="nt">-new</span> <span class="nt">-key</span> <span class="s2">"</span><span class="nv">$LAN_KEY_FILE</span><span class="s2">"</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$LAN_CSR_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ZA/ST=Gauteng/L=Johannesburg/O=Local CICD/CN=</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="c"># 4. Sign with Root CA</span> <span class="nv">CA_ROOT_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki"</span> <span class="c"># Assuming CA pass is standard from previous articles</span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$LAN_CSR_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-CA</span> <span class="s2">"</span><span class="nv">$CA_ROOT_DIR</span><span class="s2">/certs/ca.pem"</span> <span class="se">\</span> <span class="nt">-CAkey</span> <span class="s2">"</span><span class="nv">$CA_ROOT_DIR</span><span class="s2">/private/ca.key"</span> <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$LAN_CERT_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-days</span> 365 <span class="se">\</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-extfile</span> <span class="s2">"</span><span class="nv">$EXT_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-passin</span> pass:your_secure_password <span class="nb">echo</span> <span class="s2">"Certificate generated: </span><span class="nv">$LAN_CERT_FILE</span><span class="s2">"</span> <span class="k">fi</span> <span class="c"># Always copy to the run directory</span> <span class="nb">echo</span> <span class="s2">"Installing certificates to </span><span class="nv">$MM_CERTS_DIR</span><span class="s2">..."</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$LAN_CERT_FILE</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$MM_CERTS_DIR</span><span class="s2">/cert.pem"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$LAN_KEY_FILE</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$MM_CERTS_DIR</span><span class="s2">/key.pem"</span> <span class="c"># --- 5. Generate Scoped Environment File ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 4: Generating mattermost.env ---"</span> <span class="c"># NOTE: We remove quotes around simple string values (default_on, id_loaded)</span> <span class="c"># because docker --env-file might pass the quotes literally, breaking validation.</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$SCOPED_ENV_FILE</span><span class="sh">" # Scoped Environment for Mattermost # Generated by 01-setup-mattermost.sh # --- Core Identity --- MM_SQLSETTINGS_DRIVERNAME=postgres # Note: We use the internal Docker DNS 'postgres.cicd.local' # FIX: sslmode=verify-full because we enforce SSL in Postgres and inject the CA into Mattermost MM_SQLSETTINGS_DATASOURCE=postgres://mattermost:</span><span class="nv">$MATTERMOST_DB_PASSWORD</span><span class="sh">@postgres.cicd.local:5432/mattermost?sslmode=verify-full&amp;connect_timeout=10 MM_SERVICESETTINGS_SITEURL=https://</span><span class="nv">$SERVICE_NAME</span><span class="sh">:8065 MM_SERVICESETTINGS_LISTENADDRESS=:8065 # Security: Allow local IPs (needed for Webhooks from other containers) # We strictly allow: localhost, Docker subnet, and Host LAN IP MM_SERVICESETTINGS_ALLOWEDUNTRUSTEDINTERNALCONNECTIONS="127.0.0.1/8 172.30.0.0/24 </span><span class="nv">$LAN_IP</span><span class="sh">/32" # --- TLS Configuration (Application Level) --- MM_SERVICESETTINGS_CONNECTIONSECURITY=TLS MM_SERVICESETTINGS_TLSCERTFILE=/mattermost/certs/cert.pem MM_SERVICESETTINGS_TLSKEYFILE=/mattermost/certs/key.pem # --- Security &amp; Privacy --- MM_SERVICESETTINGS_ENABLELOCALMODE=true MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS=id_loaded MM_FILESETTINGS_PUBLICLINKSALT=</span><span class="nv">$MATTERMOST_PUBLIC_LINK_SALT</span><span class="sh"> MM_SQLSETTINGS_ATRESTENCRYPTKEY=</span><span class="nv">$MATTERMOST_AT_REST_KEY</span><span class="sh"> # --- Developer Experience --- MM_SERVICESETTINGS_ENABLELATEX=true MM_SERVICESETTINGS_ENABLEINLINELATEX=true MM_SERVICESETTINGS_COLLAPSEDTHREADS=default_on MM_SERVICESETTINGS_ENABLECUSTOMGROUPS=true # --- Announcements --- MM_ANNOUNCEMENTSETTINGS_ENABLEBANNER=true MM_ANNOUNCEMENTSETTINGS_BANNERTEXT="🚀 CI/CD City: Systems Operational" MM_ANNOUNCEMENTSETTINGS_BANNERCOLOR="#20a83b" # --- Advanced "Cool" Features --- # 1. Performance Metrics (Port 8067) MM_METRICSSETTINGS_ENABLE=true MM_METRICSSETTINGS_LISTENADDRESS=:8067 # 2. Guest Access MM_GUESTACCOUNTSSETTINGS_ENABLE=true # 3. Automation Freedom MM_SERVICESETTINGS_ENABLEBOTACCOUNTCREATION=true MM_SERVICESETTINGS_ENABLEUSERACCESSTOKENS=true # 4. Hardened Security (MFA) MM_SERVICESETTINGS_ENABLEMULTIFACTORAUTHENTICATION=true # 5. Urgent Messaging MM_SERVICESETTINGS_POSTPRIORITY=true # 6. Culture (Custom Emoji) MM_SERVICESETTINGS_ENABLECUSTOMEMOJI=true # --- Plugins (Force Enable for Entry Mode) --- # NOTE: We only enable them here. Specific config is handled by 08-configure-plugins.py # Added: com.mattermost.plugin-jenkins MM_PLUGINSETTINGS_PLUGINSTATES={"playbooks":{"Enable":true},"focalboard":{"Enable":true},"com.mattermost.calls":{"Enable":true},"mattermost-ai":{"Enable":true},"com.github.manland.mattermost-plugin-gitlab":{"Enable":true},"jenkins":{"Enable":true}} # --- WebRTC (The Radio Tower) --- # 1. Connectivity (Moved to 8444 to avoid conflict with Artifactory on 8443) MM_CALLS_UDP_SERVER_PORT=8444 MM_CALLS_TCP_SERVER_PORT=8444 MM_CALLS_ICE_SERVERS_CONFIGS=[{"urls":["turn:</span><span class="nv">$LAN_IP</span><span class="sh">:3478"],"username":"mattermost","credential":"</span><span class="nv">$MATTERMOST_TURN_SECRET</span><span class="sh">"}] # 2. Network Stability MM_CALLS_ICE_HOST_OVERRIDE=</span><span class="nv">$LAN_IP</span><span class="sh"> # 3. User Permissions MM_CALLS_DEFAULT_ENABLED=true # 4. Features MM_CALLS_ALLOW_SCREEN_SHARING=true MM_CALLS_ICE_HOST_PORT_OVERRIDE=8444 # 5. Mobile &amp; CORS Fixes MM_SERVICESETTINGS_ALLOWCORSFROM=* MM_SERVICESETTINGS_ENABLEINSECUREOUTGOINGCONNECTIONS=true </span><span class="no">EOF </span><span class="c"># Secure the env file (readable by owner only)</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="c"># --- 6. Final Permissions Lock ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 5: Locking Permissions (UID 2000) ---"</span> <span class="c"># FIX: We ONLY chown the directories that need to be bind-mounted.</span> <span class="c"># We leave the .env file owned by the current user so docker run can read it.</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 2000:2000 <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/config"</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 2000:2000 <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/certs"</span> <span class="c"># The Key file must be readable by the app (0600 owned by 2000)</span> <span class="c"># (Already handled by the recursive chown above, but ensuring mode)</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$MM_CERTS_DIR</span><span class="s2">/key.pem"</span> <span class="nb">echo</span> <span class="s2">"✅ Setup Complete."</span> <span class="nb">echo</span> <span class="s2">" - Config written to </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">."</span> <span class="nb">echo</span> <span class="s2">" - Bind Mounts ownership transferred to UID 2000."</span> </code></pre> </div> <h3> Deconstructing the Architect </h3> <p><strong>1. The "Split-Brain" Certificate Strategy (Phase 3)</strong><br> Notice the <code>[alt_names]</code> block. We explicitly define <code>IP.2 = $LAN_IP</code>. This dynamic injection is what makes the certificate "Mobile-Ready." Unlike our standard scripts which only care about the DNS name (<code>mattermost.cicd.local</code>), this script queries the host's actual network interface (<code>hostname -I</code>) and bakes that physical address into the cryptographic identity. This ensures that when an Android phone connects to <code>192.168.0.x</code>, the certificate matches the URL.</p> <p><strong>2. The Key Length Fix (Phase 1)</strong><br> We use two different generator functions: <code>generate_secret</code> (64 hex chars) and <code>generate_aes_key</code> (16 hex chars). This is a critical distinction. The At-Rest Encryption Key and Plugin Encryption Keys rely on AES-256. This algorithm strictly requires a <strong>32-byte key</strong>. If we used the standard 64-char generator (which results in 64 bytes when hex-encoded), the Mattermost server would crash on startup with a generic <code>invalid key size</code> error. We are precise here to prevent runtime failures.</p> <p><strong>3. The WebRTC Configuration (Phase 4)</strong><br> In the environment file generation, we configure the <strong>Calls</strong> plugin immediately.</p> <ul> <li> <code>MM_CALLS_ICE_HOST_OVERRIDE=$LAN_IP</code>: This forces the server to advertise the LAN IP, not the internal Docker IP (<code>172.x</code>), ensuring the phone knows where to send the video packets.</li> <li> <code>MM_CALLS_UDP_SERVER_PORT=8444</code>: We shift the media port from the default (8443) to 8444. This avoids a collision with <strong>Artifactory</strong> (Article 9), which already claimed 8443 for its HTTPS interface. In a "City," port discipline is mandatory.</li> </ul> <h1> Chapter 4: The Radio Tower - Deploying Coturn </h1> <h2> 4.1 The NAT Traversal Challenge </h2> <p>With our "Town Square" foundation laid, we must now build the infrastructure that allows us to see and hear each other. We are deploying the Video Conferencing stack using the Mattermost <strong>Calls</strong> plugin.</p> <p>This requirement forces us to leave the comfortable world of HTTP and confront the chaotic reality of <strong>WebRTC</strong> (Web Real-Time Communication).</p> <p>In our previous articles, every service we deployed—GitLab, Jenkins, SonarQube—communicated using TCP/IP over HTTP. This model is simple: the client opens a connection to the server, sends a request, and waits for a response. It is reliable, predictable, and remarkably tolerant of network layers like Docker's bridge network and Nginx reverse proxies.</p> <p><strong>WebRTC is different.</strong> It is designed for real-time audio and video, where latency is the enemy. It prefers <strong>UDP</strong> over TCP because it's faster to drop a lost packet than to wait for retransmission (a glitch is better than a lag). More importantly, WebRTC attempts to establish a <strong>Peer-to-Peer (P2P)</strong> connection directly between two devices to minimize latency.</p> <p>In a containerized environment, this P2P model breaks instantly.</p> <p>When your phone (on WiFi) tries to send video to the Mattermost server (in a container), it needs an IP address to target. However, the Mattermost container lives inside a Docker Bridge network. It has an internal IP (e.g., <code>172.18.0.5</code>) that is completely invisible to the outside world. To make matters worse, your phone is likely behind its own NAT (Network Address Translation). This scenario is known as <strong>Double NAT</strong>, and it acts as an unbridgeable moat for direct media streams.</p> <p>To bridge this moat, we need a <strong>TURN Server</strong> (Traversal Using Relays around NAT). We will deploy <strong>Coturn</strong>, the industry-standard open-source TURN server.</p> <p>Architecturally, Coturn acts as a <strong>"Radio Tower."</strong> It sits on the absolute edge of our network. When direct P2P communication fails (which it always will in Docker), the phone sends its media packets to the Radio Tower. The Tower then relays those packets across the Docker boundary to the Mattermost container.</p> <h2> 4.2 The Solution (<code>02-deploy-coturn.sh</code>) </h2> <p>But deploying Coturn brings its own "Dragon": <strong>The Port Range.</strong></p> <p>Unlike a web server that listens on a single port (443), a TURN server requires a massive range of ephemeral UDP ports—typically <strong>49,152 to 65,535</strong>—to handle media streams for multiple users simultaneously. Every active call consumes a port.</p> <p>If we tried to deploy this using standard Docker Bridge networking, we would have to map every single one of these ports in the <code>docker run</code> command. This creates two critical problems:</p> <ol> <li> <strong>The "Docker Proxy" Bottleneck:</strong> For every mapped port, Docker spins up a userland proxy process (<code>docker-proxy</code>). Asking Docker to manage 16,000+ proxy rules explodes the memory usage and adds significant CPU latency to every packet, killing call quality.</li> <li> <strong>IPTables Bloat:</strong> Creating tens of thousands of NAT rules in the host's firewall table slows down networking for the entire system.</li> </ol> <p>To solve this, we will make a rare exception to our "Isolation First" rule. We will deploy the Coturn container using <strong>Host Networking</strong> (<code>--network host</code>).</p> <p>This mode effectively removes the Docker network isolation layer for this specific container. Coturn will not have a private <code>172.x.x.x</code> IP; it will bind directly to the physical network interface of your host machine (<code>192.168.x.x</code>). This eliminates the need for port mapping entirely. It gives our Radio Tower a clear, unobstructed line of sight to your mobile device, ensuring that when you press "Join Call," the video flows instantly and efficiently.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/02-deploy-coturn.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-deploy-coturn.sh</span> <span class="c">#</span> <span class="c"># The "Radio Tower" script.</span> <span class="c"># Deploys a Coturn STUN/TURN server for WebRTC media relay.</span> <span class="c">#</span> <span class="c"># 1. Network: Uses '--network host' to bypass Docker NAT.</span> <span class="c"># 2. Config: Injects the shared secret generated in Step 01.</span> <span class="c"># 3. Identity: Auto-detects LAN IP for the --external-ip flag.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Coturn (Radio Tower)..."</span> <span class="c"># --- 1. Load Secrets ---</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/cicd.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$MATTERMOST_TURN_SECRET</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: MATTERMOST_TURN_SECRET not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-mattermost.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Detect Host IP ---</span> <span class="c"># We need to tell Coturn what its external IP is so it can</span> <span class="c"># advertise it to clients (phones/browsers).</span> <span class="c"># hostname -I returns all IPs; awk '{print $1}' takes the first one.</span> <span class="nv">LAN_IP</span><span class="o">=</span><span class="si">$(</span><span class="nb">hostname</span> <span class="nt">-I</span> | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$LAN_IP</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Could not detect LAN IP."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"📡 Radio Tower Configuration:"</span> <span class="nb">echo</span> <span class="s2">" - Listening IP: 0.0.0.0"</span> <span class="nb">echo</span> <span class="s2">" - External IP: </span><span class="nv">$LAN_IP</span><span class="s2"> (Advertised to clients)"</span> <span class="nb">echo</span> <span class="s2">" - Realm: mattermost.cicd.local"</span> <span class="nb">echo</span> <span class="s2">" - Network: Host Mode (Bypassing Docker Bridge)"</span> <span class="c"># --- 3. Clean Slate ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>coturn<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'coturn'..."</span> docker stop coturn <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>coturn<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'coturn'..."</span> docker <span class="nb">rm </span>coturn <span class="k">fi</span> <span class="c"># --- 4. Deploy ---</span> <span class="c"># We use the official coturn image.</span> <span class="c"># We pass configuration flags directly to the command.</span> <span class="c"># Note: --network host is critical here for UDP performance.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> coturn <span class="se">\</span> <span class="nt">--network</span> host <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> coturn/coturn <span class="se">\</span> <span class="nt">-n</span> <span class="se">\</span> <span class="nt">--log-file</span><span class="o">=</span>stdout <span class="se">\</span> <span class="nt">--min-port</span><span class="o">=</span>49152 <span class="se">\</span> <span class="nt">--max-port</span><span class="o">=</span>65535 <span class="se">\</span> <span class="nt">--realm</span><span class="o">=</span>mattermost.cicd.local <span class="se">\</span> <span class="nt">--listening-ip</span><span class="o">=</span>0.0.0.0 <span class="se">\</span> <span class="nt">--external-ip</span><span class="o">=</span><span class="nv">$LAN_IP</span> <span class="se">\</span> <span class="nt">--use-auth-secret</span> <span class="se">\</span> <span class="nt">--static-auth-secret</span><span class="o">=</span><span class="nv">$MATTERMOST_TURN_SECRET</span> <span class="nb">echo</span> <span class="s2">"✅ Coturn deployed."</span> <span class="nb">echo</span> <span class="s2">" Verify logs with: docker logs -f coturn"</span> </code></pre> </div> <h3> Deconstructing the Radio Tower </h3> <p><strong>1. The IP Detection (<code>hostname -I</code>)</strong><br> Coturn needs to know "who it is" to function correctly. When a phone asks for a relay candidate, Coturn must respond with an IP address that the phone can actually reach. We automate this by detecting the host's LAN IP at runtime and passing it to <code>--external-ip</code>. If we hardcoded this or let it default, Coturn might advertise an internal loopback address, causing call failures.</p> <p><strong>2. The "No-Map" Deployment (<code>--network host</code>)</strong><br> Notice that there are no <code>-p 3478:3478</code> or <code>-p 49152:49152</code> flags in the <code>docker run</code> command. Because we used <code>--network host</code>, the container essentially "becomes" the host networking stack. It opens these sockets directly on the host's interface. This is the secret to high-performance WebRTC in Docker.</p> <p><strong>3. The Shared Secret (<code>--static-auth-secret</code>)</strong><br> This ties back to <strong>Article 3</strong>. We inject the <code>MATTERMOST_TURN_SECRET</code>. This ensures that our Radio Tower isn't an open relay for the internet. It will only relay traffic for clients that present a valid token signed by our Mattermost server using this exact key.</p> <h2> 4.3 The Verification (<code>test-turn-server.py</code>) </h2> <p>Before we try to connect a complex application like Mattermost to this Radio Tower, we must verify that the Tower is actually broadcasting. If we skip this step, debugging broken video calls later becomes a guessing game: is it the Android app? The certificate? The firewall? Or the TURN server itself?</p> <p>We will perform a "Smoke Test" using the industry-standard <strong>Trickle ICE</strong> diagnostic tool.</p> <p>To do this securely, we cannot just guess a username and password. Our TURN server is protected by the Time-Limited Credential mechanism. We need to generate a valid, signed token that expires in 24 hours.</p> <p>We will write a small Python script to generate these credentials using the <code>MATTERMOST_TURN_SECRET</code> from our environment file.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/test-turn-server.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ </span><span class="kn">import</span> <span class="n">hashlib</span><span class="p">,</span> <span class="n">hmac</span><span class="p">,</span> <span class="n">base64</span><span class="p">,</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># Load Secret </span><span class="n">env_path</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">secret</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">env_path</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="k">if</span> <span class="sh">"</span><span class="s">MATTERMOST_TURN_SECRET</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">"</span><span class="se">\"</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">secret</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Error: Could not find secret</span><span class="sh">"</span><span class="p">)</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Generate Credentials (valid for 24 hours) </span><span class="n">timestamp</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="o">+</span> <span class="p">(</span><span class="mi">24</span> <span class="o">*</span> <span class="mi">3600</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="s">:testuser</span><span class="sh">"</span> <span class="n">dig</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">secret</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">username</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha1</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="n">password</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">dig</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">=== TURN Credentials (Valid 24h) ===</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Username: </span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Password: </span><span class="si">{</span><span class="n">password</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">====================================</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Deconstructing the Smoke Test </h3> <p>This script implements the standard TURN REST API hashing algorithm. It combines a timestamp (valid for 24 hours) with a username, signs it with our secret key using HMAC-SHA1, and Base64 encodes the result. This matches exactly what the Mattermost server does internally when a user requests to join a call.</p> <h3> Execution: The Trickle ICE Test </h3> <p>Now, we perform the physical test.</p> <ol> <li> <p><strong>Generate Credentials:</strong> Run the script on your host.<br> </p> <pre class="highlight shell"><code>python3 test-turn-server.py </code></pre> <p>Copy the <strong>Username</strong> and <strong>Password</strong> output.</p> </li> <li><p><strong>Open the Diagnostics Tool:</strong><br> On a <strong>different device</strong> (like your phone or a laptop on the same WiFi, <em>not</em> the host running Docker), open this URL:<br> <a href="https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/" rel="noopener noreferrer">https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/</a></p></li> <li><p><strong>Configure the Server:</strong></p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* **STUN or TURN URI:** `turn:&lt;YOUR_LAN_IP&gt;:3478` (e.g., `turn:192.168.0.105:3478`) * **TURN username:** (Paste from script) * **TURN password:** (Paste from script) </code></pre> </div> <ol> <li> <strong>Run the Test:</strong> Click <strong>"Gather candidates"</strong>.</li> </ol> <p><strong>The Success Criteria:</strong><br> You are looking for a specific row in the output table.</p> <ul> <li> <strong>Component Type:</strong> <code>rtcp</code> or <code>rtp</code> </li> <li> <strong>Type:</strong> <strong><code>relay</code></strong> (This is the critical keyword).</li> <li> <strong>Protocol:</strong> <code>udp</code> </li> </ul> <p>If you see a candidate of type <strong><code>relay</code></strong>, it means your device successfully contacted the Coturn server, authenticated with the secret, and received a relay address. The Radio Tower is operational. If you only see <code>host</code> or <code>srflx</code> candidates, the TURN server is unreachable (check your firewall) or authentication failed (check your secret).</p> <h1> Chapter 5: Deployment - Launching the Town Square </h1> <h2> 5.1 The "Clean Slate" Protocol </h2> <p>We have tuned our database, generated our mobile-ready certificates, and erected our radio tower. The ground is prepared. It is time to deploy the application itself.</p> <p>We will use our standard <strong>"Launcher"</strong> pattern. This script (<code>03-deploy-mattermost.sh</code>) is the enforcement mechanism for our infrastructure. It does not just "start" the container; it ensures that every deployment begins with a predictable, clean state.</p> <p>This "Clean Slate" protocol—stopping the container, removing it, and verifying volumes before launching—is critical for "Immutable Infrastructure." It guarantees that if we change a configuration variable in <code>mattermost.env</code> or update a certificate, the new container will pick up those changes immediately. We never rely on <code>docker restart</code>, which often preserves stale state.</p> <p>This script also handles a specific architectural requirement for Mattermost: <strong>Plugin Persistence</strong>. Unlike Jenkins, where plugins are baked into the image or volume in a single blob, Mattermost benefits from separating its storage concerns. We create four distinct named volumes:</p> <ol> <li> <code>mattermost-data</code>: For file uploads and images.</li> <li> <code>mattermost-logs</code>: For audit trails (critical for security).</li> <li> <code>mattermost-plugins</code>: For server-side plugin binaries.</li> <li> <code>mattermost-client-plugins</code>: For the webapp frontend code of those plugins.</li> </ol> <p>By separating these, we ensure that a plugin upgrade doesn't accidentally corrupt our file store, and that we can wipe plugins if necessary without losing user data.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/03-deploy-mattermost.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-deploy-mattermost.sh</span> <span class="c">#</span> <span class="c"># The "Town Square" script.</span> <span class="c"># Deploys Mattermost Enterprise Edition (Entry Mode).</span> <span class="c">#</span> <span class="c"># 1. Network: Connects to 'cicd-net' for internal comms.</span> <span class="c"># 2. Ports:</span> <span class="c"># - 8065 (TCP): Main UI/API (Exposed to LAN).</span> <span class="c"># - 8443 (UDP): Calls Plugin SFU (Exposed to LAN).</span> <span class="c"># - 8067 (TCP): Metrics (Exposed to Localhost).</span> <span class="c"># 3. Trust: Mounts Host's ca-certificates.crt (Distroless fix).</span> <span class="c"># 4. Config: Injects 'mattermost.env' (12-Factor).</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Mattermost (Town Square)..."</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">MATTERMOST_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/mattermost"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/mattermost.env"</span> <span class="c"># --- 2. Prerequisite Checks ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: mattermost.env not found."</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-mattermost.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Volume Management ---</span> <span class="nb">echo</span> <span class="s2">"--- Verifying Storage Volumes ---"</span> docker volume create mattermost-data <span class="o">&gt;</span>/dev/null docker volume create mattermost-logs <span class="o">&gt;</span>/dev/null docker volume create mattermost-plugins <span class="o">&gt;</span>/dev/null docker volume create mattermost-client-plugins <span class="o">&gt;</span>/dev/null <span class="c"># Note: Bleve indexes volume removed (Deprecated in v11)</span> <span class="c"># --- 4. Clean Slate ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>mattermost<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'mattermost'..."</span> docker stop mattermost <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>mattermost<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'mattermost'..."</span> docker <span class="nb">rm </span>mattermost <span class="k">fi</span> <span class="c"># --- 5. Deploy ---</span> <span class="nb">echo</span> <span class="s2">"--- Launching Container ---"</span> <span class="c"># CRITICAL PORTS:</span> <span class="c"># 8065: Main HTTP traffic (LAN access)</span> <span class="c"># 8443/udp: Calls Plugin Media/SFU (LAN access for calls)</span> <span class="c"># 8067: Metrics (Localhost only, for Prometheus later)</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> mattermost <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> mattermost.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 0.0.0.0:8065:8065 <span class="se">\</span> <span class="nt">--publish</span> 0.0.0.0:8444:8444/udp <span class="se">\</span> <span class="nt">--publish</span> 0.0.0.0:8444:8444/tcp <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:8067:8067 <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/config"</span>:/mattermost/config:rw <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$MATTERMOST_BASE</span><span class="s2">/certs"</span>:/mattermost/certs:ro <span class="se">\</span> <span class="nt">--volume</span> mattermost-data:/mattermost/data <span class="se">\</span> <span class="nt">--volume</span> mattermost-logs:/mattermost/logs <span class="se">\</span> <span class="nt">--volume</span> mattermost-plugins:/mattermost/plugins <span class="se">\</span> <span class="nt">--volume</span> mattermost-client-plugins:/mattermost/client/plugins <span class="se">\</span> <span class="nt">--volume</span> /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro <span class="se">\</span> mattermost/mattermost-enterprise-edition:release-11 <span class="nb">echo</span> <span class="s2">"✅ Mattermost deployed."</span> <span class="nb">echo</span> <span class="s2">" - Main URL: https://mattermost.cicd.local:8065"</span> <span class="nb">echo</span> <span class="s2">" - Metrics: http://127.0.0.1:8067/metrics"</span> <span class="nb">echo</span> <span class="s2">" - Logs: docker logs -f mattermost"</span> <span class="nb">echo</span> <span class="s2">" - Trust: Host CA bundle injected."</span> </code></pre> </div> <h3> Deconstructing the Launcher </h3> <p><strong>1. The Trust Injection (<code>/etc/ssl/certs/...</code>)</strong><br> This single line solves the "Island Problem" we faced with SonarQube and Jenkins. We mount the host's CA bundle directly over the container's CA bundle. Because we previously installed our Root CA on the host (Article 6), this "brain transplant" allows Mattermost to instantly trust <code>gitlab.cicd.local</code> and <code>jenkins.cicd.local</code>. Without this, every integration webhook would fail with a certificate error.</p> <p><strong>2. The Port Strategy (<code>8444</code>)</strong><br> Notice we map port <strong>8444</strong> for both TCP and UDP. This corresponds to the <code>MM_CALLS_UDP_SERVER_PORT</code> setting we configured in the Architect script. By explicitly mapping this, we punch a hole through the Docker NAT for our relayed media packets coming from the Coturn server.</p> <p><strong>3. The Image Selection (<code>enterprise-edition:release-11</code>)</strong><br> We explicitly pull the <strong>Enterprise Edition</strong>. As discussed in Chapter 2, this—combined with the lack of a license key—activates "Entry Mode," giving us access to Boards and Playbooks which are absent in the Team Edition image.</p> <p><strong>4. The Localhost Bind (<code>127.0.0.1:8067</code>)</strong><br> For the metrics port, we bind strictly to <code>127.0.0.1</code>. We do not want our internal performance metrics exposed to the LAN. This allows a future Prometheus instance (running in the same <code>cicd-net</code>) to scrape metrics, or us to curl them from the host, but prevents casual snooping from the office WiFi.</p> <h1> Chapter 6: The Mobile Frontier - Connecting Android </h1> <h2> 6.1 The "Generic Failure" Barrier </h2> <p>We have launched our "Town Square." From your desktop machine, you can likely open a browser, navigate to <code>https://mattermost.cicd.local:8065</code>, and see the login screen. The green lock icon is present because your desktop OS trusts the Root CA we installed in Article 6.</p> <p>Now, we attempt to extend this perimeter to the mobile frontier.</p> <p>Connect your Android device to the same WiFi network as your host machine. Open the official Mattermost app. Since we cannot easily configure DNS on a standard Android phone to resolve <code>.local</code> domains, we bypass the DNS system entirely and enter the raw IP address:</p> <p><strong>Server URL:</strong> <code>https://192.168.X.X:8065</code> (Replace with your LAN IP)</p> <p>You will be met with an immediate, generic failure: <strong>"Cannot connect to the server."</strong></p> <p>This error message is dangerously misleading. It implies a network timeout or a firewall block. You might waste time checking <code>iptables</code> or Docker port mappings. However, the connection is physically reaching the server; it is being rejected at the cryptographic layer.</p> <p>This is the "Trust Gap." Your Android device has its own segregated store of trusted Certificate Authorities (Google, DigiCert, Let's Encrypt). It has absolutely no knowledge of the "CICD-Root-CA" we generated on our laptop. When the server presents its "Mobile-Ready" certificate, the phone sees a valid cryptographic signature from an unknown entity. It assumes a Man-in-the-Middle attack is in progress and creates a hard stop at the TLS layer.</p> <p>To fix this, we cannot just change a setting in the app. We must surgically intervene in the device's operating system.</p> <h2> 6.2 The Manual Trust Protocol </h2> <p>To breach this barrier, we must perform a manual key exchange. We need to take the <strong>Root CA</strong> (<code>ca.pem</code>)—the "Master Key" that signed our Mattermost certificate—and import it into the Android "User Credentials" store. This explicitly tells the operating system: <em>"Trust any certificate signed by this file."</em></p> <p>This is a physical process that varies slightly by Android version, but the core protocol is universal.</p> <p><strong>Step 1: Transport the Key</strong><br> First, we must get the file onto the device. Since we are simulating an air-gapped environment, we would typically use a USB cable. For simplicity in this lab, email the <code>~/cicd_stack/ca/pki/certs/ca.pem</code> file to an account accessible on the phone.<br> Open the email on your Android device and save the attachment to your <strong>Downloads</strong> folder.</p> <p><strong>Step 2: The Security Settings</strong><br> Android buries certificate management deep within its security menus to prevent users from accidentally installing malicious roots.</p> <ol> <li> Open <strong>Settings</strong>.</li> <li> In the search bar at the top, type <strong>"certificate"</strong>.</li> <li> Select <strong>"CA certificate"</strong> (often found under <em>Encryption &amp; Credentials</em> or <em>Install from storage</em>).</li> <li> If prompted with a frightening warning ("Your data won't be private"), click <strong>"Install anyway"</strong>. This warning exists because a malicious CA could inspect your traffic; however, in this case, <em>we</em> are the CA.</li> <li> Confirm your identity by entering your <strong>Device PIN</strong> or <strong>Pattern</strong>.</li> </ol> <p><strong>Step 3: The Import and Verification</strong><br> The file explorer will open. Navigate to your <strong>Downloads</strong> folder (or wherever you saved the file).<br> Select the <code>ca.pem</code> file.<br> You should see a brief "toast" notification: <strong>"CA certificate installed."</strong></p> <p>To verify this, we must dig into the user credential store. On modern Android versions, the path is often convoluted:<br> Navigate to <strong>Fingerprints, face data and screen lock</strong> -&gt; <strong>Privacy</strong> -&gt; <strong>More security settings</strong> -&gt; <strong>Encryption and credentials</strong> -&gt; <strong>User credentials</strong>.</p> <p>In this list, you should see your custom CA (e.g., <code>Local CICD Root CA</code>). With the root established, the phone now possesses the cryptographic chain of trust required to validate our server's identity.</p> <h2> 6.3 The "CORS" Dragon </h2> <p>You might expect that installing the certificate would be the end of the battle. You return to the Mattermost app, enter the server URL (<code>https://192.168.x.x:8065</code>), and hit connect.</p> <p>If we had not carefully configured our environment variables in Chapter 3, you would likely hit a second, invisible wall. The app might let you log in, but then immediately disconnect. Or, more subtly, text messages would work, but the status indicators would never update, and video calls would fail to initiate.</p> <p>This is the <strong>WebSocket</strong> layer failing.</p> <p>Mattermost uses a persistent WebSocket connection for real-time events (typing indicators, new messages, call signaling). When a mobile app initiates this connection, it sends an HTTP Origin header. Unlike a browser which sends the domain name, mobile apps (depending on the framework) often send <code>null</code> or the raw IP address as the Origin.</p> <p>By default, the Mattermost server is strict. It checks the Origin header against its own <code>SiteURL</code>. If they don't match exactly, it slams the door on the WebSocket to prevent Cross-Site WebSocket Hijacking (CSWSH).</p> <p>Because we are accessing the server via an IP address (<code>192.168.x.x</code>) but the server thinks its name is <code>mattermost.cicd.local</code>, this check fails. The text API (REST) works, but the real-time API (WebSocket) dies.</p> <p>We solved this preemptively in <strong>Section 3.4</strong>. By setting <code>MM_SERVICESETTINGS_ALLOWCORSFROM=*</code>, we instructed the server to drop its shield and accept WebSocket connections from any origin. In a public internet deployment, this would be a security risk. In our private <code>cicd-net</code> fortress, it is a necessary concession to allow our mobile devices to speak freely with the Command Center.</p> <p>With the Certificate installed and CORS unlocked, your mobile Command Center is now fully operational. You can log in, browse channels, and—most importantly—prepare to receive signals from the city we are about to wire up.</p> <h1> Chapter 7: The Wiring (Part 1) - The Silent Observer </h1> <h2> 7.1 The "Click-Ops" Trap </h2> <p>Our Command Center is online, but it is currently a ghost town. It has no teams, no channels, and no users other than the admin.</p> <p>In a typical "hobbyist" deployment, this is where you would start clicking. You would log into the web UI, click "Create Team," type "Engineering," click "Create Channel," type "builds," go to the System Console, create a Bot Account, copy the token, save it to a text file... and repeat this process for every tool you want to integrate.</p> <p>This manual approach—often called "Click-Ops"—is an architectural trap.</p> <ol> <li> <strong>It is not reproducible.</strong> If your server crashes and you have to redeploy, you have to remember every single button click.</li> <li> <strong>It is insecure.</strong> Copy-pasting access tokens and webhook URLs through the browser clipboard is a great way to accidentally expose secrets or lose them.</li> <li> <strong>It scales poorly.</strong> Managing permissions for three tools is annoying; managing them for thirty is a full-time job.</li> </ol> <p>We are building a <strong>Software Supply Chain</strong>, not a chatroom. Our infrastructure must be defined as code. The creation of our "Engineering" team, our standard channels (<code>#builds</code>, <code>#alerts</code>, <code>#code-reviews</code>), and the bot accounts that own them should be scripted, versioned, and executed automatically.</p> <p>We need an "Electrician"—a script that walks into the empty building and wires up the lights before the residents arrive.</p> <h2> 7.2 The Electrician (<code>04-configure-integrations.py</code>) </h2> <p>To achieve this automation, we rely on <code>mmctl</code>, the official command-line tool for Mattermost. Unlike the web API, <code>mmctl</code> has a superpower: <strong>Local Mode</strong>.</p> <p>When running inside the container (or communicating via the Docker socket), <code>mmctl</code> can execute administrative commands without a username or password. It speaks directly to the server process over a Unix socket. This solves the "Bootstrap Paradox"—how do you authenticate to the API to create the first admin user if you don't have an admin user yet?</p> <p>We will wrap <code>mmctl</code> in a Python script. While Bash is great for plumbing, Python is superior for parsing JSON responses and handling the logic flow of "If this webhook exists, don't create it; if it doesn't, create it and save the secret."</p> <p>This script is our <strong>Electrician</strong>. It establishes the taxonomy of our city:</p> <ul> <li> <strong>#builds:</strong> The noisy factory floor where Jenkins reports status.</li> <li> <strong>#code-reviews:</strong> The library where GitLab announces changes.</li> <li> <strong>#alerts:</strong> The dedicated red-phone line for SonarQube quality gate failures.</li> </ul> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/04-configure-integrations.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">CICD_ROOT</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="n">ENV_FILE</span> <span class="o">=</span> <span class="n">CICD_ROOT</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">CONTAINER_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">mattermost</span><span class="sh">"</span> <span class="c1"># We use --local to bypass authentication (requires EnableLocalMode=true) </span><span class="n">MMCTL_CMD</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONTAINER_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--json</span><span class="sh">"</span><span class="p">]</span> <span class="n">ADMIN_USER</span> <span class="o">=</span> <span class="sh">"</span><span class="s">warren.jitsing</span><span class="sh">"</span> <span class="c1"># The user who will own the webhooks </span> <span class="c1"># --- Entities to Create --- </span><span class="n">TEAM_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">engineering</span><span class="sh">"</span> <span class="n">CHANNELS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">builds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">code-reviews</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">alerts</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">town-square</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">run_mmctl</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Runs an mmctl command inside the container and returns parsed JSON.</span><span class="sh">"""</span> <span class="n">cmd</span> <span class="o">=</span> <span class="n">MMCTL_CMD</span> <span class="o">+</span> <span class="n">args</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># check=True is removed so we can handle the return code manually </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">if</span> <span class="n">allow_fail</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error running mmctl: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">output</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">output</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Attempt 1: Parse the full output as JSON </span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="nb">list</span><span class="p">):</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">data</span> <span class="k">else</span> <span class="bp">None</span> <span class="k">return</span> <span class="n">data</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="c1"># Attempt 2: Fallback for mixed output </span> <span class="n">lines</span> <span class="o">=</span> <span class="n">output</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">lines</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">lines</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">allow_fail</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unexpected error parsing mmctl output: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">read_env_file</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Reads the current state of cicd.env.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="k">return</span> <span class="sh">""</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">return</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">def</span> <span class="nf">append_to_env</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">value</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Appends a secret to the master cicd.env file.</span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> 💾 Writing </span><span class="si">{</span><span class="n">key</span><span class="si">}</span><span class="s"> to cicd.env...</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">a</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="si">{</span><span class="n">key</span><span class="si">}</span><span class="s">=</span><span class="se">\"</span><span class="si">{</span><span class="n">value</span><span class="si">}</span><span class="se">\"\n</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">wait_for_server</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⏳ Waiting for Mattermost to be ready...</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">30</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONTAINER_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">system</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ Mattermost is responding.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Timeout waiting for Mattermost.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="n">ENV_FILE</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="nf">wait_for_server</span><span class="p">()</span> <span class="n">env_content</span> <span class="o">=</span> <span class="nf">read_env_file</span><span class="p">()</span> <span class="c1"># 1. Create Team </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Configuring Team: </span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="s"> ---</span><span class="sh">"</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--name</span><span class="sh">"</span><span class="p">,</span> <span class="n">TEAM_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">--display-name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Engineering</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">if</span> <span class="n">res</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Team </span><span class="sh">'</span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="sh">'</span><span class="s"> created.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ℹ️ Team </span><span class="sh">'</span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="sh">'</span><span class="s"> likely exists.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># FIX: Add Admin User to Team so they can own webhooks </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Ensuring </span><span class="si">{</span><span class="n">ADMIN_USER</span><span class="si">}</span><span class="s"> is in </span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">users</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">add</span><span class="sh">"</span><span class="p">,</span> <span class="n">TEAM_NAME</span><span class="p">,</span> <span class="n">ADMIN_USER</span><span class="p">],</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># 2. Create Channels </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Configuring Channels ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">channel</span> <span class="ow">in</span> <span class="n">CHANNELS</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONTAINER_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">channel</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--team</span><span class="sh">"</span><span class="p">,</span> <span class="n">TEAM_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">--name</span><span class="sh">"</span><span class="p">,</span> <span class="n">channel</span><span class="p">,</span> <span class="sh">"</span><span class="s">--display-name</span><span class="sh">"</span><span class="p">,</span> <span class="n">channel</span><span class="p">.</span><span class="nf">capitalize</span><span class="p">()],</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Channel </span><span class="sh">'</span><span class="s">#</span><span class="si">{</span><span class="n">channel</span><span class="si">}</span><span class="sh">'</span><span class="s"> ensured.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3. Configure Jenkins Integration (Bot + Webhook) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Configuring Jenkins Integration ---</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3a. Ensure Bot User Exists (Identity) </span> <span class="n">bot_password</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="sh">"</span><span class="s">JENKINS_BOT_PASSWORD</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_content</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">env_content</span><span class="p">.</span><span class="nf">splitlines</span><span class="p">():</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">JENKINS_BOT_PASSWORD=</span><span class="sh">"</span><span class="p">):</span> <span class="n">bot_password</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> 🎲 Generating high-entropy Bot Password...</span><span class="sh">"</span><span class="p">)</span> <span class="n">bot_password</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">24</span><span class="p">)</span> <span class="nf">append_to_env</span><span class="p">(</span><span class="sh">"</span><span class="s">JENKINS_BOT_PASSWORD</span><span class="sh">"</span><span class="p">,</span> <span class="n">bot_password</span><span class="p">)</span> <span class="n">env_content</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">JENKINS_BOT_PASSWORD=</span><span class="si">{</span><span class="n">bot_password</span><span class="si">}</span><span class="sh">"</span> <span class="n">bot_email</span> <span class="o">=</span> <span class="sh">"</span><span class="s">jenkins-bot@cicd.local</span><span class="sh">"</span> <span class="n">bot_user</span> <span class="o">=</span> <span class="sh">"</span><span class="s">jenkins-bot</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Ensuring Jenkins Bot User exists...</span><span class="sh">"</span><span class="p">)</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--email</span><span class="sh">"</span><span class="p">,</span> <span class="n">bot_email</span><span class="p">,</span> <span class="sh">"</span><span class="s">--username</span><span class="sh">"</span><span class="p">,</span> <span class="n">bot_user</span><span class="p">,</span> <span class="sh">"</span><span class="s">--password</span><span class="sh">"</span><span class="p">,</span> <span class="n">bot_password</span><span class="p">],</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">verify</span><span class="sh">"</span><span class="p">,</span> <span class="n">bot_user</span><span class="p">],</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">users</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">add</span><span class="sh">"</span><span class="p">,</span> <span class="n">TEAM_NAME</span><span class="p">,</span> <span class="n">bot_user</span><span class="p">],</span> <span class="n">allow_fail</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># 3b. Create Webhook for Notifications (Required by Jenkins Notification Plugin) </span> <span class="k">if</span> <span class="sh">"</span><span class="s">JENKINS_MATTERMOST_WEBHOOK</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_content</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ℹ️ JENKINS_MATTERMOST_WEBHOOK already exists. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Creating Incoming Webhook for #builds...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># FIX: Use fully qualified channel name and ADMIN_USER ownership </span> <span class="n">hook_res</span> <span class="o">=</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">webhook</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create-incoming</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--user</span><span class="sh">"</span><span class="p">,</span> <span class="n">ADMIN_USER</span><span class="p">,</span> <span class="sh">"</span><span class="s">--channel</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="s">:builds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--display-name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Jenkins</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Build Notifications</span><span class="sh">"</span><span class="p">])</span> <span class="k">if</span> <span class="n">hook_id</span> <span class="p">:</span><span class="o">=</span> <span class="n">hook_res</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">):</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://mattermost.cicd.local:8065/hooks/</span><span class="si">{</span><span class="n">hook_id</span><span class="si">}</span><span class="sh">"</span> <span class="nf">append_to_env</span><span class="p">(</span><span class="sh">"</span><span class="s">JENKINS_MATTERMOST_WEBHOOK</span><span class="sh">"</span><span class="p">,</span> <span class="n">webhook_url</span><span class="p">)</span> <span class="n">env_content</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">JENKINS_MATTERMOST_WEBHOOK=</span><span class="si">{</span><span class="n">webhook_url</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># 4. Create SonarQube Webhook (#alerts) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Configuring SonarQube Webhook ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">SONAR_MATTERMOST_WEBHOOK</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_content</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ℹ️ SONAR_MATTERMOST_WEBHOOK already exists. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Creating Incoming Webhook for #alerts...</span><span class="sh">"</span><span class="p">)</span> <span class="n">hook_res</span> <span class="o">=</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">webhook</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create-incoming</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--user</span><span class="sh">"</span><span class="p">,</span> <span class="n">ADMIN_USER</span><span class="p">,</span> <span class="sh">"</span><span class="s">--channel</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="s">:alerts</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--display-name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SonarQube</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Quality Gate Alerts</span><span class="sh">"</span><span class="p">])</span> <span class="k">if</span> <span class="n">hook_id</span> <span class="p">:</span><span class="o">=</span> <span class="n">hook_res</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">):</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://mattermost.cicd.local:8065/hooks/</span><span class="si">{</span><span class="n">hook_id</span><span class="si">}</span><span class="sh">"</span> <span class="nf">append_to_env</span><span class="p">(</span><span class="sh">"</span><span class="s">SONAR_MATTERMOST_WEBHOOK</span><span class="sh">"</span><span class="p">,</span> <span class="n">webhook_url</span><span class="p">)</span> <span class="n">env_content</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">SONAR_MATTERMOST_WEBHOOK=</span><span class="si">{</span><span class="n">webhook_url</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># 5. Create GitLab Webhook (#code-reviews) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Configuring GitLab Webhook ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">MATTERMOST_CODE_REVIEW_WEBHOOK</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_content</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ℹ️ MATTERMOST_CODE_REVIEW_WEBHOOK already exists. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Creating Incoming Webhook for #code-reviews...</span><span class="sh">"</span><span class="p">)</span> <span class="n">hook_res</span> <span class="o">=</span> <span class="nf">run_mmctl</span><span class="p">([</span><span class="sh">"</span><span class="s">webhook</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create-incoming</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--user</span><span class="sh">"</span><span class="p">,</span> <span class="n">ADMIN_USER</span><span class="p">,</span> <span class="sh">"</span><span class="s">--channel</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">TEAM_NAME</span><span class="si">}</span><span class="s">:code-reviews</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--display-name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">GitLab</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Commit and Merge Request Events</span><span class="sh">"</span><span class="p">])</span> <span class="k">if</span> <span class="n">hook_id</span> <span class="p">:</span><span class="o">=</span> <span class="n">hook_res</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">):</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://mattermost.cicd.local:8065/hooks/</span><span class="si">{</span><span class="n">hook_id</span><span class="si">}</span><span class="sh">"</span> <span class="nf">append_to_env</span><span class="p">(</span><span class="sh">"</span><span class="s">MATTERMOST_CODE_REVIEW_WEBHOOK</span><span class="sh">"</span><span class="p">,</span> <span class="n">webhook_url</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">✅ Configuration Complete.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Restart Jenkins/SonarQube to pick up new secrets.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Electrician </h3> <p><strong>1. The "Local Mode" Bypass</strong><br> The script uses <code>docker exec ... mmctl --local</code>. This is the key. It allows us to configure the server from the outside without needing to manually create an admin user first or wrestle with login tokens. We are manipulating the server's brain directly via its command socket.</p> <p><strong>2. Idempotency (The "Check First" Logic)</strong><br> Notice how the script checks for existing environment variables (<code>if "JENKINS_MATTERMOST_WEBHOOK" in env_content</code>). This prevents duplicate webhooks. If you run the script ten times, it will only create the resources once. This is a core tenet of Infrastructure as Code.</p> <p><strong>3. The Secret Extraction</strong><br> When <code>mmctl</code> creates a webhook, it returns a JSON object containing the ID. We parse this ID immediately, construct the full URL (<code>https://mattermost.../hooks/ID</code>), and append it to our master <code>cicd.env</code> file. This eliminates the "Copy-Paste Risk." The secret moves directly from the generator to the vault, untouched by human hands.</p> <h2> 7.3 The Connector (<code>05-connect-jenkins.sh</code>) </h2> <p>We have created the destination (the <code>#builds</code> channel) and generated the address (the webhook URL). Now we must hand that address to the Factory.</p> <p>In <strong>Article 8</strong>, we deployed Jenkins using <strong>Configuration as Code (JCasC)</strong>. We did not use the UI to set up our system message or credentials. We defined them in a YAML file (<code>jenkins.yaml</code>). To add Mattermost notifications, we must modify that YAML file.</p> <p>However, we cannot simply hardcode the webhook URL into the YAML. That would be a security violation (checking secrets into git) and an idempotency failure (the secret is generated dynamically by the previous script).</p> <p>We need a "Hot-Patcher." We need a script that reads the fresh secret from <code>cicd.env</code>, injects it into the <code>jenkins.env</code> file, and then updates the <code>jenkins.yaml</code> configuration to use that variable.</p> <p>We will split this into two parts: a Python helper to handle the YAML surgery, and a Bash script to orchestrate the deployment.</p> <p><strong>Part 1: The YAML Surgeon</strong></p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/update_jcasc_mattermost.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">yaml</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># Target the LIVE configuration </span><span class="n">JCAS_FILE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">expanduser</span><span class="p">(</span><span class="sh">"</span><span class="s">~/cicd_stack/jenkins/config/jenkins.yaml</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_jcasc</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[INFO] Reading JCasC file: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">jcasc</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileNotFoundError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] File not found: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Configure Mattermost Notification Plugin (Global) </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Injecting Mattermost Global Configuration...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># CORRECTED SCHEMA: </span> <span class="c1"># 1. Valid attributes only (endpoint, room, buildServerUrl, icon). </span> <span class="c1"># 2. Room set to 'engineering@builds' (Team@Channel format verified by user). </span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">mattermostNotifier</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">endpoint</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${MATTERMOST_JENKINS_WEBHOOK_URL}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">room</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">engineering@builds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">buildServerUrl</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">https://jenkins.cicd.local:10400/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">icon</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">https://mattermost.org/wp-content/uploads/2016/04/icon.png</span><span class="sh">'</span> <span class="p">}</span> <span class="c1"># Write back to file </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Writing updated JCasC file...</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">dump</span><span class="p">(</span><span class="n">jcasc</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">default_flow_style</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">sort_keys</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] JCasC update complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">update_jcasc</span><span class="p">()</span> </code></pre> </div> <p><strong>Part 2: The Orchestrator</strong></p> <p>This script ties it all together. It reads the secret, runs the python helper, and then triggers a Jenkins redeployment to pick up the changes.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/05-connect-jenkins.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 05-connect-jenkins.sh</span> <span class="c">#</span> <span class="c"># Integrates Jenkins with Mattermost via Webhook.</span> <span class="c">#</span> <span class="c"># 1. Secrets: Reads JENKINS_MATTERMOST_WEBHOOK (host)</span> <span class="c"># -&gt; Injects MATTERMOST_JENKINS_WEBHOOK_URL (jenkins.env).</span> <span class="c"># 2. JCasC: Updates jenkins.yaml with Notifier config.</span> <span class="c"># 3. Apply: Re-deploys Jenkins.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- Paths ---</span> <span class="nv">CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="c"># Adjust this path if your Jenkins article folder is named differently</span> <span class="nv">JENKINS_MODULE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins"</span> <span class="nv">JENKINS_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/jenkins.env"</span> <span class="nv">DEPLOY_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/03-deploy-controller.sh"</span> <span class="c"># Path to the Python helper (Local to this script)</span> <span class="nv">PY_HELPER</span><span class="o">=</span><span class="s2">"./update_jcasc_mattermost.py"</span> <span class="nv">MASTER_ENV</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="nb">echo</span> <span class="s2">"[INFO] Starting Jenkins &lt;-&gt; Mattermost Integration..."</span> <span class="c"># --- 1. Secret Injection ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Master environment file not found: </span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load secrets</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$JENKINS_MATTERMOST_WEBHOOK</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] JENKINS_MATTERMOST_WEBHOOK not found in cicd.env."</span> <span class="nb">echo</span> <span class="s2">" Please run 04-configure-integrations.py first."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Jenkins env file not found at: </span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"[INFO] Injecting Mattermost Webhook into jenkins.env..."</span> <span class="c"># Idempotency check using grep</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"MATTERMOST_JENKINS_WEBHOOK_URL"</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt;&gt; "</span><span class="nv">$JENKINS_ENV_FILE</span><span class="sh">" # --- Mattermost Integration --- MATTERMOST_JENKINS_WEBHOOK_URL=</span><span class="nv">$JENKINS_MATTERMOST_WEBHOOK</span><span class="sh"> </span><span class="no">EOF </span> <span class="nb">echo</span> <span class="s2">"[INFO] Secrets injected."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"[INFO] Secrets already present."</span> <span class="k">fi</span> <span class="c"># --- 2. Update JCasC ---</span> <span class="nb">echo</span> <span class="s2">"[INFO] Updating JCasC configuration..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Python helper script not found at </span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Install yaml if missing (on host)</span> <span class="k">if</span> <span class="o">!</span> python3 <span class="nt">-c</span> <span class="s2">"import yaml"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> python3-yaml <span class="k">fi </span>python3 <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="c"># --- 3. Re-Deploy Jenkins ---</span> <span class="nb">echo</span> <span class="s2">"[INFO] Triggering Jenkins Re-deployment..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Deploy script not found: </span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-controller.sh<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"[SUCCESS] Jenkins is restarting with Mattermost integration."</span> </code></pre> </div> <h3> Deconstructing the Connector </h3> <p><strong>1. The Variable Hand-Off</strong><br> This script performs a crucial bridging operation. It takes <code>JENKINS_MATTERMOST_WEBHOOK</code> (which lives in the host's <code>cicd.env</code>) and injects it into <code>jenkins.env</code> as <code>MATTERMOST_JENKINS_WEBHOOK_URL</code>. Why rename it? Because inside the Jenkins container, we want clear namespacing. This variable is then referenced in the JCasC file as <code>${MATTERMOST_JENKINS_WEBHOOK_URL}</code>. This ensures the secret is never written to disk in the YAML file; it is only resolved in memory at runtime.</p> <p><strong>2. The Team@Channel Format</strong><br> In the Python script, notice the room configuration: <code>'room': 'engineering@builds'</code>. The Mattermost plugin requires this specific syntax to target a channel within a specific team. If we just put <code>builds</code>, it might default to the wrong team or fail silently.</p> <p><strong>3. The Redeployment Trigger</strong><br> The script concludes by running <code>03-deploy-controller.sh</code> from the Jenkins directory. This is not optional. JCasC reloading can sometimes be done on the fly, but injecting new environment variables (the webhook URL) requires a container restart. We force a clean deploy to ensure the new "nerve" is fully attached.</p> <h1> Chapter 7: The Wiring (Part 1) - The Silent Observer </h1> <h2> 7.4 The Pipeline Update (<code>Jenkinsfile</code>) </h2> <p>We have connected the cable (the webhook), but we haven't told the operator when to press the button.</p> <p>While the JCasC configuration we just applied sets up the <em>default</em> connection details (the endpoint and the default room), we want granular control over <em>what</em> gets sent and <em>where</em>.</p> <p>Specifically, we want to implement a routing logic that matches our "City" taxonomy:</p> <ol> <li> <strong>General Status:</strong> Success/Failure notifications for the build itself should go to <strong>#builds</strong>.</li> <li> <strong>Quality Alerts:</strong> If the Inspector (SonarQube) blocks the pipeline, that specific alarm should ring in <strong>#alerts</strong>.</li> </ol> <p>To achieve this, we must update our project's <code>Jenkinsfile</code>. We will use the <code>mattermostSend</code> step provided by the plugin. Note how we override the channel in the Quality Gate block to route that specific message to <code>engineering@alerts</code>.</p> <p>Update your <code>Jenkinsfile</code> in the <code>0004_std_lib_http_client</code> project (or your test repo) with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="o">{</span> <span class="n">label</span> <span class="s1">'general-purpose-agent'</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Setup &amp; Build'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Building Project ---'</span> <span class="n">sh</span> <span class="s1">'chmod +x ./setup.sh'</span> <span class="n">sh</span> <span class="s1">'./setup.sh'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test &amp; Coverage'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Running Tests ---'</span> <span class="n">sh</span> <span class="s1">'chmod +x ./run-coverage-cicd.sh'</span> <span class="n">sh</span> <span class="s1">'./run-coverage-cicd.sh'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Code Analysis'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">sonarProjectKey</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span><span class="nl">returnStdout:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">script:</span> <span class="s1">'grep "^sonar.projectKey=" sonar-project.properties | cut -d= -f2'</span><span class="o">).</span><span class="na">trim</span><span class="o">()</span> <span class="kt">def</span> <span class="n">sonarHostUrl</span> <span class="o">=</span> <span class="s2">"http://sonarqube.cicd.local:9000"</span> <span class="n">withSonarQubeEnv</span><span class="o">(</span><span class="s1">'SonarQube'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'sonar-scanner'</span> <span class="o">}</span> <span class="c1">// 3. Wait for Quality Gate</span> <span class="n">timeout</span><span class="o">(</span><span class="nl">time:</span> <span class="mi">5</span><span class="o">,</span> <span class="nl">unit:</span> <span class="s1">'MINUTES'</span><span class="o">)</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">qg</span> <span class="o">=</span> <span class="n">waitForQualityGate</span><span class="o">()</span> <span class="k">if</span> <span class="o">(</span><span class="n">qg</span><span class="o">.</span><span class="na">status</span> <span class="o">!=</span> <span class="s1">'OK'</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// ROUTING: Quality Gate failures go to #alerts</span> <span class="n">mattermostSend</span> <span class="o">(</span> <span class="nl">color:</span> <span class="s1">'danger'</span><span class="o">,</span> <span class="nl">channel:</span> <span class="s1">'engineering@alerts'</span><span class="o">,</span> <span class="nl">message:</span> <span class="s2">":no_entry: **Quality Gate Failed**: ${qg.status}\n&lt;${sonarHostUrl}/dashboard?id=${sonarProjectKey}|View Analysis&gt;"</span> <span class="o">)</span> <span class="n">error</span> <span class="s2">"Pipeline aborted due to quality gate failure: ${qg.status}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Package'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Packaging Artifacts ---'</span> <span class="n">sh</span> <span class="s1">'mkdir -p dist'</span> <span class="n">dir</span><span class="o">(</span><span class="s1">'build_release'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'cpack -G TGZ -C Release'</span> <span class="n">sh</span> <span class="s1">'mv *.tar.gz ../dist/'</span> <span class="o">}</span> <span class="n">dir</span><span class="o">(</span><span class="s1">'src/rust'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'cargo package'</span> <span class="n">sh</span> <span class="s1">'cp target/package/*.crate ../../dist/'</span> <span class="o">}</span> <span class="n">sh</span> <span class="s1">'cp build_release/wheelhouse/*.whl dist/'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Publish'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Publishing to Artifactory ---'</span> <span class="n">rtUpload</span> <span class="o">(</span> <span class="nl">serverId:</span> <span class="s1">'artifactory'</span><span class="o">,</span> <span class="nl">spec:</span> <span class="s2">"""{ "files": [ { "pattern": "dist/*", "target": "generic-local/http-client/${BUILD_NUMBER}/", "flat": "true" } ] }"""</span><span class="o">,</span> <span class="nl">failNoOp:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">buildName:</span> <span class="s2">"${JOB_NAME}"</span><span class="o">,</span> <span class="nl">buildNumber:</span> <span class="s2">"${BUILD_NUMBER}"</span> <span class="o">)</span> <span class="n">rtPublishBuildInfo</span> <span class="o">(</span> <span class="nl">serverId:</span> <span class="s1">'artifactory'</span><span class="o">,</span> <span class="nl">buildName:</span> <span class="s2">"${JOB_NAME}"</span><span class="o">,</span> <span class="nl">buildNumber:</span> <span class="s2">"${BUILD_NUMBER}"</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Global Post Actions: Standard notifications go to default channel (#builds)</span> <span class="n">post</span> <span class="o">{</span> <span class="n">failure</span> <span class="o">{</span> <span class="n">mattermostSend</span> <span class="o">(</span> <span class="nl">color:</span> <span class="s1">'danger'</span><span class="o">,</span> <span class="nl">message:</span> <span class="s2">":x: **Build Failed**\n**Job:** ${env.JOB_NAME} #${env.BUILD_NUMBER}\n(&lt;${env.BUILD_URL}|Open Build&gt;)"</span> <span class="o">)</span> <span class="o">}</span> <span class="n">success</span> <span class="o">{</span> <span class="n">mattermostSend</span> <span class="o">(</span> <span class="nl">color:</span> <span class="s1">'good'</span><span class="o">,</span> <span class="nl">message:</span> <span class="s2">":white_check_mark: **Build Succeeded**\n**Job:** ${env.JOB_NAME} #${env.BUILD_NUMBER}\n(&lt;${env.BUILD_URL}|Open Build&gt;)"</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Deconstructing the Pipeline </h3> <p><strong>1. The "Global Post" Block (The Heartbeat)</strong><br> At the bottom of the file, the <code>post</code> block handles the routine heartbeat of the factory. Whether the build succeeds or fails, <code>mattermostSend</code> fires. Because we do not specify a <code>channel</code> parameter here, it defaults to the configuration we injected via JCasC (<code>engineering@builds</code>). This creates a steady stream of "Green/Red" status updates in our main channel.</p> <p><strong>2. The Conditional Alert (The Alarm Bell)</strong><br> Inside the <code>Code Analysis</code> stage, we have a specific <code>if (qg.status != 'OK')</code> block. Here, we invoke <code>mattermostSend</code> with <code>channel: 'engineering@alerts'</code>. This is a critical pattern. We do not want to flood the general <code>#builds</code> channel with nitty-gritty quality gate details. By routing this specific failure event to <code>#alerts</code>, we ensure that the "Red Phone" only rings when something actually requires inspection.</p> <p><strong>3. Contextual Linking</strong><br> Notice how we construct the message string: <code>&lt;${sonarHostUrl}/dashboard...|View Analysis&gt;</code>. Mattermost supports Markdown-style links. We are not just saying "It failed"; we are providing a one-click path for the engineer to jump directly to the SonarQube dashboard to see <em>why</em> it failed. This reduces the "Time to Diagnosis."</p> <h2> 7.5 Verification: First Contact </h2> <p>We have completed the electrical wiring. The "Electrician" (<code>04-configure-integrations.py</code>) built the channel and the bot. The "Connector" (<code>05-connect-jenkins.sh</code>) handed the webhook to Jenkins. The "Pipeline" (<code>Jenkinsfile</code>) knows exactly where to route the signals.</p> <p>Now, we close the circuit.</p> <ol> <li> <p><strong>Commit and Push:</strong> Commit the updated <code>Jenkinsfile</code> to your GitLab repository using our standard conventional commit style.<br> </p> <pre class="highlight shell"><code>git add Jenkinsfile git commit <span class="nt">-m</span> <span class="s2">":package: build(Jenkinsfile): add mattermost notifications"</span> git push </code></pre> </li> <li><p><strong>Open your Mattermost Tab:</strong> Navigate to the <strong>Engineering</strong> team and open the <strong>#builds</strong> channel. It should be empty, waiting for a signal.</p></li> <li><p><strong>Trigger the Signal:</strong> If your GitLab webhook (from Article 8) is active, the push will trigger a build automatically. If not, open your Jenkins dashboard (<code><a href="https://jenkins.cicd.local:10400" rel="noopener noreferrer">https://jenkins.cicd.local:10400</a></code>) and click <strong>"Build Now"</strong> on the project.</p></li> <li><p><strong>Observe:</strong></p></li> </ol> <p>Wait for the pipeline to finish. Our configuration is designed to be low-noise: it does not spam the channel when the build <em>starts</em>, only when it <em>concludes</em>.</p> <p>Once the build finishes, you will see the <strong>Jenkins</strong> bot appear in the <code>#builds</code> channel with a definitive verdict: either a green <strong>"Build Succeeded"</strong> or a red <strong>"Build Failed"</strong> message, complete with a hyperlink to the build logs.</p> <p>If you see this, the nervous system is live. The "Silent City" is no longer silent. Every time a build verdict is reached, the event is broadcast to the team.</p> <p>However, try to reply to the bot. Type: <code>@jenkins help</code> in the channel.</p> <p>Nothing happens.</p> <p>This is a <strong>Unidirectional (One-Way)</strong> connection. Jenkins can talk to us, but we cannot talk to Jenkins. In a true "Command Center," we demand control. We want to trigger builds, check logs, and restart servers directly from the chat window without context-switching to the Jenkins UI.</p> <p>To achieve this, we need to upgrade from simple Webhooks to a full <strong>Interactive Plugin</strong>. This brings us to Chapter 8.</p> <h1> Chapter 8: The Wiring (Part 2) - The Interactive Agent </h1> <h2> 8.1 Beyond Notification: The Need for Command </h2> <p>In the previous chapter, we successfully wired the nerves of our city. When Jenkins finishes a job, our Mattermost channel lights up. This is valuable—it reduces the "polling loop" where engineers obsessively refresh a browser tab.</p> <p>But it is passive. It is <strong>Read-Only</strong>.</p> <p>A true "Command Center" must be <strong>Read-Write</strong>. We don't just want to know that a build failed; we want to restart it. We don't just want to see a deployment notification; we want to <em>trigger</em> the deployment. We want to treat the chat window as a shared CLI (Command Line Interface) for our infrastructure.</p> <p>This is the domain of <strong>Slash Commands</strong>.</p> <p>We want to type <code>/jenkins build articles/0004_std_lib_http_client</code> and have the Factory immediately spin up the turbines. We want to type <code>/jenkins get-log</code> to debug a failure without leaving the chat. We even want the power to reboot the factory floor remotely with <code>/jenkins safe-restart</code>.</p> <p>To achieve this, the standard "Incoming Webhook" we used in Chapter 7 is insufficient. That was just a simple POST endpoint. For interactive control, we need the dedicated <strong>Mattermost Jenkins Plugin</strong>. This plugin acts as a bridge, translating Mattermost slash commands into Jenkins API calls, and translating Jenkins API responses back into interactive chat messages.</p> <p>However, enabling this plugin in a "Code-First" environment involves overcoming a specific configuration hurdle that trips up many automated deployments: the <strong>Plugin ID Dragon</strong>.</p> <h2> 8.2 The "Missing Limb" Dragon </h2> <p>In <strong>Chapter 3</strong>, when we generated our <code>mattermost.env</code> file, we included a specific line to enable the Jenkins plugin:</p> <p><code>MM_PLUGINSETTINGS_PLUGINSTATES={"jenkins":{"Enable":true} ... }</code></p> <p>This directive tells Mattermost to <em>load</em> the plugin. However, unlike the "Boards" or "Playbooks" features which are baked into the Enterprise image, the Jenkins plugin is an external add-on. It does not exist on the disk. We tried to flip a switch for a lightbulb that isn't screwed in.</p> <p>To make this work, we have two distinct tasks:</p> <ol> <li> <strong>Installation:</strong> We must download the plugin bundle (<code>.tar.gz</code>) from the release repository and physically upload it to the Mattermost server.</li> <li> <strong>Configuration:</strong> Once installed, the plugin is a blank slate. It doesn't know where Jenkins is, and it doesn't have the encryption keys required to talk to it.</li> </ol> <p>Here lies the architectural dragon: <strong>Plugin Configuration vs. Environment Variables.</strong></p> <p>For core Mattermost settings (like database URL), we can simply set <code>MM_SQLSETTINGS_DATASOURCE</code>. But for <em>Plugins</em>, there is no such mechanism. You cannot set <code>MM_PLUGINSETTINGS_JENKINS_BASEURL</code>. Plugin settings live in a complex, unstructured JSON blob inside the server's state.</p> <p>If we were using "Click-Ops," we would manually upload the file in the System Console and then type the secrets into the UI. But we are building a reproducible city. We need a "Surgeon"—a script that can perform this transplant operation programmatically.</p> <p>This surgeon must:</p> <ol> <li> <strong>Download</strong> the latest plugin release.</li> <li> <strong>Install</strong> it via <code>mmctl</code> (the CLI tool).</li> <li> <strong>Inject</strong> the configuration payload that binds the plugin to <code>http://jenkins.cicd.local:10400</code> using the keys we generated in Chapter 3.</li> </ol> <h2> 8.3 The Surgeon (<code>09-install-jenkins-plugin.py</code>) </h2> <p>We will now write the script that performs this delicate operation. This is not a simple "fire and forget" command; it is a multi-step workflow.</p> <p>The script acts as a specialized package manager. It:</p> <ol> <li> <strong>Unlocks</strong> the server's write-protection (<code>EnableUploads</code>).</li> <li> <strong>Downloads</strong> the plugin bundle (<code>.tar.gz</code>) from the release repository.</li> <li> <strong>Installs</strong> and <strong>Enables</strong> the binary using <code>mmctl</code>.</li> <li> <strong>Injects</strong> the specific configuration keys (URL and Encryption Key) using granular <code>config set</code> commands.</li> <li> <strong>Re-locks</strong> the server.</li> </ol> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/09-install-jenkins-plugin.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- # Paths </span><span class="n">CICD_ROOT</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="n">ENV_FILE</span> <span class="o">=</span> <span class="n">CICD_ROOT</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="c1"># Docker / Plugin Info </span><span class="n">CONTAINER_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">mattermost</span><span class="sh">"</span> <span class="n">PLUGIN_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://github.com/mattermost-community/mattermost-plugin-jenkins/releases/download/v1.1.0/jenkins-1.1.0.tar.gz</span><span class="sh">"</span> <span class="n">PLUGIN_FILE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">jenkins-1.1.0.tar.gz</span><span class="sh">"</span> <span class="n">PLUGIN_ID</span> <span class="o">=</span> <span class="sh">"</span><span class="s">jenkins</span><span class="sh">"</span> <span class="c1"># Community version ID </span> <span class="c1"># Commands </span><span class="n">MMCTL</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONTAINER_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">load_secret_key</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Reads the Jenkins Encryption Key from cicd.env.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="n">ENV_FILE</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">MATTERMOST_JENKINS_PLUGIN_KEY=</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">description</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Runs a shell command and prints status.</span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚙️ </span><span class="si">{</span><span class="n">description</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Error: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">decode</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">set_config</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">value</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Sets a config value via mmctl.</span><span class="sh">"""</span> <span class="c1"># Note: mmctl requires string values </span> <span class="n">cmd</span> <span class="o">=</span> <span class="n">MMCTL</span> <span class="o">+</span> <span class="p">[</span><span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">set</span><span class="sh">"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">value</span><span class="p">)]</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Setting </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- 🤖 Automating Jenkins Plugin (mmctl edition) ---</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 0. Pre-flight Check </span> <span class="n">jenkins_key</span> <span class="o">=</span> <span class="nf">load_secret_key</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">jenkins_key</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: MATTERMOST_JENKINS_PLUGIN_KEY not found in cicd.env</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Unlock Uploads </span> <span class="nf">set_config</span><span class="p">(</span><span class="sh">"</span><span class="s">PluginSettings.EnableUploads</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Download </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⬇️ Downloading Plugin...</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">PLUGIN_FILE</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlretrieve</span><span class="p">(</span><span class="n">PLUGIN_URL</span><span class="p">,</span> <span class="n">PLUGIN_FILE</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Download failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ (Cached)</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3. Transfer </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> 📦 Copying to container...</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cp</span><span class="sh">"</span><span class="p">,</span> <span class="n">PLUGIN_FILE</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">CONTAINER_NAME</span><span class="si">}</span><span class="s">:/tmp/</span><span class="si">{</span><span class="n">PLUGIN_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 4. Install (Robust) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚙️ Installing Plugin bundle...</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">MMCTL</span> <span class="o">+</span> <span class="p">[</span><span class="sh">"</span><span class="s">plugin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">add</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/tmp/</span><span class="si">{</span><span class="n">PLUGIN_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="sh">"</span><span class="s">already installed</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">decode</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⚠️ (Already Installed)</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Error: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">decode</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 5. Enable </span> <span class="c1"># This initializes the default config structure in the DB </span> <span class="nf">run_command</span><span class="p">(</span><span class="n">MMCTL</span> <span class="o">+</span> <span class="p">[</span><span class="sh">"</span><span class="s">plugin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">enable</span><span class="sh">"</span><span class="p">,</span> <span class="n">PLUGIN_ID</span><span class="p">],</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Enabling </span><span class="sh">'</span><span class="si">{</span><span class="n">PLUGIN_ID</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="c1"># 6. Configure via mmctl </span> <span class="c1"># We use the exact keys confirmed from your config dump: 'jenkinsurl' and 'encryptionkey' </span> <span class="c1"># The Base Path for mmctl is PluginSettings.Plugins.jenkins </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> 🔌 Configuring Plugin settings...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 6a. Set URL </span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">PluginSettings.Plugins.</span><span class="si">{</span><span class="n">PLUGIN_ID</span><span class="si">}</span><span class="s">.jenkinsurl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://jenkins.cicd.local:10400</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 6b. Set Encryption Key </span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">PluginSettings.Plugins.</span><span class="si">{</span><span class="n">PLUGIN_ID</span><span class="si">}</span><span class="s">.encryptionkey</span><span class="sh">"</span><span class="p">,</span> <span class="n">jenkins_key</span><span class="p">)</span> <span class="c1"># 7. Re-Lock Uploads </span> <span class="nf">set_config</span><span class="p">(</span><span class="sh">"</span><span class="s">PluginSettings.EnableUploads</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">false</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 8. Cleanup </span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">PLUGIN_FILE</span><span class="p">):</span> <span class="n">os</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="n">PLUGIN_FILE</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[SUCCESS] Jenkins Plugin Installed &amp; Configured.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Surgeon </h3> <p><strong>1. The <code>EnableUploads</code> Toggle (Security)</strong><br> By default, Mattermost prevents plugin uploads to protect the server from unauthorized code execution.<br> <code>set_config("PluginSettings.EnableUploads", "true")</code><br> The script temporarily lifts this gate, installs the software, and then immediately slams the gate shut again. This reduces the window of vulnerability to mere seconds.</p> <p><strong>2. The Granular Config (<code>PluginSettings.Plugins...</code>)</strong><br> Unlike environment variables which are broad, <code>mmctl config set</code> allows us to target deeply nested JSON keys using dot notation.<br> <code>PluginSettings.Plugins.jenkins.encryptionkey</code><br> This writes directly to the plugin's private storage area in the <code>config.json</code>. It is cleaner and safer than downloading and patching the entire server configuration blob.</p> <p><strong>3. The Encryption Key Injection</strong><br> We pull the 32-byte AES key (<code>MATTERMOST_JENKINS_PLUGIN_KEY</code>) from our environment and inject it. This ensures that when the plugin encrypts your personal Jenkins API token in the next step, it uses a key that persists across server restarts. Without this, your handshake would break every time the container redeployed.</p> <h2> 8.4 The Handshake: Establishing Command </h2> <p>The Surgeon has successfully transplanted the plugin. Now, we must wake the patient.</p> <p>We have established the server-to-server link, but we have not yet established the <strong>User-to-User</strong> link. When you type a command, Jenkins needs to know <em>who</em> you are. It cannot simply trust your Mattermost username; it needs a valid Jenkins API token belonging to your user.</p> <p>This requires a manual credential exchange.</p> <h3> Protocol 1: The Connection (Manual) </h3> <ol> <li> <strong>Generate the Token (Jenkins Side):</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* Navigate to your Jenkins Dashboard (`https://jenkins.cicd.local:10400`). * Click on your **Username** (top right corner) -\&gt; **Configure**. * Scroll to the **API Token** section and click **Add new Token**. * Name it `Mattermost-Bot` and click **Generate**. * **Copy the token immediately.** (You will never see it again). </code></pre> </div> <ol> <li> <strong>Perform the Handshake (Mattermost Side):</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* Go to the **\#builds** channel in Mattermost. * Type the connect command with your username and the token: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ```bash /jenkins connect &lt;your_username&gt; &lt;your_api_token&gt; ``` </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> *(Example: `/jenkins connect warren.jitsing 11d38...9a`)* </code></pre> </div> <ol> <li> <strong>Confirmation:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* The bot will reply privately: *"Validating Jenkins credentials..."* * Followed by: *"Your Jenkins account has been successfully connected to Mattermost."* </code></pre> </div> <h3> Protocol 2: The Command </h3> <p>Now, let's test the control.</p> <p>The error <code>Don't have key "Location"</code> is a common trap. It occurs if you try to build a job name that doesn't exist. Jenkins returns a generic page instead of a Queue ID, confusing the plugin.</p> <p>You must use the exact path. Since we are using Multibranch Pipelines inside a Folder (from Article 8), the path includes the folder, the repo, and the branch.</p> <ol> <li> <p><strong>Trigger:</strong><br> Type the following command:<br> </p> <pre class="highlight shell"><code>/jenkins build articles/0004_std_lib_http_client/main </code></pre> </li> <li> <p><strong>Response:</strong><br> You will see immediate feedback confirming the command was received and processed:</p> <blockquote> <p><strong>Jenkins BOT</strong><br> Initiated by Jenkins user: admin<br> Job 'articles/0004_std_lib_http_client/main' has been triggered and is in queue.</p> </blockquote> <p>Moments later, as the executor picks up the job:</p> <blockquote> <p><strong>Jenkins BOT</strong><br> Initiated by Jenkins user: admin<br> Job 'articles/0004_std_lib_http_client/main' - #14 has been started<br> Build URL : <a href="https://www.google.com/search?q=https://jenkins.cicd.local:10400/" rel="noopener noreferrer">https://jenkins.cicd.local:10400/</a>...</p> </blockquote> <p>Notice the difference? When the <em>pipeline</em> runs automatically (via git push), it is silent until the end. But when <em>you</em> trigger it manually via chat, the bot confirms receipt immediately.</p> </li> </ol> <h3> Protocol 3: The Investigation </h3> <p>If you need to peek at the logs while the job is running (or after a failure) without leaving the chat:</p> <ol> <li> <p><strong>Get Log:</strong><br> </p> <pre class="highlight shell"><code>/jenkins get-log articles/0004_std_lib_http_client/main </code></pre> </li> <li><p><strong>Response:</strong><br><br> The bot will fetch the last few lines of the console output and post them as a code snippet directly in the channel.</p></li> </ol> <p>We have achieved the <strong>Interactive Loop</strong>. We can Observe (Notifications), Orient (Get Log), Decide (Analyze), and Act (Rebuild)—all without touching a browser tab.</p> <h1> Chapter 9: The Wiring (Part 3) - The Library &amp; The Inspector </h1> <h2> 9.1 The Library: Notifications (<code>06-connect-gitlab.py</code>) </h2> <p>We have connected the Factory (Jenkins) to our "Town Square." Now we turn our attention to the Library (GitLab).</p> <p>Our first goal is to ensure that activity in the library—commits, merge requests, and pipeline statuses—is broadcast to the <code>#code-reviews</code> channel we established in Chapter 7.</p> <p>While GitLab has a native "Slack notifications" integration, it also supports Mattermost natively. We will use a Python script to programmatically configure this integration for our specific project (<code>0004_std_lib_http_client</code>). This script acts as <strong>The Diplomat</strong>: it takes the webhook URL generated by the Mattermost "Electrician" (<code>04</code>) and registers it with the GitLab project.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/06-connect-gitlab.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">urllib.error</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">ENV_FILE</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">GITLAB_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://gitlab.cicd.local:10300</span><span class="sh">"</span> <span class="n">TARGET_GROUP</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Articles</span><span class="sh">"</span> <span class="n">TARGET_PROJECT</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0004_std_lib_http_client</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">load_env</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="n">ENV_FILE</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()]</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_ssl_context</span><span class="p">():</span> <span class="c1"># Uses the host's system trust store (where our CA is installed) </span> <span class="k">return</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">()</span> <span class="k">def</span> <span class="nf">make_request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">}</span> <span class="k">if</span> <span class="n">token</span><span class="p">:</span> <span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">PRIVATE-TOKEN</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">token</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="n">method</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="nf">get_ssl_context</span><span class="p">())</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">code</span> <span class="o">==</span> <span class="mi">404</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⛔ HTTP Error </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="k">pass</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">load_env</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">GITLAB_API_TOKEN</span><span class="sh">"</span><span class="p">)</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">MATTERMOST_CODE_REVIEW_WEBHOOK</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Connecting GitLab to Mattermost ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: GITLAB_API_TOKEN not found in cicd.env.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">webhook_url</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: MATTERMOST_CODE_REVIEW_WEBHOOK not found in cicd.env.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> Please run 04-configure-integrations.py first.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Find Project ID </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> 🔎 Finding project </span><span class="sh">'</span><span class="si">{</span><span class="n">TARGET_GROUP</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">TARGET_PROJECT</span><span class="si">}</span><span class="sh">'</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">projects</span> <span class="o">=</span> <span class="nf">make_request</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">GITLAB_URL</span><span class="si">}</span><span class="s">/api/v4/projects?search=</span><span class="si">{</span><span class="n">TARGET_PROJECT</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">token</span><span class="p">)</span> <span class="n">project_id</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">target_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">TARGET_GROUP</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">TARGET_PROJECT</span><span class="si">}</span><span class="sh">"</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">projects</span><span class="p">:</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="sh">"</span><span class="s">path_with_namespace</span><span class="sh">"</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="n">target_path</span><span class="p">:</span> <span class="n">project_id</span> <span class="o">=</span> <span class="n">p</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="k">break</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">project_id</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ Project not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Found Project ID: </span><span class="si">{</span><span class="n">project_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Configure Integration (Idempotent PUT) </span> <span class="c1"># We use PUT to enforce the state defined in our environment. </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚙️ Enforcing Integration Configuration...</span><span class="sh">"</span><span class="p">)</span> <span class="n">config_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">webhook</span><span class="sh">"</span><span class="p">:</span> <span class="n">webhook_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">GitLab</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">notify_only_broken_pipelines</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">push_events</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">merge_requests_events</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">pipeline_events</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">tag_push_events</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">branches_to_be_notified</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">all</span><span class="sh">"</span> <span class="p">}</span> <span class="nf">make_request</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">GITLAB_URL</span><span class="si">}</span><span class="s">/api/v4/projects/</span><span class="si">{</span><span class="n">project_id</span><span class="si">}</span><span class="s">/integrations/mattermost</span><span class="sh">"</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">config_data</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">token</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Integration synced. Notifications active in #code-reviews.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[SUCCESS] GitLab integration complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Diplomat </h3> <p><strong>1. The Target Discovery</strong><br> The script does not assume the project ID. It searches for <code>Articles/0004_std_lib_http_client</code>. This makes the script portable; if you recreate the repo, the ID changes, but the script still finds the correct target.</p> <p><strong>2. The Integration Payload</strong><br> We use the <code>integrations/mattermost</code> endpoint. Notice the configuration:</p> <ul> <li> <code>push_events</code>: True. Every commit triggers a notification.</li> <li> <code>merge_requests_events</code>: True. Opening or merging an MR alerts the channel.</li> <li> <code>pipeline_events</code>: True. GitLab CI status changes are reported (distinct from Jenkins).</li> <li> <code>webhook</code>: This comes directly from <code>MATTERMOST_CODE_REVIEW_WEBHOOK</code>, ensuring the messages land in <code>#code-reviews</code>.</li> </ul> <p><strong>3. Idempotency (PUT)</strong><br> We use the HTTP <code>PUT</code> method. If the integration doesn't exist, GitLab creates it. If it does exist, GitLab updates it to match our JSON payload exactly. This prevents "configuration drift."</p> <h2> 9.2 The Library: Identity (Manual OAuth Setup) </h2> <p>Webhooks give us <strong>Notifications</strong>. But to achieve <strong>Interaction</strong> (viewing your personal To-Do list, subscribing to specific repos, and seeing MR previews in the sidebar), we need <strong>OAuth2</strong>.</p> <p>The Mattermost GitLab Plugin needs permission to act on your behalf. This requires creating a "User-Scoped Application" in GitLab. Because this process generates sensitive secrets that are displayed only once, we perform this step manually in the GitLab UI.</p> <p><strong>Step 1: Navigate to Applications</strong></p> <ol> <li> Log in to GitLab (<code>https://gitlab.cicd.local:10300</code>).</li> <li> Click your <strong>Avatar</strong> (top right) -&gt; <strong>Preferences</strong>.</li> <li> In the left sidebar, select <strong>Applications</strong>.</li> <li> Click <strong>Add new application</strong>.</li> </ol> <p><strong>Step 2: Define the Treaty</strong><br> Fill in the form with the following details. Be precise with the Redirect URIs.</p> <ul> <li><p><strong>Name:</strong> <code>Mattermost Chat Ops</code></p></li> <li><p><strong>Redirect URI:</strong><br> You must provide <em>two</em> URIs: one for the internal DNS name (for desktop/browser users) and one for the IP address (for mobile users/Entry Mode).<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> https://mattermost.cicd.local:8065/plugins/com.github.manland.mattermost-plugin-gitlab/oauth/complete https://&lt;YOUR_LAN_IP&gt;:8065/plugins/com.github.manland.mattermost-plugin-gitlab/oauth/complete </code></pre> </div> <p><em>(Replace <code>&lt;YOUR_LAN_IP&gt;</code> with your host machine's IP, e.g., <code>192.168.0.105</code>)</em></p> <ul> <li><p><strong>Confidential:</strong> <code>Yes</code> (Checked)</p></li> <li> <p><strong>Scopes:</strong> Select the following:</p> <ul> <li> <code>api</code> (Access the API on your behalf)</li> <li> <code>read_user</code> (Read your personal information)</li> </ul> </li> </ul> <p><strong>Step 3: Secure the Secrets</strong><br> Click <strong>Save application</strong>.<br> GitLab will present you with an <strong>Application ID</strong> and a <strong>Secret</strong>.</p> <blockquote> <p><strong>⚠️ CRITICAL:</strong> Keep this page open or copy these values immediately. You cannot see the Secret again.</p> </blockquote> <p>We will use these two values in the next section to configure the Mattermost server.</p> <h2> 9.3 The Messenger (<code>07-connect-sonarqube.py</code>) </h2> <p>We have connected the Factory and the Library. Now we turn to <strong>The Inspector</strong>.</p> <p>SonarQube analyzes our code quality. In <strong>Article 10</strong>, we established a "Quality Gate"—a pass/fail threshold for our software. If the Inspector fails a build because of low test coverage or security vulnerabilities, we want that alarm to ring immediately in the dedicated <strong>#alerts</strong> channel.</p> <p>We have already created the destination (the Webhook URL for <code>#alerts</code>) in script <code>04</code>. Now we must tell SonarQube to use it.</p> <p><strong>Architectural Note: The Formatting Mismatch</strong><br> It is important to note a limitation here. SonarQube sends webhooks with a complex, nested JSON payload detailing the quality gate status. Mattermost's Incoming Webhooks, however, expect a specific, flat JSON format (e.g., <code>{"text": "..."}</code>).</p> <p>If we connect SonarQube directly to Mattermost without a middleware translator, Mattermost will receive the signal but may fail to render it meaningfully (or reject it entirely as malformed). While there are third-party plugins that solve this, in our "First Principles" architecture, we have chosen a more robust pattern: <strong>The Jenkins Relay</strong>.</p> <p>As we configured in the <code>Jenkinsfile</code> (Chapter 7), we allow Jenkins—which understands both the build context and the SonarQube result—to format and send the rich, color-coded alert to Mattermost.</p> <p>However, we still provide the following script, <strong>The Messenger</strong>, to establish the direct link. This is useful if you intend to deploy a middleware adapter later or if you want to inspect the raw SonarQube payloads for debugging purposes.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/07-connect-sonarqube.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urllib.error</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">ENV_FILE</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="c1"># SonarQube runs on HTTP internally (Article 10 architecture) </span><span class="n">SONAR_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">http://sonarqube.cicd.local:9000</span><span class="sh">"</span> <span class="n">WEBHOOK_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Mattermost</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">load_env</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="n">ENV_FILE</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()]</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">make_request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="c1"># SonarQube uses Basic Auth with Token as username, empty password </span> <span class="n">auth_str</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="s">:</span><span class="sh">"</span> <span class="n">b64_auth</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">auth_str</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">b64_auth</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># SonarQube requires form-encoded data for these endpoints </span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/x-www-form-urlencoded</span><span class="sh">"</span> <span class="p">}</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="n">encoded_data</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">urlencode</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">encoded_data</span> <span class="o">=</span> <span class="bp">None</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [DEBUG] Request: </span><span class="si">{</span><span class="n">method</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [DEBUG] Payload: </span><span class="si">{</span><span class="n">data</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">encoded_data</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="n">method</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [DEBUG] Response </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">204</span><span class="p">:</span> <span class="c1"># No Content </span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⛔ HTTP Error </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">err_body</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [DEBUG] Error Body: </span><span class="si">{</span><span class="n">err_body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="k">pass</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ Unexpected Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">load_env</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">SONAR_ADMIN_TOKEN</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Generated in Art 10 </span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">SONAR_MATTERMOST_WEBHOOK</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Generated in Step 04 </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Connecting SonarQube to Mattermost ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: SONAR_ADMIN_TOKEN not found in cicd.env. (Run Art 10 setup?)</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">webhook_url</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ Error: SONAR_MATTERMOST_WEBHOOK not found in cicd.env. (Run Step 04?)</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Check existing webhooks to ensure Idempotency </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> 🔎 Checking existing webhooks...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># The 'list' endpoint returns a JSON object with a 'webhooks' array </span> <span class="n">webhooks_resp</span> <span class="o">=</span> <span class="nf">make_request</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">SONAR_URL</span><span class="si">}</span><span class="s">/api/webhooks/list</span><span class="sh">"</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">token</span><span class="p">)</span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">hook</span> <span class="ow">in</span> <span class="n">webhooks_resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">webhooks</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">hook</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="n">WEBHOOK_NAME</span><span class="p">:</span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">True</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ℹ️ Webhook </span><span class="sh">'</span><span class="si">{</span><span class="n">WEBHOOK_NAME</span><span class="si">}</span><span class="sh">'</span><span class="s"> already exists.</span><span class="sh">"</span><span class="p">)</span> <span class="k">break</span> <span class="c1"># 2. Create Webhook if missing </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">exists</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Creating webhook </span><span class="sh">'</span><span class="si">{</span><span class="n">WEBHOOK_NAME</span><span class="si">}</span><span class="sh">'</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">WEBHOOK_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">webhook_url</span> <span class="p">}</span> <span class="nf">make_request</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">SONAR_URL</span><span class="si">}</span><span class="s">/api/webhooks/create</span><span class="sh">"</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">params</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">token</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Webhook created.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Connection verified. Quality Gate alerts will go to #alerts.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[SUCCESS] SonarQube integration complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h2> 9.4 The Integrator (<code>08-configure-plugins.py</code>) </h2> <p>We are now in the final phase of wiring the Library (GitLab).</p> <p>In <strong>Section 9.2</strong>, we manually created the OAuth Application in GitLab and obtained the <strong>Application ID</strong> and <strong>Secret</strong>. However, Mattermost doesn't know these secrets yet.</p> <p>Before running this script, you <strong>must</strong> update your <code>cicd.env</code> file with the values you copied from the GitLab UI.</p> <p><strong>Pre-Requisite: Update Environment</strong><br> Open <code>~/cicd_stack/cicd.env</code> and append the following lines (replace the placeholders with your actual secrets):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">GITLAB_OAUTH_ID</span><span class="o">=</span><span class="s2">"&lt;paste_application_id_here&gt;"</span> <span class="nv">GITLAB_OAUTH_SECRET</span><span class="o">=</span><span class="s2">"&lt;paste_secret_here&gt;"</span> </code></pre> </div> <p>Now we run <strong>The Integrator</strong>. This script uses <code>mmctl</code> to inject these secrets into the Mattermost GitLab Plugin configuration, effectively "logging in" the server to GitLab.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0011_cicd_part07_mattermost/08-configure-plugins.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">CICD_ROOT</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HOME</span><span class="sh">"</span><span class="p">))</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="n">ENV_FILE</span> <span class="o">=</span> <span class="n">CICD_ROOT</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">CONTAINER_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">mattermost</span><span class="sh">"</span> <span class="c1"># Base command for mmctl via socket </span><span class="n">MMCTL</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">CONTAINER_NAME</span><span class="p">,</span> <span class="sh">"</span><span class="s">mmctl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--local</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">load_env</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Reads cicd.env into a dictionary.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">ENV_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="n">ENV_FILE</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">env_vars</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">ENV_FILE</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">env_vars</span><span class="p">[</span><span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()]</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">env_vars</span> <span class="k">def</span> <span class="nf">set_config</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">value</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Sets a config value using mmctl and prints output.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">value</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚠️ Skipping </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="s"> (Value is missing/None)</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="c1"># mmctl config set &lt;path&gt; &lt;value&gt; </span> <span class="n">cmd</span> <span class="o">=</span> <span class="n">MMCTL</span> <span class="o">+</span> <span class="p">[</span><span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">set</span><span class="sh">"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">value</span><span class="p">)]</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Capture stdout and stderr to print them </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ Set </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Print actual output from the tool if it exists </span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> &gt; </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">strip</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> &gt; </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ Failed to set </span><span class="si">{</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Exit Code: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">returncode</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">stdout</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [STDOUT]: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [STDERR]: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- Configuring Mattermost Plugins via CLI ---</span><span class="sh">"</span><span class="p">)</span> <span class="n">secrets</span> <span class="o">=</span> <span class="nf">load_env</span><span class="p">()</span> <span class="c1"># --- 1. GitLab Plugin Configuration --- </span> <span class="c1"># Plugin ID: com.github.manland.mattermost-plugin-gitlab </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> 🔌 Configuring GitLab Plugin...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># We use the exact keys seen in your config.json </span> <span class="n">base_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">PluginSettings.Plugins.com.github.manland.mattermost-plugin-gitlab</span><span class="sh">"</span> <span class="c1"># Required Secrets </span> <span class="n">gitlab_url</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://gitlab.cicd.local:10300</span><span class="sh">"</span> <span class="n">oauth_id</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">GITLAB_OAUTH_ID</span><span class="sh">"</span><span class="p">)</span> <span class="n">oauth_secret</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">GITLAB_OAUTH_SECRET</span><span class="sh">"</span><span class="p">)</span> <span class="n">webhook_secret</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MATTERMOST_GITLAB_PLUGIN_SECRET</span><span class="sh">"</span><span class="p">)</span> <span class="n">enc_key</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MATTERMOST_GITLAB_PLUGIN_KEY</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">all</span><span class="p">([</span><span class="n">oauth_id</span><span class="p">,</span> <span class="n">oauth_secret</span><span class="p">,</span> <span class="n">webhook_secret</span><span class="p">,</span> <span class="n">enc_key</span><span class="p">]):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ⚠️ Missing GitLab OAuth/Secret keys in cicd.env. Please check 01-setup script output.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.gitlaburl</span><span class="sh">"</span><span class="p">,</span> <span class="n">gitlab_url</span><span class="p">)</span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.gitlaboauthclientid</span><span class="sh">"</span><span class="p">,</span> <span class="n">oauth_id</span><span class="p">)</span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.gitlaboauthclientsecret</span><span class="sh">"</span><span class="p">,</span> <span class="n">oauth_secret</span><span class="p">)</span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.webhooksecret</span><span class="sh">"</span><span class="p">,</span> <span class="n">webhook_secret</span><span class="p">)</span> <span class="c1"># Note: JSON key is 'encryptionkey', NOT 'atrestencryptionkey' based on the config structure </span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.encryptionkey</span><span class="sh">"</span><span class="p">,</span> <span class="n">enc_key</span><span class="p">)</span> <span class="c1"># Feature Flags </span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.enableprivaterepo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span><span class="p">)</span> <span class="nf">set_config</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_path</span><span class="si">}</span><span class="s">.enablecodepreview</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_private</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># --- 2. Reload Config --- </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> 🔄 Reloading Configuration...</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">reload_res</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">MMCTL</span> <span class="o">+</span> <span class="p">[</span><span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reload</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ✅ Config Reloaded.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">reload_res</span><span class="p">.</span><span class="n">stdout</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> &gt; </span><span class="si">{</span><span class="n">reload_res</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">subprocess</span><span class="p">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ Failed to reload config: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">stderr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[SUCCESS] Plugin configuration complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Integrator </h3> <p><strong>1. Granular Configuration Targeting</strong><br> The Mattermost GitLab plugin is not a "first-party" plugin in the same way <code>focalboard</code> is. It lives under the long namespace <code>com.github.manland.mattermost-plugin-gitlab</code>. The script builds the config path dynamically: <code>PluginSettings.Plugins.com.github.manland...</code>.</p> <p><strong>2. The Secrets Injection</strong><br> We inject four critical secrets:</p> <ul> <li> <code>gitlaboauthclientid</code> &amp; <code>secret</code>: For authenticating users via the Sidebar.</li> <li> <code>webhooksecret</code>: For verifying that incoming webhooks are actually from GitLab (preventing spoofing).</li> <li> <code>encryptionkey</code>: For encrypting the user access tokens stored in the database.</li> </ul> <p><strong>3. The Config Reload</strong><br> Unlike the Jenkins plugin installation (which required enabling/disabling), configuration changes via <code>config set</code> are often cached. We force a <code>config reload</code> command at the end to ensure the server picks up the new OAuth settings immediately without requiring a full container restart.</p> <h2> 9.5 Verification: The Sidebar and the Alarm </h2> <p>We have wired the Library (GitLab) and the Inspector (SonarQube). Now we must confirm that the signals are flowing correctly.</p> <h3> Part 1: The Library (GitLab Sidebar) </h3> <p>We have configured the server-side OAuth secrets. Now, just like with Jenkins, every user must perform a one-time handshake to link their Mattermost identity to their GitLab identity.</p> <ol> <li> <p><strong>The Handshake:</strong><br> Go to any channel (e.g., <strong>#town-square</strong>) and type:<br> </p> <pre class="highlight shell"><code>/gitlab connect </code></pre> </li> <li><p><strong>The Authorization:</strong><br><br> The bot will reply with a private link. Click it.</p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* You will be redirected to `gitlab.cicd.local`. * If you are already logged in to GitLab, the authorization happens instantly. * You will be redirected back to Mattermost with a success message: *"You have successfully connected your GitLab account."* </code></pre> </div> <ol> <li> <p><strong>The Sidebar:</strong><br> Look at the <strong>Right Sidebar</strong> of your Mattermost interface. It is always visible.<br> You should see a GitLab section that reflects your status:</p> <blockquote> <p><strong>GitLab</strong><br> Signed in as: <strong>root</strong> (or your user)</p> </blockquote> <p>If you see "There are no GitLab subscriptions available in this channel," that is normal for a generic channel like <code>#town-square</code>. It simply means we haven't linked this specific chat channel to a specific git repository for commit broadcasts (which is what we used the Webhook for in Section 9.1). The critical part is that it recognizes <em>you</em>.</p> </li> </ol> <h3> Part 2: The Alarm (Quality Gate Failure) </h3> <p>Now we test the "Red Phone." We want to verify that if the Inspector (SonarQube) detects a violation, the alarm rings specifically in <strong>#alerts</strong>, not just the general <strong>#builds</strong> channel.</p> <ol> <li> <strong>Verify the Rigging:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* Log in to **SonarQube** (`http://sonarqube.cicd.local:9000`). * Navigate to **Quality Gates**. * Ensure the **"Fail Hard"** gate (created in Article 10) is active. * Confirm the **Coverage** condition is set to **100%**. * *Note: Our `0004_std_lib_http_client` currently has \~94% coverage, so this guarantees a failure.* </code></pre> </div> <ol> <li> <p><strong>Trigger the Build:</strong><br> Go to <strong>#builds</strong> in Mattermost and use your command power:<br> </p> <pre class="highlight shell"><code>/jenkins build articles/0004_std_lib_http_client/main </code></pre> </li> <li><p><strong>The Observation:</strong></p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* **\#builds channel:** You will see the "Build Queued" confirmation. * *Wait approx. 2 minutes for the analysis...* * **\#alerts channel:** Suddenly, a notification appears here. &gt; ⛔ **Quality Gate Failed**: ERROR &gt; `http://sonarqube.cicd.local:9000/dashboard?id=...` * **\#builds channel:** Shortly after, the final verdict appears: &gt; ❌ **Build Failed** </code></pre> </div> <p>This confirms our routing logic is active. The general population in <code>#builds</code> sees that the build died, but the specific <em>reason</em> (Quality Gate Failure) is routed to <code>#alerts</code>, where the QA team or senior engineers would be subscribed.</p> <h1> Chapter 10: Conclusion - The Command Center </h1> <h2> 10.1 The Echo Test (Verifying the Radio Tower) </h2> <p>We have verified that messages flow from our servers to our devices. Now, we must verify that high-bandwidth media can flow between our devices, traversing the treacherous "Double NAT" landscape we navigated in Chapter 4.</p> <p>We built a <strong>Coturn Radio Tower</strong> to bridge the gap between the Docker internal network and the physical LAN. It is time to test if the tower is broadcasting.</p> <p><strong>The Test Protocol:</strong></p> <ol> <li> <strong>The Host:</strong> On your desktop browser, navigate to the <strong>#town-square</strong> channel. Click the <strong>Call</strong> icon (phone handset) in the header to start a call. Grant camera and microphone permissions.</li> <li> <strong>The Client:</strong> On your Android device (connected to WiFi), open the <strong>Mattermost App</strong>. Navigate to <strong>#town-square</strong>. You should see a banner: <em>"Call in progress. Tap to join."</em> </li> <li> <strong>The Connection:</strong> Tap <strong>Join</strong>.</li> </ol> <p><strong>The Moment of Truth:</strong><br> If the screen remains black or says "Reconnecting...", the UDP packets are being dropped by a firewall or misconfigured NAT.<br> If you see video from both devices and hear audio (likely with a screeching feedback loop because you are in the same room—<strong>mute your mics quickly!</strong>), then the Radio Tower is operational.</p> <p>This success confirms that our "Host Mode" deployment of Coturn (<code>02-deploy-coturn.sh</code>) is successfully relaying UDP packets from your phone, through the host's physical interface, into the Mattermost container. We have achieved peer-to-peer style communication in a containerized environment.</p> <h2> 10.2 The Architecture of ChatOps </h2> <p>With the video link established, take a step back and look at what we have built.</p> <p>Before this article, managing our CI/CD pipeline was a game of "Tab Fatigue." You wrote code in an IDE. You pushed it. You switched to a browser tab to check GitLab. You switched to another tab to watch Jenkins. You clicked through to SonarQube to check for code smells. You were constantly <strong>pulling</strong> information from the system.</p> <p>We have inverted this model. We have moved to a <strong>Push-based</strong> architecture.</p> <ul> <li> <strong>The Factory (Jenkins)</strong> pushes status updates to us.</li> <li> <strong>The Inspector (SonarQube)</strong> pushes alarms to us.</li> <li> <strong>The Library (GitLab)</strong> pushes merge requests to us.</li> </ul> <p>We no longer poll the infrastructure; the infrastructure reports to us. The chat window has become the single pane of glass for the entire software lifecycle. We have achieved <strong>ChatOps</strong>: the practice of connecting people, tools, and processes into a transparent workflow.</p> <h2> 10.3 Sovereign Infrastructure </h2> <p>Perhaps the greater achievement is <em>how</em> we built it.</p> <p>We did not spin up a SaaS instance of Slack or Discord. We did not rely on cloud-hosted relays. We built a fully sovereign communications platform on our own hardware, running on a standard Linux kernel.</p> <p>More importantly, we rejected the easy path of "Click-Ops." We did not manually configure ten different integration settings in the web UI. We wrote software to configure our software.</p> <ul> <li> <strong><code>01-03</code></strong>: Deployed the core infrastructure.</li> <li> <strong><code>04, 06, 07</code></strong>: Wired the webhooks and integrations programmatically.</li> <li> <strong><code>05, 08, 09</code></strong>: Injected configuration and plugins into running containers.</li> </ul> <p>If we were to wipe our <code>mattermost</code> container today, we could restore the entire city—every channel, every bot, every permission scheme—simply by re-running our scripts. This is the discipline of <strong>Infrastructure as Code</strong>.</p> <p>We also conquered the "Mobile Frontier." By manually establishing our own Certificate Authority and installing it on Android, we proved that you do not need Let's Encrypt or a public domain name to have secure, encrypted mobile connectivity.</p> <h2> 10.4 The Road Ahead: The Noise Problem </h2> <p>Our "Digital City" is now bustling. We have GitLab managing code, Jenkins building binaries, SonarQube inspecting quality, and Mattermost coordinating communications.</p> <p>But a bustling city generates noise.</p> <p>Currently, if a build fails mysteriously, you have to SSH into the host and run <code>docker logs jenkins</code>. If Nginx throws a 502 error, you are grepping through <code>/var/log/nginx</code>. As we add more services, our logs are becoming fragmented, scattered across different containers and file systems. We have built a powerful engine, but we lack a centralized dashboard to monitor its internal health.</p> <p>In the next and final article of this series, we will tackle the <strong>Observability</strong> layer. We will deploy the <strong>ELK Stack</strong> (Elasticsearch, Logstash, Kibana) to ingest, parse, and visualize the massive stream of data our city is generating, turning raw noise into actionable intelligence.</p> <p>The command center is open. Now, let's turn on the radar.</p> cicd devops mattermost tutorial Warren Jitsing Sun, 21 Dec 2025 04:57:03 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/julia-high-performance-crash-course-4i7p https://dev.to/warren_jitsing_dd1c1d6fc6/julia-high-performance-crash-course-4i7p <p>I just wanted to post a resource I wrote while learning Julia. Note, this was done in a week and likely contains errors. But it should still be useful on the whole</p> <p>GitHub: <a href="https://github.com/InfiniteConsult/julia_practice" rel="noopener noreferrer">https://github.com/InfiniteConsult/julia_practice</a></p> <h1> Module 1: Getting Started: Basics </h1> <h2> Repl </h2> <h3> <code>0001_hello_world.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0001_hello_world.jl</span> <span class="n">println</span><span class="x">(</span><span class="s">"Hello, World!"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the most fundamental function for displaying output in Julia: <code>println()</code>.</p> <ul> <li> <strong><code>println()</code></strong>: This function takes one or more arguments, prints their string representation to the console, and automatically appends a newline character at the end.</li> <li> <strong>Strings</strong>: Text literals, like <code>"Hello, World!"</code>, are created using double quotes.</li> <li> <strong>Comments</strong>: Lines beginning with <code>#</code> are single-line comments and are ignored by the interpreter.</li> </ul> <p>To run this script, save it as <code>0001_hello_world.jl</code> and execute it from your terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0001_hello_world.jl Hello, World! </code></pre> </div> <h3> <code>0002_repl_modes.md</code> </h3> <h3> Explanation </h3> <p>Julia's REPL (Read-Eval-Print Loop) is more than just a command line; it's an interactive environment with several distinct modes, each with its own prompt and purpose. You switch between them using single keystrokes.</p> <h3> 1. Julian Mode (<code>julia&gt;</code>) </h3> <p>This is the default mode for writing and executing Julia code.</p> <ul> <li> <strong>Prompt</strong>: <code>julia&gt;</code> </li> <li> <strong>Purpose</strong>: To evaluate Julia expressions. You can define variables, call functions, and test code snippets here.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="mi">1</span> <span class="o">+</span> <span class="mi">1</span> <span class="mi">2</span> <span class="n">julia</span><span class="o">&gt;</span> <span class="n">my_variable</span> <span class="o">=</span> <span class="s">"Hello from the REPL"</span> <span class="s">"Hello from the REPL"</span> </code></pre> </div> <h3> 2. Help Mode (<code>help?&gt;</code>) </h3> <p>This mode is for accessing Julia's built-in documentation.</p> <ul> <li> <strong>Prompt</strong>: <code>help?&gt;</code> </li> <li> <strong>How to Enter</strong>: Type <code>?</code> in Julian mode.</li> <li> <strong>How to Exit</strong>: Press <code>Backspace</code> or <code>Ctrl+C</code>.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="o">?</span> <span class="n">help</span><span class="o">?&gt;</span> <span class="n">println</span> <span class="n">println</span><span class="x">([</span><span class="n">io</span><span class="o">::</span><span class="kt">IO</span><span class="x">],</span> <span class="n">xs</span><span class="o">...</span><span class="x">)</span> <span class="n">Print</span> <span class="n">a</span> <span class="n">string</span> <span class="n">or</span> <span class="n">representation</span> <span class="n">of</span> <span class="n">values</span> <span class="n">xs</span> <span class="n">to</span> <span class="n">io</span><span class="x">,</span> <span class="n">followed</span> <span class="n">by</span> <span class="n">a</span> <span class="n">newline</span><span class="o">.</span> <span class="n">If</span> <span class="n">io</span> <span class="n">is</span> <span class="n">not</span> <span class="n">supplied</span><span class="x">,</span> <span class="n">prints</span> <span class="n">to</span> <span class="nb">stdout</span><span class="o">.</span> <span class="n">help</span><span class="o">?&gt;</span> </code></pre> </div> <h3> 3. Pkg Mode (<code>pkg&gt;</code>) </h3> <p>This mode provides an interface to Julia's built-in package manager, <code>Pkg</code>.</p> <ul> <li> <strong>Prompt</strong>: <code>pkg&gt;</code> </li> <li> <strong>How to Enter</strong>: Type <code>]</code> in Julian mode.</li> <li> <strong>How to Exit</strong>: Press <code>Backspace</code> or <code>Ctrl+C</code>.</li> </ul> <p>You use this mode to add, remove, and update dependencies for your project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="x">]</span> <span class="n">pkg</span><span class="o">&gt;</span> <span class="n">status</span> <span class="n">Project</span> <span class="n">MultiLanguageHttpClient</span> <span class="n">v0</span><span class="o">.</span><span class="mf">1.0</span> <span class="n">Status</span> <span class="sb">`~/MultiLanguageHttpClient/Project.toml`</span> <span class="x">(</span><span class="n">empty</span> <span class="n">project</span><span class="x">)</span> <span class="n">pkg</span><span class="o">&gt;</span> <span class="n">add</span> <span class="n">Sockets</span> <span class="n">Updating</span> <span class="n">registry</span> <span class="n">at</span> <span class="sb">`~/.julia/registries/General`</span> <span class="n">Resolving</span> <span class="n">package</span> <span class="n">versions</span><span class="o">...</span> <span class="n">Updating</span> <span class="sb">`~/Multi-Language-HTTP-Client/Project.toml`</span> <span class="x">[</span><span class="mi">6</span><span class="n">eb21f48</span><span class="x">]</span> <span class="o">+</span> <span class="n">Sockets</span> <span class="o">...</span> </code></pre> </div> <h3> 4. Shell Mode (<code>shell&gt;</code>) </h3> <p>This mode allows you to run shell commands directly from within Julia.</p> <ul> <li> <strong>Prompt</strong>: <code>shell&gt;</code> </li> <li> <strong>How to Enter</strong>: Type <code>;</code> in Julian mode.</li> <li> <strong>How to Exit</strong>: Press <code>Backspace</code> or <code>Ctrl+C</code>.</li> </ul> <p>This is useful for file system operations or running other command-line tools without leaving the Julia REPL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="x">;</span> <span class="n">shell</span><span class="o">&gt;</span> <span class="n">ls</span> <span class="o">-</span><span class="n">l</span> <span class="n">total</span> <span class="mi">4</span> <span class="o">-</span><span class="n">rw</span><span class="o">-</span><span class="n">r</span><span class="o">--</span><span class="n">r</span><span class="o">--</span> <span class="mi">1</span> <span class="n">user</span> <span class="n">user</span> <span class="mi">44</span> <span class="n">Oct</span> <span class="mi">16</span> <span class="mi">12</span><span class="o">:</span><span class="mi">00</span> <span class="mi">0001</span><span class="n">_hello_world</span><span class="o">.</span><span class="n">jl</span> <span class="n">drwxr</span><span class="o">-</span><span class="n">xr</span><span class="o">-</span><span class="n">x</span> <span class="mi">2</span> <span class="n">user</span> <span class="n">user</span> <span class="mi">4</span> <span class="n">Oct</span> <span class="mi">16</span> <span class="mi">12</span><span class="o">:</span><span class="mi">00</span> <span class="n">Project</span><span class="o">.</span><span class="n">toml</span> <span class="n">shell</span><span class="o">&gt;</span> </code></pre> </div> <h2> Variables Assignments </h2> <h3> <code>0003_variables.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0003_variables.jl</span> <span class="c"># 1. Assign an integer value to a variable named 'x'</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">100</span> <span class="n">println</span><span class="x">(</span><span class="s">"The value of x is: "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"The type of x is: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">x</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Print a separator line</span> <span class="c"># 2. Reassign a new value of a different type (a String) to the same variable</span> <span class="n">x</span> <span class="o">=</span> <span class="s">"Hello, Julia!"</span> <span class="n">println</span><span class="x">(</span><span class="s">"The value of x is now: "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"The type of x is now: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">x</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates fundamental variable assignment and the dynamic nature of Julia's type system.</p> <ul> <li><p><strong>Assignment</strong>: The <code>=</code> operator is used to assign or <em>bind</em> a value to a variable name.</p></li> <li><p><strong>Dynamic Types</strong>: Unlike C++ or Rust, you do not need to declare a variable's type before using it. Julia is dynamically typed, which means a variable is simply a name bound to a value, and the type is associated with the value itself, not the variable name. As shown in the example, the variable <code>x</code> can first hold an integer (<code>Int64</code> by default on a 64-bit system) and then be reassigned to hold a <code>String</code>.</p></li> <li><p><strong><code>typeof()</code></strong>: This built-in function returns the type of the value that its argument currently refers to. It's a useful tool for interactive exploration and debugging.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0003_variables.jl The value of x is: 100 The <span class="nb">type </span>of x is: Int64 <span class="nt">--------------------</span> The value of x is now: Hello, Julia! The <span class="nb">type </span>of x is now: String </code></pre> </div> <h3> <code>0004_constants.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0004_constants.jl</span> <span class="c"># A regular (non-constant) global variable. Its type can change.</span> <span class="n">NON_CONST_GLOBAL</span> <span class="o">=</span> <span class="mi">100</span> <span class="c"># A constant global variable. Its type is now fixed.</span> <span class="kd">const</span> <span class="n">CONST_GLOBAL</span> <span class="o">=</span> <span class="mi">200</span> <span class="k">function</span><span class="nf"> get_non_const</span><span class="x">()</span> <span class="k">return</span> <span class="n">NON_CONST_GLOBAL</span> <span class="o">*</span> <span class="mi">2</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> get_const</span><span class="x">()</span> <span class="k">return</span> <span class="n">CONST_GLOBAL</span> <span class="o">*</span> <span class="mi">2</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"This script demonstrates the performance difference between constant and non-constant globals."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"The real difference is seen by inspecting the compiled code, not just by timing this simple script."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">In the Julia REPL, run the following commands to see the difference:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" include(</span><span class="se">\"</span><span class="s">0004_constants.jl</span><span class="se">\"</span><span class="s">)"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" @code_warntype get_non_const()"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" @code_warntype get_const()"</span><span class="x">)</span> <span class="c"># We can call the functions to show they work</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Result from non-constant global: "</span><span class="x">,</span> <span class="n">get_non_const</span><span class="x">())</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from constant global: "</span><span class="x">,</span> <span class="n">get_const</span><span class="x">())</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces one of the most important concepts for writing high-performance Julia code: <strong>constant global variables</strong>.</p> <ul> <li> <strong><code>const</code> Keyword</strong>: When used on a global variable, <code>const</code> is a promise to the Julia compiler that the <em>type</em> of this variable will never change. This allows the compiler to generate highly optimized, specialized machine code for any function that uses it.</li> </ul> <h3> Performance Impact ❗ </h3> <p>Accessing <strong>non-constant global variables</strong> is extremely slow and is one of the most common performance pitfalls for beginners.</p> <ul> <li><p><strong>Why it's slow</strong>: Because the type of <code>NON_CONST_GLOBAL</code> could change at any moment, the compiler can't make any assumptions. Every time <code>get_non_const()</code> is called, it must generate slow code to dynamically look up the variable, check its current type, and then decide how to perform the <code>* 2</code> operation.</p></li> <li><p><strong>How <code>const</code> fixes it</strong>: By declaring <code>const CONST_GLOBAL</code>, the compiler knows its type will always be an integer. It can then generate fast, direct code for <code>get_const()</code> that performs an efficient integer multiplication, completely avoiding the runtime type-checking overhead.</p></li> </ul> <h3> Diagnosing with <code>@code_warntype</code> </h3> <p>The <code>@code_warntype</code> macro is your primary tool for diagnosing this kind of performance issue. After running <code>include("0004_constants.jl")</code> in the REPL, compare the output of these two commands:</p> <p><strong>1. The Slow Case (Non-Constant)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="nd">@code_warntype</span> <span class="n">get_non_const</span><span class="x">()</span> <span class="o">...</span> <span class="n">Body</span><span class="o">::</span><span class="kt">Any</span> <span class="o">...</span> </code></pre> </div> <p>The <code>Body::Any</code> (often highlighted in red) is a warning sign. It means Julia couldn't figure out the function's return type because it depends on a global variable of an unknown type.</p> <p><strong>2. The Fast Case (Constant)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="nd">@code_warntype</span> <span class="n">get_const</span><span class="x">()</span> <span class="o">...</span> <span class="n">Body</span><span class="o">::</span><span class="kt">Int64</span> <span class="o">...</span> </code></pre> </div> <p>Here, Julia correctly infers the return type as <code>Int64</code>. This indicates type-stable, performant code.</p> <p><strong>Rule of Thumb</strong>: Always declare global variables as <code>const</code> unless you have a specific reason to change their type.</p> <h3> <code>0005_unicode_names.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0005_unicode_names.jl</span> <span class="c"># Standard variable names work as expected</span> <span class="n">radius</span> <span class="o">=</span> <span class="mi">5</span> <span class="c"># Julia allows many Unicode characters, like Greek letters, in variable names</span> <span class="nb">π</span> <span class="o">=</span> <span class="mf">3.14159</span> <span class="n">δ</span> <span class="o">=</span> <span class="mf">0.01</span> <span class="c"># These variables can be used in calculations just like any other</span> <span class="n">circumference</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">radius</span> <span class="n">area</span> <span class="o">=</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">radius</span><span class="o">^</span><span class="mi">2</span> <span class="n">println</span><span class="x">(</span><span class="s">"Radius (r): "</span><span class="x">,</span> <span class="n">radius</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pi (π): "</span><span class="x">,</span> <span class="nb">π</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Delta (δ): "</span><span class="x">,</span> <span class="n">δ</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculated Circumference: "</span><span class="x">,</span> <span class="n">circumference</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculated Area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates a unique and powerful feature of Julia: its first-class support for Unicode in variable names.</p> <ul> <li><p><strong>Unicode Identifiers</strong>: You can use a vast array of Unicode characters, including most mathematical symbols and Greek letters, as valid variable names. This allows your code to more closely resemble the mathematical formulas it represents, which can significantly improve readability in scientific and technical domains.</p></li> <li> <p><strong>How to Type Them</strong>: In the Julia REPL and many code editors (like VS Code with the Julia extension), you can type these symbols using their LaTeX names followed by the <code>Tab</code> key.</p> <ul> <li>To get <code>π</code>, type <code>\pi</code> and then press <code>Tab</code>.</li> <li>To get <code>δ</code>, type <code>\delta</code> and then press <code>Tab</code>.</li> </ul> </li> </ul> <p>This feature is not just cosmetic; it's a fundamental part of the language that encourages writing clear, descriptive, and notationally familiar code.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0005_unicode_names.jl Radius <span class="o">(</span>r<span class="o">)</span>: 5 Pi <span class="o">(</span>π<span class="o">)</span>: 3.14159 Delta <span class="o">(</span>δ<span class="o">)</span>: 0.01 <span class="nt">--------------------</span> Calculated Circumference: 31.4159 Calculated Area: 78.53975 </code></pre> </div> <h2> Primitive Types </h2> <h3> <code>0006_integers.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0006_integers.jl (Corrected)</span> <span class="c"># By default, integer literals are of type Int64 on 64-bit systems</span> <span class="n">default_int</span> <span class="o">=</span> <span class="mi">100</span> <span class="n">println</span><span class="x">(</span><span class="s">"Default integer type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">default_int</span><span class="x">))</span> <span class="c"># You can specify the exact bit size</span> <span class="n">i8</span><span class="o">::</span><span class="kt">Int8</span> <span class="o">=</span> <span class="mi">127</span> <span class="n">i64</span><span class="o">::</span><span class="kt">Int64</span> <span class="o">=</span> <span class="mi">9_223_372_036_854_775_807</span> <span class="c"># Underscores can be used as separators</span> <span class="n">u8</span><span class="o">::</span><span class="kt">UInt8</span> <span class="o">=</span> <span class="mi">255</span> <span class="n">println</span><span class="x">(</span><span class="s">"An 8-bit signed integer: "</span><span class="x">,</span> <span class="n">i8</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"A 64-bit signed integer: "</span><span class="x">,</span> <span class="n">i64</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"An 8-bit unsigned integer: "</span><span class="x">,</span> <span class="n">u8</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># To demonstrate overflow, all operands must be of the same type.</span> <span class="c"># We explicitly construct an Int8 from the literal '2' before adding.</span> <span class="n">println</span><span class="x">(</span><span class="s">"The maximum value for Int8 is: "</span><span class="x">,</span> <span class="n">typemax</span><span class="x">(</span><span class="kt">Int8</span><span class="x">))</span> <span class="n">overflowed_int</span> <span class="o">=</span> <span class="n">i8</span> <span class="o">+</span> <span class="kt">Int8</span><span class="x">(</span><span class="mi">2</span><span class="x">)</span> <span class="c"># This is now Int8(127) + Int8(2)</span> <span class="n">println</span><span class="x">(</span><span class="s">"127 + 2 as Int8 results in: "</span><span class="x">,</span> <span class="n">overflowed_int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"The minimum value for Int8 is: "</span><span class="x">,</span> <span class="n">typemin</span><span class="x">(</span><span class="kt">Int8</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script covers Julia's primitive integer types and their overflow behavior.</p> <ul> <li> <strong>Sized Integers</strong>: Julia provides a full range of standard integer types: <code>Int8</code>, <code>Int16</code>, <code>Int32</code>, <code>Int64</code>, <code>Int128</code> and their unsigned (<code>UInt...</code>) counterparts.</li> <li> <strong>Default Type</strong>: The default type for an integer literal is <code>Int</code>, which is an alias for the platform's native word size (<code>Int64</code> on 64-bit systems).</li> <li> <strong>Type Construction</strong>: You can construct a value of a specific type using <code>TypeName(value)</code>, for example, <code>Int8(2)</code>.</li> </ul> <h3> Performance &amp; Behavior Notes </h3> <ul> <li> <strong>Memory Usage</strong>: For large arrays, using the smallest appropriate integer type (e.g., <code>Vector{Int8}</code>) can significantly reduce memory usage.</li> <li> <strong>Overflow Behavior</strong>: Julia's arithmetic operations <strong>wrap around</strong> on overflow <em>when all operands are of the same fixed-size integer type</em>. The expression <code>i8 + Int8(2)</code> performs <code>Int8</code> arithmetic, causing the value to wrap from the maximum (<code>127</code>) to the minimum (<code>-128</code>) and continue from there. This is a crucial distinction from operations involving mixed types, which promote to a larger type and do not wrap.</li> </ul> <p>To run the corrected script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0006_integers.jl Default integer <span class="nb">type</span>: Int64 An 8-bit signed integer: 127 A 64-bit signed integer: 9223372036854775807 An 8-bit unsigned integer: 255 <span class="nt">--------------------</span> The maximum value <span class="k">for </span>Int8 is: 127 127 + 2 as Int8 results <span class="k">in</span>: <span class="nt">-127</span> The minimum value <span class="k">for </span>Int8 is: <span class="nt">-128</span> </code></pre> </div> <h3> <code>0007_floats.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0007_floats.jl</span> <span class="c"># By default, literals with a decimal point are Float64</span> <span class="n">f64</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="n">println</span><span class="x">(</span><span class="s">"Default float type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">f64</span><span class="x">))</span> <span class="c"># You can create a Float32 by using an 'f0' suffix</span> <span class="n">f32</span> <span class="o">=</span> <span class="mf">1.5f0</span> <span class="n">println</span><span class="x">(</span><span class="s">"A 32-bit float: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">f32</span><span class="x">))</span> <span class="c"># Scientific notation is also supported</span> <span class="n">small_num</span> <span class="o">=</span> <span class="mf">1e-5</span> <span class="n">println</span><span class="x">(</span><span class="s">"Scientific notation (1e-5): "</span><span class="x">,</span> <span class="n">small_num</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Floating-point arithmetic follows IEEE 754 standards, including special values</span> <span class="n">positive_infinity</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="o">/</span> <span class="mf">0.0</span> <span class="n">negative_infinity</span> <span class="o">=</span> <span class="o">-</span><span class="mf">1.0</span> <span class="o">/</span> <span class="mf">0.0</span> <span class="n">not_a_number</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="o">/</span> <span class="mf">0.0</span> <span class="n">println</span><span class="x">(</span><span class="s">"1.0 / 0.0 = "</span><span class="x">,</span> <span class="n">positive_infinity</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-1.0 / 0.0 = "</span><span class="x">,</span> <span class="n">negative_infinity</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"0.0 / 0.0 = "</span><span class="x">,</span> <span class="n">not_a_number</span><span class="x">)</span> <span class="c"># You can check for these special values</span> <span class="n">println</span><span class="x">(</span><span class="s">"Is positive_infinity infinite? "</span><span class="x">,</span> <span class="n">isinf</span><span class="x">(</span><span class="n">positive_infinity</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Is not_a_number a NaN? "</span><span class="x">,</span> <span class="n">isnan</span><span class="x">(</span><span class="n">not_a_number</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces Julia's floating-point types and their special values, which will be familiar from C++ and Rust as they follow the IEEE 754 standard.</p> <ul> <li><p><strong>Floating-Point Types</strong>: Julia's main floating-point types are <code>Float32</code> (single precision) and <code>Float64</code> (double precision). <code>Float64</code> is the default for any literal containing a decimal point.</p></li> <li> <p><strong>Literals</strong>:</p> <ul> <li>A literal like <code>3.14</code> is automatically a <code>Float64</code>.</li> <li>To create a <code>Float32</code> literal, you can use the <code>f0</code> suffix (e.g., <code>3.14f0</code>). This is a concise syntax similar to the <code>f</code> suffix in C/C++.</li> <li>Scientific notation can be expressed with <code>e</code> or <code>E</code>, as in <code>6.022e23</code>.</li> </ul> </li> <li> <p><strong>Special Values</strong>: Standard floating-point arithmetic can result in three special values:</p> <ul> <li> <code>Inf</code>: Infinity, resulting from operations like <code>1.0 / 0.0</code>.</li> <li> <code>-Inf</code>: Negative infinity.</li> <li> <code>NaN</code>: "Not a Number," resulting from undefined operations like <code>0.0 / 0.0</code>.</li> </ul> </li> <li><p><strong>Check Functions</strong>: Julia provides <code>isinf()</code>, <code>isnan()</code>, and <code>isfinite()</code> to test for these special values.</p></li> </ul> <h3> Performance Note </h3> <p>For general-purpose computing, the default <code>Float64</code> is recommended. However, for applications involving very large arrays of floating-point numbers (like in graphics, machine learning, or scientific simulation), explicitly using <code>Float32</code> can cut memory usage in half and may offer significant speedups on hardware optimized for single-precision arithmetic, such as GPUs.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0007_floats.jl Default float <span class="nb">type</span>: Float64 A 32-bit float: Float32 Scientific notation <span class="o">(</span>1e-5<span class="o">)</span>: 1.0e-5 <span class="nt">--------------------</span> 1.0 / 0.0 <span class="o">=</span> Inf <span class="nt">-1</span>.0 / 0.0 <span class="o">=</span> <span class="nt">-Inf</span> 0.0 / 0.0 <span class="o">=</span> NaN Is positive_infinity infinite? <span class="nb">true </span>Is not_a_number a NaN? <span class="nb">true</span> </code></pre> </div> <h3> <code>0008_booleans_chars.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0008_booleans_chars.jl</span> <span class="c"># Booleans can be 'true' or 'false'</span> <span class="n">is_active</span> <span class="o">=</span> <span class="nb">true</span> <span class="n">is_complete</span> <span class="o">=</span> <span class="nb">false</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value of is_active: "</span><span class="x">,</span> <span class="n">is_active</span><span class="x">,</span> <span class="s">", Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">is_active</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value of is_complete: "</span><span class="x">,</span> <span class="n">is_complete</span><span class="x">,</span> <span class="s">", Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">is_complete</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Characters are created with single quotes and represent a single Unicode code point</span> <span class="n">letter_a</span> <span class="o">=</span> <span class="sc">'a'</span> <span class="n">unicode_char</span> <span class="o">=</span> <span class="sc">'Ω'</span> <span class="c"># Greek letter Omega</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value of letter_a: "</span><span class="x">,</span> <span class="n">letter_a</span><span class="x">,</span> <span class="s">", Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">letter_a</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value of unicode_char: "</span><span class="x">,</span> <span class="n">unicode_char</span><span class="x">,</span> <span class="s">", Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">unicode_char</span><span class="x">))</span> <span class="c"># A Julia Char is a 32-bit primitive type, which can be seen by converting it to an integer</span> <span class="n">codepoint</span> <span class="o">=</span> <span class="kt">UInt32</span><span class="x">(</span><span class="n">unicode_char</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"The Unicode codepoint for 'Ω' is: "</span><span class="x">,</span> <span class="n">codepoint</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script covers two fundamental primitive types: booleans and characters.</p> <ul> <li><p><strong><code>Bool</code></strong>: The boolean type has two possible instances: <code>true</code> and <code>false</code>. It is used for logical operations and control flow.</p></li> <li><p><strong><code>Char</code></strong>: A character literal is created using <strong>single quotes</strong> (e.g., <code>'a'</code>). This distinguishes it from strings, which use double quotes.</p></li> </ul> <h3> Important Distinction for C/C++ Programmers </h3> <p>A crucial difference from C/C++ is that a Julia <code>Char</code> is <strong>not</strong> an 8-bit integer. It is a special 32-bit primitive type that represents a single Unicode code point. This allows any Unicode character, from 'a' to 'Ω' to '😂', to be stored in a <code>Char</code> variable without ambiguity. You can convert a <code>Char</code> to its corresponding integer value to see its code point.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0008_booleans_chars.jl Value of is_active: <span class="nb">true</span>, Type: Bool Value of is_complete: <span class="nb">false</span>, Type: Bool <span class="nt">--------------------</span> Value of letter_a: a, Type: Char Value of unicode_char: Ω, Type: Char The Unicode codepoint <span class="k">for</span> <span class="s1">'Ω'</span> is: 937 </code></pre> </div> <h2> Basic Operators </h2> <h3> <code>0009_arithmetic_operators.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0009_arithmetic_operators.jl</span> <span class="n">a</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">3</span> <span class="c"># Standard arithmetic operators</span> <span class="n">addition</span> <span class="o">=</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="n">subtraction</span> <span class="o">=</span> <span class="n">a</span> <span class="o">-</span> <span class="n">b</span> <span class="n">multiplication</span> <span class="o">=</span> <span class="n">a</span> <span class="o">*</span> <span class="n">b</span> <span class="n">exponentiation</span> <span class="o">=</span> <span class="n">a</span> <span class="o">^</span> <span class="n">b</span> <span class="c"># Note: ^ is for power, not XOR</span> <span class="n">println</span><span class="x">(</span><span class="s">"a + b = "</span><span class="x">,</span> <span class="n">addition</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"a - b = "</span><span class="x">,</span> <span class="n">subtraction</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"a * b = "</span><span class="x">,</span> <span class="n">multiplication</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"a ^ b = "</span><span class="x">,</span> <span class="n">exponentiation</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Julia has two types of division</span> <span class="n">float_division</span> <span class="o">=</span> <span class="n">a</span> <span class="o">/</span> <span class="n">b</span> <span class="n">integer_division</span> <span class="o">=</span> <span class="n">a</span> <span class="o">÷</span> <span class="n">b</span> <span class="c"># Type this with \div&lt;tab&gt;</span> <span class="n">remainder</span> <span class="o">=</span> <span class="n">a</span> <span class="o">%</span> <span class="n">b</span> <span class="n">println</span><span class="x">(</span><span class="s">"Floating-point division (a / b): "</span><span class="x">,</span> <span class="n">float_division</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Integer division (a ÷ b): "</span><span class="x">,</span> <span class="n">integer_division</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Remainder (a % b): "</span><span class="x">,</span> <span class="n">remainder</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script covers Julia's standard arithmetic operators, highlighting the important distinction between the two division operators.</p> <ul> <li> <strong>Standard Operators</strong>: Julia uses the expected symbols for addition (<code>+</code>), subtraction (<code>-</code>), multiplication (<code>*</code>), exponentiation (<code>^</code>), and remainder (<code>%</code>). <ul> <li> <strong>Note</strong>: Coming from C/C++/Rust, be aware that <code>^</code> is for exponentiation, not bitwise XOR (which is done with the <code>xor()</code> function or the <code>⊻</code> symbol).</li> </ul> </li> </ul> <h3> Division Operators </h3> <p>Julia provides two distinct division operators to avoid ambiguity, which is a common source of bugs in other languages.</p> <ul> <li> <p><code>/</code> <strong>(Floating-Point Division)</strong>: This operator <em>always</em> performs floating-point division and will always return a floating-point number, even if the inputs are integers. This is identical to Python 3's <code>/</code> operator.</p> <ul> <li> <code>10 / 2</code> results in <code>5.0</code>.</li> </ul> </li> <li> <p><code>÷</code> <strong>(Integer Division)</strong>: This operator (typed as <code>\div</code> followed by <code>Tab</code>) performs Euclidean division, truncating the result to an integer. This is the equivalent of integer division in C/C++ or the <code>//</code> operator in Python.</p> <ul> <li> <code>10 ÷ 3</code> results in <code>3</code>.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0009_arithmetic_operators.jl a + b <span class="o">=</span> 13 a - b <span class="o">=</span> 7 a <span class="k">*</span> b <span class="o">=</span> 30 a ^ b <span class="o">=</span> 1000 <span class="nt">--------------------</span> Floating-point division <span class="o">(</span>a / b<span class="o">)</span>: 3.3333333333333335 Integer division <span class="o">(</span>a ÷ b<span class="o">)</span>: 3 Remainder <span class="o">(</span>a % b<span class="o">)</span>: 1 </code></pre> </div> <h3> <code>0010_comparison_operators.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0010_comparison_operators.jl</span> <span class="c"># Standard comparison operators</span> <span class="n">println</span><span class="x">(</span><span class="s">"5 &gt; 3 is "</span><span class="x">,</span> <span class="mi">5</span> <span class="o">&gt;</span> <span class="mi">3</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"5 == 5 is "</span><span class="x">,</span> <span class="mi">5</span> <span class="o">==</span> <span class="mi">5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"5 != 3 is "</span><span class="x">,</span> <span class="mi">5</span> <span class="o">!=</span> <span class="mi">3</span><span class="x">)</span> <span class="c"># 'a' is less than 'b' based on its Unicode value</span> <span class="n">println</span><span class="x">(</span><span class="s">"'a' &lt; 'b' is "</span><span class="x">,</span> <span class="sc">'a'</span> <span class="o">&lt;</span> <span class="sc">'b'</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># The `==` operator compares values after type promotion</span> <span class="n">println</span><span class="x">(</span><span class="s">"Does 1 (Integer) == 1.0 (Float)? "</span><span class="x">,</span> <span class="mi">1</span> <span class="o">==</span> <span class="mf">1.0</span><span class="x">)</span> <span class="c"># The `===` operator checks for strict equality (same type and value)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Does 1 (Integer) === 1.0 (Float)? "</span><span class="x">,</span> <span class="mi">1</span> <span class="o">===</span> <span class="mf">1.0</span><span class="x">)</span> <span class="c"># `NaN` is a special case for equality</span> <span class="n">println</span><span class="x">(</span><span class="s">"Does NaN == NaN? "</span><span class="x">,</span> <span class="nb">NaN</span> <span class="o">==</span> <span class="nb">NaN</span><span class="x">)</span> <span class="c"># `isequal()` is a function that considers NaN equal to itself</span> <span class="n">println</span><span class="x">(</span><span class="s">"Does isequal(NaN, NaN)? "</span><span class="x">,</span> <span class="n">isequal</span><span class="x">(</span><span class="nb">NaN</span><span class="x">,</span> <span class="nb">NaN</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates Julia's comparison operators, highlighting the important differences between the three types of equality checks.</p> <ul> <li> <strong>Standard Operators</strong>: The usual operators <code>==</code> (equal), <code>!=</code> (not equal), <code>&lt;</code>, <code>&gt;</code>, <code>&lt;=</code>, and <code>&gt;=</code> work as expected. They compare values, promoting numeric types if necessary. This is why <code>1 == 1.0</code> evaluates to <code>true</code>.</li> </ul> <h3> The Three Equalities </h3> <p>For a systems programmer, understanding the distinction between different equality checks is critical.</p> <ul> <li><p><strong><code>==</code> (Value Equality)</strong>: This is the most common equality check. It compares values. If the types are different but can be promoted to a common type (like <code>Int</code> and <code>Float64</code>), it does so before comparing. The one special case is that <code>NaN == NaN</code> is always <code>false</code>, following the IEEE 754 standard.</p></li> <li><p><strong><code>isequal()</code> (Consistent Value Equality)</strong>: This function is similar to <code>==</code> but provides more consistent behavior for use in hash tables (like <code>Dict</code>). The key difference is that <code>isequal(NaN, NaN)</code> returns <code>true</code>.</p></li> <li> <p><strong><code>===</code> (Strict Equality / Identity)</strong>: This operator, pronounced "triple equals," checks if two operands are identical.</p> <ul> <li>For immutable values like numbers or characters, it returns <code>true</code> only if they are of the <strong>exact same type</strong> and have the same value. This is why <code>1 === 1.0</code> is <code>false</code>.</li> <li>For mutable objects (which we will cover later), it checks if they are the exact same object in memory, similar to comparing pointers in C/C++.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0010_comparison_operators.jl 5 <span class="o">&gt;</span> 3 is <span class="nb">true </span>5 <span class="o">==</span> 5 is <span class="nb">true </span>5 <span class="o">!=</span> 3 is <span class="nb">true</span> <span class="s1">'a'</span> &lt; <span class="s1">'b'</span> is <span class="nb">true</span> <span class="nt">--------------------</span> Does 1 <span class="o">(</span>Integer<span class="o">)</span> <span class="o">==</span> 1.0 <span class="o">(</span>Float<span class="o">)</span>? <span class="nb">true </span>Does 1 <span class="o">(</span>Integer<span class="o">)</span> <span class="o">===</span> 1.0 <span class="o">(</span>Float<span class="o">)</span>? <span class="nb">false </span>Does NaN <span class="o">==</span> NaN? <span class="nb">false </span>Does isequal<span class="o">(</span>NaN, NaN<span class="o">)</span>? <span class="nb">true</span> </code></pre> </div> <h3> <code>0011_boolean_operators.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0011_boolean_operators.jl</span> <span class="c"># Define functions that print when they are called</span> <span class="k">function</span><span class="nf"> is_true</span><span class="x">(</span><span class="n">label</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Function '"</span><span class="x">,</span> <span class="n">label</span><span class="x">,</span> <span class="s">"' was called and returns true."</span><span class="x">)</span> <span class="k">return</span> <span class="nb">true</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> is_false</span><span class="x">(</span><span class="n">label</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Function '"</span><span class="x">,</span> <span class="n">label</span><span class="x">,</span> <span class="s">"' was called and returns false."</span><span class="x">)</span> <span class="k">return</span> <span class="nb">false</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Demonstrating &amp;&amp; (AND) ---"</span><span class="x">)</span> <span class="c"># The right side is NOT evaluated because the left side is false.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result: "</span><span class="x">,</span> <span class="n">is_false</span><span class="x">(</span><span class="s">"LHS"</span><span class="x">)</span> <span class="o">&amp;&amp;</span> <span class="n">is_true</span><span class="x">(</span><span class="s">"RHS"</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Demonstrating || (OR) ---"</span><span class="x">)</span> <span class="c"># The right side is NOT evaluated because the left side is true.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result: "</span><span class="x">,</span> <span class="n">is_true</span><span class="x">(</span><span class="s">"LHS"</span><span class="x">)</span> <span class="o">||</span> <span class="n">is_false</span><span class="x">(</span><span class="s">"RHS"</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Demonstrating ! (NOT) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result: "</span><span class="x">,</span> <span class="o">!</span><span class="n">is_false</span><span class="x">(</span><span class="s">"NOT test"</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates Julia's logical operators and their short-circuiting behavior, which is a critical feature for writing efficient and safe code.</p> <ul> <li> <strong>Operators</strong>: <ul> <li> <strong><code>&amp;&amp;</code></strong>: Logical AND. Returns <code>true</code> only if both the left and right sides are <code>true</code>.</li> <li> <strong><code>||</code></strong>: Logical OR. Returns <code>true</code> if either the left or the right side is <code>true</code>.</li> <li> <strong><code>!</code></strong>: Logical NOT. Inverts a boolean value.</li> </ul> </li> </ul> <h3> Short-Circuit Evaluation </h3> <p>As in C, C++, Rust, and Python, Julia's <code>&amp;&amp;</code> and <code>||</code> operators perform <strong>short-circuit evaluation</strong>. This is a key performance and control-flow feature.</p> <ul> <li><p><strong>For <code>a &amp;&amp; b</code></strong>: The expression <code>b</code> is <strong>only</strong> evaluated if <code>a</code> is <code>true</code>. If <code>a</code> is <code>false</code>, the overall result must be <code>false</code>, so there is no need to evaluate <code>b</code>. In the first example, only the <code>is_false("LHS")</code> function is called.</p></li> <li><p><strong>For <code>a || b</code></strong>: The expression <code>b</code> is <strong>only</strong> evaluated if <code>a</code> is <code>false</code>. If <code>a</code> is <code>true</code>, the overall result must be <code>true</code>, so there is no need to evaluate <code>b</code>. In the second example, only the <code>is_true("LHS")</code> function is called.</p></li> </ul> <p>This behavior is commonly used to "guard" subsequent operations, for example, checking that an object is not <code>nothing</code> before trying to access one of its fields.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0011_boolean_operators.jl <span class="nt">---</span> Demonstrating <span class="o">&amp;&amp;</span> <span class="o">(</span>AND<span class="o">)</span> <span class="nt">---</span> Function <span class="s1">'LHS'</span> was called and returns false. Result: <span class="nb">false</span> <span class="nt">---</span> Demonstrating <span class="o">||</span> <span class="o">(</span>OR<span class="o">)</span> <span class="nt">---</span> Function <span class="s1">'LHS'</span> was called and returns true. Result: <span class="nb">true</span> <span class="nt">---</span> Demonstrating <span class="o">!</span> <span class="o">(</span>NOT<span class="o">)</span> <span class="nt">---</span> Function <span class="s1">'NOT test'</span> was called and returns false. Result: <span class="nb">true</span> </code></pre> </div> <h3> <code>0012_updating_operators.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0012_updating_operators.jl</span> <span class="c"># Initialize a counter</span> <span class="n">counter</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">println</span><span class="x">(</span><span class="s">"Initial counter value: "</span><span class="x">,</span> <span class="n">counter</span><span class="x">)</span> <span class="c"># Increment the counter by 5</span> <span class="n">counter</span> <span class="o">+=</span> <span class="mi">5</span> <span class="n">println</span><span class="x">(</span><span class="s">"After 'counter += 5': "</span><span class="x">,</span> <span class="n">counter</span><span class="x">)</span> <span class="c"># Decrement the counter by 3</span> <span class="n">counter</span> <span class="o">-=</span> <span class="mi">3</span> <span class="n">println</span><span class="x">(</span><span class="s">"After 'counter -= 3': "</span><span class="x">,</span> <span class="n">counter</span><span class="x">)</span> <span class="c"># Multiply the counter by 2</span> <span class="n">counter</span> <span class="o">*=</span> <span class="mi">2</span> <span class="n">println</span><span class="x">(</span><span class="s">"After 'counter *= 2': "</span><span class="x">,</span> <span class="n">counter</span><span class="x">)</span> <span class="c"># Floating-point divide the counter by 4</span> <span class="c"># Note: The type of 'counter' will change from Int to Float64</span> <span class="n">counter</span> <span class="o">/=</span> <span class="mi">4</span> <span class="n">println</span><span class="x">(</span><span class="s">"After 'counter /= 4': "</span><span class="x">,</span> <span class="n">counter</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"New type of counter: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">counter</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates Julia's updating operators, which provide a concise syntax for modifying a variable in place. These operators are syntactically and functionally identical to their counterparts in C, C++, Rust, and Python.</p> <ul> <li><p><strong>Syntax</strong>: An updating operator is a combination of a binary operator (like <code>+</code>, <code>-</code>, <code>*</code>) and the assignment operator (<code>=</code>). The expression <code>x += y</code> is a shorthand for <code>x = x + y</code>.</p></li> <li> <p><strong>Common Operators</strong>: Julia supports a wide range of these operators, including:</p> <ul> <li> <code>+=</code> (add and assign)</li> <li> <code>-=</code> (subtract and assign)</li> <li> <code>*=</code> (multiply and assign)</li> <li> <code>/=</code> (divide and assign)</li> <li> <code>÷=</code> (integer divide and assign)</li> <li> <code>%=</code> (remainder and assign)</li> <li> <code>^=</code> (exponentiate and assign)</li> </ul> </li> <li><p><strong>Type Promotion</strong>: Be aware that the operation can change the type of the variable. As shown in the example, when <code>counter /= 4</code> is executed, the <code>/</code> operator performs floating-point division. The result is a <code>Float64</code>, so the <code>counter</code> variable is rebound to this new floating-point value.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0012_updating_operators.jl Initial counter value: 10 After <span class="s1">'counter += 5'</span>: 15 After <span class="s1">'counter -= 3'</span>: 12 After <span class="s1">'counter *= 2'</span>: 24 After <span class="s1">'counter /= 4'</span>: 6.0 New <span class="nb">type </span>of counter: Float64 </code></pre> </div> <h2> Strings And Interpolation </h2> <h3> <code>0013_string_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0013_string_basics.jl</span> <span class="c"># A standard, single-line string is created with double quotes.</span> <span class="n">single_line</span> <span class="o">=</span> <span class="s">"This is a standard string."</span> <span class="n">println</span><span class="x">(</span><span class="n">single_line</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">single_line</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Multi-line strings are created with triple-double quotes.</span> <span class="c"># Indentation and newlines within the quotes are preserved.</span> <span class="n">multi_line</span> <span class="o">=</span> <span class="s">""" This is a multi-line string. The indentation on this line is preserved. It can contain any character, like π or 😊. """</span> <span class="n">println</span><span class="x">(</span><span class="n">multi_line</span><span class="x">)</span> <span class="c"># Strings are sequences, and you can access characters by index.</span> <span class="c"># Note: Julia uses 1-based indexing, not 0-based like C++/Python/Rust.</span> <span class="n">first_char</span> <span class="o">=</span> <span class="n">single_line</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"The first character is: '"</span><span class="x">,</span> <span class="n">first_char</span><span class="x">,</span> <span class="s">"', and its type is: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">first_char</span><span class="x">))</span> <span class="c"># Attempting to modify a character will cause an error because strings are immutable.</span> <span class="k">try</span> <span class="n">single_line</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="sc">'t'</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Error trying to modify string: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script covers the basics of creating and interacting with strings in Julia.</p> <ul> <li> <p><strong>Literals</strong>:</p> <ul> <li>Single-line strings are enclosed in double quotes (<code>"</code>).</li> <li>Multi-line strings are enclosed in triple-double quotes (<code>"""</code>). This is a convenient feature for embedding blocks of text, similar to Python's triple quotes.</li> </ul> </li> <li><p><strong>Encoding</strong>: Julia strings are UTF-8 encoded by default. This means they can natively store any Unicode character without any special handling.</p></li> <li><p><strong>1-Based Indexing</strong>: A major difference from C/C++/Python/Rust is that Julia uses <strong>1-based indexing</strong>. The first element of any sequence is at index <code>1</code>.</p></li> <li><p><strong>Immutability</strong>: Strings in Julia are <strong>immutable</strong>. You cannot change the characters of an existing string. When you "modify" a string (e.g., through concatenation), you are actually creating a completely new string in memory. This is a critical design feature that ensures safety and predictable performance, as the compiler doesn't need to worry about the string's contents changing unexpectedly.</p></li> <li><p><strong><code>String</code> vs. <code>Char</code></strong>: When you index into a <code>String</code>, you get a value of type <code>Char</code>, which represents a single Unicode code point.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0013_string_basics.jl This is a standard string. Type: String <span class="nt">--------------------</span> This is a multi-line string. The indentation on this line is preserved. It can contain any character, like π or 😊. The first character is: <span class="s1">'T'</span>, and its <span class="nb">type </span>is: Char Error trying to modify string: MethodError<span class="o">(</span><span class="nv">f</span><span class="o">=</span>setindex!, <span class="nv">args</span><span class="o">=(</span>...<span class="o">))</span> </code></pre> </div> <h3> <code>0014_string_interpolation.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0014_string_interpolation.jl</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"Julia"</span> <span class="n">year</span> <span class="o">=</span> <span class="mi">2012</span> <span class="n">version</span> <span class="o">=</span> <span class="mf">1.10</span> <span class="c"># 1. Basic interpolation with the '$' symbol</span> <span class="c"># The variable's value is inserted directly into the string.</span> <span class="n">intro</span> <span class="o">=</span> <span class="s">"My name is </span><span class="si">$</span><span class="s">name. I was released in </span><span class="si">$</span><span class="s">year."</span> <span class="n">println</span><span class="x">(</span><span class="n">intro</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Expression interpolation with '$(...)'</span> <span class="c"># Any Julia expression inside the parentheses will be evaluated,</span> <span class="c"># and its result will be inserted into the string.</span> <span class="n">current_year</span> <span class="o">=</span> <span class="mi">2025</span> <span class="n">age_calculation</span> <span class="o">=</span> <span class="s">"It is now </span><span class="si">$</span><span class="s">current_year, so I am </span><span class="si">$</span><span class="s">(current_year - year) years old."</span> <span class="n">println</span><span class="x">(</span><span class="n">age_calculation</span><span class="x">)</span> <span class="c"># You can even call functions inside the expression.</span> <span class="n">version_info</span> <span class="o">=</span> <span class="s">"My current version is </span><span class="si">$(version)</span><span class="s">, and uppercase it is </span><span class="si">$</span><span class="s">(uppercase(string(version)))"</span> <span class="n">println</span><span class="x">(</span><span class="n">version_info</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates string interpolation, which is Julia's most efficient and common method for constructing strings from other values.</p> <ul> <li> <p><strong>Syntax</strong>: Interpolation is performed inside double-quoted strings (<code>"..."</code>).</p> <ul> <li> <strong><code>$</code> for Variables</strong>: A dollar sign (<code>$</code>) followed by a variable name inserts the value of that variable.</li> <li> <strong><code>$(...)</code> for Expressions</strong>: A dollar sign followed by parentheses (<code>$(...)</code>) evaluates any Julia code within the parentheses and inserts the result.</li> </ul> </li> <li><p><strong>Performance</strong>: String interpolation is extremely performant. Unlike manual string concatenation (e.g., <code>"a" * "b" * "c"</code>), which creates multiple intermediate strings, interpolation calculates the final size and builds the new string in a single, optimized operation. This is the preferred method for building strings from parts, especially in performance-sensitive code.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0014_string_interpolation.jl My name is Julia. I was released <span class="k">in </span>2012. <span class="nt">--------------------</span> It is now 2025, so I am 13 years old. My current version is 1.1, and uppercase it is 1.1 </code></pre> </div> <h3> <code>0015_string_concatenation.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0015_string_concatenation.jl</span> <span class="c"># The '*' operator is used for simple string concatenation.</span> <span class="n">str1</span> <span class="o">=</span> <span class="s">"Hello"</span> <span class="n">str2</span> <span class="o">=</span> <span class="s">"World"</span> <span class="n">combined</span> <span class="o">=</span> <span class="n">str1</span> <span class="o">*</span> <span class="s">", "</span> <span class="o">*</span> <span class="n">str2</span> <span class="o">*</span> <span class="s">"!"</span> <span class="n">println</span><span class="x">(</span><span class="s">"Concatenated with '*': "</span><span class="x">,</span> <span class="n">combined</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># --- Performance Demonstration ---</span> <span class="c"># Method 1: Inefficiently building a string in a loop with '*'.</span> <span class="c"># This is slow because it creates a new string in every iteration.</span> <span class="n">parts</span> <span class="o">=</span> <span class="x">[</span><span class="s">"a"</span><span class="x">,</span> <span class="s">"b"</span><span class="x">,</span> <span class="s">"c"</span><span class="x">,</span> <span class="s">"d"</span><span class="x">,</span> <span class="s">"e"</span><span class="x">]</span> <span class="n">s_slow</span> <span class="o">=</span> <span class="s">""</span> <span class="k">for</span> <span class="n">part</span> <span class="k">in</span> <span class="n">parts</span> <span class="kd">global</span> <span class="n">s_slow</span> <span class="c"># Super important because for loop is a "soft scope".</span> <span class="c"># Without declaring the global Julia tries to create a local.</span> <span class="n">s_slow</span> <span class="o">*=</span> <span class="n">part</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from slow loop: "</span><span class="x">,</span> <span class="n">s_slow</span><span class="x">)</span> <span class="c"># Method 2: The performant and idiomatic way using 'join()'.</span> <span class="c"># This calculates the final size once and builds the string efficiently.</span> <span class="n">s_fast</span> <span class="o">=</span> <span class="n">join</span><span class="x">(</span><span class="n">parts</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from fast join: "</span><span class="x">,</span> <span class="n">s_fast</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to join strings and highlights the critical performance difference between concatenation in a loop and using the <code>join()</code> function.</p> <ul> <li> <strong><code>*</code> Operator</strong>: For joining a small, fixed number of strings, the <code>*</code> operator is a perfectly readable and acceptable choice. <code>str1 * str2</code> creates a new string containing the contents of <code>str1</code> followed by <code>str2</code>.</li> </ul> <h3> Performance in Loops ❗ </h3> <p>This is a crucial performance concept that translates directly from languages like Python.</p> <ul> <li><p><strong>Inefficient Loop (<code>*=</code>):</strong> When you use <code>s_slow *= part</code> inside a loop, you are not modifying the string <code>s_slow</code>. Because strings are immutable, Julia must allocate a <strong>brand new string</strong> that is large enough to hold the old <code>s_slow</code> plus the new <code>part</code>, copy the contents of both into it, and then reassign the name <code>s_slow</code> to this new string. In a loop with many iterations, this results in excessive memory allocations and copying, leading to very poor performance.</p></li> <li><p><strong>Performant <code>join()</code>:</strong> The <code>join()</code> function is the correct and idiomatic way to combine a collection of strings. It first iterates through the collection to calculate the total size of the final string. Then, it allocates a single block of memory of the correct size and copies each part into it just once. This "calculate-then-allocate" strategy avoids creating many intermediate strings and is dramatically faster.</p></li> </ul> <p><strong>Rule of Thumb</strong>: Always use <code>join()</code> when combining a variable number of strings, especially from within a loop.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0015_string_concatenation.jl Concatenated with <span class="s1">'*'</span>: Hello, World! <span class="nt">--------------------</span> Result from slow loop: abcde Result from fast <span class="nb">join</span>: abcde </code></pre> </div> <h1> Module 2: Control Flow </h1> <h2> Conditional Logic </h2> <h3> <code>0016_if_else.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0016_if_else.jl</span> <span class="c"># A simple function to check if a number is even or odd</span> <span class="k">function</span><span class="nf"> check_parity</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span> <span class="n">println</span><span class="x">(</span><span class="s">"The number "</span><span class="x">,</span> <span class="n">n</span><span class="x">,</span> <span class="s">" is even."</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"The number "</span><span class="x">,</span> <span class="n">n</span><span class="x">,</span> <span class="s">" is odd."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">check_parity</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="n">check_parity</span><span class="x">(</span><span class="mi">7</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the fundamental <code>if</code>/<code>else</code> statement, which is the most basic structure for conditional logic.</p> <ul> <li> <strong>Syntax</strong>: The structure is <code>if &lt;condition&gt; ... else ... end</code>. The code inside the <code>if</code> block is executed if the <code>&lt;condition&gt;</code> evaluates to <code>true</code>. Otherwise, the code inside the <code>else</code> block is executed.</li> <li> <strong>Condition</strong>: The condition (<code>n % 2 == 0</code>) must be an expression that results in a <code>Bool</code> (<code>true</code> or <code>false</code>).</li> <li> <strong><code>end</code> Keyword</strong>: Unlike Python's indentation or C++/Rust's curly braces, Julia uses the <code>end</code> keyword to terminate blocks of code, including <code>if</code> statements and functions.</li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0016_if_else.jl The number 10 is even. The number 7 is odd. </code></pre> </div> <h3> <code>0017_if_elseif_else.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0017_if_elseif_else.jl</span> <span class="c"># A function to check the sign of a number</span> <span class="k">function</span><span class="nf"> check_sign</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="n">println</span><span class="x">(</span><span class="s">"The number "</span><span class="x">,</span> <span class="n">n</span><span class="x">,</span> <span class="s">" is positive."</span><span class="x">)</span> <span class="k">elseif</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="n">println</span><span class="x">(</span><span class="s">"The number "</span><span class="x">,</span> <span class="n">n</span><span class="x">,</span> <span class="s">" is negative."</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"The number "</span><span class="x">,</span> <span class="n">n</span><span class="x">,</span> <span class="s">" is zero."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">check_sign</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="n">check_sign</span><span class="x">(</span><span class="o">-</span><span class="mi">5</span><span class="x">)</span> <span class="n">check_sign</span><span class="x">(</span><span class="mi">0</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <code>if</code>/<code>elseif</code>/<code>else</code> structure, which allows you to chain multiple conditions together.</p> <ul> <li> <strong>Syntax</strong>: The structure is <code>if &lt;condition1&gt; ... elseif &lt;condition2&gt; ... else ... end</code>.</li> <li> <strong>Execution Flow</strong>: Julia evaluates the conditions sequentially from top to bottom. <ol> <li> First, it checks <code>if n &gt; 0</code>. If this is <code>true</code>, its block is executed, and the entire chain is exited.</li> <li> Only if the first condition is <code>false</code>, it then checks <code>elseif n &lt; 0</code>. If this is <code>true</code>, its block is executed, and the chain is exited.</li> <li> If all preceding <code>if</code> and <code>elseif</code> conditions are <code>false</code>, the final <code>else</code> block is executed as a fallback.</li> </ol> </li> </ul> <p>This structure is a direct equivalent to <code>if</code>/<code>else if</code>/<code>else</code> in C++/Rust and <code>if</code>/<code>elif</code>/<code>else</code> in Python. It's a clean way to handle a series of mutually exclusive conditions.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0017_if_elseif_else.jl The number 10 is positive. The number <span class="nt">-5</span> is negative. The number 0 is zero. </code></pre> </div> <h3> <code>0018_ternary_operator.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0018_ternary_operator.jl</span> <span class="k">function</span><span class="nf"> get_parity_message</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="c"># The ternary operator provides a concise way to write a simple if/else.</span> <span class="c"># The structure is: &lt;condition&gt; ? &lt;value_if_true&gt; : &lt;value_if_false&gt;</span> <span class="n">message</span> <span class="o">=</span> <span class="x">(</span><span class="n">n</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span><span class="x">)</span> <span class="o">?</span> <span class="s">"even"</span> <span class="o">:</span> <span class="s">"odd"</span> <span class="k">return</span> <span class="s">"The number </span><span class="si">$</span><span class="s">n is </span><span class="si">$</span><span class="s">message."</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="n">get_parity_message</span><span class="x">(</span><span class="mi">10</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="n">get_parity_message</span><span class="x">(</span><span class="mi">7</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong>ternary operator</strong>, a compact syntax for a simple conditional expression.</p> <ul> <li><p><strong>Syntax</strong>: The syntax <code>a ? b : c</code> is identical to its usage in C, C++, Rust, and Python. The parentheses around the condition, <code>(n % 2 == 0)</code>, are not strictly required but are often used to improve readability.</p></li> <li> <p><strong>Execution</strong>: The condition <code>a</code> is evaluated first.</p> <ul> <li>If it's <code>true</code>, the entire expression evaluates to <code>b</code>.</li> <li>If it's <code>false</code>, the entire expression evaluates to <code>c</code>.</li> </ul> </li> <li><p><strong>Usage</strong>: It's best used for assigning one of two simple values to a variable based on a single condition. It's an expression that returns a value, not a statement that performs actions. For logic involving multiple lines or <code>elseif</code> branches, a full <code>if/else</code> block remains more readable and appropriate.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0018_ternary_operator.jl The number 10 is even. The number 7 is odd. </code></pre> </div> <h3> <code>0019_short_circuit_guard.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0019_short_circuit_guard.jl</span> <span class="c"># A simple data structure to hold a value.</span> <span class="k">mutable struct</span><span class="nc"> Container</span> <span class="n">value</span><span class="o">::</span><span class="kt">Int</span> <span class="k">end</span> <span class="c"># This function safely processes a container.</span> <span class="c"># The variable 'obj' can either be a 'Container' or 'nothing'.</span> <span class="k">function</span><span class="nf"> process_container</span><span class="x">(</span><span class="n">obj</span><span class="x">)</span> <span class="c"># This is a "guard clause" using short-circuiting.</span> <span class="c"># The second part, 'obj.value &gt; 10', is ONLY evaluated if the first part is true.</span> <span class="k">if</span> <span class="n">obj</span> <span class="o">!==</span> <span class="nb">nothing</span> <span class="o">&amp;&amp;</span> <span class="n">obj</span><span class="o">.</span><span class="n">value</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing container with high value: "</span><span class="x">,</span> <span class="n">obj</span><span class="o">.</span><span class="n">value</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"Skipping, object is either nothing or its value is not &gt; 10."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># Create an instance of our container</span> <span class="n">c1</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Create a variable that holds 'nothing'</span> <span class="n">c2</span> <span class="o">=</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Processing a valid container ---"</span><span class="x">)</span> <span class="n">process_container</span><span class="x">(</span><span class="n">c1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Processing 'nothing' ---"</span><span class="x">)</span> <span class="c"># Without the short-circuit guard, `c2.value` would cause a crash.</span> <span class="n">process_container</span><span class="x">(</span><span class="n">c2</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates a practical and critical use of the <code>&amp;&amp;</code> operator's short-circuiting behavior: creating a <strong>guard clause</strong>.</p> <ul> <li><p><strong>The Problem</strong>: In many languages, you might have a variable that could be <code>null</code> (or <code>None</code> in Python). In Julia, the equivalent is <code>nothing</code>. If you try to access a member of <code>nothing</code> (e.g., <code>nothing.value</code>), your program will crash.</p></li> <li><p><strong>The Solution</strong>: Short-circuiting provides an elegant and performant solution. In the line <code>if obj !== nothing &amp;&amp; obj.value &gt; 10</code>:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Julia first evaluates `obj !== nothing`. The `!==` operator is the negation of `===` (strict identity) and is the standard way to check if something is not `nothing`. 2. If `obj` is `nothing`, this expression is `false`. Because this is an `&amp;&amp;` (AND) operation, the entire condition *must* be false, so Julia **stops evaluating** and does not execute the right side. 3. The right side, `obj.value &gt; 10`, is only ever reached if the first check passed, guaranteeing that `obj` is a valid `Container` object and that accessing `.value` is safe. </code></pre> </div> <p>This pattern is fundamental in Julia (and many other languages) for writing robust code that gracefully handles potentially missing values.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0019_short_circuit_guard.jl <span class="nt">---</span> Processing a valid container <span class="nt">---</span> Processing container with high value: 20 <span class="nt">---</span> Processing <span class="s1">'nothing'</span> <span class="nt">---</span> Skipping, object is either nothing or its value is not <span class="o">&gt;</span> 10. </code></pre> </div> <h2> Loops </h2> <h3> <code>0020_for_loop_range.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0020_for_loop_range.jl</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Iterating from 1 to 5 ---"</span><span class="x">)</span> <span class="c"># The expression '1:5' creates a UnitRange object.</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">5</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current value of i is: "</span><span class="x">,</span> <span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Iterating with a step ---"</span><span class="x">)</span> <span class="c"># The expression '2:2:10' creates a StepRange object.</span> <span class="k">for</span> <span class="n">j</span> <span class="k">in</span> <span class="mi">2</span><span class="o">:</span><span class="mi">2</span><span class="o">:</span><span class="mi">10</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current value of j is: "</span><span class="x">,</span> <span class="n">j</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <code>for</code> loop, Julia's primary construct for iteration.</p> <ul> <li><p><strong>Syntax</strong>: The basic structure is <code>for &lt;variable&gt; in &lt;iterable&gt; ... end</code>. The code inside the loop is executed for each element in the <code>&lt;iterable&gt;</code>.</p></li> <li> <p><strong>Ranges</strong>:</p> <ul> <li> <strong><code>UnitRange</code> (<code>start:stop</code>)</strong>: The expression <code>1:5</code> creates a <code>UnitRange</code>, which is a lightweight object that represents the sequence of integers from 1 to 5. It is <strong>performant</strong> because it doesn't actually allocate memory to store all the numbers; it just tracks the start and end points.</li> <li> <strong><code>StepRange</code> (<code>start:step:stop</code>)</strong>: The expression <code>2:2:10</code> creates a <code>StepRange</code>, representing the sequence starting at 2, incrementing by 2, up to 10. This is also a very efficient object.</li> </ul> </li> </ul> <p>This is the direct equivalent of <code>for (int i = 1; i &lt;= 5; ++i)</code> in C/C++/Rust or <code>for i in range(1, 6)</code> in Python.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0020_for_loop_range.jl <span class="nt">---</span> Iterating from 1 to 5 <span class="nt">---</span> Current value of i is: 1 Current value of i is: 2 Current value of i is: 3 Current value of i is: 4 Current value of i is: 5 <span class="nt">---</span> Iterating with a step <span class="nt">---</span> Current value of j is: 2 Current value of j is: 4 Current value of j is: 6 Current value of j is: 8 Current value of j is: 10 </code></pre> </div> <h3> <code>0021_for_loop_collection.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0021_for_loop_collection.jl</span> <span class="c"># A Vector is Julia's primary resizable array type.</span> <span class="n">fruits</span> <span class="o">=</span> <span class="x">[</span><span class="s">"Apple"</span><span class="x">,</span> <span class="s">"Banana"</span><span class="x">,</span> <span class="s">"Cherry"</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Iterating over a Vector of strings ---"</span><span class="x">)</span> <span class="k">for</span> <span class="n">fruit</span> <span class="k">in</span> <span class="n">fruits</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing: "</span><span class="x">,</span> <span class="n">fruit</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Iterating with index and value using enumerate ---"</span><span class="x">)</span> <span class="k">for</span> <span class="x">(</span><span class="n">index</span><span class="x">,</span> <span class="n">fruit</span><span class="x">)</span> <span class="k">in</span> <span class="n">enumerate</span><span class="x">(</span><span class="n">fruits</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Item at index "</span><span class="x">,</span> <span class="n">index</span><span class="x">,</span> <span class="s">" is: "</span><span class="x">,</span> <span class="n">fruit</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script shows how to iterate directly over the elements of a collection, which is one of the most common uses for a <code>for</code> loop.</p> <ul> <li><p><strong>Direct Iteration</strong>: The syntax <code>for fruit in fruits</code> iterates through each element of the <code>fruits</code> collection, assigning the element to the <code>fruit</code> variable for each pass of the loop. This is the direct equivalent of a range-based <code>for</code> loop in C++/Rust or a standard <code>for item in list</code> loop in Python. It's the most readable and idiomatic way to process every item in a collection.</p></li> <li><p><strong><code>enumerate()</code></strong>: If you need both the index and the value during iteration, the <code>enumerate()</code> function provides an efficient way to do so. It wraps the collection and, on each iteration, yields a tuple of <code>(index, value)</code>. This is preferable to manually managing an index counter (e.g., <code>i = 1; for fruit in fruits... i += 1</code>).</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0021_for_loop_collection.jl <span class="nt">---</span> Iterating over a Vector of strings <span class="nt">---</span> Processing: Apple Processing: Banana Processing: Cherry <span class="nt">---</span> Iterating with index and value using enumerate <span class="nt">---</span> Item at index 1 is: Apple Item at index 2 is: Banana Item at index 3 is: Cherry </code></pre> </div> <h3> <code>0022_while_loop.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0022_while_loop.jl</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Countdown from 5 using a while loop ---"</span><span class="x">)</span> <span class="c"># Initialize a counter variable outside the loop</span> <span class="n">n</span> <span class="o">=</span> <span class="mi">5</span> <span class="c"># The loop will continue as long as n is greater than 0</span> <span class="k">while</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current value of n is: "</span><span class="x">,</span> <span class="n">n</span><span class="x">)</span> <span class="c"># It is crucial to update the condition variable inside the loop</span> <span class="kd">global</span> <span class="n">n</span> <span class="o">-=</span> <span class="mi">1</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Blast off!"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the <code>while</code> loop, which executes a block of code repeatedly as long as a specified condition remains true.</p> <ul> <li><p><strong>Syntax</strong>: The structure is <code>while &lt;condition&gt; ... end</code>.</p></li> <li><p><strong>Execution Flow</strong>: Before each iteration, the <code>&lt;condition&gt;</code> is evaluated. If it's <code>true</code>, the body of the loop is executed. If it's <code>false</code>, the loop terminates, and execution continues after the <code>end</code> keyword.</p></li> <li><p><strong>Loop Variable</strong>: It's the programmer's responsibility to ensure the condition eventually becomes false. In this example, <code>n -= 1</code> decrements the counter in each iteration. Forgetting this line would result in an infinite loop, as <code>n</code> would always be <code>5</code>.</p></li> <li><p><strong><code>global</code> Keyword</strong>: Just like in the <code>for</code> loop example, because we are modifying a global variable <code>n</code> from within the "soft scope" of the <code>while</code> loop, we must use <code>global n -= 1</code> to explicitly state our intent to modify the global variable.</p></li> </ul> <p><code>while</code> loops are best used when the number of iterations isn't known beforehand and depends on a state that changes within the loop.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0022_while_loop.jl <span class="nt">---</span> Countdown from 5 using a <span class="k">while </span>loop <span class="nt">---</span> Current value of n is: 5 Current value of n is: 4 Current value of n is: 3 Current value of n is: 2 Current value of n is: 1 Blast off! </code></pre> </div> <h3> <code>0023_loop_control.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0023_loop_control.jl</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Using 'continue' and 'break' in a loop from 1 to 10 ---"</span><span class="x">)</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">10</span> <span class="c"># If i is 3, skip the rest of this iteration and start the next one.</span> <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">3</span> <span class="n">println</span><span class="x">(</span><span class="s">"Skipping 3 with 'continue'..."</span><span class="x">)</span> <span class="n">continue</span> <span class="k">end</span> <span class="c"># If i is 8, terminate the loop completely.</span> <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">8</span> <span class="n">println</span><span class="x">(</span><span class="s">"Exiting loop at 8 with 'break'..."</span><span class="x">)</span> <span class="n">break</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing number: "</span><span class="x">,</span> <span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Loop finished."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the two essential keywords for controlling the flow of a loop: <code>continue</code> and <code>break</code>. Their behavior is identical to their counterparts in C, C++, Rust, and Python.</p> <ul> <li><p><strong><code>continue</code></strong>: This keyword immediately stops the current iteration of the loop. The program "skips" the rest of the code in the loop's body for the current element and moves on to the next one. In the example, when <code>i</code> is 3, the <code>println("Processing...")</code> line is never reached.</p></li> <li><p><strong><code>break</code></strong>: This keyword immediately terminates the innermost loop it is in. Execution jumps to the first line of code after the loop's <code>end</code> block. In the example, once <code>i</code> reaches 8, the loop stops entirely, and numbers 9 and 10 are never processed.</p></li> </ul> <p>These keywords are fundamental tools for handling special cases or termination conditions within an iterative process.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0023_loop_control.jl <span class="nt">---</span> Using <span class="s1">'continue'</span> and <span class="s1">'break'</span> <span class="k">in </span>a loop from 1 to 10 <span class="nt">---</span> Processing number: 1 Processing number: 2 Skipping 3 with <span class="s1">'continue'</span>... Processing number: 4 Processing number: 5 Processing number: 6 Processing number: 7 Exiting loop at 8 with <span class="s1">'break'</span>... Loop finished. </code></pre> </div> <h3> <code>0024_nested_loops.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0024_nested_loops.jl</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Demonstrating nested loops to create coordinate pairs ---"</span><span class="x">)</span> <span class="c"># The outer loop iterates from 1 to 3</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">3</span> <span class="c"># The inner loop iterates from 1 to 2</span> <span class="k">for</span> <span class="n">j</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">2</span> <span class="c"># This line is executed for every combination of i and j.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Coordinate: ("</span><span class="x">,</span> <span class="n">i</span><span class="x">,</span> <span class="s">", "</span><span class="x">,</span> <span class="n">j</span><span class="x">,</span> <span class="s">")"</span><span class="x">)</span> <span class="k">end</span> <span class="c"># This line is executed after the inner loop completes for a given i.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Inner loop finished for i = "</span><span class="x">,</span> <span class="n">i</span><span class="x">,</span> <span class="s">" ---"</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script shows a <strong>nested loop</strong>, where one loop is placed inside another.</p> <ul> <li> <strong>Execution Flow</strong>: The inner loop (<code>for j in 1:2</code>) runs to completion for <strong>each single iteration</strong> of the outer loop (<code>for i in 1:3</code>).</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. The outer loop starts with `i = 1`. 2. The inner loop then runs completely for `j = 1` and `j = 2`. 3. The outer loop moves to `i = 2`. 4. The inner loop runs completely again for `j = 1` and `j = 2`. 5. This process repeats until the outer loop is finished. </code></pre> </div> <ul> <li> <p><strong>Compact Syntax</strong>: Julia also offers a more compact syntax for nested loops, which is often more readable:<br> </p> <pre class="highlight julia"><code><span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">3</span><span class="x">,</span> <span class="n">j</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">2</span> <span class="n">println</span><span class="x">(</span><span class="s">"Coordinate: ("</span><span class="x">,</span> <span class="n">i</span><span class="x">,</span> <span class="s">", "</span><span class="x">,</span> <span class="n">j</span><span class="x">,</span> <span class="s">")"</span><span class="x">)</span> <span class="k">end</span> </code></pre> <p>This single loop header is equivalent to the two separate <code>for</code> blocks.</p> </li> </ul> <p>Nested loops are commonly used for tasks like iterating over 2D arrays (matrices), generating combinations, or creating coordinate grids.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0024_nested_loops.jl <span class="nt">---</span> Demonstrating nested loops to create coordinate pairs <span class="nt">---</span> Coordinate: <span class="o">(</span>1, 1<span class="o">)</span> Coordinate: <span class="o">(</span>1, 2<span class="o">)</span> <span class="nt">---</span> Inner loop finished <span class="k">for </span>i <span class="o">=</span> 1 <span class="nt">---</span> Coordinate: <span class="o">(</span>2, 1<span class="o">)</span> Coordinate: <span class="o">(</span>2, 2<span class="o">)</span> <span class="nt">---</span> Inner loop finished <span class="k">for </span>i <span class="o">=</span> 2 <span class="nt">---</span> Coordinate: <span class="o">(</span>3, 1<span class="o">)</span> Coordinate: <span class="o">(</span>3, 2<span class="o">)</span> <span class="nt">---</span> Inner loop finished <span class="k">for </span>i <span class="o">=</span> 3 <span class="nt">---</span> </code></pre> </div> <h3> <code>0025_loop_performance.md</code> </h3> <h3> Explanation </h3> <p>As a systems programmer, you know that the performance of a loop is critical. In interpreted languages like Python, loops are famously slow because the interpreter has to re-evaluate every operation in every iteration. Julia solves this problem, achieving C/Rust-level speed for loops.</p> <h2> The Julia Performance Model: Functions are Compilation Boundaries </h2> <p>The single most important rule is: <strong>For performance, put your code in functions.</strong></p> <ul> <li><p><strong>Global Scope is Slow</strong>: When you run a <code>for</code> loop in the global scope (like in many of our basic examples), Julia's compiler can't make many assumptions. The types of the variables involved could change at any time, forcing the interpreter to fall back to slow, dynamic lookups in every iteration.</p></li> <li><p><strong>Functions are Fast</strong>: When you put a loop inside a function, the Julia JIT compiler can perform powerful optimizations. The first time you call a function with arguments of specific types (e.g., <code>my_function(10, 3.0)</code>), the compiler:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Analyzes Types**: It traces the types of all variables throughout the function. 2. **Checks for Type Stability**: It checks if the types of variables change within the function. 3. **Generates Specialized Machine Code**: If the function is type-stable, the compiler generates a highly optimized version of that function specifically for those input types. </code></pre> </div> <p>The result is machine code that is just as fast as what a C++ or Rust compiler would produce. The overhead of the JIT compilation happens only once (the first time), and every subsequent call to the function with the same argument types is extremely fast.</p> <h3> Example: The "Why" </h3> <p>Consider this simple loop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># Slow if run in global scope</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">1_000_000_000</span> <span class="c"># operation</span> <span class="k">end</span> <span class="c"># Fast if run like this</span> <span class="k">function</span><span class="nf"> loop_in_a_function</span><span class="x">()</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">1_000_000_000</span> <span class="c"># operation</span> <span class="k">end</span> <span class="k">end</span> <span class="n">loop_in_a_function</span><span class="x">()</span> <span class="c"># First call compiles, subsequent calls are fast</span> </code></pre> </div> <p>Inside <code>loop_in_a_function</code>, the compiler knows the type of <code>i</code> will always be an <code>Int</code>. It can then unroll the loop, use CPU registers, and apply other low-level optimizations, just as <code>gcc</code> or <code>clang</code> would. In the global scope, it cannot make these guarantees.</p> <p>This "compilation boundary" at the function level is the core of Julia's performance model and the reason it successfully solves the "two-language problem" (where you prototype in a slow language and rewrite in a fast one). In Julia, the prototype <em>is</em> the fast code, as long as it's written in functions.</p> <h1> Module 3: Collections </h1> <h2> Tuples </h2> <h3> <code>0026_tuples.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0026_tuples.jl</span> <span class="c"># 1. Tuples are created with parentheses and commas.</span> <span class="c"># They are immutable and have a fixed size.</span> <span class="n">my_tuple</span> <span class="o">=</span> <span class="x">(</span><span class="mi">10</span><span class="x">,</span> <span class="s">"hello"</span><span class="x">,</span> <span class="nb">true</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Tuple value: "</span><span class="x">,</span> <span class="n">my_tuple</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Tuple type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">my_tuple</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Elements are accessed with 1-based indexing.</span> <span class="n">first_element</span> <span class="o">=</span> <span class="n">my_tuple</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="n">second_element</span> <span class="o">=</span> <span class="n">my_tuple</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"First element: "</span><span class="x">,</span> <span class="n">first_element</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Second element: "</span><span class="x">,</span> <span class="n">second_element</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 3. You can "destructure" a tuple to unpack its values into separate variables.</span> <span class="c"># This is a common and efficient way to handle multiple return values from a function.</span> <span class="x">(</span><span class="n">a</span><span class="x">,</span> <span class="n">b</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="o">=</span> <span class="n">my_tuple</span> <span class="n">println</span><span class="x">(</span><span class="s">"Unpacked variable 'a': "</span><span class="x">,</span> <span class="n">a</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Unpacked variable 'b': "</span><span class="x">,</span> <span class="n">b</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Unpacked variable 'c': "</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="c"># 4. Attempting to modify a tuple will result in an error.</span> <span class="k">try</span> <span class="n">my_tuple</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="mi">20</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Error trying to modify a tuple: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong>tuple</strong>, a fixed-size, immutable collection of ordered elements. Its properties make it a highly performant data structure, very similar to a <code>std::tuple</code> in C++ or a tuple in Python.</p> <ul> <li><p><strong>Creation</strong>: Tuples are defined by enclosing comma-separated values in parentheses <code>()</code>. The type of the tuple, like <code>Tuple{Int64, String, Bool}</code>, is determined by the types of the elements it contains.</p></li> <li><p><strong>Immutability</strong>: Once a tuple is created, its contents cannot be changed. This makes it a safe and predictable data structure to pass around, as you can be certain it won't be modified.</p></li> <li><p><strong>Access</strong>: Elements are accessed using square brackets <code>[]</code> with <strong>1-based indexing</strong>, just like strings. <code>my_tuple[1]</code> retrieves the first element.</p></li> <li><p><strong>Destructuring</strong>: This is a powerful feature where you can unpack the elements of a tuple directly into variables. The syntax <code>(a, b, c) = my_tuple</code> assigns <code>my_tuple[1]</code> to <code>a</code>, <code>my_tuple[2]</code> to <code>b</code>, and so on. This is the idiomatic way to handle functions that return multiple values.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0026_tuples.jl Tuple value: <span class="o">(</span>10, <span class="s2">"hello"</span>, <span class="nb">true</span><span class="o">)</span> Tuple <span class="nb">type</span>: Tuple<span class="o">{</span>Int64, String, Bool<span class="o">}</span> <span class="nt">--------------------</span> First element: 10 Second element: hello <span class="nt">--------------------</span> Unpacked variable <span class="s1">'a'</span>: 10 Unpacked variable <span class="s1">'b'</span>: hello Unpacked variable <span class="s1">'c'</span>: <span class="nb">true </span>Error trying to modify a tuple: MethodError<span class="o">(</span><span class="nv">f</span><span class="o">=</span>setindex!, <span class="nv">args</span><span class="o">=(</span>...<span class="o">))</span> </code></pre> </div> <h3> <code>0027_named_tuples.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0027_named_tuples.jl</span> <span class="c"># 1. A NamedTuple is created with a syntax similar to a tuple,</span> <span class="c"># but each element is given a name.</span> <span class="n">point</span> <span class="o">=</span> <span class="x">(</span><span class="n">x</span><span class="o">=</span><span class="mi">10</span><span class="x">,</span> <span class="n">y</span><span class="o">=</span><span class="mi">20</span><span class="x">,</span> <span class="n">label</span><span class="o">=</span><span class="s">"Start"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"NamedTuple value: "</span><span class="x">,</span> <span class="n">point</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"NamedTuple type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">point</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Elements can be accessed like struct fields using dot notation.</span> <span class="c"># This is the primary and most readable way to access them.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Access via name (point.x): "</span><span class="x">,</span> <span class="n">point</span><span class="o">.</span><span class="n">x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Access via name (point.label): "</span><span class="x">,</span> <span class="n">point</span><span class="o">.</span><span class="n">label</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 3. It is still a tuple, so you can also access elements by index.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Access via index (point[1]): "</span><span class="x">,</span> <span class="n">point</span><span class="x">[</span><span class="mi">1</span><span class="x">])</span> <span class="n">println</span><span class="x">(</span><span class="s">"Access via index (point[3]): "</span><span class="x">,</span> <span class="n">point</span><span class="x">[</span><span class="mi">3</span><span class="x">])</span> <span class="c"># You can also get its keys and values</span> <span class="n">println</span><span class="x">(</span><span class="s">"Keys: "</span><span class="x">,</span> <span class="n">keys</span><span class="x">(</span><span class="n">point</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Values: "</span><span class="x">,</span> <span class="n">values</span><span class="x">(</span><span class="n">point</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>NamedTuple</code></strong>, which combines the performance and immutability of a tuple with the readability of a <code>struct</code>.</p> <ul> <li><p><strong>Syntax</strong>: A <code>NamedTuple</code> is created by assigning names to each element within the parentheses: <code>(name1 = value1, name2 = value2)</code>. The resulting type includes the names and the types of the values, like <code>NamedTuple{(:x, :y, :label), Tuple{Int64, Int64, String}}</code>.</p></li> <li><p><strong>Access</strong>: The key advantage of a <code>NamedTuple</code> is that you can access its elements using dot notation (<code>point.x</code>), which makes the code self-documenting. You can still access elements by their 1-based index (<code>point[1]</code>) just like a regular tuple.</p></li> <li><p><strong>Use Case</strong>: <code>NamedTuple</code>s are extremely useful as lightweight, "anonymous" structs. They are perfect for returning multiple, clearly-labeled values from a function without the need to define a formal <code>struct</code> type beforehand. Because they are immutable and have a fixed structure known at compile time, they are just as <strong>performant</strong> as regular tuples.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0027_named_tuples.jl NamedTuple value: <span class="o">(</span>x <span class="o">=</span> 10, y <span class="o">=</span> 20, label <span class="o">=</span> <span class="s2">"Start"</span><span class="o">)</span> NamedTuple <span class="nb">type</span>: NamedTuple<span class="o">{(</span>:x, :y, :label<span class="o">)</span>, Tuple<span class="o">{</span>Int64, Int64, String<span class="o">}}</span> <span class="nt">--------------------</span> Access via name <span class="o">(</span>point.x<span class="o">)</span>: 10 Access via name <span class="o">(</span>point.label<span class="o">)</span>: Start <span class="nt">--------------------</span> Access via index <span class="o">(</span>point[1]<span class="o">)</span>: 10 Access via index <span class="o">(</span>point[3]<span class="o">)</span>: Start Keys: <span class="o">(</span>:x, :y, :label<span class="o">)</span> Values: <span class="o">(</span>10, 20, <span class="s2">"Start"</span><span class="o">)</span> </code></pre> </div> <h3> <code>0028_tuple_performance.md</code> </h3> <h3> Explanation </h3> <p>For a systems programmer, understanding <em>why</em> a data structure is fast is as important as knowing how to use it. Tuples and <code>NamedTuple</code>s are among the most performant data structures in Julia because of how the compiler treats them.</p> <h2> Why Tuples are Fast </h2> <p>A tuple in Julia is conceptually very similar to a <code>struct</code> in C.</p> <p>Consider this C <code>struct</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">struct</span> <span class="n">Point</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">x</span><span class="p">;</span> <span class="kt">double</span> <span class="n">y</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>And this Julia <code>NamedTuple</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">point</span> <span class="o">=</span> <span class="x">(</span><span class="n">x</span><span class="o">=</span><span class="mi">10</span><span class="x">,</span> <span class="n">y</span><span class="o">=</span><span class="mf">3.14</span><span class="x">)</span> </code></pre> </div> <p>The Julia compiler can optimize the <code>NamedTuple</code> to have a memory layout and performance profile that is virtually identical to the C <code>struct</code>. Here’s why:</p> <ol> <li><p><strong>Immutable</strong>: Because tuples cannot be changed after creation, the compiler has a strong guarantee about their state. It knows the values and types inside a tuple are fixed for its entire lifetime.</p></li> <li><p><strong>Fixed-Size and Type-Stable</strong>: The size, type, and order of elements in a tuple are known at compile time. This allows the compiler to generate specialized, highly efficient machine code to access its elements. There is no dynamic lookup; accessing <code>point.x</code> can be compiled down to a simple memory offset from a base pointer, just like accessing a member of a C <code>struct</code>.</p></li> <li><p><strong>Stack Allocation</strong>: For small, simple tuples (containing primitive types like numbers), the compiler will often allocate them directly on the <strong>stack</strong> instead of the heap. Stack allocation is significantly faster than heap allocation because it's just a matter of moving the stack pointer. This completely avoids the overhead of the garbage collector (GC), making their use in tight loops extremely cheap.</p></li> </ol> <p>In summary, you should feel confident using tuples and <code>NamedTuple</code>s in performance-critical code. They are not like Python tuples, which carry extra overhead. Julia tuples are lightweight, compile-time constructs that map very closely to the efficient memory layouts you are used to in C, C++, and Rust.</p> <h2> Vector </h2> <h3> <code>0029_vector_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0029_vector_basics.jl</span> <span class="c"># 1. A Vector is created with square brackets.</span> <span class="c"># It is a mutable, resizable, one-dimensional array.</span> <span class="n">my_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector value: "</span><span class="x">,</span> <span class="n">my_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">my_vector</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Initial length: "</span><span class="x">,</span> <span class="n">length</span><span class="x">(</span><span class="n">my_vector</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Use `push!` to add elements to the end of the vector.</span> <span class="c"># The '!' signifies that this function modifies its first argument.</span> <span class="n">push!</span><span class="x">(</span><span class="n">my_vector</span><span class="x">,</span> <span class="mi">40</span><span class="x">)</span> <span class="n">push!</span><span class="x">(</span><span class="n">my_vector</span><span class="x">,</span> <span class="mi">50</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector after pushing elements: "</span><span class="x">,</span> <span class="n">my_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"New length: "</span><span class="x">,</span> <span class="n">length</span><span class="x">(</span><span class="n">my_vector</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 3. Access and modify elements using 1-based indexing.</span> <span class="c"># Because Vectors are mutable, their elements can be changed.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Element at index 2: "</span><span class="x">,</span> <span class="n">my_vector</span><span class="x">[</span><span class="mi">2</span><span class="x">])</span> <span class="n">my_vector</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="o">=</span> <span class="mi">25</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector after modification: "</span><span class="x">,</span> <span class="n">my_vector</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>Vector</code></strong>, which is Julia's fundamental, resizable, one-dimensional array. It's the direct equivalent of <code>std::vector</code> in C++, <code>Vec</code> in Rust, or <code>list</code> in Python.</p> <ul> <li><p><strong>Creation</strong>: Vectors are created using square brackets <code>[...]</code>. The type of the vector is inferred from the elements it contains. <code>[10, 20, 30]</code> creates a <code>Vector{Int64}</code>.</p></li> <li><p><strong>Mutability</strong>: Unlike tuples, vectors are <strong>mutable</strong>. You can add, remove, and change their elements after they are created.</p></li> <li><p><strong><code>push!()</code></strong>: The standard function for appending an element to the end of a vector is <code>push!</code>. The <code>!</code> at the end is a Julia convention indicating that the function <strong>modifies</strong> its first argument (in this case, <code>my_vector</code>).</p></li> <li><p><strong><code>length()</code></strong>: This function returns the number of elements currently in the vector.</p></li> <li><p><strong>Access &amp; Modification</strong>: You can access and reassign elements using 1-based indexing (<code>my_vector[2] = 25</code>), just like you would with a standard C array or <code>std::vector</code>.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0029_vector_basics.jl Vector value: <span class="o">[</span>10, 20, 30] Vector <span class="nb">type</span>: Vector<span class="o">{</span>Int64<span class="o">}</span> Initial length: 3 <span class="nt">--------------------</span> Vector after pushing elements: <span class="o">[</span>10, 20, 30, 40, 50] New length: 5 <span class="nt">--------------------</span> Element at index 2: 20 Vector after modification: <span class="o">[</span>10, 25, 30, 40, 50] </code></pre> </div> <h3> <code>0030_vector_slicing.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0030_vector_slicing.jl</span> <span class="n">original_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">,</span> <span class="mi">40</span><span class="x">,</span> <span class="mi">50</span><span class="x">]</span> <span class="c"># 1. Create a "slice" of the vector from the 2nd to the 4th element.</span> <span class="c"># In Julia, this operation creates a new Vector, copying the elements.</span> <span class="n">sub_vector</span> <span class="o">=</span> <span class="n">original_vector</span><span class="x">[</span><span class="mi">2</span><span class="o">:</span><span class="mi">4</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original vector: "</span><span class="x">,</span> <span class="n">original_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sub-vector (slice): "</span><span class="x">,</span> <span class="n">sub_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of sub-vector: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">sub_vector</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Modify an element in the original vector.</span> <span class="n">original_vector</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="o">=</span> <span class="mi">999</span> <span class="c"># 3. Observe the results. The sub-vector is unaffected because it's a separate copy.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original vector after modification: "</span><span class="x">,</span> <span class="n">original_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sub-vector remains unchanged: "</span><span class="x">,</span> <span class="n">sub_vector</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>slicing</strong>, a common operation for extracting a sub-section of an array. It also reveals a critical performance behavior in Julia.</p> <ul> <li> <strong>Syntax</strong>: Slicing is done using the range syntax <code>[start:end]</code> inside the indexing brackets. <code>original_vector[2:4]</code> creates a new sequence containing the elements from index 2 up to and including index 4.</li> </ul> <h3> Performance Note ❗ </h3> <p>This is a crucial concept for a systems programmer. By default, <strong>slicing an array in Julia creates a copy</strong>, not a view or a reference.</p> <ul> <li><p><strong>What it means</strong>: The expression <code>original_vector[2:4]</code> allocates new memory for a new <code>Vector</code>, and then copies the values (<code>20</code>, <code>30</code>, <code>40</code>) from the original vector into this new one. The variable <code>sub_vector</code> points to this completely independent object.</p></li> <li><p><strong>Implications</strong>: While safe, this behavior can be very <strong>inefficient</strong> if you are working with large arrays or performing slicing inside a performance-critical loop. It leads to unnecessary memory allocations and data copying, which can hurt performance and increase pressure on the garbage collector.</p></li> </ul> <p>The next lesson will introduce <strong>views</strong>, which are Julia's high-performance, zero-copy solution to this problem.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0030_vector_slicing.jl Original vector: <span class="o">[</span>10, 20, 30, 40, 50] Sub-vector <span class="o">(</span>slice<span class="o">)</span>: <span class="o">[</span>20, 30, 40] Type of sub-vector: Vector<span class="o">{</span>Int64<span class="o">}</span> <span class="nt">--------------------</span> Original vector after modification: <span class="o">[</span>10, 999, 30, 40, 50] Sub-vector remains unchanged: <span class="o">[</span>20, 30, 40] </code></pre> </div> <h3> <code>0031_vector_views.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0031_vector_views.jl</span> <span class="n">original_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">,</span> <span class="mi">40</span><span class="x">,</span> <span class="mi">50</span><span class="x">]</span> <span class="c"># 1. Create a "view" of the vector using the @view macro.</span> <span class="c"># This does NOT copy the data; it creates a lightweight object</span> <span class="c"># that refers to the original vector's memory.</span> <span class="n">sub_view</span> <span class="o">=</span> <span class="nd">@view</span> <span class="n">original_vector</span><span class="x">[</span><span class="mi">2</span><span class="o">:</span><span class="mi">4</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original vector: "</span><span class="x">,</span> <span class="n">original_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sub-view: "</span><span class="x">,</span> <span class="n">sub_view</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of sub-view: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">sub_view</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Modify an element in the original vector.</span> <span class="n">original_vector</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="o">=</span> <span class="mi">999</span> <span class="c"># 3. Observe the results. The sub-view is AFFECTED because it shares</span> <span class="c"># the same underlying data as the original vector.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original vector after modification: "</span><span class="x">,</span> <span class="n">original_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sub-view now reflects the change: "</span><span class="x">,</span> <span class="n">sub_view</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>views</strong>, Julia's high-performance, zero-copy solution for array slicing. This concept is the direct equivalent of <code>std::span</code> in C++, slices (<code>&amp;[T]</code>) in Rust, or <code>memoryview</code> in Python.</p> <ul> <li><p><strong><code>@view</code> Macro</strong>: To create a view, you prefix the standard slicing operation with the <code>@view</code> macro. Instead of allocating a new <code>Vector</code>, this creates a <code>SubArray</code> object.</p></li> <li><p><strong><code>SubArray</code></strong>: A <code>SubArray</code> is a lightweight wrapper that stores a reference to the original array along with information about the selected indices. It does <strong>not</strong> own its own data.</p></li> </ul> <h3> Performance and Behavior ❗ </h3> <p>This is the idiomatic way to handle slicing in performance-critical code.</p> <ul> <li> <strong>Zero-Copy</strong>: Creating a view is extremely fast because no data is copied. The operation is allocation-free, which reduces the workload on the garbage collector and avoids memory bandwidth costs.</li> <li> <strong>Shared Memory</strong>: As the example shows, since the view and the original vector share the same underlying data, any modification made through one is immediately visible in the other.</li> </ul> <p><strong>Rule of Thumb</strong>: When you need to pass a slice of an array to a function, always use a view to prevent unnecessary copying. Slicing with <code>my_array[start:end]</code> is for when you explicitly need an independent copy of the data.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0031_vector_views.jl Original vector: <span class="o">[</span>10, 20, 30, 40, 50] Sub-view: <span class="o">[</span>20, 30, 40] Type of sub-view: SubArray<span class="o">{</span>Int64, 1, Vector<span class="o">{</span>Int64<span class="o">}</span>, Tuple<span class="o">{</span>UnitRange<span class="o">{</span>Int64<span class="o">}}</span>, <span class="nb">true</span><span class="o">}</span> <span class="nt">--------------------</span> Original vector after modification: <span class="o">[</span>10, 999, 30, 40, 50] Sub-view now reflects the change: <span class="o">[</span>999, 30, 40] </code></pre> </div> <h3> <code>0032_vector_comprehensions.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0032_vector_comprehensions.jl</span> <span class="c"># 1. A comprehension provides a concise way to create a new vector.</span> <span class="c"># This creates a vector of the squares of numbers from 1 to 5.</span> <span class="n">squares</span> <span class="o">=</span> <span class="x">[</span><span class="n">i</span><span class="o">^</span><span class="mi">2</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">5</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector of squares: "</span><span class="x">,</span> <span class="n">squares</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">squares</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. You can add a filter condition with an 'if' clause.</span> <span class="c"># This creates a vector of only the even numbers from 1 to 10.</span> <span class="n">evens</span> <span class="o">=</span> <span class="x">[</span><span class="n">i</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">10</span> <span class="k">if</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector of even numbers: "</span><span class="x">,</span> <span class="n">evens</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 3. The comprehension above is a more readable and equally performant</span> <span class="c"># equivalent of writing the following manual loop:</span> <span class="n">evens_loop</span> <span class="o">=</span> <span class="kt">Int</span><span class="x">[]</span> <span class="c"># Create an empty vector of Integers</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">10</span> <span class="k">if</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span> <span class="n">push!</span><span class="x">(</span><span class="n">evens_loop</span><span class="x">,</span> <span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector from manual loop: "</span><span class="x">,</span> <span class="n">evens_loop</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>comprehensions</strong>, a powerful and concise syntax for creating collections. This feature will be immediately familiar to you from Python's list comprehensions.</p> <ul> <li><p><strong>Syntax</strong>: The basic structure is <code>[expression for variable in iterable]</code>. For each element in the <code>iterable</code>, the <code>expression</code> is evaluated, and the results are collected into a new <code>Vector</code>.</p></li> <li><p><strong>Filtering</strong>: You can add a conditional clause <code>if condition</code> at the end to filter which elements are processed. The <code>expression</code> is only evaluated for elements where the <code>condition</code> is <code>true</code>.</p></li> <li><p><strong>Readability &amp; Performance</strong>: Comprehensions are often more readable than writing out a full <code>for</code> loop with <code>push!</code>. They are also just as <strong>performant</strong>. The Julia compiler is able to generate highly optimized code for comprehensions, often pre-calculating the size of the final vector and allocating it in a single step. This makes them the idiomatic choice for constructing a new vector based on an existing sequence.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0032_vector_comprehensions.jl Vector of squares: <span class="o">[</span>1, 4, 9, 16, 25] Type: Vector<span class="o">{</span>Int64<span class="o">}</span> <span class="nt">--------------------</span> Vector of even numbers: <span class="o">[</span>2, 4, 6, 8, 10] <span class="nt">--------------------</span> Vector from manual loop: <span class="o">[</span>2, 4, 6, 8, 10] </code></pre> </div> <h3> <code>0033_vector_of_any.md</code> </h3> <h3> Explanation </h3> <p>This is one of the most critical performance concepts in Julia, especially for a systems programmer. Understanding the difference between a <strong>concrete</strong> vector like <code>Vector{Int64}</code> and an <strong>abstract</strong> vector like <code>Vector{Any}</code> is the key to avoiding massive, unexpected slowdowns.</p> <h2> The Performance Pitfall of <code>Vector{Any}</code> </h2> <p>When you create a vector with elements of different types, Julia creates a heterogeneous vector of type <code>Vector{Any}</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># This creates a Vector{Any}</span> <span class="n">mixed_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="s">"hello"</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">]</span> </code></pre> </div> <p>From a performance perspective, a <code>Vector{Any}</code> is disastrous. You should think of it as a <code>Vector{void*}</code> in C/C++.</p> <h3> Memory Layout Comparison </h3> <ul> <li><p><strong><code>Vector{Int64}</code> (Concrete &amp; Fast)</strong>: This is a single, contiguous block of memory containing 64-bit integers. It's cache-friendly, and accessing an element is a simple memory offset calculation. It's as fast as a C array or <code>std::vector&lt;int64_t&gt;</code>.</p></li> <li><p><strong><code>Vector{Any}</code> (Abstract &amp; Slow)</strong>: This is a contiguous block of <strong>pointers</strong>. Each element of the vector is not the value itself, but a pointer to a heap-allocated "box" that contains the value <em>and</em> its type information.</p></li> </ul> <h3> Why <code>Vector{Any}</code> is Slow </h3> <p>When you iterate over a <code>Vector{Any}</code>, the following happens for <em>every single element</em>:</p> <ol> <li> <strong>Pointer Chasing</strong>: The CPU must read the pointer from the vector.</li> <li> <strong>Cache Miss</strong>: It must then follow that pointer to a potentially random location in heap memory to find the boxed value. This frequently results in a CPU cache miss, which is a major performance penalty.</li> <li> <strong>Dynamic Dispatch (Unboxing)</strong>: Once the box is found, Julia must inspect its type tag at runtime to figure out what the value is (an <code>Int</code>? a <code>String</code>?). Only then can it perform the requested operation. This is called "dynamic dispatch," and it's orders of magnitude slower than a direct machine instruction (like adding two integers).</li> </ol> <p><strong>In short, operating on a <code>Vector{Any}</code> inside a loop prevents almost all of the compiler's optimizations.</strong></p> <p><strong>Rule of Thumb</strong>: Always strive for type-stable, homogeneous collections (e.g., <code>Vector{Int64}</code>, <code>Vector{String}</code>). If you find yourself with a <code>Vector{Any}</code>, it's a strong signal that there is a problem in your code design that needs to be fixed for performance.</p> <h2> Dict And Pair </h2> <h3> <code>0034_dict_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0034_dict_basics.jl</span> <span class="c"># 1. A Dictionary (Dict) is created with the Dict() constructor.</span> <span class="c"># The `key =&gt; value` syntax creates a Pair object.</span> <span class="n">http_codes</span> <span class="o">=</span> <span class="kt">Dict</span><span class="x">(</span> <span class="mi">200</span> <span class="o">=&gt;</span> <span class="s">"OK"</span><span class="x">,</span> <span class="mi">404</span> <span class="o">=&gt;</span> <span class="s">"Not Found"</span><span class="x">,</span> <span class="mi">500</span> <span class="o">=&gt;</span> <span class="s">"Internal Server Error"</span> <span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dictionary value: "</span><span class="x">,</span> <span class="n">http_codes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dictionary type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">http_codes</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Access values using the key in square brackets.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Code 200 means: "</span><span class="x">,</span> <span class="n">http_codes</span><span class="x">[</span><span class="mi">200</span><span class="x">])</span> <span class="c"># 3. Add a new key-value pair or update an existing one.</span> <span class="n">http_codes</span><span class="x">[</span><span class="mi">302</span><span class="x">]</span> <span class="o">=</span> <span class="s">"Found"</span> <span class="c"># Add a new pair</span> <span class="n">http_codes</span><span class="x">[</span><span class="mi">500</span><span class="x">]</span> <span class="o">=</span> <span class="s">"Server Error"</span> <span class="c"># Update an existing value</span> <span class="n">println</span><span class="x">(</span><span class="s">"Updated dictionary: "</span><span class="x">,</span> <span class="n">http_codes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 4. Use `haskey()` to check if a key exists before accessing it.</span> <span class="n">key_to_check</span> <span class="o">=</span> <span class="mi">404</span> <span class="k">if</span> <span class="n">haskey</span><span class="x">(</span><span class="n">http_codes</span><span class="x">,</span> <span class="n">key_to_check</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Key </span><span class="si">$</span><span class="s">key_to_check exists with value: "</span><span class="x">,</span> <span class="n">http_codes</span><span class="x">[</span><span class="n">key_to_check</span><span class="x">])</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"Key </span><span class="si">$</span><span class="s">key_to_check does not exist."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 5. Use `get()` for safe access with a default fallback value.</span> <span class="c"># This is often more concise than an if/else block.</span> <span class="n">value</span> <span class="o">=</span> <span class="n">get</span><span class="x">(</span><span class="n">http_codes</span><span class="x">,</span> <span class="mi">999</span><span class="x">,</span> <span class="s">"Unknown Code"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value for non-existent key 999: "</span><span class="x">,</span> <span class="n">value</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>Dict</code></strong>, Julia's primary hash map or associative array. It's the direct equivalent of <code>std::unordered_map</code> in C++, <code>HashMap</code> in Rust, or <code>dict</code> in Python.</p> <ul> <li><p><strong>Creation</strong>: A <code>Dict</code> is created with the <code>Dict()</code> constructor, which takes a collection of <code>Pair</code> objects. The most common way to create these pairs is with the intuitive <code>key =&gt; value</code> syntax. Julia infers the types, so the example creates a <code>Dict{Int64, String}</code>.</p></li> <li><p><strong>Access and Modification</strong>: Like vectors, <code>Dict</code>s are <strong>mutable</strong>. You use square bracket syntax (<code>my_dict[key]</code>) to both access and assign values. If the key already exists, the value is updated; otherwise, a new key-value pair is created.</p></li> <li><p><strong>Safe Access</strong>: Accessing a non-existent key with <code>my_dict[key]</code> will throw a <code>KeyError</code>. To avoid this, you have two primary methods for safe access:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`haskey(dict, key)`**: This function returns `true` or `false`, allowing you to check for a key's existence inside an `if` statement. 2. **`get(dict, key, default)`**: This is often the preferred method. It attempts to retrieve the value for the key. If the key doesn't exist, it returns the `default` value you provide instead of throwing an error. </code></pre> </div> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0034_dict_basics.jl Dictionary value: Dict<span class="o">(</span>404 <span class="o">=&gt;</span> <span class="s2">"Not Found"</span>, 200 <span class="o">=&gt;</span> <span class="s2">"OK"</span>, 500 <span class="o">=&gt;</span> <span class="s2">"Internal Server Error"</span><span class="o">)</span> Dictionary <span class="nb">type</span>: Dict<span class="o">{</span>Int64, String<span class="o">}</span> <span class="nt">--------------------</span> Code 200 means: OK Updated dictionary: Dict<span class="o">(</span>404 <span class="o">=&gt;</span> <span class="s2">"Not Found"</span>, 200 <span class="o">=&gt;</span> <span class="s2">"OK"</span>, 500 <span class="o">=&gt;</span> <span class="s2">"Server Error"</span>, 302 <span class="o">=&gt;</span> <span class="s2">"Found"</span><span class="o">)</span> <span class="nt">--------------------</span> Key 404 exists with value: Not Found Value <span class="k">for </span>non-existent key 999: Unknown Code </code></pre> </div> <h3> <code>0035_dict_iteration.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0035_dict_iteration.jl</span> <span class="n">http_codes</span> <span class="o">=</span> <span class="kt">Dict</span><span class="x">(</span> <span class="mi">200</span> <span class="o">=&gt;</span> <span class="s">"OK"</span><span class="x">,</span> <span class="mi">404</span> <span class="o">=&gt;</span> <span class="s">"Not Found"</span><span class="x">,</span> <span class="mi">301</span> <span class="o">=&gt;</span> <span class="s">"Moved Permanently"</span> <span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Iterating over keys ---"</span><span class="x">)</span> <span class="c"># The `keys()` function returns an iterable collection of the dictionary's keys.</span> <span class="k">for</span> <span class="n">key</span> <span class="k">in</span> <span class="n">keys</span><span class="x">(</span><span class="n">http_codes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Key: "</span><span class="x">,</span> <span class="n">key</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Iterating over values ---"</span><span class="x">)</span> <span class="c"># The `values()` function returns an iterable collection of the dictionary's values.</span> <span class="k">for</span> <span class="n">value</span> <span class="k">in</span> <span class="n">values</span><span class="x">(</span><span class="n">http_codes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value: "</span><span class="x">,</span> <span class="n">value</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Iterating over key-value pairs ---"</span><span class="x">)</span> <span class="c"># Iterating directly over the dictionary yields key-value pairs.</span> <span class="k">for</span> <span class="x">(</span><span class="n">key</span><span class="x">,</span> <span class="n">value</span><span class="x">)</span> <span class="k">in</span> <span class="n">http_codes</span> <span class="n">println</span><span class="x">(</span><span class="s">"Code </span><span class="si">$</span><span class="s">key means '</span><span class="si">$</span><span class="s">value'"</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the common ways to iterate over a <code>Dict</code>.</p> <ul> <li><p><strong><code>keys(dict)</code></strong>: This function returns an efficient iterator over the keys of the dictionary. You can use this when you only need to work with the keys.</p></li> <li><p><strong><code>values(dict)</code></strong>: Similarly, this function provides an iterator for the dictionary's values.</p></li> <li><p><strong>Direct Iteration (Key-Value Pairs)</strong>: The most common iteration pattern is to loop directly over the dictionary itself. When you do this, Julia yields a <code>Pair</code> object (<code>key =&gt; value</code>) for each element. You can immediately destructure this pair into separate <code>key</code> and <code>value</code> variables, as shown in the line <code>for (key, value) in http_codes</code>.</p></li> </ul> <p><strong>Important Note</strong>: The order of iteration over a standard <code>Dict</code> is not guaranteed. The elements will be returned based on the internal layout of the hash table, not the order in which they were inserted.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0035_dict_iteration.jl <span class="nt">---</span> Iterating over keys <span class="nt">---</span> Key: 404 Key: 200 Key: 301 <span class="nt">---</span> Iterating over values <span class="nt">---</span> Value: Not Found Value: OK Value: Moved Permanently <span class="nt">---</span> Iterating over key-value pairs <span class="nt">---</span> Code 404 means <span class="s1">'Not Found'</span> Code 200 means <span class="s1">'OK'</span> Code 301 means <span class="s1">'Moved Permanently'</span> </code></pre> </div> <h3> <code>0036_pairs.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0036_pairs.jl</span> <span class="c"># 1. The `=&gt;` syntax is a convenient way to create a `Pair` object.</span> <span class="n">pair_obj</span> <span class="o">=</span> <span class="x">(</span><span class="mi">200</span> <span class="o">=&gt;</span> <span class="s">"OK"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value of the pair object: "</span><span class="x">,</span> <span class="n">pair_obj</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of the pair object: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">pair_obj</span><span class="x">))</span> <span class="c"># A Pair is a simple struct with 'first' and 'second' fields.</span> <span class="n">println</span><span class="x">(</span><span class="s">"First element: "</span><span class="x">,</span> <span class="n">pair_obj</span><span class="o">.</span><span class="n">first</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Second element: "</span><span class="x">,</span> <span class="n">pair_obj</span><span class="o">.</span><span class="n">second</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. A Dict is fundamentally a collection of these Pair objects.</span> <span class="c"># The following two definitions are completely equivalent.</span> <span class="n">dict_syntax</span> <span class="o">=</span> <span class="kt">Dict</span><span class="x">(</span><span class="mi">404</span> <span class="o">=&gt;</span> <span class="s">"Not Found"</span><span class="x">,</span> <span class="mi">500</span> <span class="o">=&gt;</span> <span class="s">"Internal Server Error"</span><span class="x">)</span> <span class="n">pair1</span> <span class="o">=</span> <span class="kt">Pair</span><span class="x">(</span><span class="mi">404</span><span class="x">,</span> <span class="s">"Not Found"</span><span class="x">)</span> <span class="n">pair2</span> <span class="o">=</span> <span class="kt">Pair</span><span class="x">(</span><span class="mi">500</span><span class="x">,</span> <span class="s">"Internal Server Error"</span><span class="x">)</span> <span class="n">dict_constructor</span> <span class="o">=</span> <span class="kt">Dict</span><span class="x">(</span><span class="n">pair1</span><span class="x">,</span> <span class="n">pair2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dicts are equivalent: "</span><span class="x">,</span> <span class="n">dict_syntax</span> <span class="o">==</span> <span class="n">dict_constructor</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script clarifies the relationship between the <code>=&gt;</code> syntax, the <code>Pair</code> object, and the <code>Dict</code> data structure.</p> <ul> <li><p><strong><code>Pair</code> Object</strong>: The <code>=&gt;</code> operator is just syntactic sugar for creating a <code>Pair</code> object. A <code>Pair</code> is a simple, immutable struct that holds two values, accessible via the fields <code>.first</code> and <code>.second</code>. <code>key =&gt; value</code> is equivalent to <code>Pair(key, value)</code>.</p></li> <li><p><strong><code>Dict</code> and <code>Pair</code></strong>: A dictionary is, at its core, a hash table that stores a collection of <code>Pair</code> objects. When you write <code>Dict(key1 =&gt; val1, key2 =&gt; val2)</code>, you are simply creating several <code>Pair</code> objects and passing them to the <code>Dict</code> constructor to be stored.</p></li> </ul> <p>Understanding that <code>=&gt;</code> creates a <code>Pair</code> helps demystify how dictionaries are constructed and how iteration works. When you iterate over a dictionary, as in <code>for (k, v) in my_dict</code>, you are iterating over the <code>Pair</code>s it contains, and Julia's destructuring assignment automatically unpacks each <code>Pair</code> into the <code>k</code> and <code>v</code> variables.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0036_pairs.jl Value of the pair object: 200 <span class="o">=&gt;</span> <span class="s2">"OK"</span> Type of the pair object: Pair<span class="o">{</span>Int64, String<span class="o">}</span> First element: 200 Second element: OK <span class="nt">--------------------</span> Dicts are equivalent: <span class="nb">true</span> </code></pre> </div> <h2> Symbol </h2> <h3> <code>0037_symbols.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0037_symbols.jl</span> <span class="c"># --- Symbols (Guaranteed Interning &amp; Fast Identity Check) ---</span> <span class="n">sym1</span> <span class="o">=</span> <span class="o">:</span><span class="n">http_status</span> <span class="n">sym2</span> <span class="o">=</span> <span class="o">:</span><span class="n">http_status</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Symbols ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Symbols are guaranteed to be interned (a single object in memory)."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"`sym1 === sym2` is `true` because it's a fast identity check: "</span><span class="x">,</span> <span class="n">sym1</span> <span class="o">===</span> <span class="n">sym2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="o">*</span> <span class="s">"-"</span><span class="o">^</span><span class="mi">20</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="c"># --- Strings (Separate Objects &amp; Slower Content Check) ---</span> <span class="c"># This helper function ensures we create new, distinct string objects.</span> <span class="k">function</span><span class="nf"> build_string</span><span class="x">(</span><span class="n">parts</span><span class="o">...</span><span class="x">)</span> <span class="k">return</span> <span class="n">join</span><span class="x">(</span><span class="n">parts</span><span class="x">)</span> <span class="k">end</span> <span class="n">str1</span> <span class="o">=</span> <span class="n">build_string</span><span class="x">(</span><span class="s">"http"</span><span class="x">,</span> <span class="s">"_"</span><span class="x">,</span> <span class="s">"status"</span><span class="x">)</span> <span class="n">str2</span> <span class="o">=</span> <span class="n">build_string</span><span class="x">(</span><span class="s">"http"</span><span class="x">,</span> <span class="s">"_"</span><span class="x">,</span> <span class="s">"status"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Strings ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dynamically created strings are separate objects in memory."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Memory address of str1: "</span><span class="x">,</span> <span class="n">pointer_from_objref</span><span class="x">(</span><span class="n">str1</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Memory address of str2: "</span><span class="x">,</span> <span class="n">pointer_from_objref</span><span class="x">(</span><span class="n">str2</span><span class="x">))</span> <span class="c"># == checks for value equality by comparing content byte-by-byte.</span> <span class="n">println</span><span class="x">(</span><span class="s">"`str1 == str2` is `true` because contents are the same: "</span><span class="x">,</span> <span class="n">str1</span> <span class="o">==</span> <span class="n">str2</span><span class="x">)</span> <span class="c"># For immutable types like String, === ALSO compares content byte-by-byte.</span> <span class="c"># It returns `true` because they are bitwise identical, despite being different objects.</span> <span class="n">println</span><span class="x">(</span><span class="s">"`str1 === str2` is `true` because immutables are compared by content: "</span><span class="x">,</span> <span class="n">str1</span> <span class="o">===</span> <span class="n">str2</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the critical performance distinction between <code>Symbol</code>s and <code>String</code>s, which stems from how they are stored and compared.</p> <ul> <li><p><strong><code>Symbol</code> (Identity Comparison)</strong>: A <code>Symbol</code> is <strong>interned</strong>, meaning the language <em>guarantees</em> that only one copy of <code>:http_status</code> exists in memory. When you compare two symbols with <code>===</code>, Julia performs a single, fast <strong>identity check</strong>, which is as cheap as comparing two integer pointers. (NOTE: I am not really sure if this is how it works but seems sensible for an interned string)</p></li> <li> <p><strong><code>String</code> (Content Comparison)</strong>: A <code>String</code> is an immutable, heap-allocated object. When you create strings at runtime, Julia allocates separate, distinct objects in memory. This is proven by the different memory addresses shown by <code>pointer_from_objref()</code>.</p> <ul> <li> <strong><code>==</code></strong>: Compares the strings' values, which involves a <strong>byte-by-byte comparison</strong> of their content.</li> <li> <strong><code>===</code></strong>: Because <code>String</code> is an immutable type, <code>===</code> also performs a <strong>byte-by-byte content comparison</strong>. It returns <code>true</code> because their contents are bitwise identical, even though they are different objects in memory.</li> </ul> </li> </ul> <h3> The Real Performance Takeaway </h3> <p>The crucial difference is not <em>what</em> <code>===</code> returns, but <em>how</em> the comparison is performed.</p> <ul> <li> <strong><code>Symbol</code> <code>===</code> <code>Symbol</code></strong>: A single, fast machine instruction (pointer comparison).</li> <li> <strong><code>String</code> <code>===</code> <code>String</code></strong>: A potentially slow, full-content comparison (like <code>memcmp</code> in C).</li> </ul> <p>This is why <code>Symbol</code>s are vastly more performant as <code>Dict</code> keys or in any scenario requiring frequent comparisons.</p> <h3> <code>0038_symbol_performance.md</code> </h3> <p>(NOTE: I am really unsure if any of this is right)</p> <h3> Explanation </h3> <p>For performance, the distinction between a <code>Symbol</code> and a <code>String</code> is one of the most important in Julia. While both can represent text, their performance characteristics for comparisons are fundamentally different, which directly impacts their use as dictionary keys.</p> <h2> The Performance Difference: Identity vs. Value </h2> <p>A <code>Symbol</code> is an <strong>interned string</strong>. The language <em>guarantees</em> that only one copy of a particular symbol exists in memory. This means comparing two symbols for equality is as fast as comparing two integers.</p> <p>A <code>String</code> is a <strong>heap-allocated object</strong>. When you create strings at runtime (e.g., by reading from a file), new, distinct objects are allocated.</p> <p>Let's analyze what happens during a comparison, which is a key step in a dictionary lookup:</p> <ul> <li><p><strong><code>sym1 === sym2</code></strong>: This is an <strong>identity check</strong>. Because <code>:http_status</code> is guaranteed to be a single, unique object in memory, this comparison is a single, fast machine instruction—essentially a pointer comparison.</p></li> <li><p><strong><code>str1 == str2</code></strong>: This is a <strong>value check</strong>. It must compare the content of the two string objects byte-by-byte to ensure they are the same. For long strings, this can be significantly slower than a simple pointer check.</p></li> </ul> <h3> Why This Matters for <code>Dict</code> Keys </h3> <p>When you use an object as a key in a <code>Dict</code>, Julia needs to find the correct value. This involves two main steps:</p> <ol> <li> <strong>Hashing</strong>: Calculating a hash value from the key to quickly find the right "bucket" in the hash table. Both <code>Symbol</code> and <code>String</code> have fast hash functions.</li> <li> <strong>Equality Checking</strong>: If multiple keys have the same hash (a "hash collision"), Julia must compare your key with the keys in the bucket to find the exact match.</li> </ol> <p>This second step is where the performance difference becomes critical:</p> <ul> <li> <strong>With <code>Symbol</code> keys</strong>: The equality check is a lightning-fast <code>===</code> identity check.</li> <li> <strong>With <code>String</code> keys</strong>: The equality check is a potentially slow, byte-by-byte <code>==</code> value check.</li> </ul> <p><strong>Rule of Thumb</strong>: When you need to use a text-based identifier as a key in a performance-sensitive <code>Dict</code> or in any situation requiring many comparisons, <strong>always prefer <code>Symbol</code> over <code>String</code></strong>.</p> <h1> Module 4: Functions and Dispatch </h1> <h2> Defining Functions </h2> <h3> <code>0039_function_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0039_function_basics.jl</span> <span class="c"># 1. Standard function definition using the 'function' keyword.</span> <span class="c"># The return type can be annotated, but often Julia's inference is sufficient.</span> <span class="k">function</span><span class="nf"> add_numbers</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">y</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">x</span> <span class="o">+</span> <span class="n">y</span> <span class="c"># The last evaluated expression in a function is implicitly returned.</span> <span class="c"># No explicit 'return' keyword is needed here.</span> <span class="n">result</span> <span class="k">end</span> <span class="c"># 2. Compact, single-line function definition.</span> <span class="c"># This is suitable for simple functions. It's just syntactic sugar.</span> <span class="n">multiply_numbers</span><span class="x">(</span><span class="n">x</span><span class="x">,</span> <span class="n">y</span><span class="x">)</span> <span class="o">=</span> <span class="n">x</span> <span class="o">*</span> <span class="n">y</span> <span class="c"># Call the functions</span> <span class="n">sum_result</span> <span class="o">=</span> <span class="n">add_numbers</span><span class="x">(</span><span class="mi">5</span><span class="x">,</span> <span class="mi">3</span><span class="x">)</span> <span class="n">product_result</span> <span class="o">=</span> <span class="n">multiply_numbers</span><span class="x">(</span><span class="mi">5</span><span class="x">,</span> <span class="mi">3</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of add_numbers(5, 3): "</span><span class="x">,</span> <span class="n">sum_result</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of multiply_numbers(5, 3): "</span><span class="x">,</span> <span class="n">product_result</span><span class="x">)</span> <span class="c"># Demonstrate implicit return with a slightly more complex example</span> <span class="k">function</span><span class="nf"> check_positive</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="s">"Positive"</span> <span class="c"># Implicit return if n &gt; 0</span> <span class="k">else</span> <span class="s">"Non-positive"</span> <span class="c"># Implicit return otherwise</span> <span class="k">end</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Check positive for 10: "</span><span class="x">,</span> <span class="n">check_positive</span><span class="x">(</span><span class="mi">10</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Check positive for -2: "</span><span class="x">,</span> <span class="n">check_positive</span><span class="x">(</span><span class="o">-</span><span class="mi">2</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the two main ways to define functions in Julia and highlights the concept of implicit return.</p> <ul> <li> <p><strong>Standard Syntax (<code>function ... end</code>)</strong>: This is the block syntax used for longer or more complex functions.</p> <ul> <li> <code>function add_numbers(x::Int, y::Int)</code>: Defines a function named <code>add_numbers</code> that takes two arguments, <code>x</code> and <code>y</code>. The <code>::Int</code> are <strong>type annotations</strong>, which we'll cover next. They tell the compiler what type these arguments are expected to be.</li> <li>The code within the <code>function</code> and <code>end</code> keywords is the function body.</li> </ul> </li> <li><p><strong>Compact Syntax (<code>f(x) = ...</code>)</strong>: For simple, single-expression functions, Julia offers a concise assignment form: <code>multiply_numbers(x, y) = x * y</code>. This defines a function named <code>multiply_numbers</code> that takes two arguments and immediately returns the result of <code>x * y</code>. This is purely syntactic sugar for the standard form.</p></li> <li> <p><strong>Implicit Return</strong>: A defining feature of Julia is that the value of the <strong>last evaluated expression</strong> in a function's body is automatically returned. You do not need to use the <code>return</code> keyword unless you want to return early from the middle of a function.</p> <ul> <li>In <code>add_numbers</code>, the last expression is <code>result</code>, so its value is returned.</li> <li>In <code>check_positive</code>, the last expression evaluated is either <code>"Positive"</code> or <code>"Non-positive"</code>, depending on the <code>if</code> condition, and that string is returned.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0039_function_basics.jl Result of add_numbers<span class="o">(</span>5, 3<span class="o">)</span>: 8 Result of multiply_numbers<span class="o">(</span>5, 3<span class="o">)</span>: 15 Check positive <span class="k">for </span>10: Positive Check positive <span class="k">for</span> <span class="nt">-2</span>: Non-positive </code></pre> </div> <h3> <code>0040_type_annotations.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0040_type_annotations.jl</span> <span class="c"># 1. Function without type annotations.</span> <span class="c"># Julia will compile specialized versions based on the types it sees at runtime.</span> <span class="k">function</span><span class="nf"> process_unannotated</span><span class="x">(</span><span class="n">data</span><span class="x">)</span> <span class="c"># This might be fast if `data` is always the same type,</span> <span class="c"># but the compiler has less information upfront.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing data of type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">data</span><span class="x">))</span> <span class="k">return</span> <span class="n">data</span> <span class="c"># Return the data unmodified</span> <span class="k">end</span> <span class="c"># 2. Function WITH type annotations for arguments.</span> <span class="c"># This tells the compiler (and the programmer) that `x` MUST be an Int.</span> <span class="c"># It enables method dispatch and performance optimizations.</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">width</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">height</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="k">return</span> <span class="n">width</span> <span class="o">*</span> <span class="n">height</span> <span class="k">end</span> <span class="c"># 3. Function WITH annotations for arguments AND return type.</span> <span class="c"># The `::Int` after the argument list guarantees the function will return an Int.</span> <span class="c"># If it tries to return something else, an error occurs.</span> <span class="k">function</span><span class="nf"> get_int_length</span><span class="x">(</span><span class="n">s</span><span class="o">::</span><span class="kt">String</span><span class="x">)</span><span class="o">::</span><span class="kt">Int</span> <span class="n">len</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">s</span><span class="x">)</span> <span class="c"># If we tried to return a float here, like `len + 0.5`, it would error.</span> <span class="k">return</span> <span class="n">len</span> <span class="k">end</span> <span class="c"># Call the functions</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Unannotated ---"</span><span class="x">)</span> <span class="n">process_unannotated</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="n">process_unannotated</span><span class="x">(</span><span class="s">"hello"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Annotated Arguments ---"</span><span class="x">)</span> <span class="n">area</span> <span class="o">=</span> <span class="n">calculate_area</span><span class="x">(</span><span class="mi">5</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculated area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> <span class="c"># Calling with wrong types will cause a MethodError immediately</span> <span class="k">try</span> <span class="n">calculate_area</span><span class="x">(</span><span class="mf">5.0</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Error calling with wrong type: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Annotated Return Type ---"</span><span class="x">)</span> <span class="n">str_len</span> <span class="o">=</span> <span class="n">get_int_length</span><span class="x">(</span><span class="s">"Julia"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Length of 'Julia': "</span><span class="x">,</span> <span class="n">str_len</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Return type is indeed Int: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">str_len</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>type annotations</strong> in Julia functions, which are crucial for both correctness and performance. 📝</p> <ul> <li> <p><strong>Syntax</strong>: Annotations are added using the double colon <code>::</code> operator.</p> <ul> <li> <code>function func(arg::Type)</code>: Annotates the type of an argument.</li> <li> <code>function func(arg)::Type</code>: Annotates the expected return type of the function.</li> </ul> </li> <li><p><strong>Purpose</strong>:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Method Dispatch**: Annotations allow you to define different **methods** of the same function for different argument types (this is the core of multiple dispatch, coming next). When you call `calculate_area(5, 4)`, Julia knows *exactly* which version of the function to run because the types match the annotation `(width::Int, height::Int)`. 2. **Performance**: When the compiler knows the types of the arguments and the expected return type, it can generate highly specialized and optimized machine code. It eliminates the need for runtime type checks within the function body. Functions with fully annotated arguments and return types are much more likely to be **type-stable** and fast. 3. **Correctness &amp; Readability**: Annotations act as documentation and assertions. They make the function's contract clear. If you call a function with the wrong type, you get an immediate `MethodError` instead of a potentially obscure error later on. If a function annotated to return `::Int` accidentally returns a `Float64`, Julia will throw a `TypeError`. </code></pre> </div> <ul> <li> <strong>Omitting Annotations</strong>: You <em>can</em> omit annotations (like in <code>process_unannotated</code>). Julia will still compile specialized versions based on the types it observes when the function is first called. However, adding annotations provides stronger guarantees to the compiler and makes the code easier to understand and debug.</li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0040_type_annotations.jl <span class="nt">---</span> Unannotated <span class="nt">---</span> Processing data of <span class="nb">type</span>: Int64 Processing data of <span class="nb">type</span>: String <span class="nt">---</span> Annotated Arguments <span class="nt">---</span> Calculated area: 20 Error calling with wrong <span class="nb">type</span>: MethodError<span class="o">(</span><span class="nv">f</span><span class="o">=</span>calculate_area, <span class="nv">args</span><span class="o">=(</span>5.0, 4<span class="o">))</span> <span class="nt">---</span> Annotated Return Type <span class="nt">---</span> Length of <span class="s1">'Julia'</span>: 5 Return <span class="nb">type </span>is indeed Int: Int64 </code></pre> </div> <h2> Multiple Dispatch </h2> <h3> <code>0041_multiple_dispatch_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0041_multiple_dispatch_basics.jl</span> <span class="c"># 1. Define a function name 'process'.</span> <span class="c"># We will define several *methods* for this function name.</span> <span class="c"># Method 1: Specific for Int arguments.</span> <span class="k">function</span><span class="nf"> process</span><span class="x">(</span><span class="n">data</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing an Integer: "</span><span class="x">,</span> <span class="n">data</span> <span class="o">*</span> <span class="mi">2</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Method 2: Specific for String arguments.</span> <span class="k">function</span><span class="nf"> process</span><span class="x">(</span><span class="n">data</span><span class="o">::</span><span class="kt">String</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing a String: "</span><span class="x">,</span> <span class="n">uppercase</span><span class="x">(</span><span class="n">data</span><span class="x">))</span> <span class="k">end</span> <span class="c"># Method 3: A generic fallback for any other type (Any).</span> <span class="c"># 'Any' is the top-level abstract type in Julia.</span> <span class="k">function</span><span class="nf"> process</span><span class="x">(</span><span class="n">data</span><span class="o">::</span><span class="kt">Any</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Processing data of generic type '"</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">data</span><span class="x">),</span> <span class="s">"': "</span><span class="x">,</span> <span class="n">data</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 2. Call the function with different argument types.</span> <span class="c"># Julia automatically selects the MOST specific method available at runtime.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling process() with different types ---"</span><span class="x">)</span> <span class="n">process</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="c"># Calls Method 1</span> <span class="n">process</span><span class="x">(</span><span class="s">"hello"</span><span class="x">)</span> <span class="c"># Calls Method 2</span> <span class="n">process</span><span class="x">(</span><span class="mf">3.14</span><span class="x">)</span> <span class="c"># Calls Method 3 (Float64 is a subtype of Any)</span> <span class="n">process</span><span class="x">([</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">])</span> <span class="c"># Calls Method 3 (Vector{Int64} is a subtype of Any)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>multiple dispatch</strong>, the central organizing principle of Julia 🏛️. It's Julia's answer to function overloading (like in C++) and method overriding (like in Python/Java), but it's more general and powerful.</p> <ul> <li><p><strong>Functions vs. Methods</strong>: In Julia, you define a <strong>function</strong> by its name (e.g., <code>process</code>). You then define one or more <strong>methods</strong> for that function, where each method specifies the <em>types</em> of arguments it accepts using type annotations (e.g., <code>process(data::Int)</code>).</p></li> <li> <p><strong>Dispatch</strong>: When you call a function like <code>process(10)</code>, Julia looks at the <strong>runtime types</strong> of all the arguments you provided. It then selects and executes the <strong>most specific method</strong> whose type signature matches those arguments.</p> <ul> <li> <code>process(10)</code> matches <code>process(data::Int)</code>.</li> <li> <code>process("hello")</code> matches <code>process(data::String)</code>.</li> <li> <code>process(3.14)</code> doesn't match <code>Int</code> or <code>String</code>, so it falls back to the least specific method that matches, which is <code>process(data::Any)</code>.</li> </ul> </li> <li><p><strong>Why it's "Multiple"</strong>: Unlike object-oriented languages where dispatch usually happens only on the first argument (<code>object.method()</code>), Julia considers the types of <strong>all</strong> arguments when selecting the method. This is why it's called <em>multiple</em> dispatch.</p></li> <li><p><strong>Performance</strong>: Multiple dispatch is not just elegant; it's also <strong>fast</strong>. Because the method selection happens based on concrete types, the Julia JIT compiler can generate highly optimized, direct calls to the specific machine code for that method, completely avoiding the overhead of dynamic lookups often associated with traditional object-oriented method calls.</p></li> </ul> <p>Multiple dispatch encourages writing small, reusable functions that operate on different data types, leading to highly composable and performant code.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0041_multiple_dispatch_basics.jl <span class="nt">---</span> Calling process<span class="o">()</span> with different types <span class="nt">---</span> Processing an Integer: 20 Processing a String: HELLO Processing data of generic <span class="nb">type</span> <span class="s1">'Float64'</span>: 3.14 Processing data of generic <span class="nb">type</span> <span class="s1">'Vector{Int64}'</span>: <span class="o">[</span>1, 2, 3] </code></pre> </div> <h3> <code>0042_parametric_methods.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0042_parametric_methods.jl</span> <span class="c"># 1. A generic method for any Vector.</span> <span class="c"># `Vector{T}` means "a Vector where the element type is some T".</span> <span class="k">function</span><span class="nf"> get_first_element</span><span class="x">(</span><span class="n">arr</span><span class="o">::</span><span class="kt">Vector</span><span class="x">{</span><span class="n">T</span><span class="x">})</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Generic method called for Vector of type: "</span><span class="x">,</span> <span class="n">T</span><span class="x">)</span> <span class="k">if</span> <span class="n">isempty</span><span class="x">(</span><span class="n">arr</span><span class="x">)</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="c"># Or throw an error, depending on desired behavior</span> <span class="k">else</span> <span class="k">return</span> <span class="n">arr</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 2. A more specific method JUST for Vectors containing Strings.</span> <span class="k">function</span><span class="nf"> get_first_element</span><span class="x">(</span><span class="n">arr</span><span class="o">::</span><span class="kt">Vector</span><span class="x">{</span><span class="kt">String</span><span class="x">})</span> <span class="n">println</span><span class="x">(</span><span class="s">"Specific method called for Vector{String}"</span><span class="x">)</span> <span class="k">if</span> <span class="n">isempty</span><span class="x">(</span><span class="n">arr</span><span class="x">)</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="k">else</span> <span class="c"># We can call string-specific functions here because we know the type</span> <span class="k">return</span> <span class="n">uppercase</span><span class="x">(</span><span class="n">arr</span><span class="x">[</span><span class="mi">1</span><span class="x">])</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 3. Call the function with different vector types.</span> <span class="n">int_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">]</span> <span class="n">string_vector</span> <span class="o">=</span> <span class="x">[</span><span class="s">"apple"</span><span class="x">,</span> <span class="s">"banana"</span><span class="x">]</span> <span class="n">float_vector</span> <span class="o">=</span> <span class="x">[</span><span class="mf">1.1</span><span class="x">,</span> <span class="mf">2.2</span><span class="x">]</span> <span class="n">empty_vector</span> <span class="o">=</span> <span class="kt">Int</span><span class="x">[]</span> <span class="c"># An empty Vector{Int}</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling get_first_element() ---"</span><span class="x">)</span> <span class="n">first_int</span> <span class="o">=</span> <span class="n">get_first_element</span><span class="x">(</span><span class="n">int_vector</span><span class="x">)</span> <span class="c"># Calls Method 1 (T=Int64)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First int: "</span><span class="x">,</span> <span class="n">first_int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="n">first_string</span> <span class="o">=</span> <span class="n">get_first_element</span><span class="x">(</span><span class="n">string_vector</span><span class="x">)</span> <span class="c"># Calls Method 2 (Specific match)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First string (uppercase): "</span><span class="x">,</span> <span class="n">first_string</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="n">first_float</span> <span class="o">=</span> <span class="n">get_first_element</span><span class="x">(</span><span class="n">float_vector</span><span class="x">)</span> <span class="c"># Calls Method 1 (T=Float64)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First float: "</span><span class="x">,</span> <span class="n">first_float</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="n">first_empty</span> <span class="o">=</span> <span class="n">get_first_element</span><span class="x">(</span><span class="n">empty_vector</span><span class="x">)</span> <span class="c"># Calls Method 1 (T=Int64)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First empty: "</span><span class="x">,</span> <span class="n">first_empty</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how <strong>multiple dispatch</strong> works with <strong>parametric types</strong> (generics). 🧬</p> <ul> <li><p><strong>Parametric Types</strong>: A type like <code>Vector{T}</code> is parametric. It represents a <code>Vector</code> that can hold elements of <em>any</em> type, represented by the type parameter <code>T</code>. When you have <code>[10, 20]</code>, its type is <code>Vector{Int64}</code>, where <code>T</code> is <code>Int64</code>.</p></li> <li> <p><strong>Generic Method (<code>where {T}</code> Syntax)</strong>: The first method, <code>get_first_element(arr::Vector{T}) where {T}</code>, defines a generic fallback.</p> <ul> <li> <code>arr::Vector{T}</code> means the argument <code>arr</code> must be a <code>Vector</code> containing elements of some type <code>T</code>.</li> <li> <code>where {T}</code> introduces the type parameter <code>T</code>. This allows the compiler to know about <code>T</code> within the function body and potentially use it (though this simple example doesn't need to).</li> <li>This method will be called for any <code>Vector</code> <em>unless</em> a more specific method exists.</li> </ul> </li> <li><p><strong>Specific Method</strong>: The second method, <code>get_first_element(arr::Vector{String})</code>, is highly specific. It explicitly states it only works for a <code>Vector</code> where the element type is exactly <code>String</code>.</p></li> <li> <p><strong>Dispatch Rules</strong>: When you call <code>get_first_element</code>, Julia again picks the <strong>most specific</strong> method that matches the argument types:</p> <ul> <li> <code>get_first_element([10, 20])</code> (a <code>Vector{Int64}</code>) doesn't match <code>Vector{String}</code>, so it falls back to the generic <code>Vector{T}</code> method, with <code>T</code> becoming <code>Int64</code>.</li> <li> <code>get_first_element(["apple", "banana"])</code> (a <code>Vector{String}</code>) perfectly matches the specific <code>Vector{String}</code> method, so that one is chosen.</li> <li> <code>get_first_element([1.1, 2.2])</code> (a <code>Vector{Float64}</code>) falls back to the generic <code>Vector{T}</code> method, with <code>T</code> becoming <code>Float64</code>.</li> </ul> </li> </ul> <p>This ability to dispatch based on the <strong>parameter</strong> of a generic type is a powerful feature of Julia, allowing you to write general algorithms and then provide highly optimized or specialized versions for specific contained types.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0042_parametric_methods.jl <span class="nt">---</span> Calling get_first_element<span class="o">()</span> <span class="nt">---</span> Generic method called <span class="k">for </span>Vector of <span class="nb">type</span>: Int64 First int: 10 <span class="nt">--------------------</span> Specific method called <span class="k">for </span>Vector<span class="o">{</span>String<span class="o">}</span> First string <span class="o">(</span>uppercase<span class="o">)</span>: APPLE <span class="nt">--------------------</span> Generic method called <span class="k">for </span>Vector of <span class="nb">type</span>: Float64 First float: 1.1 <span class="nt">--------------------</span> Generic method called <span class="k">for </span>Vector of <span class="nb">type</span>: Int64 First empty: nothing </code></pre> </div> <h2> Function Arguments </h2> <h3> <code>0043_keyword_arguments.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0043_keyword_arguments.jl</span> <span class="c"># 1. Define a function with keyword arguments after a semicolon.</span> <span class="c"># Keyword arguments must have default values.</span> <span class="k">function</span><span class="nf"> create_greeting</span><span class="x">(</span><span class="n">name</span><span class="o">::</span><span class="kt">String</span><span class="x">;</span> <span class="n">greeting</span><span class="o">::</span><span class="kt">String</span><span class="o">=</span><span class="s">"Hello"</span><span class="x">,</span> <span class="n">punctuation</span><span class="o">::</span><span class="kt">String</span><span class="o">=</span><span class="s">"!"</span><span class="x">)</span> <span class="k">return</span> <span class="s">"</span><span class="si">$</span><span class="s">greeting, </span><span class="si">$</span><span class="s">name</span><span class="si">$</span><span class="s">punctuation"</span> <span class="k">end</span> <span class="c"># 2. Call the function using only positional arguments.</span> <span class="c"># Keyword arguments will use their default values.</span> <span class="n">default_greeting</span> <span class="o">=</span> <span class="n">create_greeting</span><span class="x">(</span><span class="s">"Julia"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Default greeting: "</span><span class="x">,</span> <span class="n">default_greeting</span><span class="x">)</span> <span class="c"># 3. Call the function, overriding some keyword arguments by name.</span> <span class="c"># The order of keyword arguments does not matter.</span> <span class="n">custom_greeting1</span> <span class="o">=</span> <span class="n">create_greeting</span><span class="x">(</span><span class="s">"World"</span><span class="x">,</span> <span class="n">greeting</span><span class="o">=</span><span class="s">"Hi"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Custom greeting 1: "</span><span class="x">,</span> <span class="n">custom_greeting1</span><span class="x">)</span> <span class="n">custom_greeting2</span> <span class="o">=</span> <span class="n">create_greeting</span><span class="x">(</span><span class="s">"Developers"</span><span class="x">,</span> <span class="n">punctuation</span><span class="o">=</span><span class="s">"!!!"</span><span class="x">,</span> <span class="n">greeting</span><span class="o">=</span><span class="s">"Welcome"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Custom greeting 2: "</span><span class="x">,</span> <span class="n">custom_greeting2</span><span class="x">)</span> <span class="c"># 4. Mixing positional and keyword arguments.</span> <span class="c"># Positional arguments must always come before keyword arguments.</span> <span class="c"># This syntax is clear: create_greeting("Positional"); kw1=val1, kw2=val2...</span> <span class="n">formal_greeting</span> <span class="o">=</span> <span class="n">create_greeting</span><span class="x">(</span><span class="s">"Dr. Turing"</span><span class="x">;</span> <span class="n">greeting</span><span class="o">=</span><span class="s">"Good day"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Formal greeting: "</span><span class="x">,</span> <span class="n">formal_greeting</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>keyword arguments</strong>, which allow you to pass arguments to a function by name, making the call site more readable and allowing for optional parameters with default values. 🏷️</p> <ul> <li> <p><strong>Syntax</strong>: Keyword arguments are defined in the function signature <strong>after</strong> a semicolon (<code>;</code>). Each keyword argument must be given a <strong>default value</strong>.<br> </p> <pre class="highlight julia"><code><span class="k">function</span><span class="nf"> func</span><span class="x">(</span><span class="n">positional_arg</span><span class="x">;</span> <span class="n">keyword_arg1</span><span class="o">=</span><span class="n">default1</span><span class="x">,</span> <span class="n">keyword_arg2</span><span class="o">=</span><span class="n">default2</span><span class="x">)</span> <span class="c"># ...</span> <span class="k">end</span> </code></pre> </li> <li> <p><strong>Calling</strong>: When calling a function with keyword arguments:</p> <ul> <li>You can omit them entirely, in which case their default values are used (<code>create_greeting("Julia")</code>).</li> <li>You can provide values for specific keywords using the <code>keyword=value</code> syntax (<code>greeting="Hi"</code>).</li> <li>The order in which you provide keyword arguments does not matter (<code>punctuation="!!!", greeting="Welcome"</code> works).</li> <li>All <strong>positional arguments</strong> (if any) must come <strong>before</strong> any keyword arguments.</li> </ul> </li> <li> <p><strong>Use Cases</strong>: Keyword arguments are excellent for:</p> <ul> <li>Functions with many arguments where specifying them by name improves clarity.</li> <li>Optional configuration parameters.</li> <li>Providing a more stable API (adding new keyword arguments doesn't break existing calls that don't use them).</li> </ul> </li> </ul> <p>This feature is very similar to keyword arguments in Python.</p> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0043_keyword_arguments.jl Default greeting: Hello, Julia! Custom greeting 1: Hi, World! Custom greeting 2: Welcome, Developers!!! Formal greeting: Good day, Dr. Turing! </code></pre> </div> <h3> <code>0044_splatting_operator.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0044_splatting_operator.jl</span> <span class="c"># 1. A function that takes a variable number of arguments.</span> <span class="c"># `numbers...` collects all remaining arguments into a tuple named 'numbers'.</span> <span class="k">function</span><span class="nf"> sum_all</span><span class="x">(</span><span class="n">label</span><span class="o">::</span><span class="kt">String</span><span class="x">,</span> <span class="n">numbers</span><span class="o">...</span><span class="x">)</span> <span class="n">total</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">n</span> <span class="k">in</span> <span class="n">numbers</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">n</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="n">label</span><span class="x">,</span> <span class="s">": "</span><span class="x">,</span> <span class="n">total</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 2. Call the function with individual arguments.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling with individual arguments ---"</span><span class="x">)</span> <span class="n">sum_all</span><span class="x">(</span><span class="s">"Individual args"</span><span class="x">,</span> <span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling with splatting ---"</span><span class="x">)</span> <span class="c"># 3. Use the splatting operator '...' to pass elements from a collection</span> <span class="c"># as individual arguments.</span> <span class="n">my_numbers</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">]</span> <span class="c"># This is equivalent to calling sum_all("Splatting", 10, 20, 30)</span> <span class="n">sum_all</span><span class="x">(</span><span class="s">"Splatting"</span><span class="x">,</span> <span class="n">my_numbers</span><span class="o">...</span><span class="x">)</span> <span class="c"># It also works with tuples</span> <span class="n">my_tuple</span> <span class="o">=</span> <span class="x">(</span><span class="mi">100</span><span class="x">,</span> <span class="mi">200</span><span class="x">)</span> <span class="n">sum_all</span><span class="x">(</span><span class="s">"Splatting tuple"</span><span class="x">,</span> <span class="n">my_tuple</span><span class="o">...</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong>splatting operator (<code>...</code>)</strong>, which unpacks the elements of a collection into individual arguments for a function call. This is a powerful feature for working with functions that accept a variable number of arguments (varargs). ☄️</p> <ul> <li><p><strong>Varargs Functions (<code>numbers...</code>)</strong>: In the function definition <code>sum_all(label::String, numbers...)</code>, the <code>...</code> after <code>numbers</code> indicates that this parameter will collect any number of subsequent positional arguments into a single <strong>tuple</strong> named <code>numbers</code>. This is similar to <code>*args</code> in Python or variadic templates in C++.</p></li> <li> <p><strong>Splatting Operator (<code>...</code>)</strong>: When <em>calling</em> a function, placing <code>...</code> after a collection (like a <code>Vector</code> or <code>Tuple</code>) <strong>unpacks</strong> its elements and passes them as separate positional arguments.</p> <ul> <li> <code>sum_all("Splatting", my_numbers...)</code> takes the elements <code>10, 20, 30</code> from <code>my_numbers</code> and effectively calls <code>sum_all("Splatting", 10, 20, 30)</code>.</li> </ul> </li> <li> <p><strong>Use Cases</strong>: Splatting is commonly used when:</p> <ul> <li>You have a list or tuple of values that you need to pass to a function designed to accept them individually (like <code>sum_all</code> or functions like <code>max()</code>, <code>min()</code>).</li> <li>You are forwarding arguments from one varargs function to another.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0044_splatting_operator.jl <span class="nt">---</span> Calling with individual arguments <span class="nt">---</span> Individual args: 10 <span class="nt">---</span> Calling with splatting <span class="nt">---</span> Splatting: 60 Splatting tuple: 300 </code></pre> </div> <h2> Mutating Vs Non Mutating </h2> <h3> <code>0045_mutating_functions_convention.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0045_mutating_functions_convention.jl</span> <span class="c"># A mutable struct to hold some data</span> <span class="k">mutable struct</span><span class="nc"> Point</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 1. Non-mutating function: Creates and returns a NEW Point.</span> <span class="c"># Does not end with '!'</span> <span class="k">function</span><span class="nf"> move_point</span><span class="x">(</span><span class="n">p</span><span class="o">::</span><span class="n">Point</span><span class="x">,</span> <span class="n">dx</span><span class="o">::</span><span class="kt">Float64</span><span class="x">,</span> <span class="n">dy</span><span class="o">::</span><span class="kt">Float64</span><span class="x">)</span> <span class="c"># Create a new Point object with the modified coordinates</span> <span class="k">return</span> <span class="n">Point</span><span class="x">(</span><span class="n">p</span><span class="o">.</span><span class="n">x</span> <span class="o">+</span> <span class="n">dx</span><span class="x">,</span> <span class="n">p</span><span class="o">.</span><span class="n">y</span> <span class="o">+</span> <span class="n">dy</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 2. Mutating function: Modifies the original Point object IN-PLACE.</span> <span class="c"># Ends with '!' by convention.</span> <span class="k">function</span><span class="nf"> move_point!</span><span class="x">(</span><span class="n">p</span><span class="o">::</span><span class="n">Point</span><span class="x">,</span> <span class="n">dx</span><span class="o">::</span><span class="kt">Float64</span><span class="x">,</span> <span class="n">dy</span><span class="o">::</span><span class="kt">Float64</span><span class="x">)</span> <span class="n">p</span><span class="o">.</span><span class="n">x</span> <span class="o">+=</span> <span class="n">dx</span> <span class="n">p</span><span class="o">.</span><span class="n">y</span> <span class="o">+=</span> <span class="n">dy</span> <span class="c"># Typically returns the modified object, or nothing</span> <span class="k">return</span> <span class="n">p</span> <span class="k">end</span> <span class="c"># Create an initial point</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">10.0</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original point p1: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling non-mutating function ---"</span><span class="x">)</span> <span class="c"># Call the non-mutating version</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">move_point</span><span class="x">(</span><span class="n">p1</span><span class="x">,</span> <span class="mf">5.0</span><span class="x">,</span> <span class="o">-</span><span class="mf">5.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Returned new point p2: "</span><span class="x">,</span> <span class="n">p2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original p1 remains unchanged: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling mutating function ---"</span><span class="x">)</span> <span class="c"># Call the mutating version on p1</span> <span class="n">move_point!</span><span class="x">(</span><span class="n">p1</span><span class="x">,</span> <span class="mf">100.0</span><span class="x">,</span> <span class="mf">100.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original p1 IS NOW modified: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script explains the crucial Julia <strong>naming convention</strong> for functions that modify their arguments: appending an exclamation mark (<code>!</code>).</p> <ul> <li><p><strong>The <code>!</code> Convention</strong>: If a function modifies the state of one or more of its input arguments (especially mutable collections like <code>Vector</code>s or <code>mutable struct</code>s), its name <strong>should</strong> end with <code>!</code>. This acts as a clear warning sign to the caller that the function has side effects and will change the input object.</p></li> <li><p><strong>Non-Mutating (<code>move_point</code>)</strong>: This function takes a <code>Point</code> and returns a <strong>new</strong> <code>Point</code> object with the updated coordinates. The original <code>p1</code> is completely untouched. This is often safer as it avoids unexpected side effects.</p></li> <li><p><strong>Mutating (<code>move_point!</code>)</strong>: This function directly modifies the fields (<code>p.x</code>, <code>p.y</code>) of the <code>Point</code> object passed into it. The original <code>p1</code> is altered.</p></li> <li> <p><strong>Why It Matters</strong>:</p> <ul> <li> <strong>Clarity</strong>: The <code>!</code> immediately tells you if a function might change your data.</li> <li> <strong>Performance</strong>: Mutating functions (<code>!</code>) can often be more performant, especially when working with large data structures. Modifying data in-place avoids allocating new memory for a result, which reduces work for the garbage collector. However, this comes at the cost of potential side effects if the original object is used elsewhere.</li> </ul> </li> <li><p><strong>Not Enforced</strong>: It's important to remember this is a <strong>convention</strong>, not a rule enforced by the compiler. You <em>can</em> write a function that modifies its arguments without a <code>!</code>, but it's strongly discouraged as it violates user expectations. Conversely, a function ending in <code>!</code> <em>should</em> modify at least one argument. Standard library functions strictly adhere to this convention (e.g., <code>sort</code> returns a sorted copy, <code>sort!</code> sorts the input vector in-place).</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0045_mutating_functions_convention.jl Original point p1: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> <span class="nt">---</span> Calling non-mutating <span class="k">function</span> <span class="nt">---</span> Returned new point p2: Point<span class="o">(</span>15.0, 15.0<span class="o">)</span> Original p1 remains unchanged: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> <span class="nt">---</span> Calling mutating <span class="k">function</span> <span class="nt">---</span> Original p1 IS NOW modified: Point<span class="o">(</span>110.0, 120.0<span class="o">)</span> </code></pre> </div> <h2> Higher Order And Do </h2> <h3> <code>0046_anonymous_functions.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0046_anonymous_functions.jl</span> <span class="c"># 1. Standard function for mapping (e.g., doubling numbers)</span> <span class="k">function</span><span class="nf"> double</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="k">return</span> <span class="n">x</span> <span class="o">*</span> <span class="mi">2</span> <span class="k">end</span> <span class="n">numbers</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">,</span> <span class="mi">4</span><span class="x">]</span> <span class="n">doubled_numbers</span> <span class="o">=</span> <span class="n">map</span><span class="x">(</span><span class="n">double</span><span class="x">,</span> <span class="n">numbers</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Doubled with standard function: "</span><span class="x">,</span> <span class="n">doubled_numbers</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 2. Using an anonymous function directly within the map call.</span> <span class="c"># The syntax `x -&gt; x * 2` creates a function without a name.</span> <span class="n">doubled_anon</span> <span class="o">=</span> <span class="n">map</span><span class="x">(</span><span class="n">x</span> <span class="o">-&gt;</span> <span class="n">x</span> <span class="o">*</span> <span class="mi">2</span><span class="x">,</span> <span class="n">numbers</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Doubled with anonymous function: "</span><span class="x">,</span> <span class="n">doubled_anon</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 3. Anonymous functions can take multiple arguments.</span> <span class="c"># Here, we use `map` to add elements from two lists.</span> <span class="n">list1</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">]</span> <span class="n">list2</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">]</span> <span class="n">sums</span> <span class="o">=</span> <span class="n">map</span><span class="x">((</span><span class="n">a</span><span class="x">,</span> <span class="n">b</span><span class="x">)</span> <span class="o">-&gt;</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span><span class="x">,</span> <span class="n">list1</span><span class="x">,</span> <span class="n">list2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sums using multi-arg anonymous function: "</span><span class="x">,</span> <span class="n">sums</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 4. Anonymous functions implicitly capture variables from their surrounding scope.</span> <span class="n">multiplier</span> <span class="o">=</span> <span class="mi">3</span> <span class="n">multiplied_capture</span> <span class="o">=</span> <span class="n">map</span><span class="x">(</span><span class="n">x</span> <span class="o">-&gt;</span> <span class="n">x</span> <span class="o">*</span> <span class="n">multiplier</span><span class="x">,</span> <span class="n">numbers</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Using captured variable 'multiplier': "</span><span class="x">,</span> <span class="n">multiplied_capture</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>anonymous functions</strong>, also known as <strong>lambda functions</strong>. These are functions defined without being given a specific name. They are essential for functional programming patterns and are frequently used as arguments to higher-order functions like <code>map</code>.</p> <ul> <li> <p><strong>Syntax (<code>-&gt;</code>)</strong>: The core syntax for creating an anonymous function is <code>arguments -&gt; expression</code>.</p> <ul> <li> <code>x -&gt; x * 2</code>: Defines a function that takes one argument <code>x</code> and returns <code>x * 2</code>.</li> <li> <code>(a, b) -&gt; a + b</code>: Defines a function that takes two arguments <code>a</code> and <code>b</code> and returns their sum.</li> </ul> </li> <li><p><strong><code>map()</code> Function</strong>: The <code>map(function, collection)</code> function is a standard higher-order function. It applies the given <code>function</code> to each element of the <code>collection</code> and returns a new collection containing the results.</p></li> <li><p><strong>Use Case</strong>: Anonymous functions are ideal when you need a simple function just once, typically as an argument to another function. Instead of defining a separate named function (like <code>double</code>), you can define the operation inline with <code>x -&gt; x * 2</code>, making the code more concise.</p></li> <li><p><strong>Closures (Variable Capture)</strong>: Anonymous functions automatically "capture" variables from the scope in which they are defined. In the last example, the function <code>x -&gt; x * multiplier</code> uses the <code>multiplier</code> variable defined outside of it. This behavior, where a function remembers the environment it was created in, is called a <strong>closure</strong>.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0046_anonymous_functions.jl Doubled with standard <span class="k">function</span>: <span class="o">[</span>2, 4, 6, 8] <span class="nt">--------------------</span> Doubled with anonymous <span class="k">function</span>: <span class="o">[</span>2, 4, 6, 8] <span class="nt">--------------------</span> Sums using multi-arg anonymous <span class="k">function</span>: <span class="o">[</span>11, 22] <span class="nt">--------------------</span> Using captured variable <span class="s1">'multiplier'</span>: <span class="o">[</span>3, 6, 9, 12] </code></pre> </div> <h3> <code>0047_do_blocks.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0047_do_blocks.jl</span> <span class="k">using</span> <span class="n">Printf</span> <span class="c"># 1. A function that takes another function as its first argument.</span> <span class="c"># This simulates managing a resource (like opening/closing a file).</span> <span class="k">function</span><span class="nf"> with_resource</span><span class="x">(</span><span class="n">func</span><span class="o">::</span><span class="kt">Function</span><span class="x">,</span> <span class="n">resource_name</span><span class="o">::</span><span class="kt">String</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Acquiring resource: "</span><span class="x">,</span> <span class="n">resource_name</span><span class="x">)</span> <span class="n">resource_id</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="mi">1000</span><span class="o">:</span><span class="mi">9999</span><span class="x">)</span> <span class="c"># Simulate getting a resource handle</span> <span class="k">try</span> <span class="c"># Execute the function passed in, giving it the resource ID</span> <span class="n">result</span> <span class="o">=</span> <span class="n">func</span><span class="x">(</span><span class="n">resource_id</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Function executed, result: "</span><span class="x">,</span> <span class="n">result</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"An error occurred: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">finally</span> <span class="c"># Ensure the resource is always released, even if an error occurs.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Releasing resource: "</span><span class="x">,</span> <span class="n">resource_name</span><span class="x">,</span> <span class="s">" (ID: "</span><span class="x">,</span> <span class="n">resource_id</span><span class="x">,</span> <span class="s">")"</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 2. Call `with_resource` using a standard anonymous function argument.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling with standard anonymous function ---"</span><span class="x">)</span> <span class="n">with_resource</span><span class="x">(</span><span class="n">id</span> <span class="o">-&gt;</span> <span class="nd">@sprintf</span><span class="x">(</span><span class="s">"Processing resource %d"</span><span class="x">,</span> <span class="n">id</span><span class="x">),</span> <span class="s">"MyData"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="o">*</span> <span class="s">"-"</span><span class="o">^</span><span class="mi">20</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="c"># 3. Call `with_resource` using the 'do' block syntax.</span> <span class="c"># This is syntactic sugar for the above, especially useful for multi-line functions.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling with 'do' block ---"</span><span class="x">)</span> <span class="n">with_resource</span><span class="x">(</span><span class="s">"MyData"</span><span class="x">)</span> <span class="k">do</span> <span class="n">id</span> <span class="c"># This block of code is automatically turned into an anonymous function</span> <span class="c"># that takes 'id' as its argument.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Inside the do block, working with ID: "</span><span class="x">,</span> <span class="n">id</span><span class="x">)</span> <span class="n">processed_data</span> <span class="o">=</span> <span class="nd">@sprintf</span><span class="x">(</span><span class="s">"Processed resource %d successfully"</span><span class="x">,</span> <span class="n">id</span><span class="x">)</span> <span class="c"># The last expression is implicitly returned from the anonymous function</span> <span class="n">processed_data</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>do</code> block</strong> syntax, which is a convenient and readable way to pass a multi-line anonymous function as the <em>first</em> argument to another function. It's commonly used for managing resources safely, similar to Python's <code>with</code> statement or RAII in C++. 📝</p> <ul> <li><p><strong>The Pattern</strong>: Julia functions that manage resources (like opening files, network connections, or temporary directories) often follow a pattern: they take a function as their first argument. This function represents the code the user wants to execute <em>while</em> the resource is available. The managing function is responsible for setting up the resource before calling the user's function and guaranteeing cleanup afterwards, even if errors occur.</p></li> <li><p><strong><code>with_resource</code> Function</strong>: Our example function <code>with_resource(func, resource_name)</code> simulates this pattern. It acquires a dummy resource (an ID), uses a <code>try...finally</code> block to ensure cleanup, and calls the provided <code>func</code>, passing it the resource ID.</p></li> <li><p><strong>Standard Anonymous Function Call</strong>: The first call shows the standard way to pass an anonymous function: <code>with_resource(id -&gt; ..., "MyData")</code>. This works fine for simple, one-line functions.</p></li> <li> <p><strong><code>do</code> Block Syntax</strong>: The second call demonstrates the <code>do</code> block:<br> </p> <pre class="highlight julia"><code><span class="n">with_resource</span><span class="x">(</span><span class="s">"MyData"</span><span class="x">)</span> <span class="k">do</span> <span class="n">id</span> <span class="c"># Code block...</span> <span class="k">end</span> </code></pre> <p>This is <strong>syntactic sugar</strong> that Julia automatically rewrites into the standard anonymous function call.</p> <ul> <li>The arguments before <code>do</code> (<code>"MyData"</code>) become the arguments <em>after</em> the function argument in the actual call.</li> <li>The variable(s) after <code>do</code> (<code>id</code>) become the argument(s) to the anonymous function.</li> <li>The code between <code>do</code> and <code>end</code> becomes the body of the anonymous function.</li> </ul> </li> <li><p><strong>Readability</strong>: The <code>do</code> block is much more readable for multi-line operations, as it avoids deeply nested parentheses and clearly separates the resource being managed from the code operating on it.</p></li> <li><p><strong>Resource Management</strong>: This pattern, often used with <code>do</code>, ensures resources are properly released. The <code>finally</code> block in <code>with_resource</code> guarantees the "Releasing resource" message prints, whether the code inside the <code>do</code> block succeeds or throws an error.</p></li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0047_do_blocks.jl <span class="nt">---</span> Calling with standard anonymous <span class="k">function</span> <span class="nt">---</span> Acquiring resource: MyData Function executed, result: Processing resource &lt;ID&gt; Releasing resource: MyData <span class="o">(</span>ID: &lt;ID&gt;<span class="o">)</span> <span class="nt">--------------------</span> <span class="nt">---</span> Calling with <span class="s1">'do'</span> block <span class="nt">---</span> Acquiring resource: MyData Inside the <span class="k">do </span>block, working with ID: &lt;ID&gt; Function executed, result: Processed resource &lt;ID&gt; successfully Releasing resource: MyData <span class="o">(</span>ID: &lt;ID&gt;<span class="o">)</span> </code></pre> </div> <p><em>(Note: <code>&lt;ID&gt;</code> will be a random 4-digit number)</em></p> <h1> Module 5: Your Own Types and Code Organization </h1> <h2> Struct </h2> <h3> <code>0048_struct_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0048_struct_basics.jl</span> <span class="c"># 1. Define a new composite data type using the 'struct' keyword.</span> <span class="c"># By default (without 'mutable'), a 'struct' is immutable.</span> <span class="c"># This creates a new type named 'Point'.</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="c"># Fields are defined with their names and type annotations</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 2. Instantiate (create an instance of) the struct.</span> <span class="c"># Julia provides a default constructor that takes all fields as arguments.</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">10.0</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="c"># 3. Access fields using dot notation.</span> <span class="c"># Note: println separates arguments with a space by default.</span> <span class="c"># The call: println("Label: ", variable) is the standard, readable form.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Accessing field p1.x: "</span><span class="x">,</span> <span class="n">p1</span><span class="o">.</span><span class="n">x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Accessing field p1.y: "</span><span class="x">,</span> <span class="n">p1</span><span class="o">.</span><span class="n">y</span><span class="x">)</span> <span class="c"># 4. Inspect the instance and its type.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Instance p1: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of p1: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">p1</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="c"># 5. Constructor Type Conversion</span> <span class="c"># Julia's default outer constructor calls convert() on its arguments.</span> <span class="c"># Point(x, y) is automatically defined as:</span> <span class="c"># Point(x, y) = new(convert(Float64, x), convert(Float64, y))</span> <span class="c"># Therefore, passing integers is valid, as they are convertible to Float64.</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Constructed from Ints: "</span><span class="x">,</span> <span class="n">p2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of p2: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">p2</span><span class="x">))</span> <span class="n">p3</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mi">10</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Constructed from Int/Float: "</span><span class="x">,</span> <span class="n">p3</span><span class="x">)</span> <span class="c"># 6. When does construction fail?</span> <span class="c"># It fails when convert() fails.</span> <span class="k">try</span> <span class="n">p_fail</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="s">"hello"</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Error (as expected) on non-convertible type: "</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <code>struct</code>, the fundamental tool in Julia for creating your own <strong>composite data types</strong>. It is the direct equivalent of a C <code>struct</code>, a <code>std::tuple</code> in C++, or a "frozen" dataclass in Python.</p> <ul> <li><p><strong>Core Concept:</strong> A <code>struct</code> is a way to bundle multiple, related values (called <strong>fields</strong>) into a single, named object. You define the "blueprint" for the <code>struct</code> (its name and its fields' types), and then you can create <strong>instances</strong> of that blueprint.</p></li> <li><p><strong>Default Immutability:</strong> By default, a <code>struct</code> in Julia is <strong>immutable</strong>. This is a deliberate design choice. Once an instance like <code>p1</code> is created, its fields (<code>p1.x</code> and <code>p1.y</code>) <strong>cannot be changed</strong>.</p></li> <li> <p><strong>Constructor and Conversion:</strong></p> <ul> <li>The <code>::Float64</code> annotations are a <strong>strict contract</strong> defining the <em>physical memory layout</em> of the <code>struct</code>. <code>Point</code> is a contiguous 16-byte block of memory: 8 bytes for <code>x</code> followed by 8 bytes for <code>y</code>.</li> <li>When you define a <code>struct</code>, Julia <em>also</em> provides a default <strong>outer constructor</strong> that makes it easy to use. This constructor's behavior is <code>Point(x, y) = new(convert(Float64, x), convert(Float64, y))</code>.</li> <li>This is why <code>Point(10, 20)</code> and <code>Point(10, 20.0)</code> <strong>both succeed</strong>. Julia automatically calls <code>convert(Float64, 10)</code> and <code>convert(Float64, 20)</code>, creating the <code>Point(10.0, 20.0)</code> instance.</li> <li>A <code>MethodError</code> only occurs if you provide a type that <code>convert</code> cannot handle, such as <code>Point("hello", 20.0)</code>. This robust, "it-just-works" conversion is a core feature of Julia's constructor system.</li> </ul> </li> <li><p><strong>Performance Deep-Dive: The <code>isbits</code> Optimization</strong><br><br> This is the most critical concept for understanding <code>struct</code> performance.</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`isbits` Type:** Our `Point` struct is an **`isbits`** type. The Julia documentation defines this as a type that is **immutable** and **contains no references** to other values. `Point` is immutable and contains only `Float64`s (which are `isbits`), so it qualifies. 2. **Stack Allocation:** Because `Point` is a small, immutable, self-contained block of data, the compiler can treat it as a single, simple value (like a single `Int128`). When created inside a function, it can be allocated on the **stack**, which is dramatically faster than heap allocation and avoids any work for the garbage collector (GC). 3. **Register Passing:** When you pass a `Point` object to another function, the compiler can pass it *directly* in **CPU registers** (e.g., two 64-bit registers) instead of allocating it and passing a pointer. This is the fastest possible way to pass an argument. 4. **Array Layout:** This is the key. A `Vector{Point}` is **not** an array of pointers. Because `Point` is `isbits`, Julia stores the values **inlined** in a single, flat, contiguous block of memory. The memory layout is literally `[p1.x, p1.y, p2.x, p2.y, ...]`. This "Array of Structs" (AoS) layout is C-like, cache-friendly, and enables the compiler to use powerful SIMD vector instructions when iterating. </code></pre> </div> <ul> <li> <p><strong>References:</strong></p> <ul> <li> <strong><code>isbits</code> Definition:</strong> Julia Official Documentation, <code>isbits</code> function. States <code>isbits(T)</code> is <code>true</code> if <code>T</code> is "immutable and contains no references to other values."</li> <li> <strong>Stack/Register Allocation:</strong> Julia Official Documentation, Manual, Types. States: "...small enough immutable values like integers and floats are typically passed to functions in registers (or stack allocated). Mutable values, on the other hand are heap-allocated..."</li> <li> <strong>Array Layout:</strong> Confirmed by Julia contributor <code>mbauman</code> in an authoritative Stack Overflow answer: "Julia's arrays will only store elements of type <code>T</code> unboxed if <code>isbits(T)</code> is true. That is, the elements must be both immutable and pointer-free."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0048_struct_basics.jl Accessing field p1.x: 10.0 Accessing field p1.y: 20.0 Instance p1: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Type of p1: Point <span class="nt">--------------------</span> Constructed from Ints: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Type of p2: Point Constructed from Int/Float: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Error <span class="o">(</span>as expected<span class="o">)</span> on non-convertible <span class="nb">type</span>: MethodError<span class="o">(</span><span class="nv">f</span><span class="o">=</span>convert, <span class="nv">args</span><span class="o">=(</span>Float64, <span class="s2">"hello"</span><span class="o">)</span>, <span class="nv">world</span><span class="o">=</span>...<span class="o">)</span> </code></pre> </div> <h3> <code>0049_struct_immutability.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0049_struct_immutability.jl</span> <span class="c"># 1. Define the same immutable 'Point' struct</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 2. Create an instance</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">10.0</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original point p1: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="c"># 3. Attempt to modify a field of the immutable struct</span> <span class="k">try</span> <span class="n">p1</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="mf">30.0</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Caught expected error:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 4. The "correct" way to "modify" an immutable object</span> <span class="c"># is to create a new one based on the old one.</span> <span class="n">p2</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="n">p1</span><span class="o">.</span><span class="n">x</span> <span class="o">+</span> <span class="mf">5.0</span><span class="x">,</span> <span class="n">p1</span><span class="o">.</span><span class="n">y</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Created new point p2: "</span><span class="x">,</span> <span class="n">p2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original point p1 is unchanged: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the core concept of <strong>immutability</strong>, which is the default behavior for Julia <code>struct</code>s.</p> <ul> <li><p><strong>Core Concept:</strong> An immutable object is one whose state <strong>cannot be modified</strong> after it is created. The <code>struct Point</code> we defined is immutable. When we create <code>p1</code>, the values <code>10.0</code> and <code>20.0</code> are locked in.</p></li> <li><p><strong>The Error:</strong> The line <code>p1.x = 30.0</code> attempts to assign a new value to the <code>x</code> field. This is a fundamental violation of the <code>struct</code>'s immutable contract. Julia intercepts this and fails, resulting in a <code>Setfield! Error</code> which explicitly states that <code>Point</code> is immutable and its fields cannot be changed.</p></li> <li><p><strong>Why Immutability is a Feature, Not a Bug:</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Performance:** Immutability is a powerful signal to the compiler. Because the compiler *knows* the data inside `p1` will never change, it can perform aggressive optimizations. It can store `p1` directly in **CPU registers**, allocate it on the **stack** (which is much faster than the heap), or even eliminate the object entirely and just inline its fields. 2. **Thread Safety:** Immutable objects are inherently **thread-safe**. You can share `p1` across thousands of threads, and no locks are needed because no thread can *write* to it. This eliminates an entire class of complex concurrency bugs. 3. **Program Logic:** It makes code easier to reason about. When you pass `p1` to a function, you are 100% guaranteed that the function cannot change it, preventing "action at a distance" bugs. </code></pre> </div> <ul> <li><p><strong>The Idiomatic Pattern:</strong> The idiomatic way to "modify" an immutable object is to create a <strong>new</strong> object. The line <code>p2 = Point(p1.x + 5.0, p1.y)</code> does not change <code>p1</code>. It reads the values from <code>p1</code>, creates a <em>brand new</em> <code>Point</code> in memory, and assigns it to <code>p2</code>. The original <code>p1</code> remains untouched. This is a fundamental pattern in high-performance and functional programming.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, Types:</strong> "Code using immutable objects can be easier to reason about... An object with an immutable type may be copied freely by the compiler since its immutability makes it impossible to programmatically distinguish between the original object and a copy."</li> <li> <strong>Julia Official Documentation, Manual, Types (on Mutability):</strong> "It is not permitted to modify the value of an immutable type."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0049_struct_immutability.jl Original point p1: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Caught expected error: Setfield! Error: <span class="s1">'Point'</span> is immutable <span class="o">[</span>...] Created new point p2: Point<span class="o">(</span>15.0, 20.0<span class="o">)</span> Original point p1 is unchanged: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> </code></pre> </div> <h2> Mutable Struct </h2> <h3> <code>0050_mutable_struct.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0050_mutable_struct.jl</span> <span class="c"># 1. Define a MUTABLE composite type using the 'mutable struct' keywords.</span> <span class="k">mutable struct</span><span class="nc"> MutablePoint</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 2. Instantiate the mutable struct.</span> <span class="c"># The default constructor works identically.</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">MutablePoint</span><span class="x">(</span><span class="mf">10.0</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original mutable point p1: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="c"># 3. Modify a field in-place.</span> <span class="c"># This operation is now legal and succeeds.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Mutating p1.x = 30.0..."</span><span class="x">)</span> <span class="n">p1</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="mf">30.0</span> <span class="n">println</span><span class="x">(</span><span class="s">"Mutated point p1: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> <span class="c"># 4. Another in-place modification</span> <span class="n">p1</span><span class="o">.</span><span class="n">y</span> <span class="o">+=</span> <span class="mf">5.0</span> <span class="n">println</span><span class="x">(</span><span class="s">"Mutated point p1 again: "</span><span class="x">,</span> <span class="n">p1</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>mutable struct</code></strong>, which creates objects whose fields <strong>can be changed</strong> after creation.</p> <ul> <li><p><strong>Core Concept:</strong> The <code>mutable</code> keyword changes the fundamental contract of the type. <code>mutable struct</code> creates a "container" whose contents can be modified in-place, while the default <code>struct</code> creates a single, unchangeable "value".</p></li> <li><p><strong>Syntax:</strong> The only difference in the definition is the addition of the <code>mutable</code> keyword before <code>struct</code>. Instantiation and field access (<code>.x</code>) are syntactically identical.</p></li> <li><p><strong>In-Place Modification:</strong> The line <code>p1.x = 30.0</code> now succeeds. This operation directly modifies the memory of the <code>p1</code> object itself. Any other variable in the program that holds a reference to <code>p1</code> will instantly see this change.</p></li> <li><p><strong>The Performance Trade-Off: Heap vs. Stack</strong><br> This is one of the most important performance distinctions in Julia.</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Allocation:** Because a `mutable struct` must have a single, stable identity in memory (so all references to it can be updated), it is **heap-allocated**. This is a slower operation than the stack-allocation that is possible for immutable `struct`s. 2. **`isbits`:** A `mutable struct` is **never** an `isbits` type. 3. **Array Layout:** A `Vector{MutablePoint}` is an **array of pointers** (or "references") to heap-allocated `MutablePoint` objects. It is *not* a flat, contiguous block of data. This memory layout (an "Array of Pointers") is less cache-friendly and prevents the compiler from using SIMD instructions. </code></pre> </div> <ul> <li><p><strong>Guideline:</strong> You pay a significant performance cost for mutability. Therefore, <strong>always default to an immutable <code>struct</code></strong>. Only use <code>mutable struct</code> when you have a specific, long-lived object that <em>must</em> have its state changed over time (e.g., a simulation environment, a network connection manager, a buffer). For small, data-carrying objects like coordinates or complex numbers, <code>struct</code> is almost always the correct, high-performance choice.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, Types:</strong> "Composite Types declared with <code>mutable struct</code> are mutable..."</li> <li> <strong>Julia Official Documentation, Manual, Types (on Mutability):</strong> "Mutable values, on the other hand are heap-allocated and passed to functions as pointers to heap-allocated values..."</li> <li> <strong>Julia Official Documentation, <code>isbits</code>:</strong> <code>isbits(MutablePoint)</code> would return <code>false</code>.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0050_mutable_struct.jl Original mutable point p1: MutablePoint<span class="o">(</span>10.0, 20.0<span class="o">)</span> Mutating p1.x <span class="o">=</span> 30.0... Mutated point p1: MutablePoint<span class="o">(</span>30.0, 20.0<span class="o">)</span> Mutated point p1 again: MutablePoint<span class="o">(</span>30.0, 25.0<span class="o">)</span> </code></pre> </div> <h3> <code>0051_mutable_vs_immutable_performance.md</code> </h3> <p>This is one of the most important performance trade-offs in the Julia language. The choice between an immutable <code>struct</code> and a <code>mutable struct</code> is not cosmetic; it fundamentally changes how the compiler handles your data, with massive performance implications.</p> <h3> Comparison: <code>struct</code> (Immutable) vs. <code>mutable struct</code> (Mutable) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th> <code>struct Point</code> (Immutable)</th> <th> <code>mutable struct MutablePoint</code> (Mutable)</th> </tr> </thead> <tbody> <tr> <td><strong><code>isbits</code> Status</strong></td> <td> <strong><code>true</code></strong> (if fields are <code>isbits</code>)</td> <td> <strong><code>false</code></strong> (always)</td> </tr> <tr> <td><strong>Allocation</strong></td> <td> <strong>Stack</strong> (if possible)</td> <td> <strong>Heap</strong> (always)</td> </tr> <tr> <td><strong>Passing to Functions</strong></td> <td>By value (in <strong>CPU registers</strong>)</td> <td>By reference (as a <strong>pointer</strong>)</td> </tr> <tr> <td><strong>Array Layout (<code>Vector{T}</code>)</strong></td> <td> <strong>Inlined / Contiguous</strong> (Array of Structs)</td> <td> <strong>Array of Pointers</strong> (Array of Pointers)</td> </tr> <tr> <td><strong>Cache Performance</strong></td> <td> <strong>Excellent</strong> (cache-friendly)</td> <td> <strong>Poor</strong> (pointer-chasing, cache misses)</td> </tr> </tbody> </table></div> <h3> 1. Allocation: Stack vs. Heap </h3> <ul> <li> <strong><code>struct Point</code> (Immutable):</strong> Because an immutable <code>struct</code> is a self-contained, unchangeable block of bits (it's <code>isbits</code>), the compiler can treat it as a simple value, just like an <code>Int</code> or <code>Float64</code>. When created inside a function, it will typically be <strong>stack-allocated</strong>. Stack allocation is extremely fast—it's just a single instruction to move the stack pointer. It also means there is <strong>zero work for the garbage collector (GC)</strong>.</li> <li> <strong><code>mutable struct MutablePoint</code> (Mutable):</strong> Because a mutable object's fields can change at any time, it must have a single, stable address in memory so that all variables referencing it see the same changes. This requires it to be <strong>heap-allocated</strong>. Heap allocation is much slower: it requires a call to the memory manager (<code>malloc</code>) to find a free block of memory, and the GC must track this object for its entire lifetime.</li> </ul> <p><strong>Conclusion:</strong> Immutable <code>struct</code>s are significantly "cheaper" to create and destroy than mutable <code>struct</code>s.</p> <h3> 2. Array Layout: Inlined vs. Pointers </h3> <p>This is the most critical difference for high-performance computing.</p> <ul> <li> <strong><code>Vector{Point}</code> (Immutable <code>isbits</code>):</strong> Julia stores the <code>Point</code> objects <strong>inlined</strong> in the array's memory. The <code>Vector</code> is one single, contiguous block of <code>Float64</code> values. <ul> <li> <strong>Memory Layout:</strong> <code>[p1.x, p1.y, p2.x, p2.y, p3.x, p3.y, ...]</code> </li> </ul> </li> <li> <strong><code>Vector{MutablePoint}</code> (Mutable):</strong> Julia stores an array of <strong>pointers</strong>. Each pointer references a <em>separate</em> <code>MutablePoint</code> object allocated somewhere else on the heap. <ul> <li> <strong>Memory Layout:</strong> <code>[ptr1, ptr2, ptr3, ...]</code> </li> <li>...where <code>ptr1</code> points to <code>MutablePoint(x1, y1)</code>, <code>ptr2</code> points to <code>MutablePoint(x2, y2)</code>, etc.</li> </ul> </li> </ul> <h3> 3. CPU Cache and Iteration Performance </h3> <p>The array layout has a direct and massive impact on iteration speed.</p> <ul> <li> <strong>Iterating <code>Vector{Point}</code>:</strong> When you loop over this array, you are reading memory sequentially. The CPU's prefetcher can load this data directly into the L1/L2 cache <em>before</em> it's even needed. This results in an <strong>extremely fast, cache-friendly</strong> loop with no wasted cycles. The compiler can also <strong>vectorize</strong> the loop using <strong>SIMD</strong> instructions, processing multiple <code>Point</code>s per cycle.</li> <li> <strong>Iterating <code>Vector{MutablePoint}</code>:</strong> When you loop over this array, you get <strong>pointer-chasing</strong>. <ol> <li> Read <code>ptr1</code> from the array (potential cache miss).</li> <li> "Jump" (dereference) to the memory address of <code>ptr1</code> to fetch the <code>MutablePoint</code> object (another potential cache miss).</li> <li> Read <code>ptr2</code> from the array...</li> <li> Jump to the memory address of <code>ptr2</code>... This "jumpy" memory access pattern defeats the CPU's prefetcher, causes constant cache misses, and makes SIMD vectorization impossible.</li> </ol> </li> </ul> <p><strong>Conclusion:</strong> Iterating a <code>Vector</code> of immutable <code>isbits</code> <code>struct</code>s is often <strong>orders of magnitude faster</strong> than iterating a <code>Vector</code> of <code>mutable struct</code>s.</p> <h3> Guideline </h3> <ul> <li> <strong>Always default to immutable <code>struct</code></strong>. You should only use <code>mutable struct</code> when you have a specific, compelling reason to—such as a long-lived object that <em>must</em> have its state changed, like a buffer, a simulation environment, or a network connection manager.</li> <li>For any small, data-carrying object (coordinates, complex numbers, configuration parameters), immutability (<code>struct</code>) is the correct, safe, and high-performance choice.</li> </ul> <h2> Abstract Type </h2> <h3> <code>0052_abstract_types.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0052_abstract_types.jl</span> <span class="c"># 1. Define an 'abstract type'.</span> <span class="c"># An abstract type defines a general concept, not a concrete object.</span> <span class="c"># You cannot create an instance of it.</span> <span class="k">abstract type</span><span class="nc"> AbstractShape</span> <span class="k">end</span> <span class="c"># 2. Define a 'concrete type' that *subtypes* AbstractShape.</span> <span class="c"># The '&lt;:' operator means "is a subtype of".</span> <span class="c"># This struct is immutable and will be 'isbits'.</span> <span class="k">struct</span><span class="nc"> Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">radius</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 3. Define another concrete 'isbits' subtype.</span> <span class="k">struct</span><span class="nc"> Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">width</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">height</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 4. Define a concrete *mutable* subtype.</span> <span class="c"># Because it is 'mutable', it will *not* be 'isbits'.</span> <span class="k">mutable struct</span><span class="nc"> MutableSquare</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">side</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 5. Attempting to instantiate the abstract type will fail.</span> <span class="c"># Abstract types are just concepts; they have no constructor.</span> <span class="k">try</span> <span class="n">shape_fail</span> <span class="o">=</span> <span class="n">AbstractShape</span><span class="x">()</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught expected error (cannot instantiate abstract type):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 6. Instantiating the *concrete* types succeeds.</span> <span class="n">c</span> <span class="o">=</span> <span class="n">Circle</span><span class="x">(</span><span class="mf">10.0</span><span class="x">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">Rectangle</span><span class="x">(</span><span class="mf">5.0</span><span class="x">,</span> <span class="mf">10.0</span><span class="x">)</span> <span class="n">s</span> <span class="o">=</span> <span class="n">MutableSquare</span><span class="x">(</span><span class="mf">7.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Concrete instances:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"c = "</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"r = "</span><span class="x">,</span> <span class="n">r</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"s = "</span><span class="x">,</span> <span class="n">s</span><span class="x">)</span> <span class="c"># 7. Check the type hierarchy using the subtype operator '&lt;:'.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Type hierarchy checks:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Circle &lt;: AbstractShape? "</span><span class="x">,</span> <span class="n">Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Rectangle &lt;: AbstractShape? "</span><span class="x">,</span> <span class="n">Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"MutableSquare &lt;: AbstractShape? "</span><span class="x">,</span> <span class="n">MutableSquare</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span><span class="x">)</span> <span class="c"># Check if the *instance's type* is a subtype.</span> <span class="n">println</span><span class="x">(</span><span class="s">"typeof(c) &lt;: AbstractShape? "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">c</span><span class="x">)</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- The Nuance of isbits ---"</span><span class="x">)</span> <span class="c"># 8. 'isbits(x)' checks the property of an *instance*.</span> <span class="c"># It's a convenient shorthand for isbitstype(typeof(x)).</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbits(c): "</span><span class="x">,</span> <span class="n">isbits</span><span class="x">(</span><span class="n">c</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbits(r): "</span><span class="x">,</span> <span class="n">isbits</span><span class="x">(</span><span class="n">r</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbits(s): "</span><span class="x">,</span> <span class="n">isbits</span><span class="x">(</span><span class="n">s</span><span class="x">))</span> <span class="c"># false (it's mutable)</span> <span class="c"># 9. 'isbitstype(T)' checks the property of the *Type* itself.</span> <span class="c"># This is the canonical way to check if a type has a C-like,</span> <span class="c"># plain-data memory layout.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">isbitstype(Circle): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Circle</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Rectangle): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Rectangle</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(MutableSquare): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">MutableSquare</span><span class="x">))</span> <span class="c"># false</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>abstract type</code>s</strong>, which form the foundation of Julia's powerful type hierarchy and are the key to <strong>multiple dispatch</strong>.</p> <ul> <li> <p><strong>Core Concept:</strong> An <code>abstract type</code> defines a <strong>concept</strong> or an <strong>interface</strong>, not a specific "thing." You <strong>cannot</strong> create an instance of an abstract type.</p> <ul> <li>In our example, <code>AbstractShape</code> represents the general idea of "a shape." It makes no sense to create a generic "shape" without knowing if it's a circle, a square, etc.</li> <li>The <code>try...catch</code> block proves this: <code>AbstractShape()</code> fails with a <code>MethodError</code> because no constructor exists for this abstract concept.</li> </ul> </li> <li> <p><strong>Subtyping (<code>&lt;:</code>):</strong> The "is a subtype of" operator, <code>&lt;:</code>, is used to build the hierarchy.</p> <ul> <li> <code>struct Circle &lt;: AbstractShape</code> declares that a <code>Circle</code> <strong>is a kind of</strong> <code>AbstractShape</code>.</li> <li> <code>Circle</code> and <code>Rectangle</code> are called <strong>concrete types</strong>. They are "real" types that you <em>can</em> create instances of.</li> </ul> </li> <li><p><strong>The Purpose:</strong> Why define this? Abstract types allow you to write <strong>generic functions</strong>. You can write a function that accepts any <code>AbstractShape</code>, and Julia's dispatch system will automatically call the correct, specific implementation for a <code>Circle</code> or a <code>Rectangle</code>. This is the subject of the very next lesson.</p></li> <li> <p><strong><code>isbits</code> vs. <code>isbitstype</code>:</strong> This is a crucial, subtle distinction.</p> <ul> <li> <strong><code>isbitstype(T::Type)</code>:</strong> This is the authoritative function to ask: "Does the type <code>T</code> describe a plain-data, C-like memory layout?" As shown, <code>isbitstype(Circle)</code> is <code>true</code> because it's immutable and has <code>isbits</code> fields. <code>isbitstype(MutableSquare)</code> is <code>false</code> because it's mutable.</li> <li> <strong><code>isbits(x)</code>:</strong> This is a function that operates on a <strong>value</strong>. It's a convenient shorthand for <code>isbitstype(typeof(x))</code>. This is why <code>isbits(c)</code> is <code>true</code>. The <em>instance</em> <code>c</code> is of type <code>Circle</code>, and <code>isbitstype(Circle)</code> is <code>true</code>.</li> </ul> </li> <li> <p><strong>Container Performance:</strong> This hierarchy has direct performance implications for arrays.</p> <ul> <li>A <code>Vector{Circle}</code> is a <strong>homogeneous</strong> array. Because <code>isbitstype(Circle)</code> is <code>true</code>, the <code>Circle</code> objects will be stored <strong>inlined and contiguously</strong> in memory (an "Array of Structs"). This is fast.</li> <li>A <code>Vector{AbstractShape}</code> is a <strong>heterogeneous</strong> array. Since it must be able to hold <em>any</em> <code>AbstractShape</code>, including <code>Circle</code> (16 bytes) and <code>MutableSquare</code> (8-byte pointer), it <strong>must</strong> be an "array of pointers" (a "boxed" array). This is much slower to iterate.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, Types, "Abstract Types":</strong> "Abstract types cannot be instantiated... Abstract types are a way to organize types into a hierarchy."</li> <li> <strong>Julia Official Documentation, Manual, Types, "Subtyping":</strong> "The <code>&lt;:</code> operator is declared as <code>(::Type, ::Type) -&gt; Bool</code>, and returns <code>true</code> if its left operand is a subtype of its right operand."</li> <li> <strong>Julia Official Documentation, <code>isbits(x)</code>:</strong> "Return <code>true</code> if the value <code>x</code> is of an <code>isbits</code> type." <code>isbitstype(T)</code> is noted as the canonical check for the type itself.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0052_abstract_types.jl Caught expected error <span class="o">(</span>cannot instantiate abstract <span class="nb">type</span><span class="o">)</span>: MethodError: no method matching AbstractShape<span class="o">()</span> Concrete instances: c <span class="o">=</span> Circle<span class="o">(</span>10.0<span class="o">)</span> r <span class="o">=</span> Rectangle<span class="o">(</span>5.0, 10.0<span class="o">)</span> s <span class="o">=</span> MutableSquare<span class="o">(</span>7.0<span class="o">)</span> Type hierarchy checks: Circle &lt;: AbstractShape? <span class="nb">true </span>Rectangle &lt;: AbstractShape? <span class="nb">true </span>MutableSquare &lt;: AbstractShape? <span class="nb">true </span>typeof<span class="o">(</span>c<span class="o">)</span> &lt;: AbstractShape? <span class="nb">true</span> <span class="nt">---</span> The Nuance of isbits <span class="nt">---</span> isbits<span class="o">(</span>c<span class="o">)</span>: <span class="nb">true </span>isbits<span class="o">(</span>r<span class="o">)</span>: <span class="nb">true </span>isbits<span class="o">(</span>s<span class="o">)</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Circle<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Rectangle<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>MutableSquare<span class="o">)</span>: <span class="nb">false</span> </code></pre> </div> <h3> <code>0053_dispatch_on_abstract.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0053_dispatch_on_abstract.jl</span> <span class="c"># 1. Define the type hierarchy from the previous lesson</span> <span class="k">abstract type</span><span class="nc"> AbstractShape</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">radius</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">width</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">height</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="k">mutable struct</span><span class="nc"> MutableSquare</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">side</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 2. Define a "generic" function that operates on the abstract type.</span> <span class="c"># This function defines the "interface" or "contract".</span> <span class="c"># We can provide a fallback method that throws an error.</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">s</span><span class="o">::</span><span class="n">AbstractShape</span><span class="x">)</span> <span class="c"># This error will be hit by any subtype that doesn't</span> <span class="c"># provide its own specific method.</span> <span class="n">error</span><span class="x">(</span><span class="s">"calculate_area not implemented for type "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">s</span><span class="x">))</span> <span class="k">end</span> <span class="c"># 3. Define a specific METHOD for Circle.</span> <span class="c"># Julia will dispatch to this function when it sees a Circle.</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Circle</span><span class="x">)</span> <span class="k">return</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">c</span><span class="o">.</span><span class="n">radius</span><span class="o">^</span><span class="mi">2</span> <span class="k">end</span> <span class="c"># 4. Define a specific METHOD for Rectangle.</span> <span class="c"># This is the same function name, 'calculate_area', but with</span> <span class="c"># a different type signature (a different method).</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">r</span><span class="o">::</span><span class="n">Rectangle</span><span class="x">)</span> <span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">width</span> <span class="o">*</span> <span class="n">r</span><span class="o">.</span><span class="n">height</span> <span class="k">end</span> <span class="c"># 5. Create a heterogeneous list of shapes.</span> <span class="c"># This will be a Vector{AbstractShape}, which is an</span> <span class="c"># array of pointers (boxed objects).</span> <span class="n">shapes</span> <span class="o">=</span> <span class="x">[</span><span class="n">Circle</span><span class="x">(</span><span class="mf">1.0</span><span class="x">),</span> <span class="n">Rectangle</span><span class="x">(</span><span class="mf">2.0</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">),</span> <span class="n">Circle</span><span class="x">(</span><span class="mf">4.0</span><span class="x">)]</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Processing heterogeneous array of shapes ---"</span><span class="x">)</span> <span class="k">for</span> <span class="n">shape</span> <span class="k">in</span> <span class="n">shapes</span> <span class="c"># 6. Call the generic function.</span> <span class="c"># At runtime, Julia inspects the *actual* type of 'shape'</span> <span class="c"># and calls the *most specific* method available.</span> <span class="n">area</span> <span class="o">=</span> <span class="n">calculate_area</span><span class="x">(</span><span class="n">shape</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Shape: "</span><span class="x">,</span> <span class="n">shape</span><span class="x">,</span> <span class="s">" | Area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Testing unimplemented type ---"</span><span class="x">)</span> <span class="c"># 7. Test the fallback error</span> <span class="n">s</span> <span class="o">=</span> <span class="n">MutableSquare</span><span class="x">(</span><span class="mf">5.0</span><span class="x">)</span> <span class="k">try</span> <span class="n">calculate_area</span><span class="x">(</span><span class="n">s</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught expected error:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>multiple dispatch</strong>, which is the "payoff" for using the <code>abstract type</code> hierarchy. This is arguably the most important and powerful design pattern in Julia.</p> <ul> <li> <p><strong>Core Concept:</strong> We have defined one generic function name, <code>calculate_area</code>, but multiple <strong>methods</strong> for it.</p> <ul> <li> <code>calculate_area(s::AbstractShape)</code> is a generic fallback.</li> <li> <code>calculate_area(c::Circle)</code> is a specific method for <code>Circle</code>.</li> <li> <code>calculate_area(r::Rectangle)</code> is a specific method for <code>Rectangle</code>.</li> </ul> </li> <li><p><strong>Multiple Dispatch:</strong> When you call <code>calculate_area(shape)</code>, Julia performs a runtime lookup on the <em>concrete type</em> of the <code>shape</code> variable. This is called <strong>dynamic dispatch</strong>.</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. In the first loop iteration, `shape` is a `Circle`. Julia sees this and **dispatches** the call to the `calculate_area(c::Circle)` method. 2. In the second iteration, `shape` is a `Rectangle`. Julia dispatches to the `calculate_area(r::Rectangle)` method. This mechanism allows you to write generic code (the `for` loop) that operates on the abstract concept (`AbstractShape`), while Julia handles executing the correct, specialized code automatically. </code></pre> </div> <ul> <li> <p><strong>Defining an Interface:</strong> The abstract type <code>AbstractShape</code> and the generic function <code>calculate_area(s::AbstractShape)</code> together define a "contract" or "interface." They state: "To be a usable shape in this system, you must provide a concrete method for <code>calculate_area</code>."</p> <ul> <li>The <code>MutableSquare</code> example proves this. We created <code>MutableSquare &lt;: AbstractShape</code>, but we <em>forgot</em> to provide a <code>calculate_area(s::MutableSquare)</code> method.</li> <li>When <code>calculate_area(s)</code> is called, Julia finds no specific method for <code>MutableSquare</code>. It falls back to the next most general method, <code>calculate_area(s::AbstractShape)</code>, which correctly throws our "not implemented" error. This is a feature, not a bug; it tells us our <code>MutableSquare</code> is incomplete.</li> </ul> </li> <li><p><strong>Performance:</strong> This is not the same as in many object-oriented languages. This dispatch is extremely fast. Even in this "worst-case" scenario of a heterogeneous, type-unstable array (<code>Vector{AbstractShape}</code>), Julia's dynamic dispatch is highly optimized. In cases where the compiler <em>can</em> infer the concrete type (e.g., in a loop over a <code>Vector{Circle}</code>), this dispatch is resolved at <strong>compile time</strong> and has <strong>zero runtime cost</strong>.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Methods":</strong> "In Julia, all named functions are <em>generic functions</em>. A generic function is conceptually a single function, but consists of many <em>methods</em>. A method is a definition of a function's behavior for a specific combination of argument types."</li> <li> <strong>Julia Official Documentation, Manual, "Dynamic Dispatch":</strong> "When a function is called, the most specific method applicable to the given arguments is executed."</li> </ul> </li> </ul> <h2> Parametric Types </h2> <h3> <code>0054_parametric_struct.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0054_parametric_struct.jl</span> <span class="c"># 1. Define a 'parametric struct'.</span> <span class="c"># The '{T}' is a type parameter. This makes 'Container' a</span> <span class="c"># generic blueprint, not a single concrete type.</span> <span class="c"># 'T' can be any type.</span> <span class="k">struct</span><span class="nc"> Container</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">value</span><span class="o">::</span><span class="n">T</span> <span class="k">end</span> <span class="c"># 2. Instantiate with an explicit type parameter.</span> <span class="c"># We create a 'Container{Float64}', where T=Float64.</span> <span class="n">c_float</span> <span class="o">=</span> <span class="n">Container</span><span class="x">{</span><span class="kt">Float64</span><span class="x">}(</span><span class="mf">10.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Container with explicit Float64:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Value: "</span><span class="x">,</span> <span class="n">c_float</span><span class="o">.</span><span class="n">value</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">c_float</span><span class="x">))</span> <span class="c"># 3. Instantiate with an implicit type parameter.</span> <span class="c"># We let Julia's constructor *infer* the type 'T'.</span> <span class="c"># By passing an Int, Julia creates a 'Container{Int64}'.</span> <span class="n">c_int</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="mi">20</span><span class="x">)</span> <span class="c"># Equivalent to Container{Int64}(20)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Container with inferred Int64:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Value: "</span><span class="x">,</span> <span class="n">c_int</span><span class="o">.</span><span class="n">value</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> <span class="c"># 4. 'T' can be *any* type, including non-isbits types.</span> <span class="n">c_string</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="s">"Hello"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Container with inferred String:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Value: "</span><span class="x">,</span> <span class="n">c_string</span><span class="o">.</span><span class="n">value</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">c_string</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Performance: isbits checks ---"</span><span class="x">)</span> <span class="c"># 5. The 'isbits' status of the struct depends on its *parameters*.</span> <span class="c"># Container{Float64} is immutable and holds an isbits type (Float64).</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Container{Float64}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Container</span><span class="x">{</span><span class="kt">Float64</span><span class="x">}))</span> <span class="c"># true</span> <span class="c"># Container{String} is immutable but holds a non-isbits type (String).</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Container{String}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Container</span><span class="x">{</span><span class="kt">String</span><span class="x">}))</span> <span class="c"># false</span> <span class="c"># 'Container' itself is not a concrete type, so it's not isbits.</span> <span class="c"># It's a "family" of types.</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Container): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Container</span><span class="x">))</span> <span class="c"># false</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>parametric types</strong>, Julia's version of generics (like C++ templates or C# generics). This is a core feature for writing code that is both <strong>reusable</strong> and <strong>high-performance</strong>.</p> <ul> <li><p><strong>Core Concept:</strong> A parametric <code>struct</code> is a "blueprint for a type." The <code>struct Container{T}</code> definition does not create a single type. Instead, it creates a <em>factory</em> that can produce an infinite family of types, like <code>Container{Float64}</code>, <code>Container{Int64}</code>, and <code>Container{String}</code>.</p></li> <li><p><strong>Type Parameter <code>{T}</code>:</strong> The <code>{T}</code> introduces a "type variable" named <code>T</code>. This <code>T</code> can then be used as a type annotation for the fields inside the <code>struct</code>, as we did with <code>value::T</code>.</p></li> <li><p><strong>Instantiation (Explicit vs. Implicit):</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Explicit:** `Container{Float64}(10.0)`: We explicitly tell Julia to "use the `Container` blueprint, setting `T = Float64`." 2. **Implicit:** `Container(20)`: We call the default constructor, passing an `Int64`. Julia's compiler infers that `T` must be `Int64` and automatically creates a `Container{Int64}`. </code></pre> </div> <ul> <li> <p><strong>Zero-Cost Abstraction (Performance):</strong> This is the crucial takeaway. When you create <code>c_int = Container(20)</code>, Julia's compiler generates a <strong>new, specialized, concrete type</strong> <code>Container{Int64}</code>. This specialized type is <em>just as fast</em> as if you had manually defined <code>struct IntContainer { value::Int64 }</code>.</p> <ul> <li>This is <strong>not</strong> like <code>Object</code> in Java. There is no boxing or dynamic dispatch to access <code>c_int.value</code>. The compiled code knows <em>exactly</em> where the <code>Int64</code> is stored.</li> <li> <strong><code>isbits</code> Status:</strong> The performance of the <code>Container</code> depends on what <code>T</code> is. <ul> <li> <code>isbitstype(Container{Float64})</code> is <strong><code>true</code></strong>. This type is immutable and its field is <code>isbits</code>, so it gets all the performance benefits: stack allocation, register passing, and inlined, contiguous array layouts.</li> <li> <code>isbitstype(Container{String})</code> is <strong><code>false</code></strong>. Because <code>String</code> is not <code>isbits</code> (it's a pointer to heap data), the resulting <code>Container{String}</code> struct is <em>also</em> not <code>isbits</code>. A <code>Vector{Container{String}}</code> would be an "array of pointers."</li> </ul> </li> </ul> </li> <li><p>This pattern lets you write one, generic, reusable <code>struct</code> and trust Julia's compiler to stamp out a specialized, high-performance version for every concrete type you use it with.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, Types, "Parametric Composite Types":</strong> "It is a common pattern that a type definition declares a composite type <code>Foo</code> that can hold values of type <code>T</code>. This is written in Julia as <code>struct Foo{T} ... end</code>."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0054_parametric_struct.jl Container with explicit Float64: Value: 10.0 Type: Container<span class="o">{</span>Float64<span class="o">}</span> Container with inferred Int64: Value: 20 Type: Container<span class="o">{</span>Int64<span class="o">}</span> Container with inferred String: Value: Hello Type: Container<span class="o">{</span>String<span class="o">}</span> <span class="nt">---</span> Performance: isbits checks <span class="nt">---</span> isbitstype<span class="o">(</span>Container<span class="o">{</span>Float64<span class="o">})</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Container<span class="o">{</span>String<span class="o">})</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Container<span class="o">)</span>: <span class="nb">false</span> </code></pre> </div> <h3> <code>0055_parametric_functions.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0055_parametric_functions.jl</span> <span class="c"># 1. Define our parametric struct from the previous lesson</span> <span class="k">struct</span><span class="nc"> Container</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">value</span><span class="o">::</span><span class="n">T</span> <span class="k">end</span> <span class="c"># 2. A generic function using the 'where {T}' syntax.</span> <span class="c"># This is the standard way to write functions for parametric types.</span> <span class="c">#</span> <span class="c"># Read as: "A function 'get_value' that takes 'c' of type 'Container{T}',</span> <span class="c"># 'where T' is some type. This function returns a value of type T."</span> <span class="k">function</span><span class="nf"> get_value</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Container</span><span class="x">{</span><span class="n">T</span><span class="x">})</span><span class="o">::</span><span class="n">T</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="c"># 'T' is available as a type *variable* inside the function.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Generic 'get_value(c::Container{T})' called, where T = "</span><span class="x">,</span> <span class="n">T</span><span class="x">)</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">value</span> <span class="k">end</span> <span class="c"># 3. A function that returns both the value and the *type*.</span> <span class="c"># This shows that 'T' is a real value (a 'DataType') inside the function.</span> <span class="k">function</span><span class="nf"> get_value_and_type</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Container</span><span class="x">{</span><span class="n">T</span><span class="x">})</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Function 'get_value_and_type' called, where T = "</span><span class="x">,</span> <span class="n">T</span><span class="x">)</span> <span class="k">return</span> <span class="x">(</span><span class="n">c</span><span class="o">.</span><span class="n">value</span><span class="x">,</span> <span class="n">T</span><span class="x">)</span> <span class="c"># Return a tuple</span> <span class="k">end</span> <span class="c"># 4. A *specific method* for Container{String}.</span> <span class="c"># This method is *more specific* than the generic 'where {T}' version.</span> <span class="k">function</span><span class="nf"> get_value</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Container</span><span class="x">{</span><span class="kt">String</span><span class="x">})</span><span class="o">::</span><span class="kt">String</span> <span class="n">println</span><span class="x">(</span><span class="s">"Specific 'get_value(c::Container{String})' called!"</span><span class="x">)</span> <span class="k">return</span> <span class="n">uppercase</span><span class="x">(</span><span class="n">c</span><span class="o">.</span><span class="n">value</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Script Execution ---</span> <span class="c"># 5. Create instances</span> <span class="n">c_int</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="mi">100</span><span class="x">)</span> <span class="c"># Container{Int64}</span> <span class="n">c_str</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="s">"hello"</span><span class="x">)</span> <span class="c"># Container{String}</span> <span class="n">c_flt</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="mf">3.14</span><span class="x">)</span> <span class="c"># Container{Float64}</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling generic methods ---"</span><span class="x">)</span> <span class="n">val_int</span> <span class="o">=</span> <span class="n">get_value</span><span class="x">(</span><span class="n">c_int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Got value: "</span><span class="x">,</span> <span class="n">val_int</span><span class="x">)</span> <span class="n">val_flt</span><span class="x">,</span> <span class="n">type_flt</span> <span class="o">=</span> <span class="n">get_value_and_type</span><span class="x">(</span><span class="n">c_flt</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Got value: "</span><span class="x">,</span> <span class="n">val_flt</span><span class="x">,</span> <span class="s">" | Got type: "</span><span class="x">,</span> <span class="n">type_flt</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling specific method (dispatch) ---"</span><span class="x">)</span> <span class="c"># 6. Julia's dispatch system will see that c_str is a Container{String}</span> <span class="c"># and select the *most specific* method available.</span> <span class="n">val_str</span> <span class="o">=</span> <span class="n">get_value</span><span class="x">(</span><span class="n">c_str</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Got value: "</span><span class="x">,</span> <span class="n">val_str</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to write <strong>functions</strong> that operate on the <strong>parametric types</strong> we just defined. This is where parametric types and multiple dispatch combine to create Julia's high-performance, generic code.</p> <ul> <li> <p><strong>Core Concept: <code>where {T}</code>:</strong></p> <ul> <li>The <code>where {T}</code> syntax is the key. It's how you "get" the type parameter from an argument.</li> <li>In the signature <code>function get_value(c::Container{T})::T where {T}</code>, we are telling Julia: <ol> <li> <code>c::Container{T}</code>: "This function accepts a <code>Container</code>, and I don't care what type it holds. Let's call that type <code>T</code>."</li> <li> <code>where {T}</code>: "Bind that unknown type <code>T</code> to a variable named <code>T</code> that I can use inside my function."</li> <li> <code>::T</code>: "I promise that this function will return a value of that same type <code>T</code>."</li> </ol> </li> <li>As shown in <code>get_value_and_type</code>, the variable <code>T</code> is a real value (a <code>DataType</code> object) that you can inspect, return, or use.</li> </ul> </li> <li> <p><strong>Performance: Compile-Time Specialization:</strong></p> <ul> <li>This is <strong>not</strong> like a generic <code>function(c::Container{Object})</code> in Java. There is no runtime "unboxing."</li> <li>When you first call <code>get_value(c_int)</code>, the compiler <em>sees</em> that <code>T</code> is <code>Int64</code>. It then <strong>generates and compiles a new, specialized method</strong> just for <code>Int64</code>:</li> </ul> <pre class="highlight julia"><code><span class="c"># This is what Julia effectively compiles:</span> <span class="k">function</span><span class="nf"> get_value</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Container</span><span class="x">{</span><span class="kt">Int64</span><span class="x">})</span><span class="o">::</span><span class="kt">Int64</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">value</span> <span class="k">end</span> </code></pre> <ul> <li>This specialized method is just as fast as if you had written it by hand. It knows <code>c.value</code> is an <code>Int64</code> and the return type is <code>Int64</code>. There is <strong>zero abstraction cost</strong>. A separate, fast version is also compiled for <code>Float64</code>.</li> </ul> </li> <li> <p><strong>Dispatch: Generic vs. Specific:</strong></p> <ul> <li>This script shows how parametric methods interact with multiple dispatch. We have two methods for the <code>get_value</code> function: <ol> <li> <code>get_value(c::Container{T}) where {T}</code> (The generic "catch-all")</li> <li> <code>get_value(c::Container{String})</code> (The specific "special case")</li> </ol> </li> <li>When we call <code>get_value(c_int)</code>, the <code>Container{Int64}</code> type does not match <code>Container{String}</code>. It falls back to the generic <code>where {T}</code> method, with <code>T</code> becoming <code>Int64</code>.</li> <li>When we call <code>get_value(c_str)</code>, the <code>Container{String}</code> type matches <strong>both</strong> methods. Julia's dispatch system follows the rule: <strong>"always pick the most specific method."</strong> </li> <li>Since <code>Container{String}</code> is <em>more specific</em> than <code>Container{T}</code>, the specialized string version is called, and we get the <code>uppercase</code> behavior.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Methods", "Parametric Methods":</strong> "Method definitions can be parameterized... When a function is called, the method with the most specific matching signature is invoked."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0055_parametric_functions.jl <span class="nt">---</span> Calling generic methods <span class="nt">---</span> Generic <span class="s1">'get_value(c::Container{T})'</span> called, where T <span class="o">=</span> Int64 Got value: 100 Function <span class="s1">'get_value_and_type'</span> called, where T <span class="o">=</span> Float64 Got value: 3.14 | Got <span class="nb">type</span>: Float64 <span class="nt">---</span> Calling specific method <span class="o">(</span>dispatch<span class="o">)</span> <span class="nt">---</span> Specific <span class="s1">'get_value(c::Container{String})'</span> called! Got value: HELLO </code></pre> </div> <h3> <code>0056_parametric_abstract.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0056_parametric_abstract.jl</span> <span class="c"># 1. Define a 'parametric abstract type'.</span> <span class="c"># This defines an interface for a *family* of generic types.</span> <span class="c"># It's a contract: "Any subtype must also be parameterized by a type T."</span> <span class="k">abstract type</span><span class="nc"> AbstractContainer</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="k">end</span> <span class="c"># 2. Define a concrete parametric struct that subtypes it.</span> <span class="c"># We 'pass through' the type parameter T to the abstract type.</span> <span class="k">struct</span><span class="nc"> ConcreteContainer</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">value</span><span class="o">::</span><span class="n">T</span> <span class="k">end</span> <span class="c"># 3. Define another concrete struct that *fixes* the type parameter.</span> <span class="c"># This struct is *not* parametric itself, but it fulfills the</span> <span class="c"># contract by subtyping a *specific* variant of the abstract type.</span> <span class="k">struct</span><span class="nc"> StringContainer</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="kt">String</span><span class="x">}</span> <span class="n">name</span><span class="o">::</span><span class="kt">String</span> <span class="n">value</span><span class="o">::</span><span class="kt">String</span> <span class="k">end</span> <span class="c"># 4. Define a generic function that operates on the abstract interface.</span> <span class="c"># This function will work on *any* type 'S' that is a subtype</span> <span class="c"># of AbstractContainer{T}, 'where T' is some type.</span> <span class="k">function</span><span class="nf"> get_abstract_value</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">S</span><span class="x">)</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="x">,</span> <span class="n">S</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="n">T</span><span class="x">}}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dispatching to generic AbstractContainer{T} method where T="</span><span class="x">,</span> <span class="n">T</span><span class="x">)</span> <span class="c"># We can't access c.value because we don't know</span> <span class="c"># if the struct has a 'value' field (e.g., StringContainer)</span> <span class="c"># We just return the type parameter we found.</span> <span class="k">return</span> <span class="n">T</span> <span class="k">end</span> <span class="c"># 5. Define a more specific (but still abstract) method.</span> <span class="c"># This will dispatch for *any* AbstractContainer that holds a 'String'.</span> <span class="k">function</span><span class="nf"> process_text_container</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">AbstractContainer</span><span class="x">{</span><span class="kt">String</span><span class="x">})</span> <span class="n">println</span><span class="x">(</span><span class="s">"Dispatching to specific AbstractContainer{String} method."</span><span class="x">)</span> <span class="c"># Here we still can't access c.value, but we know T is String.</span> <span class="k">end</span> <span class="c"># --- Script Execution ---</span> <span class="n">c_int</span> <span class="o">=</span> <span class="n">ConcreteContainer</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="c"># ConcreteContainer{Int64}</span> <span class="n">c_str</span> <span class="o">=</span> <span class="n">ConcreteContainer</span><span class="x">(</span><span class="s">"Hello"</span><span class="x">)</span> <span class="c"># ConcreteContainer{String}</span> <span class="n">s_str</span> <span class="o">=</span> <span class="n">StringContainer</span><span class="x">(</span><span class="s">"ID"</span><span class="x">,</span> <span class="s">"Data"</span><span class="x">)</span> <span class="c"># StringContainer</span> <span class="c"># 6. Call the generic function</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling generic get_abstract_value ---"</span><span class="x">)</span> <span class="n">get_abstract_value</span><span class="x">(</span><span class="n">c_int</span><span class="x">)</span> <span class="n">get_abstract_value</span><span class="x">(</span><span class="n">c_str</span><span class="x">)</span> <span class="n">get_abstract_value</span><span class="x">(</span><span class="n">s_str</span><span class="x">)</span> <span class="c"># 7. Call the more specific function</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling specific process_text_container ---"</span><span class="x">)</span> <span class="c"># process_text_container(c_int) # This would fail (MethodError)</span> <span class="n">process_text_container</span><span class="x">(</span><span class="n">c_str</span><span class="x">)</span> <span class="n">process_text_container</span><span class="x">(</span><span class="n">s_str</span><span class="x">)</span> <span class="c"># 8. Check the type hierarchy</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Type hierarchy checks ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"ConcreteContainer{Int64} &lt;: AbstractContainer{Int64}? "</span><span class="x">,</span> <span class="n">ConcreteContainer</span><span class="x">{</span><span class="kt">Int64</span><span class="x">}</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="kt">Int64</span><span class="x">})</span> <span class="n">println</span><span class="x">(</span><span class="s">"StringContainer &lt;: AbstractContainer{String}? "</span><span class="x">,</span> <span class="n">StringContainer</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="kt">String</span><span class="x">})</span> <span class="n">println</span><span class="x">(</span><span class="s">"StringContainer &lt;: AbstractContainer{Int64}? "</span><span class="x">,</span> <span class="n">StringContainer</span> <span class="o">&lt;:</span> <span class="n">AbstractContainer</span><span class="x">{</span><span class="kt">Int64</span><span class="x">})</span> </code></pre> </div> <h3> Explanation </h3> <p>This script combines the two previous concepts—<code>abstract type</code>s and <code>struct{T}</code>s—to create <strong>parametric abstract types</strong>. This is a powerful pattern for defining a generic "interface" for a whole family of types.</p> <ul> <li><p><strong>Core Concept:</strong> An <code>abstract type AbstractContainer{T} end</code> defines a contract for <em>generic</em> containers. It says, "Any type that claims to be a subtype of me must also specify what <code>T</code> it is."</p></li> <li><p><strong>Fulfilling the Contract:</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`ConcreteContainer{T} &lt;: AbstractContainer{T}`:** This is the most direct way. We create a new parametric `struct` and "pass through" the type parameter `T`. This says, "A `ConcreteContainer{Int}` **is a kind of** `AbstractContainer{Int}`." 2. **`StringContainer &lt;: AbstractContainer{String}`:** This is a more specialized way. The `StringContainer` *is not* generic (it only holds `String`s), but it fulfills the contract by declaring that it **is a kind of** `AbstractContainer{String}`. </code></pre> </div> <ul> <li> <p><strong>Dispatching on Parametric Abstract Types:</strong></p> <ul> <li>The function <code>get_abstract_value</code> shows the most generic form. Its signature <code>where {T, S &lt;: AbstractContainer{T}}</code> is the full, explicit way of saying: "I accept any type <code>S</code>, as long as that type <code>S</code> is a subtype of <code>AbstractContainer{T}</code> for <em>some</em> <code>T</code>."</li> <li>The function <code>process_text_container(c::AbstractContainer{String})</code> is much simpler. It accepts <em>any</em> object whose type is a subtype of <code>AbstractContainer{String}</code>.</li> </ul> </li> <li> <p><strong>How Dispatch Works:</strong></p> <ul> <li>When we call <code>process_text_container(c_str)</code>, Julia checks: Is <code>typeof(c_str)</code> (which is <code>ConcreteContainer{String}</code>) a subtype of <code>AbstractContainer{String}</code>? The check is <code>true</code>, so the call succeeds.</li> <li>When we call <code>process_text_container(s_str)</code>, Julia checks: Is <code>typeof(s_str)</code> (which is <code>StringContainer</code>) a subtype of <code>AbstractContainer{String}</code>? The check is <code>true</code>, so the call succeeds.</li> <li>A call with <code>c_int</code> (<code>ConcreteContainer{Int64}</code>) would fail, because <code>ConcreteContainer{Int64}</code> is <strong>not</strong> a subtype of <code>AbstractContainer{String}</code>.</li> </ul> </li> <li><p><strong>Parametric Invariance:</strong> This last point is critical. <code>ConcreteContainer{Int64}</code> is <strong>not</strong> related to <code>ConcreteContainer{String}</code>. A generic type <code>Foo{T}</code> is <strong>invariant</strong> in its type parameter. This strictness is what allows the compiler to generate highly specialized, fast code, as it never has to guess what <code>T</code> might be.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, Types, "Parametric Abstract Types":</strong> "Parametric abstract types are a useful way to define a hierarchy of types on a common parametric structure."</li> <li> <strong>Julia Official Documentation, Manual, "Types", "Parametric Types" (on Invariance):</strong> "A <code>Container{Int}</code> is not a subtype of <code>Container{Number}</code>, even though <code>Int &lt;: Number</code>."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0056_parametric_abstract.jl <span class="nt">---</span> Calling generic get_abstract_value <span class="nt">---</span> Dispatching to generic AbstractContainer<span class="o">{</span>T<span class="o">}</span> method where <span class="nv">T</span><span class="o">=</span>Int64 Dispatching to generic AbstractContainer<span class="o">{</span>T<span class="o">}</span> method where <span class="nv">T</span><span class="o">=</span>String Dispatching to generic AbstractContainer<span class="o">{</span>T<span class="o">}</span> method where <span class="nv">T</span><span class="o">=</span>String <span class="nt">---</span> Calling specific process_text_container <span class="nt">---</span> Dispatching to specific AbstractContainer<span class="o">{</span>String<span class="o">}</span> method. Dispatching to specific AbstractContainer<span class="o">{</span>String<span class="o">}</span> method. <span class="nt">---</span> Type hierarchy checks <span class="nt">---</span> ConcreteContainer<span class="o">{</span>Int64<span class="o">}</span> &lt;: AbstractContainer<span class="o">{</span>Int64<span class="o">}</span>? <span class="nb">true </span>StringContainer &lt;: AbstractContainer<span class="o">{</span>String<span class="o">}</span>? <span class="nb">true </span>StringContainer &lt;: AbstractContainer<span class="o">{</span>Int64<span class="o">}</span>? <span class="nb">false</span> </code></pre> </div> <h2> Modules Code Organisation </h2> <h3> <code>0057_module_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0057_module_basics.jl</span> <span class="c"># 1. Define a 'module' to create a new, separate namespace.</span> <span class="c"># Modules are Julia's primary way to organize code into logical units</span> <span class="c"># and prevent name collisions.</span> <span class="k">module</span> <span class="n">MyGeometry</span> <span class="c"># 2. We can define types inside the module.</span> <span class="k">abstract type</span><span class="nc"> AbstractShape</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">radius</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">width</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">height</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 3. We can define functions inside the module.</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Circle</span><span class="x">)</span> <span class="k">return</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">c</span><span class="o">.</span><span class="n">radius</span><span class="o">^</span><span class="mi">2</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">r</span><span class="o">::</span><span class="n">Rectangle</span><span class="x">)</span> <span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">width</span> <span class="o">*</span> <span class="n">r</span><span class="o">.</span><span class="n">height</span> <span class="k">end</span> <span class="c"># 4. We can define private helper functions.</span> <span class="c"># By default, all names are "private" (not exported).</span> <span class="k">function</span><span class="nf"> _helper_function</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"This is a private helper."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 5. We can define global constants.</span> <span class="kd">const</span> <span class="n">PI_Approximation</span> <span class="o">=</span> <span class="mf">3.14159</span> <span class="k">end</span> <span class="c"># --- End of module MyGeometry ---</span> <span class="c"># 6. The module 'MyGeometry' now exists as a global object.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Accessing the module from 'Main' ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of MyGeometry: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">MyGeometry</span><span class="x">))</span> <span class="c"># 7. To access anything *inside* the module, we MUST use dot-notation.</span> <span class="c"># This is called a "qualified name".</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Accessing constant: "</span><span class="x">,</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">PI_Approximation</span><span class="x">)</span> <span class="c"># 8. Create an instance of a type defined in the module.</span> <span class="n">c</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">Circle</span><span class="x">(</span><span class="mf">10.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Created instance: "</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="c"># 9. Call a function defined in the module.</span> <span class="n">area</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">calculate_area</span><span class="x">(</span><span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculated area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>module</code>s</strong>, which are Julia's system for code organization, encapsulation, and namespace management. They are the direct equivalent of Python modules/packages, C++ namespaces, or Rust modules.</p> <ul> <li> <p><strong>Core Concept: Namespace</strong><br> A <code>module</code> creates a new, isolated <strong>global scope</strong>. Names defined inside <code>module MyGeometry ... end</code> (like <code>Circle</code> or <code>calculate_area</code>) are completely separate from names defined outside (in the default <code>Main</code> scope).</p> <ul> <li>This is the primary tool for building large applications. It prevents you from accidentally overwriting a function from another library that has the same name. For example, <code>MyGeometry.calculate_area</code> is a different function from <code>SomeOtherLibrary.calculate_area</code>.</li> </ul> </li> <li> <p><strong>Accessing Module Contents: Dot Notation</strong></p> <ul> <li>Once the <code>MyGeometry</code> module is defined, it exists as a single object in the <code>Main</code> (top-level) scope.</li> <li>To access any name <em>inside</em> this module from the <em>outside</em>, you <strong>must</strong> use a <strong>qualified name</strong> with dot notation.</li> <li> <code>MyGeometry.Circle</code> refers to the <code>Circle</code> <code>struct</code> defined inside <code>MyGeometry</code>.</li> <li> <code>MyGeometry.calculate_area(c)</code> refers to the <code>calculate_area</code> function inside <code>MyGeometry</code>.</li> </ul> </li> <li> <p><strong>Encapsulation (Privacy)</strong></p> <ul> <li>By default, all names defined inside a module are "private" in the sense that they are not exported. You can <em>always</em> access them with the dot notation (e.g., <code>MyGeometry._helper_function()</code>), so it's not "true" privacy like in C++.</li> <li>The <code>export</code> keyword (covered in a later lesson) is used to <em>publicly</em> list which names are intended for users, allowing them to be brought into scope with <code>using</code>.</li> <li>The convention is that names beginning with an underscore (e.g., <code>_helper_function</code>) are considered internal to the module and should not be used by external code, even though it's technically possible.</li> </ul> </li> <li> <p><strong>Modules and Files</strong></p> <ul> <li>This example shows a module defined in the <em>same file</em> it's used in.</li> <li>The more common pattern is to put <code>module MyGeometry ... end</code> in its own file (e.g., <code>MyGeometry.jl</code>) and then load it into another file using <code>include("MyGeometry.jl")</code>. This will be the subject of the next lesson.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Modules":</strong> "Modules are separate global variable workspaces... This prevents unrelated code from accidentally clobbering one another's global variables."</li> <li> <strong>Julia Official Documentation, Manual, "Modules":</strong> "A module is a new global scope... code in one module cannot directly access a global variable in another module."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0057_module_basics.jl <span class="nt">---</span> Accessing the module from <span class="s1">'Main'</span> <span class="nt">---</span> Type of MyGeometry: Module Accessing constant: 3.14159 Created instance: MyGeometry.Circle<span class="o">(</span>10.0<span class="o">)</span> Calculated area: 314.1592653589793 </code></pre> </div> <p><em>This lesson requires you to first create a new file, <code>MyGeometry.jl</code>, containing the module from the previous lesson.</em></p> <h3> File 1: <code>MyGeometry.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># MyGeometry.jl</span> <span class="c"># This file contains our module definition.</span> <span class="k">module</span> <span class="n">MyGeometry</span> <span class="c"># 1. Define types</span> <span class="k">abstract type</span><span class="nc"> AbstractShape</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">radius</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">width</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">height</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 2. Define functions</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Circle</span><span class="x">)</span> <span class="k">return</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">c</span><span class="o">.</span><span class="n">radius</span><span class="o">^</span><span class="mi">2</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">r</span><span class="o">::</span><span class="n">Rectangle</span><span class="x">)</span> <span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">width</span> <span class="o">*</span> <span class="n">r</span><span class="o">.</span><span class="n">height</span> <span class="k">end</span> <span class="c"># 3. Define a "private" helper</span> <span class="k">function</span><span class="nf"> _helper_function</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"This is a private helper."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 4. Define a constant</span> <span class="kd">const</span> <span class="n">PI_Approximation</span> <span class="o">=</span> <span class="mf">3.14159</span> <span class="c"># We will add 'export' in a later lesson.</span> <span class="c"># For now, nothing is exported.</span> <span class="k">end</span> <span class="c"># --- End of module MyGeometry ---</span> </code></pre> </div> <h3> File 2: <code>0058_module_access.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0058_module_access.jl</span> <span class="c"># 1. 'include()' parses and executes the contents of the file.</span> <span class="c"># This is like copy-pasting 'MyGeometry.jl' right here.</span> <span class="c"># This line finds the file, runs it, and the 'MyGeometry'</span> <span class="c"># module becomes defined in our 'Main' global scope.</span> <span class="n">include</span><span class="x">(</span><span class="s">"MyGeometry.jl"</span><span class="x">)</span> <span class="c"># 2. We can now access the module, just as before.</span> <span class="c"># We MUST use the qualified name (dot-notation).</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Accessing module from separate file ---"</span><span class="x">)</span> <span class="n">c</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">Circle</span><span class="x">(</span><span class="mf">5.0</span><span class="x">)</span> <span class="n">area</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">calculate_area</span><span class="x">(</span><span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Created instance: "</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculated area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> <span class="c"># 3. The namespace 'Main' is *not* polluted.</span> <span class="c"># The name 'Circle' only exists *inside* MyGeometry.</span> <span class="c"># This line will fail, as 'Circle' is not defined in 'Main'.</span> <span class="k">try</span> <span class="n">c_fail</span> <span class="o">=</span> <span class="n">Circle</span><span class="x">(</span><span class="mf">2.0</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Caught expected error:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the standard way to load a module from a separate file using <code>include()</code>.</p> <ul> <li> <p><strong>Core Concept: <code>include()</code>:</strong></p> <ul> <li>The <code>include(path)</code> function is a simple, direct command. It tells Julia to "pause execution of this file, go read the file at <code>path</code>, execute all the code in it from top to bottom, and then come back and continue."</li> <li>It is <strong>equivalent to textual copy-pasting</strong>. After the <code>include("MyGeometry.jl")</code> line, our script behaves <em>exactly</em> as if the entire <code>module MyGeometry ... end</code> block was written at that spot.</li> <li>This is the primary mechanism for splitting a large program into multiple files.</li> </ul> </li> <li> <p><strong>Namespace is Still Separate:</strong></p> <ul> <li>A common mistake is to assume <code>include()</code> "imports" the names from the module. It does not.</li> <li> <code>include()</code> simply runs the file. The file's code defines a <em>single</em> new name in our <code>Main</code> scope: the module object <code>MyGeometry</code>.</li> <li>All the other names (<code>Circle</code>, <code>Rectangle</code>, <code>calculate_area</code>) still exist <strong>only inside</strong> the <code>MyGeometry</code> namespace.</li> <li>The <code>try...catch</code> block proves this. Attempting to access <code>Circle</code> directly fails with a <code>MethodError</code> (or <code>UndefVarError</code>) because the name <code>Circle</code> does not exist in <code>Main</code>. You <em>must</em> still use the fully qualified name: <code>MyGeometry.Circle</code>.</li> </ul> </li> <li> <p><strong><code>include</code> vs. <code>using</code>/<code>import</code>:</strong></p> <ul> <li> <code>include(filename)</code>: This is how you <strong>load code from a file</strong>. You do this <em>once</em> per file.</li> <li> <code>using ModuleName</code> / <code>import ModuleName</code>: This is how you <strong>bring names from an <em>already-loaded</em> module</strong> into your current namespace. This is the subject of the next lesson.</li> <li>The standard pattern is: <ol> <li> <code>include("MyGeometry.jl")</code> (to load the code and create the module)</li> <li> <code>using .MyGeometry</code> (to make its exported names available)</li> </ol> </li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Modules":</strong> "Files are included using the <code>include</code> function... The <code>include</code> function evaluates the contents of a source file in the context of the <em>calling</em> module."</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You must have <code>MyGeometry.jl</code> in the same directory)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0058_module_access.jl <span class="nt">---</span> Accessing module from separate file <span class="nt">---</span> Created instance: MyGeometry.Circle<span class="o">(</span>5.0<span class="o">)</span> Calculated area: 78.53981633974483 Caught expected error: UndefVarError: <span class="sb">`</span>Circle<span class="sb">`</span> not defined <span class="o">[</span>...] </code></pre> </div> <h2> Using Vs Import </h2> <h3> <code>0059_using_vs_import.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0059_using_vs_import.jl</span> <span class="c"># 1. First, we MUST load the code from the file.</span> <span class="c"># 'include' executes the file, defining the 'MyGeometry' module</span> <span class="c"># in our current (Main) scope.</span> <span class="n">include</span><span class="x">(</span><span class="s">"MyGeometry.jl"</span><span class="x">)</span> <span class="c"># We will now explore the three different ways to access</span> <span class="c"># the contents of the *already-loaded* 'MyGeometry' module.</span> <span class="c"># --- Method 1 (Recommended): Full Qualification ---</span> <span class="c"># We do nothing special, and just use the fully qualified name.</span> <span class="c"># This is what we did in the previous lesson.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Method 1: Full Qualification ---"</span><span class="x">)</span> <span class="n">c1</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">Circle</span><span class="x">(</span><span class="mf">1.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Created: "</span><span class="x">,</span> <span class="n">c1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Area: "</span><span class="x">,</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">calculate_area</span><span class="x">(</span><span class="n">c1</span><span class="x">))</span> <span class="c"># --- Method 2 (Safe &amp; Explicit): 'import .MyGeometry: Name, ...' ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Method 2: import .MyGeometry: Circle ---"</span><span class="x">)</span> <span class="c"># The '.' is critical. It tells Julia to look for 'MyGeometry'</span> <span class="c"># *relative* to our current module (Main), not in the list</span> <span class="c"># of installed packages.</span> <span class="k">import</span> <span class="o">.</span><span class="n">MyGeometry</span><span class="o">:</span> <span class="n">Circle</span><span class="x">,</span> <span class="n">calculate_area</span> <span class="c"># Now we can call 'Circle' and 'calculate_area' directly.</span> <span class="n">c2</span> <span class="o">=</span> <span class="n">Circle</span><span class="x">(</span><span class="mf">2.0</span><span class="x">)</span> <span class="c"># This is MyGeometry.Circle</span> <span class="n">area2</span> <span class="o">=</span> <span class="n">calculate_area</span><span class="x">(</span><span class="n">c2</span><span class="x">)</span> <span class="c"># This is MyGeometry.calculate_area</span> <span class="n">println</span><span class="x">(</span><span class="s">" Created: "</span><span class="x">,</span> <span class="n">c2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Area: "</span><span class="x">,</span> <span class="n">area2</span><span class="x">)</span> <span class="c"># However, 'Rectangle' was *not* imported. We must still qualify it.</span> <span class="k">try</span> <span class="n">r_fail</span> <span class="o">=</span> <span class="n">Rectangle</span><span class="x">(</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">1.0</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">" Caught expected error: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># This is the correct, qualified way:</span> <span class="n">r_ok</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">Rectangle</span><span class="x">(</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">1.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Created Rectangle via qualified name: "</span><span class="x">,</span> <span class="n">r_ok</span><span class="x">)</span> <span class="c"># --- Method 3 (Discouraged): 'using .MyGeometry' ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Method 3: using .MyGeometry ---"</span><span class="x">)</span> <span class="c"># NEVER EVER DO THIS. DON'T EVEN TRY.</span> <span class="c"># There are cosmic forces at play here, who sense everying time</span> <span class="c"># you use 'using'. You do not want to incur their wrath.</span> <span class="c"># Stay away from importing the entire namespace into the global scope.</span> <span class="c"># Just don't do it.</span> <span class="c"># It's not worth it.</span> <span class="k">using</span> <span class="o">.</span><span class="n">MyGeometry</span> <span class="c"># But since we didn't 'export' anything, we aren't bringing anything into</span> <span class="c"># scope</span> <span class="k">try</span> <span class="c"># This fails, because 'Rectangle' was not exported.</span> <span class="n">r</span> <span class="o">=</span> <span class="n">Rectangle</span><span class="x">(</span><span class="mf">3.0</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">" Caught expected error: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># We *still* have to use the qualified name.</span> <span class="n">r</span> <span class="o">=</span> <span class="n">MyGeometry</span><span class="o">.</span><span class="n">Rectangle</span><span class="x">(</span><span class="mf">3.0</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Must still use qualified name: "</span><span class="x">,</span> <span class="n">r</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the critical differences between <code>import</code> and <code>using</code> for controlling how names from a module are accessed. A clean, explicit namespace is a key component of robust, maintainable systems.</p> <ul> <li> <p><strong>Step 0: <code>include()</code> and <code>.</code> Syntax</strong></p> <ul> <li>First, we <em>must</em> call <code>include("MyGeometry.jl")</code>. This is the <strong>loader</strong>. It executes the file, which defines the <code>MyGeometry</code> module object inside our current module (which is <code>Main</code> by default).</li> <li> <strong>The <code>.</code> Prefix:</strong> When we write <code>import MyGeometry</code>, Julia assumes we mean an <em>installed package</em> from our environment. This fails. The <code>.</code> prefix in <code>import .MyGeometry</code> is critical: it makes the path <strong>relative</strong>. It tells Julia, "Look for a module named <code>MyGeometry</code> that is <em>already loaded inside my current module</em>." This is the correct way to refer to modules you have loaded with <code>include</code>.</li> </ul> </li> <li> <p><strong>Method 1: Full Qualification (Safest)</strong><br> This is the simplest, safest, and most explicit method. You use the full <code>MyGeometry.Circle</code> and <code>MyGeometry.calculate_area</code> names.</p> <ul> <li> <strong>Pro:</strong> It is 100% clear where <code>Circle</code> and <code>calculate_area</code> are defined. There is zero chance of a name collision.</li> <li> <strong>Con:</strong> It can be verbose.</li> </ul> </li> <li> <p><strong>Method 2: <code>import .MyGeometry: Name</code> (Recommended)</strong><br> This is the recommended pattern for balancing clarity and convenience.</p> <ul> <li> <code>import .MyGeometry: Circle, calculate_area</code> states, "From the <code>MyGeometry</code> module in my current scope, bring <em>only</em> the <code>Circle</code> and <code>calculate_area</code> names into my namespace."</li> <li> <strong>Pro:</strong> It is still explicit. A developer reading the top of the file sees a precise list of imported names. You can use <code>Circle</code> directly, but <code>Rectangle</code> (which we didn't import) still requires <code>MyGeometry.Rectangle</code>.</li> <li> <strong>Con:</strong> You have to list every name you want to use.</li> </ul> </li> <li> <p><strong>Method 3: <code>using .MyGeometry</code> (Strongly Discouraged)</strong><br> This command is the most "magical" and the most likely to cause problems in large projects.</p> <ul> <li> <strong><code>using</code> vs. <code>export</code>:</strong> <code>using .MyGeometry</code> tells Julia, "Find all names that <code>MyGeometry</code> has <em>publicly exported</em> and dump them into my current scope." Our <code>MyGeometry.jl</code> file does not contain an <code>export</code> statement yet, so it exports <em>nothing</em>. This is why <code>using .MyGeometry</code> does not make <code>Rectangle</code> available.</li> <li> <strong>The "Namespace Pollution" Problem:</strong> Even if our module <em>did</em> export <code>Rectangle</code>, <code>using .MyGeometry</code> is discouraged. If you have ten <code>using</code> statements at the top of your file and you see the name <code>Rectangle()</code> in your code, you have no way of knowing which of those ten modules it came from. This is "namespace pollution."</li> <li> <strong>Guideline:</strong> Avoid <code>using</code>. It makes code harder to read and debug by obscuring the origin of names. The explicit <code>import .MyGeometry: ...</code> or fully qualified <code>MyGeometry.Rectangle</code> are strongly preferred for writing clear, maintainable, and unambiguous code.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Modules":</strong> "The <code>import ... :</code> syntax allows importing specific names from a module... The <code>using</code> keyword... brings <em>all exported</em> names from a module into the current scope."</li> <li> <strong>Julia Official Documentation, Manual, "Code Loading":</strong> Explains relative imports: "A <code>using</code> or <code>import</code> statement with a leading dot (<code>.</code>) is a <em>relative</em> import."</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You must have <code>MyGeometry.jl</code> from lesson 0058 in the same directory)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0059_using_vs_import.jl <span class="nt">---</span> Method 1: Full Qualification <span class="nt">---</span> Created: MyGeometry.Circle<span class="o">(</span>1.0<span class="o">)</span> Area: 3.141592653589793 <span class="nt">---</span> Method 2: import .MyGeometry: Circle <span class="nt">---</span> Created: Circle<span class="o">(</span>2.0<span class="o">)</span> Area: 12.566370614359172 Caught expected error: UndefVarError: <span class="sb">`</span>Rectangle<span class="sb">`</span> not defined Created Rectangle via qualified name: MyGeometry.Rectangle<span class="o">(</span>1.0, 1.0<span class="o">)</span> <span class="nt">---</span> Method 3: using .MyGeometry <span class="nt">---</span> Caught expected error: UndefVarError: <span class="sb">`</span>Rectangle<span class="sb">`</span> not defined Must still use qualified name: MyGeometry.Rectangle<span class="o">(</span>3.0, 3.0<span class="o">)</span> </code></pre> </div> <p><em>This lesson requires a new module file, <code>MyGeometry2.jl</code>, to demonstrate the <code>export</code> keyword.</em></p> <h3> File 1: <code>MyGeometry2.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># MyGeometry2.jl</span> <span class="c"># This file defines a module that uses the 'export' keyword.</span> <span class="k">module</span> <span class="n">MyGeometry2</span> <span class="c"># 1. 'export' lists the names that are considered the "public API"</span> <span class="c"># of this module. These are the names that 'using .MyGeometry2'</span> <span class="c"># will bring into the main namespace.</span> <span class="k">export</span> <span class="n">AbstractShape</span><span class="x">,</span> <span class="n">Circle</span><span class="x">,</span> <span class="n">Rectangle</span><span class="x">,</span> <span class="n">calculate_area</span> <span class="c"># 2. Define types</span> <span class="k">abstract type</span><span class="nc"> AbstractShape</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Circle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">radius</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> Rectangle</span> <span class="o">&lt;:</span> <span class="n">AbstractShape</span> <span class="n">width</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">height</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="c"># 3. Define functions</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Circle</span><span class="x">)</span> <span class="k">return</span> <span class="nb">π</span> <span class="o">*</span> <span class="n">c</span><span class="o">.</span><span class="n">radius</span><span class="o">^</span><span class="mi">2</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> calculate_area</span><span class="x">(</span><span class="n">r</span><span class="o">::</span><span class="n">Rectangle</span><span class="x">)</span> <span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">width</span> <span class="o">*</span> <span class="n">r</span><span class="o">.</span><span class="n">height</span> <span class="k">end</span> <span class="c"># 4. This helper function is *NOT* exported.</span> <span class="c"># It is "private" and can only be accessed via</span> <span class="c"># the qualified name 'MyGeometry2._helper_function()'.</span> <span class="k">function</span><span class="nf"> _helper_function</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"This is a private helper."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># --- End of module MyGeometry2 ---</span> </code></pre> </div> <h3> File 2: <code>0060_export.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0060_export.jl</span> <span class="c"># 1. Load the new module file.</span> <span class="n">include</span><span class="x">(</span><span class="s">"MyGeometry2.jl"</span><span class="x">)</span> <span class="c"># 2. Demonstrate 'using .MyGeometry2'</span> <span class="c"># Because MyGeometry2.jl *uses* 'export', this command</span> <span class="c"># now dumps all exported names into our 'Main' scope.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Demonstrating 'using .MyGeometry2' ---"</span><span class="x">)</span> <span class="k">using</span> <span class="o">.</span><span class="n">MyGeometry2</span> <span class="c"># 3. We can now access the *exported* names directly.</span> <span class="c"># This is "namespace pollution" - it's unclear where</span> <span class="c"># 'Circle' and 'calculate_area' are coming from.</span> <span class="n">c</span> <span class="o">=</span> <span class="n">Circle</span><span class="x">(</span><span class="mf">10.0</span><span class="x">)</span> <span class="n">area</span> <span class="o">=</span> <span class="n">calculate_area</span><span class="x">(</span><span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Created instance: "</span><span class="x">,</span> <span class="n">c</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Calculated area: "</span><span class="x">,</span> <span class="n">area</span><span class="x">)</span> <span class="c"># 4. The *non-exported* name '_helper_function' is not in scope.</span> <span class="c"># This correctly fails.</span> <span class="k">try</span> <span class="n">_helper_function</span><span class="x">()</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s"> Caught expected error (not exported): "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 5. We can still access the non-exported name *with qualification*.</span> <span class="c"># 'export' only controls 'using'; it does not prevent</span> <span class="c"># direct, qualified access.</span> <span class="n">println</span><span class="x">(</span><span class="s">" Calling private function with qualification:"</span><span class="x">)</span> <span class="n">MyGeometry2</span><span class="o">.</span><span class="n">_helper_function</span><span class="x">()</span> </code></pre> </div> <h3> Explanation </h3> <p>This script completes our module lessons by introducing the <strong><code>export</code></strong> keyword, which creates a module's "public API."</p> <ul> <li> <p><strong>Core Concept: <code>export</code></strong><br> The <code>export</code> keyword specifies a list of names that are intended for public use. It works hand-in-hand with <code>using</code>:</p> <ul> <li> <code>export Circle, calculate_area</code> says: "If a user writes <code>using .MyGeometry2</code>, I give them permission to pull <code>Circle</code> and <code>calculate_area</code> into their namespace."</li> <li> <code>_helper_function</code> was <strong>not</strong> in the <code>export</code> list, so <code>using .MyGeometry2</code> does <strong>not</strong> bring it into the namespace.</li> </ul> </li> <li> <p><strong><code>using</code> Re-examined (The "Polluting" Behavior)</strong><br> As this lesson shows, <code>using .MyGeometry2</code> now "works." It finds the <code>export</code> list and defines <code>Circle</code>, <code>Rectangle</code>, <code>AbstractShape</code>, and <code>calculate_area</code> in our <code>Main</code> scope.</p> <ul> <li> <strong>The Problem:</strong> While this is convenient for small scripts, it is <strong>strongly discouraged</strong> in any serious project. When you read the line <code>c = Circle(10.0)</code>, you have no immediate, local information to tell you <em>which</em> module defined <code>Circle</code>. If you have ten <code>using</code> statements, you would have to check all ten modules to find its origin.</li> <li>This is known as <strong>namespace pollution</strong>, and it makes code difficult to read, debug, and maintain.</li> </ul> </li> <li> <p><strong><code>export</code> Does Not Mean "Private"</strong><br> A critical, final point: <code>export</code> does not enforce privacy. As shown in step 5, you can <em>always</em> access any name inside a module using the fully qualified <code>MyGeometry2._helper_function()</code> syntax.</p> <ul> <li> <code>export</code> is not a security feature; it is a <strong>namespace management</strong> feature. It's a "politeness" contract that allows <code>using</code> to be convenient, but it doesn't (and shouldn't) stop a determined user from accessing internal functions.</li> <li>The underscore prefix (e.g., <code>_helper_function</code>) is the <em>real</em> "do not touch" signal to other developers.</li> </ul> </li> <li><p><strong>Final Guideline:</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Full Qualification:** `MyGeometry2.Circle(10.0)` is the clearest and safest method. 2. **Explicit Import:** `import .MyGeometry2: Circle` is the best compromise. 3. **`using` (and `export`):** Avoid this pattern in favor of the first two. It is better to be explicit about where your names come from. </code></pre> </div> <ul> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Modules":</strong> "<code>export</code> specifies which names a module provides for other modules to use... When <code>using M</code>, only the names exported by <code>M</code> are brought into scope."</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You must have <code>MyGeometry2.jl</code> from this lesson in the same directory)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0060_export.jl <span class="nt">---</span> Demonstrating <span class="s1">'using .MyGeometry2'</span> <span class="nt">---</span> Created instance: Circle<span class="o">(</span>10.0<span class="o">)</span> Calculated area: 314.1592653589793 Caught expected error <span class="o">(</span>not exported<span class="o">)</span>: UndefVarError: <span class="sb">`</span>_helper_function<span class="sb">`</span> not defined Calling private <span class="k">function </span>with qualification: This is a private helper. </code></pre> </div> <h1> Module 6: High-Performance Techniques </h1> <h2> Type Stability And Diagnosis </h2> <h3> <code>0061_type_stability_intro.md</code> </h3> <p>This is the <strong>single most important concept</strong> for writing high-performance Julia code.</p> <h3> What is Type Stability? </h3> <p>A function is <strong>type-stable</strong> if the <strong>type of its output</strong> can be inferred <em>by the compiler</em> purely from the <strong>types of its inputs</strong>.</p> <ul> <li><p><strong>Type-Stable (Fast):</strong><br> <code>function add_one(x::Int64) ... end</code><br> The compiler knows: "If I put an <code>Int64</code> in, I will <em>always</em> get an <code>Int64</code> out." It can generate specialized, fast machine code for this specific case.</p></li> <li><p><strong>Type-Unstable (Slow):</strong><br> <code>function parse_number(s::String) ... end</code><br> The compiler does not know what this function will return. If <code>s</code> is <code>"1"</code>, it might return an <code>Int</code>. If <code>s</code> is <code>"1.0"</code>, it might return a <code>Float64</code>. The output type is <em>unknowable</em> from the input type.</p></li> </ul> <h3> Why is This the Key to Performance? </h3> <p>Julia's performance comes from its Just-In-Time (JIT) compiler, which specializes and compiles code <em>for the specific types</em> it sees at runtime. <strong>Type-stability is what allows this specialization to happen.</strong></p> <p>Consider this function call: <code>my_func(x)</code>.</p> <h4> 1. The Fast Path (Type-Stable) </h4> <p>If <code>my_func</code> is type-stable, the compiler knows the <em>exact</em> type of its return value. This allows it to generate hyper-optimized machine code:</p> <ol> <li> <strong>Specialization:</strong> The compiler generates a version of the function <code>my_func_Int64</code> that <em>only</em> works on <code>Int</code>s.</li> <li> <strong>No Type-Checking:</strong> Inside this specialized function, it doesn't need to check the type of <code>x</code>. It <em>knows</em> <code>x</code> is an <code>Int64</code>.</li> <li> <strong>Static Dispatch:</strong> When <code>my_func</code> calls another function, like <code>x + 1</code>, the compiler knows this is <code>Int64 + Int64</code> and can emit the <em>single machine instruction</em> for integer addition (<code>addq</code>).</li> <li> <strong>Inlining:</strong> The compiler can "inline" the function, essentially copy-pasting its machine code directly into the code that called it, eliminating all function call overhead.</li> </ol> <p>The result is machine code that is identical in speed to C or Fortran.</p> <h4> 2. The Slow Path (Type-Unstable) </h4> <p>If <code>my_func</code> is type-unstable, the compiler <strong>cannot</strong> know the type of its return value. This forces it to generate slow, generic, "fallback" code:</p> <ol> <li> <strong>No Specialization:</strong> The compiler cannot create a specialized version because it doesn't know what types to specialize for.</li> <li> <strong>Runtime Type-Checking:</strong> When <code>my_func</code> returns, the code that called it must <em>check the type</em> of the returned value at runtime: "Did I get an <code>Int</code>? Or a <code>Float64</code>? Or a <code>String</code>?"</li> <li> <strong>Dynamic Dispatch:</strong> When this unstable value is used (e.g., <code>result + 1</code>), the program must <em>at runtime</em> look up the correct method. "I have a <code>result</code>... what is its type? OK, it's a <code>Float64</code>. Now, where is the function for <code>Float64 + Int64</code>? OK, call that." This lookup is called <strong>dynamic dispatch</strong> and it is orders of magnitude slower than a direct static call.</li> <li> <strong>Boxing:</strong> The compiler must "box" the value in a generic container that holds both the data and a <em>pointer to its type information</em>. This creates heap allocations and adds pointer-chasing overhead.</li> </ol> <p><strong>Analogy:</strong> A type-stable function is like a pre-plumbed pipe. An <code>Int64</code> flows in one end, and the compiler knows an <code>Int64</code> will come out the other. A type-unstable function is a pipe that ends in a "magic box," and you have no idea what will come out until it does.</p> <p>In the next lessons, we will learn to use the <code>@code_warntype</code> macro, our primary tool for <em>diagnosing</em> type instability.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> "Write 'type-stable' functions." (This is the #1 performance tip).</li> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> "Avoid changing the type of a variable. When the type of a variable changes, the compiler may not be able to specialize... This is known as 'type-instability'."</li> </ul> </li> </ul> <h3> <code>0062_type_stable_function.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0062_type_stable_function.jl</span> <span class="k">import</span> <span class="n">InteractiveUtils</span><span class="o">:</span> <span class="nd">@code_warntype</span> <span class="c"># 1. A function that is type-stable.</span> <span class="c"># The compiler can infer 100% of the types.</span> <span class="c"># Input 'Int64' -&gt; Output 'Int64'</span> <span class="k">function</span><span class="nf"> add_one_stable</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="kt">Int64</span><span class="x">)</span> <span class="k">return</span> <span class="n">x</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">end</span> <span class="c"># 2. A function that is also type-stable.</span> <span class="c"># Input 'Float64' -&gt; Output 'Float64'</span> <span class="k">function</span><span class="nf"> add_one_stable_float</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="kt">Float64</span><span class="x">)</span> <span class="c"># The '1.0' literal ensures the result is a Float64</span> <span class="k">return</span> <span class="n">x</span> <span class="o">+</span> <span class="mf">1.0</span> <span class="k">end</span> <span class="c"># 3. A generic, but still type-stable, function.</span> <span class="c"># The compiler knows: Input 'T' -&gt; Output 'T' (where T is a Number)</span> <span class="c"># It will compile a *specialized* version for each type.</span> <span class="k">function</span><span class="nf"> add_one_generic</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="n">T</span><span class="x">)</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="o">&lt;:</span><span class="kt">Number</span><span class="x">}</span> <span class="k">return</span> <span class="n">x</span> <span class="o">+</span> <span class="n">one</span><span class="x">(</span><span class="n">T</span><span class="x">)</span> <span class="c"># 'one(T)' returns 1 as type T</span> <span class="k">end</span> <span class="c"># 4. Use the @code_warntype macro to inspect the compiler's</span> <span class="c"># type inference. This is our primary diagnostic tool.</span> <span class="c"># We must 'execute' the macro in a function (e.g., in main)</span> <span class="c"># or at the REPL to see the output.</span> <span class="k">function</span><span class="nf"> analyze_stable</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- @code_warntype for add_one_stable(1) ---"</span><span class="x">)</span> <span class="nd">@code_warntype</span> <span class="n">add_one_stable</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @code_warntype for add_one_stable_float(1.0) ---"</span><span class="x">)</span> <span class="nd">@code_warntype</span> <span class="n">add_one_stable_float</span><span class="x">(</span><span class="mf">1.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @code_warntype for add_one_generic(1) ---"</span><span class="x">)</span> <span class="nd">@code_warntype</span> <span class="n">add_one_generic</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="c"># Will infer T=Int64</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @code_warntype for add_one_generic(1.0) ---"</span><span class="x">)</span> <span class="nd">@code_warntype</span> <span class="n">add_one_generic</span><span class="x">(</span><span class="mf">1.0</span><span class="x">)</span> <span class="c"># Will infer T=Float64</span> <span class="k">end</span> <span class="c"># Run the analysis</span> <span class="n">analyze_stable</span><span class="x">()</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates what a <strong>type-stable</strong> function looks like and introduces our primary diagnostic tool: the <strong><code>@code_warntype</code></strong> macro.</p> <ul> <li><p><strong>Core Concept: <code>add_one_stable(x::Int64)</code></strong><br> This function is the definition of type stability. The signature <code>(x::Int64)</code> and the operation <code>x + 1</code> (where <code>1</code> is an <code>Int64</code>) combine to create a contract: "This function <em>always</em> returns an <code>Int64</code>." The compiler can rely on this 100% and generate optimal, C-like machine code.</p></li> <li> <p><strong>Diagnostic Tool: <code>@code_warntype</code></strong></p> <ul> <li>The <code>@code_warntype</code> macro is your "X-ray vision" into the Julia compiler. It runs Julia's type-inference engine on a function call and reports what it found.</li> <li>It prints a detailed breakdown, but we only care about one line: the <code>Body</code> line.</li> <li> <strong><code>Body::Int64</code> (Good):</strong> When we run <code>@code_warntype add_one_stable(1)</code>, the output will include <code>Body::Int64</code>. This is the compiler's "all clear" sign. It is printed in green (in a color-supporting terminal) and means: "I have successfully inferred that the body of this function will always return an <code>Int64</code>."</li> <li> <strong><code>Body::Any</code> or <code>Body::Union{...}</code> (Bad):</strong> If you see this (especially in red), it means the compiler <em>gave up</em>. It could not determine the return type. This signifies type-instability and is the source of performance problems.</li> </ul> </li> <li> <p><strong>Generic Stability: <code>add_one_generic</code></strong></p> <ul> <li>This function is also type-stable, but in a more general way. The <code>where {T&lt;:Number}</code> tells the compiler, "Whatever numeric type <code>T</code> you put in, I will return that same type <code>T</code>."</li> <li>When you run <code>@code_warntype add_one_generic(1)</code>, the compiler <em>specializes</em> the function for <code>T=Int64</code> and infers a return type of <code>Body::Int64</code>.</li> <li>When you run <code>@code_warntype add_one_generic(1.0)</code>, it <em>specializes again</em> for <code>T=Float64</code> and infers <code>Body::Float64</code>.</li> <li>This specialization is the core of Julia's performance: it allows you to write one generic, readable function, and the compiler automatically creates multiple, hyper-specialized, fast versions for you.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> Explains the use of <code>@code_warntype</code> to "find problems in your code."</li> <li> <strong>Julia Official Documentation, Manual, "@code_warntype":</strong> "Prints the inferred return types of a function call to <code>stdout</code>... highlighting any values that are not inferred to be of a concrete type."</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Note: The exact output of <code>@code_warntype</code> is verbose and can change between Julia versions. We are only interested in the <code>Body::</code> line at the top.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0062_type_stable_function.jl <span class="nt">---</span> @code_warntype <span class="k">for </span>add_one_stable<span class="o">(</span>1<span class="o">)</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(add_one_stable)</span> x::Int64 Body::Int64 <span class="o">[</span>...] <span class="nt">---</span> @code_warntype <span class="k">for </span>add_one_stable_float<span class="o">(</span>1.0<span class="o">)</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(add_one_stable_float)</span> x::Float64 Body::Float64 <span class="o">[</span>...] <span class="nt">---</span> @code_warntype <span class="k">for </span>add_one_generic<span class="o">(</span>1<span class="o">)</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(add_one_generic)</span> x::Int64 Body::Int64 <span class="o">[</span>...] <span class="nt">---</span> @code_warntype <span class="k">for </span>add_one_generic<span class="o">(</span>1.0<span class="o">)</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(add_one_generic)</span> x::Float64 Body::Float64 <span class="o">[</span>...] </code></pre> </div> <h3> <code>0063_type_instability.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0063_type_instability.jl</span> <span class="k">import</span> <span class="n">InteractiveUtils</span><span class="o">:</span> <span class="nd">@code_warntype</span> <span class="c"># 1. A function that is type-UNSTABLE.</span> <span class="c"># The return type depends on the *value* of 'x', not just its type.</span> <span class="k">function</span><span class="nf"> unstable_type_based_on_value</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="k">if</span> <span class="n">x</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">return</span> <span class="n">x</span> <span class="c"># Returns Int</span> <span class="k">else</span> <span class="k">return</span> <span class="n">float</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="c"># Returns Float64</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 2. Another type-unstable function.</span> <span class="c"># Here, the type changes within the function body.</span> <span class="k">function</span><span class="nf"> unstable_variable_type</span><span class="x">()</span> <span class="c"># 'y' starts as an Int</span> <span class="n">y</span> <span class="o">=</span> <span class="mi">1</span> <span class="c"># 'y' might become a Float64</span> <span class="k">if</span> <span class="n">rand</span><span class="x">()</span> <span class="o">&gt;</span> <span class="mf">0.5</span> <span class="n">y</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="k">end</span> <span class="c"># The return type depends on runtime randomness.</span> <span class="k">return</span> <span class="n">y</span> <span class="k">end</span> <span class="c"># 3. Use @code_warntype to diagnose the instability.</span> <span class="k">function</span><span class="nf"> analyze_unstable</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- @code_warntype for unstable_type_based_on_value(1) ---"</span><span class="x">)</span> <span class="c"># Even though we *know* 1 &gt; 0, the compiler analyzes the function</span> <span class="c"># based on the *type* Int, and sees it *could* return Float64.</span> <span class="nd">@code_warntype</span> <span class="n">unstable_type_based_on_value</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @code_warntype for unstable_variable_type() ---"</span><span class="x">)</span> <span class="nd">@code_warntype</span> <span class="n">unstable_variable_type</span><span class="x">()</span> <span class="k">end</span> <span class="c"># Run the analysis</span> <span class="n">analyze_unstable</span><span class="x">()</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>type-instability</strong> and how to use <code>@code_warntype</code> to detect it. Type instability is one of the most common causes of poor performance in Julia.</p> <ul> <li><p><strong>Core Concept: Unstable Return Type</strong><br> The function <code>unstable_type_based_on_value</code> is type-unstable because its return type <strong>cannot be predicted</strong> solely from the input type (<code>Int</code>). If the input <code>x</code> is positive, it returns an <code>Int</code>; otherwise, it returns a <code>Float64</code>. The compiler sees both possibilities and cannot guarantee a single, concrete return type.</p></li> <li> <p><strong>Diagnostic Tool: <code>@code_warntype</code> (Red Flags)</strong></p> <ul> <li>When we run <code>@code_warntype unstable_type_based_on_value(1)</code>, the output will show something like <code>Body::Union{Int64, Float64}</code>.</li> <li> <strong><code>Body::Union{Int64, Float64}</code> (Bad):</strong> This is a <strong>warning sign</strong>. It is often printed in <strong>red</strong> in the terminal. The compiler is telling you: "I cannot guarantee the return type. It might be an <code>Int64</code>, or it might be a <code>Float64</code>."</li> <li>This <strong>forces</strong> Julia to use slow, <strong>dynamic dispatch</strong> whenever the result of this function is used later. The program has to check <em>at runtime</em> which type was actually returned before it can perform any operation (like addition). It also likely involves <strong>boxing</strong> the return value on the heap.</li> </ul> </li> <li><p><strong>Core Concept: Unstable Variable Type</strong><br><br> The function <code>unstable_variable_type</code> demonstrates another common source of instability. The variable <code>y</code> starts as an <code>Int</code> but might be reassigned to a <code>Float64</code>. The compiler cannot predict the final type of <code>y</code>, so the function's return type is also unpredictable. <code>@code_warntype</code> will again report <code>Body::Union{Int64, Float64}</code> or potentially even <code>Body::Any</code> if the type changes were more complex.</p></li> <li><p><strong>Performance Impact:</strong><br><br> Type instability acts like a "poison" that spreads through your code. If a function is unstable, any other function that calls it might <em>also</em> become unstable, leading to cascading performance degradation. Identifying and fixing type instabilities using <code>@code_warntype</code> is therefore a critical skill for writing fast Julia code.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> "Avoid changing the type of a variable... When the type of a variable changes... this is known as 'type-instability'."</li> <li> <strong>Julia Official Documentation, Manual, "@code_warntype":</strong> "...highlighting any values that are not inferred to be of a concrete type." (<code>Union</code> types are generally not concrete).</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Note: The exact output is verbose. Look for the <code>Body::</code> line, often highlighted in red.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0063_type_instability.jl <span class="nt">---</span> @code_warntype <span class="k">for </span>unstable_type_based_on_value<span class="o">(</span>1<span class="o">)</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(unstable_type_based_on_value)</span> x::Int64 Body::Union<span class="o">{</span>Float64, Int64<span class="o">}</span> <span class="c"># &lt;--- Warning! (Often Red)</span> <span class="o">[</span>...] <span class="nt">---</span> @code_warntype <span class="k">for </span>unstable_variable_type<span class="o">()</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(unstable_variable_type)</span> y::Union<span class="o">{</span>Float64, Int64<span class="o">}</span> <span class="c"># &lt;--- Variable 'y' is unstable</span> Body::Union<span class="o">{</span>Float64, Int64<span class="o">}</span> <span class="c"># &lt;--- Warning! (Often Red)</span> <span class="o">[</span>...] </code></pre> </div> <h3> <code>0064_global_variable_pitfall.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0064_global_variable_pitfall.jl</span> <span class="k">import</span> <span class="n">InteractiveUtils</span><span class="o">:</span> <span class="nd">@code_warntype</span> <span class="c"># --- Case 1: Non-Constant Global ---</span> <span class="c"># 1. Define a global variable WITHOUT 'const'.</span> <span class="c"># Its type can change at any time.</span> <span class="n">non_const_global</span> <span class="o">=</span> <span class="mi">100</span> <span class="c"># 2. Define a function that uses the non-constant global.</span> <span class="k">function</span><span class="nf"> use_non_const_global</span><span class="x">()</span> <span class="c"># The compiler cannot know the type of 'non_const_global'.</span> <span class="c"># It might be an Int, or it might change to a String later.</span> <span class="k">return</span> <span class="n">non_const_global</span> <span class="o">*</span> <span class="mi">2</span> <span class="k">end</span> <span class="c"># --- Case 2: Constant Global ---</span> <span class="c"># 3. Define a global variable WITH 'const'.</span> <span class="c"># This is a promise to the compiler: the *type* of this</span> <span class="c"># variable will NEVER change (though its value can if mutable).</span> <span class="kd">const</span> <span class="n">const_global</span> <span class="o">=</span> <span class="mi">200</span> <span class="c"># 4. Define a function that uses the constant global.</span> <span class="k">function</span><span class="nf"> use_const_global</span><span class="x">()</span> <span class="c"># The compiler knows 'const_global' will always be an Int.</span> <span class="c"># It can generate specialized, fast code.</span> <span class="k">return</span> <span class="n">const_global</span> <span class="o">*</span> <span class="mi">2</span> <span class="k">end</span> <span class="c"># --- Analysis ---</span> <span class="k">function</span><span class="nf"> analyze_globals</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- @code_warntype for use_non_const_global() ---"</span><span class="x">)</span> <span class="c"># This will show type instability (Body::Any or similar).</span> <span class="nd">@code_warntype</span> <span class="n">use_non_const_global</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @code_warntype for use_const_global() ---"</span><span class="x">)</span> <span class="c"># This will show type stability (Body::Int64).</span> <span class="nd">@code_warntype</span> <span class="n">use_const_global</span><span class="x">()</span> <span class="c"># Demonstrate that the functions work at runtime</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Runtime Results ---"</span><span class="x">)</span> <span class="n">res_non_const</span> <span class="o">=</span> <span class="n">use_non_const_global</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result (non-const global): "</span><span class="x">,</span> <span class="n">res_non_const</span><span class="x">)</span> <span class="c"># We can even change the non-const global's type (bad practice!)</span> <span class="kd">global</span> <span class="n">non_const_global</span> <span class="o">=</span> <span class="s">"Changed!"</span> <span class="n">println</span><span class="x">(</span><span class="s">"Non-const global changed to: "</span><span class="x">,</span> <span class="n">non_const_global</span><span class="x">)</span> <span class="c"># Calling the function again would now error at runtime</span> <span class="n">res_const</span> <span class="o">=</span> <span class="n">use_const_global</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result (const global): "</span><span class="x">,</span> <span class="n">res_const</span><span class="x">)</span> <span class="c"># Attempting to change the type of a const global errors</span> <span class="k">try</span> <span class="kd">global</span> <span class="n">const_global</span> <span class="o">=</span> <span class="s">"Cannot do this"</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught expected error trying to change const global type: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">analyze_globals</span><span class="x">()</span> </code></pre> </div> <h3> Explanation </h3> <p>This script revisits a critical performance pitfall: accessing <strong>non-constant global variables</strong> from within functions. It demonstrates why this leads to type instability and how the <code>const</code> keyword solves the problem.</p> <ul> <li> <p><strong>The Problem: Non-<code>const</code> Globals</strong></p> <ul> <li>When you define a global variable like <code>non_const_global = 100</code>, you are telling the compiler very little. The type of this variable could change at <em>any moment</em> during the program's execution (as shown when we reassign it to a <code>String</code>).</li> <li>Inside the function <code>use_non_const_global()</code>, when the compiler sees <code>non_const_global * 2</code>, it has <strong>no way to know</strong> what type <code>non_const_global</code> will have <em>at runtime</em>. It cannot specialize the code. It must generate slow, generic code that: <ol> <li> Looks up the current value and type of <code>non_const_global</code> <strong>at runtime</strong>.</li> <li> Performs <strong>dynamic dispatch</strong> to find the correct <code>*</code> method for whatever type it found.</li> </ol> </li> </ul> </li> <li> <p><strong>Diagnosis with <code>@code_warntype</code>:</strong></p> <ul> <li>Running <code>@code_warntype use_non_const_global()</code> confirms this instability. The output will show <code>Body::Any</code> (or some other non-concrete type, often in red). This is the compiler telling you it cannot predict the return type because it depends on the unpredictable type of the global variable.</li> </ul> </li> <li> <p><strong>The Solution: <code>const</code> Globals</strong></p> <ul> <li>The <code>const const_global = 200</code> declaration is a <strong>promise</strong> to the compiler: "The <em>type</em> of <code>const_global</code> will <em>always</em> be <code>Int64</code>." (Note: If <code>const_global</code> was a mutable object like a <code>Vector</code>, its <em>contents</em> could still change, but it would always <em>refer</em> to that same <code>Vector</code>).</li> <li>Inside <code>use_const_global()</code>, the compiler now <strong>knows for certain</strong> that <code>const_global</code> is an <code>Int64</code>. It can generate fast, specialized machine code that directly multiplies two integers.</li> </ul> </li> <li> <p><strong>Diagnosis with <code>@code_warntype</code>:</strong></p> <ul> <li>Running <code>@code_warntype use_const_global()</code> shows the fix. The output will be <code>Body::Int64</code> (green). The compiler is confident about the return type because the global's type is guaranteed.</li> </ul> </li> <li><p><strong>Rule of Thumb:</strong> <strong>Always</strong> declare global variables used in performance-critical code as <code>const</code>. If you need a global whose <em>type</em> might change, reconsider your design – perhaps pass it as a function argument instead. Accessing non-<code>const</code> globals is one of the most common and easily fixed sources of poor performance in Julia.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> "Avoid global variables." and "Declare variables as constant." These sections explicitly warn about the performance cost and recommend <code>const</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Note: The exact output is verbose. Focus on the <code>Body::</code> lines.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0064_global_variable_pitfall.jl <span class="nt">---</span> @code_warntype <span class="k">for </span>use_non_const_global<span class="o">()</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(use_non_const_global)</span> Body::Any <span class="c"># &lt;--- Warning! Instability from non-const global</span> <span class="o">[</span>...] <span class="nt">---</span> @code_warntype <span class="k">for </span>use_const_global<span class="o">()</span> <span class="nt">---</span> Variables <span class="c">#self#::Core.Const(use_const_global)</span> Body::Int64 <span class="c"># &lt;--- Good! Type stable due to const global</span> <span class="o">[</span>...] <span class="nt">---</span> Runtime Results <span class="nt">---</span> Result <span class="o">(</span>non-const global<span class="o">)</span>: 200 Non-const global changed to: Changed! Result <span class="o">(</span>const global<span class="o">)</span>: 400 Caught expected error trying to change const global <span class="nb">type</span>: <span class="o">[</span>...] invalid redefinition of constant const_global </code></pre> </div> <h2> Union Types </h2> <h3> <code>0065_union_types_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0065_union_types_basics.jl</span> <span class="c"># 1. Define a function that might fail predictably.</span> <span class="c"># A dictionary lookup is a perfect example: the key might not exist.</span> <span class="kd">const</span> <span class="n">my_dictionary</span> <span class="o">=</span> <span class="kt">Dict</span><span class="x">(</span><span class="s">"a"</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="x">,</span> <span class="s">"b"</span> <span class="o">=&gt;</span> <span class="mi">2</span><span class="x">)</span> <span class="c"># 2. Function returning a Union type for error handling.</span> <span class="c"># The return type annotation 'Union{Int64, Nothing}' explicitly states</span> <span class="c"># that this function will return *either* an Int64 on success</span> <span class="c"># or the special value 'nothing' on failure.</span> <span class="k">function</span><span class="nf"> safe_get</span><span class="x">(</span><span class="n">key</span><span class="o">::</span><span class="kt">String</span><span class="x">)</span><span class="o">::</span><span class="kt">Union</span><span class="x">{</span><span class="kt">Int64</span><span class="x">,</span> <span class="kt">Nothing</span><span class="x">}</span> <span class="k">if</span> <span class="n">haskey</span><span class="x">(</span><span class="n">my_dictionary</span><span class="x">,</span> <span class="n">key</span><span class="x">)</span> <span class="k">return</span> <span class="n">my_dictionary</span><span class="x">[</span><span class="n">key</span><span class="x">]</span> <span class="c"># Returns Int64</span> <span class="k">else</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="c"># Returns Nothing</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 3. Call the function and handle the Union result.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling safe_get ---"</span><span class="x">)</span> <span class="n">key_success</span> <span class="o">=</span> <span class="s">"a"</span> <span class="n">result_success</span> <span class="o">=</span> <span class="n">safe_get</span><span class="x">(</span><span class="n">key_success</span><span class="x">)</span> <span class="c"># Check the type of the result</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result for key '</span><span class="si">$</span><span class="s">key_success': "</span><span class="x">,</span> <span class="n">result_success</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">result_success</span><span class="x">))</span> <span class="c"># Int64</span> <span class="c"># Idiomatic check for the 'nothing' failure case</span> <span class="k">if</span> <span class="n">result_success</span> <span class="o">!==</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">" Success! Value is: "</span><span class="x">,</span> <span class="n">result_success</span> <span class="o">*</span> <span class="mi">10</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">" Key '</span><span class="si">$</span><span class="s">key_success' not found."</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"-"</span><span class="o">^</span><span class="mi">20</span><span class="x">)</span> <span class="n">key_fail</span> <span class="o">=</span> <span class="s">"c"</span> <span class="n">result_fail</span> <span class="o">=</span> <span class="n">safe_get</span><span class="x">(</span><span class="n">key_fail</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result for key '</span><span class="si">$</span><span class="s">key_fail': "</span><span class="x">,</span> <span class="n">result_fail</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">result_fail</span><span class="x">))</span> <span class="c"># Nothing</span> <span class="k">if</span> <span class="n">result_fail</span> <span class="o">!==</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">" Success! Value is: "</span><span class="x">,</span> <span class="n">result_fail</span> <span class="o">*</span> <span class="mi">10</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">" Key '</span><span class="si">$</span><span class="s">key_fail' not found."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 4. 'isbitstype' vs 'isbits' check</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- isbits checks ---"</span><span class="x">)</span> <span class="c"># isbits(x) is true if typeof(x) is an isbitstype</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbits(result_success): "</span><span class="x">,</span> <span class="n">isbits</span><span class="x">(</span><span class="n">result_success</span><span class="x">))</span> <span class="c"># true (Int64 is isbits)</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbits(result_fail): "</span><span class="x">,</span> <span class="n">isbits</span><span class="x">(</span><span class="n">result_fail</span><span class="x">))</span> <span class="c"># true (Nothing is isbits)</span> <span class="c"># The Union *type* itself is not isbits because it's abstract.</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Union{Int64, Nothing}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Union</span><span class="x">{</span><span class="kt">Int64</span><span class="x">,</span> <span class="kt">Nothing</span><span class="x">}))</span> <span class="c"># false</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Union</code> types</strong>, demonstrating their idiomatic use for handling predictable failure conditions in a type-stable and efficient way.</p> <ul> <li><p><strong>Core Concept: <code>Union{TypeA, TypeB, ...}</code></strong><br> A <code>Union</code> type represents a value that could be one of several specified types. <code>Union{Int64, Nothing}</code> means "this variable can hold <em>either</em> an <code>Int64</code> <em>or</em> the value <code>nothing</code>."</p></li> <li> <p><strong>Error Handling Pattern:</strong><br> Returning a <code>Union</code> like <code>Union{ResultType, Nothing}</code> (or <code>Union{ResultType, ErrorCode}</code>) is Julia's preferred pattern for functions that might fail in expected ways. Instead of throwing an exception (which is computationally expensive), the function returns a value indicating success or failure.</p> <ul> <li> <code>safe_get</code> implements this: on success, it returns the <code>Int64</code> value; on failure (key not found), it returns the special singleton value <code>nothing</code>.</li> <li>The <strong>caller</strong> is then responsible for checking the return type. The idiomatic check is <code>if result !== nothing</code>. The <code>!==</code> operator checks for strict identity (and type) and is very fast.</li> </ul> </li> <li> <p><strong>Performance: Small <code>Union</code>s are Efficiently Stored</strong></p> <ul> <li>While the <code>Union{Int64, Nothing}</code> <em>type itself</em> is technically abstract and therefore <code>isbitstype</code> returns <code>false</code>, Julia's compiler includes <strong>crucial optimizations</strong> for small unions like this, especially when they are used <strong>inside arrays or structs</strong>.</li> <li> <strong>How? (Inline Storage + Type Tag):</strong> The compiler stores the data <strong>inline</strong> (using enough space for the largest member, <code>Int64</code>) and uses a hidden <strong>type tag</strong> byte to track whether an <code>Int64</code> or <code>Nothing</code> is currently stored.</li> <li> <strong>Result:</strong> Accessing values from such a <code>Union</code> field or array element is very fast (check tag, read inline data) and avoids heap allocation ("boxing") and pointer chasing. Checking <code>if result !== nothing</code> compiles down to a simple, fast check of this internal type tag.</li> <li>This optimization makes the <code>Union{ResultType, Nothing}</code> pattern a high-performance alternative to exceptions for predictable failure modes.</li> </ul> </li> <li> <p><strong><code>isbits</code> vs. <code>isbitstype</code> Clarification:</strong></p> <ul> <li> <code>isbitstype(T::Type)</code> asks: "Does the type <code>T</code> itself describe a single, fixed, C-like memory layout?" For <code>Union{Int64, Nothing}</code>, the answer is <strong><code>false</code></strong> because the <code>Union</code> type is abstract; its representation depends on the current value.</li> <li> <code>isbits(x)</code> asks: "Is the <em>value</em> <code>x</code> of an <code>isbits</code> type?" Since both <code>Int64</code> and <code>Nothing</code> are <code>isbits</code> types, <code>isbits(result_success)</code> and <code>isbits(result_fail)</code> both return <strong><code>true</code></strong>.</li> </ul> </li> <li><p><strong>Contrast with Exceptions:</strong><br><br> This <code>Union</code> return pattern should be preferred over <code>try...catch</code> for common, expected failure modes like dictionary lookups, parsing attempts (<code>tryparse</code>), or finding items in a list. Exceptions are reserved for truly <em>exceptional</em> or unexpected errors where the high cost of stack unwinding is acceptable.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Types", "Union Types":</strong> "Union types are a special abstract type..."</li> <li> <strong>Julia Official Documentation, <code>devdocs</code>, "isbits Union Optimizations":</strong> Details how Julia stores <code>isbits Union</code> fields and arrays inline using type tags for performance, confirming the efficiency despite the <code>Union</code> type being abstract.</li> <li> <strong>Julia Official Documentation, <code>isbits(x)</code> and <code>isbitstype(T)</code>:</strong> Clarify the distinction between checking a value and checking a type.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0065_union_types_basics.jl <span class="nt">---</span> Calling safe_get <span class="nt">---</span> Result <span class="k">for </span>key <span class="s1">'a'</span>: 1 Type of result: Int64 Success! Value is: 10 <span class="nt">--------------------</span> Result <span class="k">for </span>key <span class="s1">'c'</span>: nothing Type of result: Nothing Key <span class="s1">'c'</span> not found. <span class="nt">---</span> isbits checks <span class="nt">---</span> isbits<span class="o">(</span>result_success<span class="o">)</span>: <span class="nb">true </span>isbits<span class="o">(</span>result_fail<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Union<span class="o">{</span>Int64, Nothing<span class="o">})</span>: <span class="nb">false</span> </code></pre> </div> <p>While <code>Union</code> types are a powerful feature, their performance characteristics depend heavily on <strong>how many types</strong> are included in the <code>Union</code> and <strong>whether those types are <code>isbits</code></strong>. There is a significant performance difference between "small" and "large" unions.</p> <h2> Small <code>isbits</code> Unions (Fast) ✨ </h2> <ul> <li> <strong>Example:</strong> <code>Union{Int64, Nothing}</code>, <code>Union{Float64, Bool}</code>, <code>Union{Int8, UInt8}</code> </li> <li> <strong>Performance:</strong> <strong>Excellent</strong>.</li> <li> <strong>Why? Compiler Optimization:</strong> Julia's compiler has specific, highly effective optimizations for <code>Union</code>s that contain a small number (typically 2-3) of <code>isbits</code> types (and/or <code>Nothing</code>). <ul> <li> <strong>Inline Storage:</strong> As seen in the previous lesson, the compiler can often store the value <strong>inline</strong> within the memory allocated for the variable or struct field. It allocates enough space for the largest <code>isbits</code> member.</li> <li> <strong>Type Tag:</strong> An extra hidden <strong>type tag byte</strong> is stored alongside the inline data. This byte efficiently encodes <em>which</em> of the possible types is currently stored.</li> <li> <strong>Fast Dispatch:</strong> Checking the type (e.g., <code>if x === nothing</code>) becomes a simple, fast check of this tag byte, often compiling down to a single conditional branch instruction.</li> <li> <strong>No Boxing:</strong> There is generally no heap allocation ("boxing") required for these small unions when used, for example, as struct fields or array elements.</li> </ul> </li> </ul> <p><strong>Use Case:</strong> Ideal for representing optional values (<code>Union{T, Nothing}</code>), return codes (<code>Union{Result, ErrorCode}</code>), or situations where a value can be one of just a few simple types.</p> <h2> Large Unions or Unions with Non-<code>isbits</code> Types (Slow) 🐌 </h2> <ul> <li> <strong>Example:</strong> <code>Union{Int64, Float64, String}</code>, <code>Union{Int64, Vector{Float64}}</code>, <code>Union{Circle, Rectangle, MutableSquare}</code> (from Module 5)</li> <li> <strong>Performance:</strong> <strong>Poor</strong>, approaching the performance of <code>Any</code>.</li> <li> <strong>Why? Lack of Optimization:</strong> The compiler's inline storage + type tag optimization breaks down or becomes inefficient when: <ol> <li> <strong>Too Many Types:</strong> Checking the type tag requires a complex series of branches (e.g., "is it type 1? no. is it type 2? no. is it type 3? ..."). This significantly slows down dispatch.</li> <li> <strong>Non-<code>isbits</code> Members:</strong> If the <code>Union</code> includes non-<code>isbits</code> types (like <code>String</code>, <code>Vector</code>, or <code>mutable struct</code>s), these types <em>must</em> be heap-allocated anyway. The compiler often cannot store them inline. It must fall back to storing a <strong>pointer</strong> to the heap-allocated object, similar to how <code>Any</code> works. This involves <strong>boxing</strong> and <strong>pointer chasing</strong>.</li> <li> <strong>Variable Size:</strong> If the types in the <code>Union</code> have different sizes, efficient inline storage becomes impossible.</li> </ol> </li> </ul> <p><strong>Performance Impact:</strong></p> <ul> <li> <strong>Boxing:</strong> Values might be heap-allocated ("boxed") even if they are simple types like <code>Int</code>.</li> <li> <strong>Dynamic Dispatch:</strong> Using a value from a large <code>Union</code> almost always requires slow, runtime dynamic dispatch.</li> <li> <strong>Type Instability:</strong> Functions returning large <code>Union</code>s are inherently type-unstable, preventing compiler specialization and optimization.</li> </ul> <p><strong>Guideline:</strong> Avoid large unions in performance-critical code. If a variable or field truly needs to hold many different types, it often indicates a design issue. Consider using abstract types with multiple dispatch (as in Module 5) or redesigning your data structures. Small, <code>isbits</code>-based unions are a targeted optimization; large unions are generally an anti-pattern for performance.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, <code>devdocs</code>, "isbits Union Optimizations":</strong> Explains the type tag mechanism and its limitations.</li> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> Implicitly warns against large unions by emphasizing type stability and avoiding abstract containers.</li> </ul> </li> </ul> <h2> Array Slicing </h2> <h3> <code>0067_views_recap_performance.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0067_views_recap_performance.jl</span> <span class="c"># Import necessary tools</span> <span class="c"># BenchmarkTools is not in the standard library, so we need to add it.</span> <span class="c"># See Explanation section for installation instructions.</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># 1. A function that processes a vector (e.g., calculates sum)</span> <span class="c"># We make it type-stable by annotating the input.</span> <span class="k">function</span><span class="nf"> process_data</span><span class="x">(</span><span class="n">data</span><span class="o">::</span><span class="kt">AbstractVector</span><span class="x">{</span><span class="kt">Float64</span><span class="x">})</span> <span class="n">total</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># Use @inbounds for performance; assumes data access is safe</span> <span class="nd">@inbounds</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="n">eachindex</span><span class="x">(</span><span class="n">data</span><span class="x">)</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">data</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="k">end</span> <span class="k">return</span> <span class="n">total</span> <span class="k">end</span> <span class="c"># 2. Create a large vector</span> <span class="n">N</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="c"># 1 million elements</span> <span class="n">original_vector</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">Float64</span><span class="x">,</span> <span class="n">N</span><span class="x">)</span> <span class="c"># 3. Define the slice indices</span> <span class="n">start_idx</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">end_idx</span> <span class="o">=</span> <span class="mi">500_000</span> <span class="c"># Half the array</span> <span class="c"># --- Benchmarking ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Benchmarking Slice (Copying) ---"</span><span class="x">)</span> <span class="c"># 4. Benchmark passing a slice (A[start:end])</span> <span class="c"># This creates a *new* vector containing a copy of the elements.</span> <span class="c"># The benchmark measures:</span> <span class="c"># a) Time to allocate the new vector</span> <span class="c"># b) Time to copy the 500k elements</span> <span class="c"># c) Time to run process_data() on the copy</span> <span class="nd">@btime</span> <span class="n">process_data</span><span class="x">(</span><span class="n">original_vector</span><span class="x">[</span><span class="o">$</span><span class="n">start_idx</span><span class="o">:$</span><span class="n">end_idx</span><span class="x">])</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking View (Zero-Copy) ---"</span><span class="x">)</span> <span class="c"># 5. Benchmark passing a view (@view A[start:end])</span> <span class="c"># This creates a lightweight 'SubArray' object that *refers*</span> <span class="c"># to the original vector's memory. No allocation, no copying.</span> <span class="c"># The benchmark measures *only*:</span> <span class="c"># a) Time to run process_data() directly on the original data</span> <span class="nd">@btime</span> <span class="n">process_data</span><span class="x">(</span><span class="nd">@view</span> <span class="n">original_vector</span><span class="x">[</span><span class="o">$</span><span class="n">start_idx</span><span class="o">:$</span><span class="n">end_idx</span><span class="x">])</span> <span class="c"># 6. Verify the view type</span> <span class="n">view_obj</span> <span class="o">=</span> <span class="nd">@view</span> <span class="n">original_vector</span><span class="x">[</span><span class="n">start_idx</span><span class="o">:</span><span class="n">end_idx</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Type of view object: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">view_obj</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Does view share memory with original? "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">mightalias</span><span class="x">(</span><span class="n">original_vector</span><span class="x">,</span> <span class="n">view_obj</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script revisits <strong>array slicing</strong> and <strong>views</strong>, focusing explicitly on the <strong>performance implications</strong>. It uses the <code>BenchmarkTools.jl</code> package to provide accurate measurements, demonstrating why views (<code>@view</code>) are essential for high-performance code.</p> <p><strong>Installation Note:</strong></p> <p>This lesson uses <code>BenchmarkTools.jl</code>, which is not part of Julia's standard library. You need to add it to your environment once.</p> <ol> <li> Start the Julia REPL: <code>julia</code> </li> <li> Enter Pkg mode by typing <code>]</code> at the <code>julia&gt;</code> prompt. The prompt will change to <code>pkg&gt;</code>.</li> <li> Type <code>add BenchmarkTools</code> and press Enter. Julia will download and install the package.</li> <li> Exit Pkg mode by pressing Backspace or <code>Ctrl+C</code>.</li> <li> You can now run this script.</li> </ol> <ul> <li> <p><strong>Recap: Slice vs. View</strong></p> <ul> <li> <strong>Slice (<code>A[start:end]</code>):</strong> Creates a <strong>new</strong> <code>Array</code> object, allocates fresh memory, and <strong>copies</strong> the selected elements from the original array into the new one. This is memory-intensive and CPU-intensive if the slice is large or done frequently.</li> <li> <strong>View (<code>@view A[start:end]</code>):</strong> Creates a lightweight <code>SubArray</code> object. This object does <strong>not</strong> allocate memory for the data itself; it simply holds a <strong>reference</strong> to the <em>original</em> array and stores the selected indices. It is a zero-copy, zero-allocation operation.</li> </ul> </li> <li> <p><strong>Benchmarking with <code>@btime</code>:</strong></p> <ul> <li>The <code>@btime</code> macro (from <code>BenchmarkTools.jl</code>) is the standard tool for accurate performance measurement in Julia. It runs the expression many times, measures the minimum execution time, and reports memory allocations.</li> <li> <strong>Crucial Interpolation (<code>$</code>):</strong> Notice <code>original_vector[$start_idx:$end_idx]</code> inside <code>@btime</code>. The <code>$</code> is <strong>essential</strong> here. It tells <code>@btime</code> to treat <code>original_vector</code>, <code>start_idx</code>, and <code>end_idx</code> as pre-computed <em>values</em> rather than global variables to be looked up inside the timing loop. Without the <code>$</code>, you would be benchmarking global variable access time, polluting the results.</li> </ul> </li> <li> <p><strong>Interpreting the Results:</strong></p> <ul> <li> <strong>Slice Benchmark:</strong> The <code>@btime</code> output for the slice will show a significant amount of <strong>memory allocation</strong> (e.g., <code>allocs: 1</code>) and a non-trivial execution time. This time includes the cost of allocating the new vector, copying half a million <code>Float64</code>s, and <em>then</em> running <code>process_data</code>.</li> <li> <strong>View Benchmark:</strong> The <code>@btime</code> output for the <code>@view</code> will show <strong>zero memory allocations</strong> (<code>allocs: 0</code>) and a significantly <strong>faster</strong> execution time. This time represents <em>only</em> the cost of running <code>process_data</code> directly on the relevant portion of the original data.</li> <li> <strong><code>Base.mightalias</code>:</strong> This function returning <code>true</code> confirms that the view object potentially shares memory with the original vector (which it does).</li> </ul> </li> <li><p><strong>Performance Guideline (HFT Context):</strong><br><br> In performance-critical code, especially within loops or functions called frequently, <strong>always use views (<code>@view</code>) when you need to pass a portion of an array to another function without needing an independent copy</strong>. Slicing (<code>A[start:end]</code>) should only be used when you explicitly require a separate, mutable copy of the data. Unnecessary copying is a major source of avoidable overhead and GC pressure.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-dimensional Arrays", "Views (SubArrays and other relevant types)":</strong> Explains the concept of <code>SubArray</code> and the <code>@view</code> macro.</li> <li> <strong>Julia Official Documentation, <code>BenchmarkTools.jl</code>:</strong> Describes the usage of <code>@btime</code> and the importance of variable interpolation (<code>$</code>).</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You must first install <code>BenchmarkTools.jl</code> as described above.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0067_views_recap_performance.jl <span class="nt">---</span> Benchmarking Slice <span class="o">(</span>Copying<span class="o">)</span> <span class="nt">---</span> 293.589 μs <span class="o">(</span>5 allocations: 3.81 MiB<span class="o">)</span> <span class="nt">---</span> Benchmarking View <span class="o">(</span>Zero-Copy<span class="o">)</span> <span class="nt">---</span> 185.664 μs <span class="o">(</span>3 allocations: 96 bytes<span class="o">)</span> Type of view object: SubArray<span class="o">{</span>Float64, 1, Vector<span class="o">{</span>Float64<span class="o">}</span>, Tuple<span class="o">{</span>UnitRange<span class="o">{</span>Int64<span class="o">}}</span>, <span class="nb">true</span><span class="o">}</span> Does view share memory with original? <span class="nb">true</span> </code></pre> </div> <p><em>(Replace <code>### μs minimum time: X/Y ###</code> with the actual timings you observe. Time X should be significantly larger than Time Y, and allocations should be 1 vs 0.)</em></p> <h2> Broadcasting </h2> <h3> <code>0068_broadcasting_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0068_broadcasting_basics.jl</span> <span class="c"># 1. Define a simple scalar function.</span> <span class="c"># This function works on single numbers.</span> <span class="k">function</span><span class="nf"> square_element</span><span class="x">(</span><span class="n">x</span><span class="o">::</span><span class="kt">Number</span><span class="x">)</span> <span class="k">return</span> <span class="n">x</span> <span class="o">*</span> <span class="n">x</span> <span class="k">end</span> <span class="c"># 2. Create a vector of numbers.</span> <span class="n">numbers</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">,</span> <span class="mi">4</span><span class="x">]</span> <span class="c"># 3. Attempting to call the scalar function directly on the vector fails.</span> <span class="c"># Julia doesn't automatically assume element-wise operation.</span> <span class="k">try</span> <span class="n">result_fail</span> <span class="o">=</span> <span class="n">square_element</span><span class="x">(</span><span class="n">numbers</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught expected error (scalar function on vector):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 4. The Broadcasting Dot '.' Syntax.</span> <span class="c"># Placing a dot '.' after the function name tells Julia to apply</span> <span class="c"># the function element-wise to the collection.</span> <span class="n">result_broadcast</span> <span class="o">=</span> <span class="n">square_element</span><span class="o">.</span><span class="x">(</span><span class="n">numbers</span><span class="x">)</span> <span class="c"># Note the dot!</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Result of broadcasting square_element.(numbers): "</span><span class="x">,</span> <span class="n">result_broadcast</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">result_broadcast</span><span class="x">))</span> <span class="c"># A new Vector</span> <span class="c"># 5. Broadcasting works with standard operators too.</span> <span class="c"># The dot goes *before* the operator.</span> <span class="n">plus_one</span> <span class="o">=</span> <span class="n">numbers</span> <span class="o">.+</span> <span class="mi">1</span> <span class="n">times_two</span> <span class="o">=</span> <span class="n">numbers</span> <span class="o">.*</span> <span class="mi">2</span> <span class="n">powers</span> <span class="o">=</span> <span class="n">numbers</span> <span class="o">.^</span> <span class="mi">2</span> <span class="c"># Element-wise exponentiation</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Broadcasting operators:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" numbers .+ 1: "</span><span class="x">,</span> <span class="n">plus_one</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" numbers .* 2: "</span><span class="x">,</span> <span class="n">times_two</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" numbers .^ 2: "</span><span class="x">,</span> <span class="n">powers</span><span class="x">)</span> <span class="c"># 6. Broadcasting with multiple arguments.</span> <span class="c"># Arrays must have compatible dimensions (or be scalars).</span> <span class="n">a</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">]</span> <span class="n">b</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">]</span> <span class="n">sums_broadcast</span> <span class="o">=</span> <span class="n">a</span> <span class="o">.+</span> <span class="n">b</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Broadcasting a .+ b: "</span><span class="x">,</span> <span class="n">sums_broadcast</span><span class="x">)</span> <span class="c"># Scalar broadcasting: The scalar '100' is automatically "expanded".</span> <span class="n">sums_scalar</span> <span class="o">=</span> <span class="n">a</span> <span class="o">.+</span> <span class="mi">100</span> <span class="n">println</span><span class="x">(</span><span class="s">"Broadcasting a .+ 100: "</span><span class="x">,</span> <span class="n">sums_scalar</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>broadcasting</strong>, one of Julia's most powerful and idiomatic features for working with arrays and collections, denoted by the dot (<code>.</code>) syntax.</p> <ul> <li> <p><strong>Core Concept:</strong> Broadcasting provides a concise syntax to apply a function designed for <strong>scalar</strong> (single) values <strong>element-wise</strong> to arrays or collections.</p> <ul> <li>Our <code>square_element</code> function only knows how to square one number. Trying to pass it a <code>Vector</code> fails because there's no method <code>square_element(::Vector)</code>.</li> </ul> </li> <li> <p><strong>The Dot (<code>.</code>): Vectorizing Functions</strong></p> <ul> <li>Placing a dot <code>.</code> immediately after a function name (or before an operator) transforms it into a <strong>broadcasting operation</strong>.</li> <li> <code>square_element.(numbers)</code> tells Julia: "Take the <code>square_element</code> function and apply it to <em>each element</em> of the <code>numbers</code> vector, collecting the results into a new vector."</li> <li>Similarly, <code>numbers .+ 1</code> applies the scalar addition <code>+ 1</code> to each element.</li> </ul> </li> <li> <p><strong>Syntax:</strong></p> <ul> <li>For function calls: <code>my_function.(arg1, arg2, ...)</code> </li> <li>For operators: <code>arg1 .&lt;operator&gt; arg2</code> (e.g., <code>.+</code>, <code>.*</code>, <code>.&gt;</code>)</li> </ul> </li> <li><p><strong>Why is this important?</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Readability:** It avoids writing explicit `for` loops for simple element-wise operations. `y = sin.(x)` is much clearer than a manual loop. 2. **Generality:** It works on *any* function and *any* iterable collection (arrays, tuples, ranges, etc.). You don't need specially written "vectorized" versions of your functions. 3. **Performance (Next Lesson):** Broadcasting is **not just syntactic sugar for a loop**. Julia's compiler performs **loop fusion**, which can make broadcasted operations significantly faster than manual loops by avoiding temporary arrays. </code></pre> </div> <ul> <li> <p><strong>Multiple Arguments &amp; Dimension Rules:</strong></p> <ul> <li>Broadcasting works with functions/operators taking multiple arguments (e.g., <code>a .+ b</code>).</li> <li>The arrays must have <strong>compatible dimensions</strong>. This generally means they either have the same dimensions, or one of the arguments is a scalar (which is implicitly "expanded" to match the other argument's shape). More complex rules exist for arrays of different dimensions (e.g., adding a vector to a matrix column-wise), following standard broadcasting conventions found in languages like Python (NumPy) and R.</li> </ul> </li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Functions", "Dot Syntax for Vectorizing Functions":</strong> "For every function <code>f</code>, the syntax <code>f.(args...)</code> is automatically defined to perform <code>f</code> elementwise over the collections <code>args...</code>"</li> <li> <strong>Julia Official Documentation, Manual, "Multi-dimensional Arrays", "Broadcasting":</strong> Provides detailed rules for dimension compatibility.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0068_broadcasting_basics.jl Caught expected error <span class="o">(</span>scalar <span class="k">function </span>on vector<span class="o">)</span>: MethodError: no method matching square_element<span class="o">(</span>::Vector<span class="o">{</span>Int64<span class="o">})</span> <span class="o">[</span>...] Result of broadcasting square_element.<span class="o">(</span>numbers<span class="o">)</span>: <span class="o">[</span>1, 4, 9, 16] Type of result: Vector<span class="o">{</span>Int64<span class="o">}</span> Broadcasting operators: numbers .+ 1: <span class="o">[</span>2, 3, 4, 5] numbers .<span class="k">*</span> 2: <span class="o">[</span>2, 4, 6, 8] numbers .^ 2: <span class="o">[</span>1, 4, 9, 16] Broadcasting a .+ b: <span class="o">[</span>11, 22] Broadcasting a .+ 100: <span class="o">[</span>110, 120] </code></pre> </div> <h3> <code>0069_broadcasting_performance.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0069_broadcasting_performance.jl</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># 1. Define input data</span> <span class="n">x</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">Float64</span><span class="x">,</span> <span class="mi">1_000_000</span><span class="x">)</span> <span class="c"># --- Method 1: Fused Broadcasting (Allocating) ---</span> <span class="c"># 2. Perform multiple operations using broadcasting dots.</span> <span class="c"># This creates and returns a NEW array.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Benchmarking Fused Broadcasting (Allocating): sin.(x .* 2.0 .+ 1.0) ---"</span><span class="x">)</span> <span class="nd">@btime</span> <span class="n">sin</span><span class="o">.</span><span class="x">((</span><span class="o">$</span><span class="n">x</span><span class="x">)</span> <span class="o">.*</span> <span class="mf">2.0</span> <span class="o">.+</span> <span class="mf">1.0</span><span class="x">);</span> <span class="c"># --- Method 2: Non-Fused Operations (Allocating) ---</span> <span class="c"># 3. Perform the same operations step-by-step, storing intermediates.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking Non-Fused Operations (Allocating) ---"</span><span class="x">)</span> <span class="k">function</span><span class="nf"> non_fused_calculation</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="n">temp1</span> <span class="o">=</span> <span class="n">x</span> <span class="o">.*</span> <span class="mf">2.0</span> <span class="n">temp2</span> <span class="o">=</span> <span class="n">temp1</span> <span class="o">.+</span> <span class="mf">1.0</span> <span class="n">result</span> <span class="o">=</span> <span class="n">sin</span><span class="o">.</span><span class="x">(</span><span class="n">temp2</span><span class="x">)</span> <span class="k">return</span> <span class="n">result</span> <span class="k">end</span> <span class="nd">@btime</span> <span class="n">non_fused_calculation</span><span class="x">(</span><span class="o">$</span><span class="n">x</span><span class="x">);</span> <span class="c"># --- Method 3: Manual Loop (Allocating) ---</span> <span class="c"># 4. Perform the same operation with a manual loop, allocating a result.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking Manual Loop (Allocating) ---"</span><span class="x">)</span> <span class="k">function</span><span class="nf"> manual_loop_calculation</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">similar</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="nd">@inbounds</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="n">eachindex</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="n">val_step1</span> <span class="o">=</span> <span class="n">x</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">*</span> <span class="mf">2.0</span> <span class="n">val_step2</span> <span class="o">=</span> <span class="n">val_step1</span> <span class="o">+</span> <span class="mf">1.0</span> <span class="n">result</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="n">sin</span><span class="x">(</span><span class="n">val_step2</span><span class="x">)</span> <span class="k">end</span> <span class="k">return</span> <span class="n">result</span> <span class="k">end</span> <span class="nd">@btime</span> <span class="n">manual_loop_calculation</span><span class="x">(</span><span class="o">$</span><span class="n">x</span><span class="x">);</span> <span class="c"># --- Method 4: In-Place Broadcasting on a View ---</span> <span class="c"># 5. Define a function that modifies a view IN-PLACE.</span> <span class="c"># The '.=' operator performs broadcasting and assigns the result</span> <span class="c"># back into the original array (or view).</span> <span class="k">function</span><span class="nf"> inplace_calculation_view!</span><span class="x">(</span><span class="n">y_view</span><span class="x">,</span> <span class="n">x_view</span><span class="x">)</span> <span class="c"># y_view .= sin.(x_view .* 2.0 .+ 1.0) # Modifies y_view</span> <span class="c"># OR, if modifying x_view itself:</span> <span class="n">x_view</span> <span class="o">.=</span> <span class="n">sin</span><span class="o">.</span><span class="x">(</span><span class="n">x_view</span> <span class="o">.*</span> <span class="mf">2.0</span> <span class="o">.+</span> <span class="mf">1.0</span><span class="x">)</span> <span class="c"># Modifies x_view</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking In-Place Broadcasting on View ---"</span><span class="x">)</span> <span class="c"># Create a view (zero-cost)</span> <span class="n">x_view</span> <span class="o">=</span> <span class="nd">@view</span> <span class="n">x</span><span class="x">[</span><span class="mi">1</span><span class="o">:</span><span class="k">end</span><span class="x">]</span> <span class="c"># IMPORTANT: Create a COPY for the benchmark, so we don't</span> <span class="c"># modify the 'x' needed for other benchmarks if we run this multiple times.</span> <span class="n">x_view_copy</span> <span class="o">=</span> <span class="n">copy</span><span class="x">(</span><span class="n">x_view</span><span class="x">)</span> <span class="c"># Benchmark modifying the view copy in-place.</span> <span class="c"># This should have ZERO allocations related to the result array.</span> <span class="nd">@btime</span> <span class="n">inplace_calculation_view!</span><span class="x">(</span><span class="o">$</span><span class="n">x_view_copy</span><span class="x">,</span> <span class="o">$</span><span class="n">x_view_copy</span><span class="x">);</span> <span class="c"># Modify in place</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>why broadcasting (<code>.</code>) is fast</strong> in Julia. It's not merely syntactic sugar for a <code>for</code> loop; it enables a powerful compiler optimization called <strong>loop fusion</strong>. We also compare allocating vs. in-place operations.</p> <ul> <li><p><strong>Core Concept: Loop Fusion</strong><br> When Julia encounters a sequence of broadcasted operations like <code>sin.(x .* 2.0 .+ 1.0)</code>, it <strong>fuses</strong> them into a <strong>single loop</strong>. Instead of calculating intermediates and storing them in temporary arrays, Julia compiles code that does all steps for one element at a time, directly writing the final result.</p></li> <li> <p><strong>Fused Broadcasting (<code>Method 1</code>)</strong></p> <ul> <li>The expression <code>sin.(x .* 2.0 .+ 1.0)</code> is executed in a <strong>single pass</strong>, allocating only the final result array.</li> <li> <strong>Benchmark:</strong> Minimal allocations (1 for the result) and fast execution.</li> </ul> </li> <li> <p><strong>Non-Fused Operations (<code>Method 2</code>)</strong></p> <ul> <li> <code>temp1 = x .* 2.0; temp2 = temp1 .+ 1.0; result = sin.(temp2)</code> forces <strong>three separate passes</strong> and allocates <strong>three large arrays</strong> (<code>temp1</code>, <code>temp2</code>, <code>result</code>).</li> <li> <strong>Benchmark:</strong> Multiple large allocations and the slowest execution time.</li> </ul> </li> <li> <p><strong>Manual Loop (<code>Method 3</code>)</strong></p> <ul> <li>Manually writing the loop and pre-allocating the <code>result</code> also uses a <strong>single pass</strong> and avoids intermediate allocations.</li> <li> <strong>Benchmark:</strong> Performance similar to Method 1, minimal allocations (1 for the result).</li> </ul> </li> <li> <p><strong>In-Place Broadcasting on a View (<code>Method 4</code>)</strong></p> <ul> <li> <strong><code>.=</code> Operator:</strong> The "dot-equals" operator (<code>.=</code>) performs an <strong>in-place</strong> broadcasting assignment. <code>y .= f.(x)</code> calculates <code>f.(x)</code> element-wise and stores the results directly <em>into the existing array <code>y</code></em>, overwriting its previous contents.</li> <li> <strong><code>inplace_calculation_view!</code>:</strong> This function takes a view and modifies it directly using <code>.=</code>.</li> <li> <strong>Benchmarking:</strong> We benchmark modifying a <code>copy</code> of the view. The <code>@btime</code> result for this method should show <strong>zero allocations</strong> related to the data itself (perhaps a few small constant allocations from the benchmark overhead). Its execution time should be very similar to Method 1 and Method 3, confirming that fused broadcasting (Method 1) is essentially as fast as the optimal manual loop (Method 3) and the in-place operation (Method 4), but often more concise.</li> </ul> </li> <li><p><strong>Performance Takeaway:</strong><br><br> Broadcasting (<code>.</code>) is the idiomatic, readable, and highly performant way to express element-wise operations due to loop fusion. For maximum efficiency when you don't need the original data, use the in-place <code>.=</code> operator to avoid allocating a result array entirely.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips", "More dots: Fuse vectorized operations":</strong> Describes loop fusion.</li> <li> <strong>Julia Official Documentation, Manual, "Functions", "Dot Syntax for Vectorizing Functions":</strong> Introduces <code>.=</code> for in-place assignment.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>BenchmarkTools.jl</code> installed: <code>import Pkg; Pkg.add("BenchmarkTools")</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0069_broadcasting_performance.jl <span class="nt">---</span> Benchmarking Fused Broadcasting <span class="o">(</span>Allocating<span class="o">)</span>: sin.<span class="o">(</span>x .<span class="k">*</span> 2.0 .+ 1.0<span class="o">)</span> <span class="nt">---</span> 5.510 ms <span class="o">(</span>3 allocations: 7.63 MiB<span class="o">)</span> <span class="nt">---</span> Benchmarking Non-Fused Operations <span class="o">(</span>Allocating<span class="o">)</span> <span class="nt">---</span> 6.465 ms <span class="o">(</span>9 allocations: 22.89 MiB<span class="o">)</span> <span class="nt">---</span> Benchmarking Manual Loop <span class="o">(</span>Allocating<span class="o">)</span> <span class="nt">---</span> 6.065 ms <span class="o">(</span>3 allocations: 7.63 MiB<span class="o">)</span> <span class="nt">---</span> Benchmarking In-Place Broadcasting on View <span class="nt">---</span> 5.348 ms <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> </code></pre> </div> <h1> Module 7: I/O and Concurrency </h1> <h2> Streams And Basic Io </h2> <h3> <code>0070_streams_intro.md</code> </h3> <p>Input/Output (I/O) is fundamental to any real-world application, involving reading data from files, writing to the network, or interacting with other processes. Julia provides a clean and unified abstraction for all these operations through the <strong><code>IO</code> abstract type</strong>, often referred to as a <strong>stream</strong>.</p> <h2> The <code>IO</code> Abstraction </h2> <ul> <li> <strong>Core Concept:</strong> <code>abstract type IO end</code> defines the <strong>interface</strong> for all byte streams in Julia. It's a contract, not a concrete object. Any type that subtypes <code>IO</code> represents a sequence of bytes that can be read from or written to.</li> <li> <strong>Why Abstract?</strong> You don't just "read data"; you read data <em>from</em> something specific (a file, a network socket, an in-memory buffer). The <code>IO</code> type allows us to write <strong>generic functions</strong> that work correctly regardless of the underlying source or destination of the bytes.</li> <li> <strong>Common Concrete Subtypes:</strong> <ul> <li> <strong><code>IOStream</code>:</strong> Represents a file opened on the filesystem. Created by <code>open()</code>.</li> <li> <strong><code>TCPSocket</code>:</strong> Represents a network connection. Created by <code>Sockets.connect()</code> or <code>Sockets.accept()</code>.</li> <li> <strong><code>Pipe</code>:</strong> Represents a connection between processes (e.g., standard input/output).</li> <li> <strong><code>IOBuffer</code>:</strong> An in-memory buffer that acts like a stream. Useful for building data before writing it elsewhere.</li> </ul> </li> </ul> <h2> Generic Stream Functions </h2> <p>The power of the <code>IO</code> abstraction comes from the generic functions that operate on <em>any</em> <code>IO</code> subtype. You don't need separate functions for writing to a file versus writing to a socket.</p> <ul> <li> <strong>Writing:</strong> <ul> <li> <code>write(io::IO, x)</code>: Writes the canonical binary representation of <code>x</code> to the stream. Crucial for raw data.</li> <li> <code>print(io::IO, args...)</code>: Writes the textual representation of <code>args</code> (like <code>string(arg)</code>).</li> <li> <code>println(io::IO, args...)</code>: Same as <code>print</code>, but adds a newline (<code>\n</code>).</li> </ul> </li> <li> <strong>Reading:</strong> <ul> <li> <code>read(io::IO, T)</code>: Reads a single value of binary type <code>T</code> (e.g., <code>read(io, UInt8)</code>).</li> <li> <code>read(io::IO, nb::Integer)</code>: Reads <code>nb</code> bytes into a <code>Vector{UInt8}</code>.</li> <li> <code>read(io::IO)</code>: Reads all remaining bytes into a <code>Vector{UInt8}</code>.</li> <li> <code>readline(io::IO)</code>: Reads a line of text (up to <code>\n</code>), returning it as a <code>String</code>.</li> <li> <code>readchomp(io::IO)</code>: Reads all remaining data as a string, removing trailing whitespace.</li> <li> <code>readstring(io::IO)</code>: Reads all remaining data as a string.</li> </ul> </li> <li> <strong>Other Operations:</strong> <ul> <li> <code>close(io::IO)</code>: Closes the stream, releasing associated resources (like file handles or network ports).</li> <li> <code>flush(io::IO)</code>: Forces any buffered output to be written to the underlying device.</li> <li> <code>seek(io::IO, pos)</code>: Moves the stream's current position (for seekable streams like files or <code>IOBuffer</code>).</li> <li> <code>eof(io::IO)</code>: Checks if the end of the stream has been reached.</li> </ul> </li> </ul> <h2> Significance for Systems Programming </h2> <ul> <li> <strong>Unified Interface:</strong> The <code>IO</code> system means you can write generic data processing logic (e.g., parsing a specific binary format) that works identically whether the data comes from a file, a network socket, or an in-memory buffer.</li> <li> <strong>Performance:</strong> While the interface is generic, Julia compiles specialized, fast methods for concrete types like <code>IOStream</code> or <code>TCPSocket</code>. When you <code>write</code> to a file, it ultimately compiles down to efficient system calls.</li> <li> <strong>Resource Management:</strong> Understanding that streams represent underlying OS resources (file descriptors, sockets) is crucial. They <strong>must be closed</strong> to avoid resource leaks. The <code>open(...) do ... end</code> pattern (next lesson) is the standard, safe way to manage this automatically.</li> </ul> <p>In the following lessons, we will see how to create and use specific <code>IO</code> subtypes like <code>IOStream</code> and <code>IOBuffer</code>.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Networking and Streams":</strong> Introduces the <code>IO</code> type and basic stream operations.</li> <li> <strong>Julia Official Documentation, Base Documentation, "I/O and Network":</strong> Lists the concrete subtypes and the generic functions available for <code>IO</code> objects.</li> </ul> </li> </ul> <h3> <code>0071_file_io.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0071_file_io.jl</span> <span class="c"># Define the filename we'll work with</span> <span class="kd">const</span> <span class="n">filename</span> <span class="o">=</span> <span class="s">"my_test_file.txt"</span> <span class="c"># --- Method 1: The Idiomatic 'do' Block (Recommended) ---</span> <span class="c"># 1. Writing to a file using 'open' with a 'do' block.</span> <span class="c"># 'open(filename, "w")' opens the file for writing ("w").</span> <span class="c"># If the file exists, it's truncated (emptied). If not, it's created.</span> <span class="c"># The 'do f -&gt; ... end' syntax passes an anonymous function.</span> <span class="c"># 'f' (an IOStream) is the opened file stream, passed to the function.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Writing using 'open...do' block ---"</span><span class="x">)</span> <span class="k">try</span> <span class="n">open</span><span class="x">(</span><span class="n">filename</span><span class="x">,</span> <span class="s">"w"</span><span class="x">)</span> <span class="k">do</span> <span class="n">f</span> <span class="c"># f is the IOStream</span> <span class="n">println</span><span class="x">(</span><span class="s">"File opened successfully for writing."</span><span class="x">)</span> <span class="c"># Use generic IO functions on the file stream 'f'</span> <span class="n">write</span><span class="x">(</span><span class="n">f</span><span class="x">,</span> <span class="s">"Hello, file!</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="n">print</span><span class="x">(</span><span class="n">f</span><span class="x">,</span> <span class="s">"This is line 2."</span><span class="x">)</span> <span class="c"># No newline added by print</span> <span class="n">println</span><span class="x">(</span><span class="n">f</span><span class="x">)</span> <span class="c"># Add a newline</span> <span class="n">println</span><span class="x">(</span><span class="n">f</span><span class="x">,</span> <span class="s">"The value is: "</span><span class="x">,</span> <span class="mi">123</span><span class="x">)</span> <span class="c"># The file 'f' is AUTOMATICALLY closed when the 'do' block ends,</span> <span class="c"># even if an error occurs inside.</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"File writing complete, file closed."</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Error during file writing: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 2. Reading from a file using 'open' with a 'do' block.</span> <span class="c"># 'open(filename, "r")' or just 'open(filename)' opens for reading ("r").</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reading using 'open...do' block ---"</span><span class="x">)</span> <span class="k">try</span> <span class="n">open</span><span class="x">(</span><span class="n">filename</span><span class="x">,</span> <span class="s">"r"</span><span class="x">)</span> <span class="k">do</span> <span class="n">f</span> <span class="c"># f is the IOStream</span> <span class="n">println</span><span class="x">(</span><span class="s">"File opened successfully for reading."</span><span class="x">)</span> <span class="c"># Read the entire file content as a single string</span> <span class="n">content</span> <span class="o">=</span> <span class="n">read</span><span class="x">(</span><span class="n">f</span><span class="x">,</span> <span class="kt">String</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- File Content ---"</span><span class="x">)</span> <span class="n">print</span><span class="x">(</span><span class="n">content</span><span class="x">)</span> <span class="c"># Use print to show exact content</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- End of Content ---"</span><span class="x">)</span> <span class="c"># File 'f' is automatically closed here.</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"File reading complete, file closed."</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Error during file reading: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Method 2: Manual Open and Close (Use with Caution) ---</span> <span class="c"># 3. Manually opening a file for appending ("a").</span> <span class="c"># This adds to the end of the file without truncating.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Appending using manual open/close ---"</span><span class="x">)</span> <span class="n">f_manual</span> <span class="o">=</span> <span class="nb">nothing</span> <span class="c"># Initialize outside try block</span> <span class="k">try</span> <span class="n">f_manual</span> <span class="o">=</span> <span class="n">open</span><span class="x">(</span><span class="n">filename</span><span class="x">,</span> <span class="s">"a"</span><span class="x">)</span> <span class="c"># Open for append</span> <span class="n">println</span><span class="x">(</span><span class="n">f_manual</span><span class="x">,</span> <span class="s">"Appending a new line."</span><span class="x">)</span> <span class="c"># MUST explicitly close the file!</span> <span class="n">close</span><span class="x">(</span><span class="n">f_manual</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"File appended and manually closed."</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Error during manual append: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="c"># Ensure close is attempted even if write fails</span> <span class="k">if</span> <span class="n">f_manual</span> <span class="o">!==</span> <span class="nb">nothing</span> <span class="o">&amp;&amp;</span> <span class="n">isopen</span><span class="x">(</span><span class="n">f_manual</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">f_manual</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"File closed after error."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># --- Cleanup ---</span> <span class="c"># Remove the test file afterwards</span> <span class="k">try</span> <span class="n">rm</span><span class="x">(</span><span class="n">filename</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Removed test file: "</span><span class="x">,</span> <span class="n">filename</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Error removing test file: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Investigation: IOBuffer Resizing (Not part of article) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Investigating IOBuffer Resizing ---"</span><span class="x">)</span> <span class="n">investigation_buffer</span> <span class="o">=</span> <span class="kt">IOBuffer</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Initial state:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Write ~512 KB</span> <span class="n">kb_512</span> <span class="o">=</span> <span class="mi">512</span> <span class="o">*</span> <span class="mi">1024</span> <span class="n">data_512kb</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">UInt8</span><span class="x">,</span> <span class="n">kb_512</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="n">data_512kb</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing 512 KB:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Should have grown</span> <span class="c"># Take the data</span> <span class="n">taken_data</span> <span class="o">=</span> <span class="n">take!</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After take!:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Does it reset?</span> <span class="c"># Write ~16 MB</span> <span class="n">mb_16</span> <span class="o">=</span> <span class="mi">16</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="n">data_16mb</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">UInt8</span><span class="x">,</span> <span class="n">mb_16</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="n">data_16mb</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing 16 MB:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Should have grown significantly</span> <span class="c"># Empty the buffer using seekstart + truncate</span> <span class="n">seekstart</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">truncate</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="mi">0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After seekstart() + truncate(0):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Does it reset?</span> <span class="n">close</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Investigation buffer closed."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates basic file Input/Output (I/O) operations in Julia, focusing on the safe and idiomatic <code>open(...) do ... end</code> pattern.</p> <ul> <li> <p><strong>Core Concept: <code>open()</code> and <code>IOStream</code></strong><br> The <code>open(filename, mode)</code> function interacts with the operating system to access a file.</p> <ul> <li> <code>filename::String</code>: The path to the file.</li> <li> <code>mode::String</code> (optional, defaults to <code>"r"</code>): Specifies how to open the file: <ul> <li> <code>"r"</code>: Read (default). File must exist.</li> <li> <code>"w"</code>: Write. Create if non-existent, <strong>truncate (empty)</strong> if it exists.</li> <li> <code>"a"</code>: Append. Create if non-existent, add to the end if it exists.</li> <li> <code>"r+"</code>: Read and Write. File must exist.</li> <li> <code>"w+"</code>: Read and Write. Create/Truncate.</li> <li> <code>"a+"</code>: Read and Append. Create.</li> </ul> </li> <li>On success, <code>open</code> returns an <code>IOStream</code> object, which is a concrete subtype of the <code>IO</code> abstract type we discussed. This <code>IOStream</code> represents the opened file.</li> </ul> </li> <li><p><strong>The Idiomatic <code>do</code> Block Pattern (Resource Management)</strong><br><br> The most crucial pattern for file I/O (and other resources like network connections) is <code>open(filename, mode) do file_stream ... end</code>.</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. `open` acquires the resource (the file handle from the OS). 2. It passes the opened `IOStream` object (`f` in our example) as an argument to the anonymous function defined by the `do ... end` block. 3. Your code inside the `do` block operates on the stream `f` using generic `IO` functions like `write`, `println`, `read`. 4. **Automatic Cleanup:** When the `do` block finishes (either normally or due to an error), Julia **automatically guarantees** that the `close(f)` function is called. This releases the file handle back to the operating system. &lt;!-- end list --&gt; * **Why it's Essential:** Forgetting to `close` files is a common source of bugs and resource leaks. The `do` block makes correct resource management effortless and robust. It's the direct equivalent of Python's `with open(...) as f:` or C\#'s `using`. </code></pre> </div> <ul> <li> <p><strong>Manual <code>open</code>/<code>close</code> (Less Safe)</strong><br> You <em>can</em> manually call <code>f = open(...)</code> and later <code>close(f)</code>. However, this is strongly discouraged because it's easy to forget <code>close</code>, especially if an error occurs between <code>open</code> and <code>close</code>.</p> <ul> <li>If you <em>must</em> do it manually, you <strong>absolutely must</strong> use a <code>try...finally</code> block to guarantee <code>close</code> is called, as demonstrated (partially) in the append example. The <code>do</code> block is simply syntactic sugar for this <code>try...finally</code> pattern.</li> </ul> </li> <li><p><strong>Generic <code>IO</code> Functions:</strong><br><br> Notice that once the file is opened (<code>f</code> is an <code>IOStream</code>), we use the <em>same</em> functions (<code>write</code>, <code>println</code>, <code>read</code>) that work on <em>any</em> <code>IO</code> object. This demonstrates the power of the <code>IO</code> abstraction.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>open</code>:</strong> Describes the function signatures and modes.</li> <li> <strong>Julia Official Documentation, Manual, "Networking and Streams":</strong> Shows the <code>open(...) do ... end</code> pattern as the standard way to handle files.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(This will create and then delete <code>my_test_file.txt</code> in the current directory.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0071_file_io.jl <span class="nt">---</span> Writing using <span class="s1">'open...do'</span> block <span class="nt">---</span> File opened successfully <span class="k">for </span>writing. File writing <span class="nb">complete</span>, file closed. <span class="nt">---</span> Reading using <span class="s1">'open...do'</span> block <span class="nt">---</span> File opened successfully <span class="k">for </span>reading. <span class="nt">---</span> File Content <span class="nt">---</span> Hello, file! This is line 2. The value is: 123 <span class="nt">---</span> End of Content <span class="nt">---</span> File reading <span class="nb">complete</span>, file closed. <span class="nt">---</span> Appending using manual open/close <span class="nt">---</span> File appended and manually closed. Removed <span class="nb">test </span>file: my_test_file.txt </code></pre> </div> <h3> <code>0072_iobuffer.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0072_iobuffer.jl</span> <span class="c"># IOBuffer provides an in-memory I/O stream.</span> <span class="c"># Useful for efficiently building byte sequences or strings</span> <span class="c"># without creating many intermediate objects.</span> <span class="c"># 1. Create an IOBuffer.</span> <span class="c"># By default, it's writable and dynamically sized.</span> <span class="n">io</span> <span class="o">=</span> <span class="kt">IOBuffer</span><span class="x">()</span> <span class="c"># 2. Write data to the buffer using generic IO functions.</span> <span class="c"># These operations append to the buffer.</span> <span class="n">write</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="s">"Hello"</span><span class="x">)</span> <span class="n">print</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="s">", "</span><span class="x">)</span> <span class="c"># Use print for text</span> <span class="n">println</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="s">"World!"</span><span class="x">)</span> <span class="c"># Adds a newline character</span> <span class="n">write</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="kt">UInt8</span><span class="x">(</span><span class="mh">0xFF</span><span class="x">))</span> <span class="c"># Write a raw byte</span> <span class="c"># 3. Check the current size of the buffer.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current buffer size: "</span><span class="x">,</span> <span class="n">io</span><span class="o">.</span><span class="n">size</span><span class="x">,</span> <span class="s">" bytes"</span><span class="x">)</span> <span class="c"># 4. Get the buffer's content as a Vector{UInt8}.</span> <span class="c"># 'take!' reads all data *and clears the buffer*.</span> <span class="n">data_bytes</span> <span class="o">=</span> <span class="n">take!</span><span class="x">(</span><span class="n">io</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Data as bytes: "</span><span class="x">,</span> <span class="n">data_bytes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of data: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">data_bytes</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Buffer size after take!: "</span><span class="x">,</span> <span class="n">io</span><span class="o">.</span><span class="n">size</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="c"># --- Re-populate and read as String ---</span> <span class="c"># 5. Write some string data again.</span> <span class="n">write</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="s">"Line 1</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="s">"Line 2"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reading as String ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Buffer size before reading string: "</span><span class="x">,</span> <span class="n">io</span><span class="o">.</span><span class="n">size</span><span class="x">)</span> <span class="c"># 6. Reading requires 'seeking' back to the beginning.</span> <span class="c"># Buffers maintain a read/write position.</span> <span class="n">seekstart</span><span class="x">(</span><span class="n">io</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Position after seekstart: "</span><span class="x">,</span> <span class="n">position</span><span class="x">(</span><span class="n">io</span><span class="x">))</span> <span class="c"># 7. Read the entire buffer content as a String.</span> <span class="c"># This reads from the current position to the end.</span> <span class="n">content_string</span> <span class="o">=</span> <span class="n">read</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="kt">String</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Content as string:</span><span class="se">\n</span><span class="s">"</span><span class="x">,</span> <span class="n">content_string</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of content: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">content_string</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Position after reading string: "</span><span class="x">,</span> <span class="n">position</span><span class="x">(</span><span class="n">io</span><span class="x">))</span> <span class="c"># Should be at the end</span> <span class="c"># 8. Using IOBuffer to build a string efficiently.</span> <span class="c"># Contrast with repeated string concatenation (Module 1, lesson 0015)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Efficient String Building ---"</span><span class="x">)</span> <span class="n">buffer</span> <span class="o">=</span> <span class="kt">IOBuffer</span><span class="x">()</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">5</span> <span class="n">print</span><span class="x">(</span><span class="n">buffer</span><span class="x">,</span> <span class="s">"Item "</span><span class="x">,</span> <span class="n">i</span><span class="x">,</span> <span class="s">"; "</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Get the final string *once* at the end.</span> <span class="n">final_string</span> <span class="o">=</span> <span class="kt">String</span><span class="x">(</span><span class="n">take!</span><span class="x">(</span><span class="n">buffer</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Built string: "</span><span class="x">,</span> <span class="n">final_string</span><span class="x">)</span> <span class="c"># Close the buffer (optional for IOBuffer, but good practice)</span> <span class="n">close</span><span class="x">(</span><span class="n">io</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Buffers closed."</span><span class="x">)</span> <span class="c">###################################</span> <span class="c"># --- Investigation: IOBuffer Resizing (Not part of article) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Investigating IOBuffer Resizing ---"</span><span class="x">)</span> <span class="n">investigation_buffer</span> <span class="o">=</span> <span class="kt">IOBuffer</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Initial state:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Write ~512 KB</span> <span class="n">kb_512</span> <span class="o">=</span> <span class="mi">512</span> <span class="o">*</span> <span class="mi">1024</span> <span class="n">data_512kb</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">UInt8</span><span class="x">,</span> <span class="n">kb_512</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="n">data_512kb</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing 512 KB:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Should have grown</span> <span class="c"># Take the data</span> <span class="n">taken_data</span> <span class="o">=</span> <span class="n">take!</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After take!:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Does it reset?</span> <span class="c"># Write ~16 MB</span> <span class="n">mb_16</span> <span class="o">=</span> <span class="mi">16</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="n">data_16mb</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">UInt8</span><span class="x">,</span> <span class="n">mb_16</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="n">data_16mb</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing 16 MB:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Should have grown significantly</span> <span class="c"># Empty the buffer using seekstart + truncate</span> <span class="n">seekstart</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">truncate</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="mi">0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After seekstart() + truncate(0):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="n">println</span><span class="x">(</span><span class="s">" Capacity (maxsize): </span><span class="si">$</span><span class="s">(investigation_buffer.maxsize) bytes"</span><span class="x">)</span> <span class="c"># Does it reset?</span> <span class="n">close</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Investigation buffer closed."</span><span class="x">)</span> <span class="c"># --- Investigation: IOBuffer with Supplied Vector (Not part of article) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Investigating IOBuffer with Supplied Vector ---"</span><span class="x">)</span> <span class="c"># 1. Create our initial vector</span> <span class="n">initial_size</span> <span class="o">=</span> <span class="mi">10</span> <span class="c"># Start small</span> <span class="n">backing_vector</span> <span class="o">=</span> <span class="kt">Vector</span><span class="x">{</span><span class="kt">UInt8</span><span class="x">}(</span><span class="nb">undef</span><span class="x">,</span> <span class="n">initial_size</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Initial state:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Vector length: </span><span class="si">$</span><span class="s">(length(backing_vector)) bytes"</span><span class="x">)</span> <span class="c"># We cannot check capacity directly.</span> <span class="c"># 2. Create IOBuffer with the vector, making it writable</span> <span class="c"># WARNING: IOBuffer now "takes ownership" conceptually</span> <span class="n">investigation_buffer</span> <span class="o">=</span> <span class="kt">IOBuffer</span><span class="x">(</span><span class="n">backing_vector</span><span class="x">;</span> <span class="n">write</span><span class="o">=</span><span class="nb">true</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"IOBuffer created with backing_vector:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" IOBuffer size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0 initially</span> <span class="c"># 3. Write data *within* the initial size</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="s">"Hello"</span><span class="x">)</span> <span class="c"># 5 bytes &lt; 10</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing 'Hello' (5 bytes):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" IOBuffer size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Backing vector length: </span><span class="si">$</span><span class="s">(length(backing_vector)) bytes"</span><span class="x">)</span> <span class="c"># Should still be 10</span> <span class="c"># 4. Write data that *exceeds* the initial size</span> <span class="c"># This will likely force IOBuffer to resize its internal storage.</span> <span class="c"># It *might* resize our 'backing_vector' in place, or it might</span> <span class="c"># allocate a completely new vector internally.</span> <span class="n">write</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">,</span> <span class="s">" World! This is a longer string."</span><span class="x">)</span> <span class="c"># &gt; 10 bytes total</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After writing more data (exceeding initial 10 bytes):"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" IOBuffer size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Backing vector length: </span><span class="si">$</span><span class="s">(length(backing_vector)) bytes"</span><span class="x">)</span> <span class="c"># Did it change? Maybe, maybe not.</span> <span class="c"># 5. Let's see the content via take!</span> <span class="n">seekstart</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="c"># Need to rewind before take!</span> <span class="n">taken_data</span> <span class="o">=</span> <span class="n">take!</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">After take!:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Taken data length: </span><span class="si">$</span><span class="s">(length(taken_data)) bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" IOBuffer size: </span><span class="si">$</span><span class="s">(investigation_buffer.size) bytes"</span><span class="x">)</span> <span class="c"># Should be 0</span> <span class="n">println</span><span class="x">(</span><span class="s">" Backing vector length: </span><span class="si">$</span><span class="s">(length(backing_vector)) bytes"</span><span class="x">)</span> <span class="c"># Unlikely to shrink</span> <span class="c"># 6. Check if the original vector reference was modified (unlikely but possible)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First 5 bytes of original backing_vector now: "</span><span class="x">,</span> <span class="n">backing_vector</span><span class="x">[</span><span class="mi">1</span><span class="o">:</span><span class="n">min</span><span class="x">(</span><span class="mi">5</span><span class="x">,</span> <span class="k">end</span><span class="x">)])</span> <span class="n">close</span><span class="x">(</span><span class="n">investigation_buffer</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Investigation buffer closed."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <code>IOBuffer</code>, an in-memory byte stream that conforms to the <code>IO</code> interface. It's a highly useful tool for efficiently building up data (like strings or binary messages) piece by piece before using the final result.</p> <ul> <li><p><strong>Core Concept:</strong> An <code>IOBuffer</code> acts like a virtual file that exists only in RAM. You can <code>write</code>, <code>print</code>, <code>read</code>, <code>seek</code>, etc., just like with a file (<code>IOStream</code>), but all operations happen directly in memory, making them very fast.</p></li> <li><p><strong>Creating an <code>IOBuffer</code>:</strong> <code>IOBuffer()</code> creates an empty, dynamically resizable buffer ready for writing.</p></li> <li><p><strong>Writing:</strong> You use the standard <code>IO</code> functions like <code>write</code>, <code>print</code>, and <code>println</code>. These append data to the buffer, automatically resizing it as needed.</p></li> <li><p><strong>Retrieving Data:</strong> There are two main ways to get the accumulated data out:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`take!(io)`:** This function returns the entire contents of the buffer as a `Vector{UInt8}` (a byte array). Crucially, `take!` also **resets the buffer**, making it empty again. This is useful when you want to "consume" the data. 2. **`seekstart(io)` + `read(io, String)` (or other reads):** `IOBuffer` maintains an internal position for reading and writing. After writing, the position is at the end. To read the data back, you must first move the position to the beginning using `seekstart(io)`. Then, you can use standard read functions like `read(io, String)` to get the content. This method does **not** clear the buffer. </code></pre> </div> <ul> <li> <p><strong>Efficient String Building:</strong><br> A key use case for <code>IOBuffer</code> is efficiently constructing complex strings. Recall from Module 1 (lesson <code>0015_string_concatenation.jl</code>) that repeated string concatenation (<code>s *= "part"</code>) is very slow because it creates many intermediate temporary strings.</p> <ul> <li>The pattern shown here (<code>buffer = IOBuffer(); for ... print(buffer, ...) end; final_string = String(take!(buffer))</code>) is the <strong>high-performance, idiomatic way</strong> to build a string from many pieces.</li> <li>You perform all the <code>print</code> operations into the fast, in-memory buffer (which minimizes allocations), and only create the single, final <code>String</code> object at the very end using <code>String(take!(buffer))</code>.</li> </ul> </li> <li><p><strong>Resource Management:</strong> While <code>IOBuffer</code> doesn't hold an operating system resource like a file handle, it does hold allocated memory. Calling <code>close(io)</code> signals that the buffer is no longer needed and allows its memory to be garbage collected sooner. It's good practice, though not strictly required as the GC will eventually collect it anyway.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>IOBuffer</code>:</strong> "Create an in-memory I/O stream."</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>take!</code>:</strong> "Take ownership of the contents of an <code>IOBuffer</code>... leaving the <code>IOBuffer</code> empty."</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>seekstart</code>:</strong> "Seek a stream to its beginning."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0072_iobuffer.jl Current buffer size: 15bytes Data as bytes: UInt8[0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x21, 0x0a, 0xff] Type of data: Vector<span class="o">{</span>UInt8<span class="o">}</span> Buffer size after take!: 0 <span class="nt">---</span> Reading as String <span class="nt">---</span> Buffer size before reading string: 13 Position after seekstart: 0 Content as string: Line 1 Line 2 Type of content: String Position after reading string: 13 <span class="nt">---</span> Efficient String Building <span class="nt">---</span> Build string: Item 1<span class="p">;</span> Item 2<span class="p">;</span> Item 3<span class="p">;</span> Item 4<span class="p">;</span> Item 5<span class="p">;</span> Buffers closed. <span class="nt">---</span> Investigating IOBuffer Resizing <span class="nt">---</span> Initial state: Size: 0 bytes Capacity <span class="o">(</span>maxsize<span class="o">)</span>: 9223372036854775807 bytes After writing 512 KB: Size: 524288 bytes Capacity <span class="o">(</span>maxsize<span class="o">)</span>: 9223372036854775807 bytes After take!: Size: 0 bytes Capacity <span class="o">(</span>maxsize<span class="o">)</span>: 9223372036854775807 bytes After writing 16 MB: Size: 16777216 bytes Capacity <span class="o">(</span>maxsize<span class="o">)</span>: 9223372036854775807 bytes After seekstart<span class="o">()</span> + <span class="nb">truncate</span><span class="o">(</span>0<span class="o">)</span>: Size: 0 bytes Capacity <span class="o">(</span>maxsize<span class="o">)</span>: 9223372036854775807 bytes Investigation buffer closed. <span class="nt">---</span> Investigating IOBuffer with Supplied Vector <span class="nt">---</span> Initial state: Vector length: 10 bytes IOBuffer created with backing_vector: IOBuffer size: 0 bytes After writing <span class="s1">'Hello'</span> <span class="o">(</span>5 bytes<span class="o">)</span>: IOBuffer size: 5 bytes Backing vector length: 10 bytes After writing more data <span class="o">(</span>exceeding initial 10 bytes<span class="o">)</span>: IOBuffer size: 37 bytes Backing vector length: 10 bytes After take!: Taken data length: 37 bytes IOBuffer size: 0 bytes Backing vector length: 10 bytes First 5 bytes of original backing_vector now: UInt8[0x48, 0x65, 0x6c, 0x6c, 0x6f] </code></pre> </div> <h2> Appendix: Investigating IOBuffer Resizing </h2> <p><em>(This section details experiments run after the main script and is for informational purposes)</em></p> <p>We performed two experiments to understand <code>IOBuffer</code>'s memory management:</p> <ol> <li> <p><strong>Default <code>IOBuffer</code>:</strong></p> <ul> <li>We observed that the <code>io.maxsize</code> field reported <code>typemax(Int)</code>, indicating the theoretical maximum size, <strong>not</strong> the currently allocated capacity.</li> <li>Writing data increased <code>io.size</code>, but <code>io.maxsize</code> remained unchanged.</li> <li>Operations like <code>take!</code> and <code>truncate</code> reset <code>io.size</code> to 0 but did not change <code>io.maxsize</code>.</li> <li> <strong>Conclusion:</strong> There is no public API to directly inspect the current <em>allocated capacity</em> of a default <code>IOBuffer</code>. Julia manages this internally.</li> </ul> </li> <li> <p><strong><code>IOBuffer</code> with a Supplied <code>Vector{UInt8}</code>:</strong></p> <ul> <li>We created an <code>IOBuffer</code> using a pre-allocated <code>backing_vector</code> of size 10, passing <code>write=true</code>.</li> <li>Writing data <em>within</em> the initial 10 bytes updated <code>io.size</code> but left <code>length(backing_vector)</code> unchanged.</li> <li>Writing data <em>exceeding</em> the initial 10 bytes updated <code>io.size</code> but <strong>still left <code>length(backing_vector)</code> unchanged at 10</strong>.</li> <li> <strong>Conclusion:</strong> When the provided vector's capacity was exceeded, the <code>IOBuffer</code> allocated its own <strong>internal, larger buffer</strong> rather than resizing the original <code>backing_vector</code>. The original vector reference remained unchanged and only contained the data written before the resize occurred. This confirms the documentation's warning that <code>IOBuffer</code> takes ownership and may replace the provided buffer.</li> </ul> </li> </ol> <h2> Concurrency With Tasks And Channels </h2> <h3> <code>0073_tasks_async.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0073_tasks_async.jl</span> <span class="c"># 1. Define a function that simulates a slow operation (like I/O).</span> <span class="c"># 'sleep()' yields control to Julia's scheduler, allowing other Tasks to run.</span> <span class="k">function</span><span class="nf"> slow_operation</span><span class="x">(</span><span class="n">id</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">duration</span><span class="o">::</span><span class="kt">Float64</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Starting on thread "</span><span class="x">,</span> <span class="n">Threads</span><span class="o">.</span><span class="n">threadid</span><span class="x">())</span> <span class="n">sleep</span><span class="x">(</span><span class="n">duration</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Finished after </span><span class="si">$</span><span class="s">duration seconds."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Part 1: @async without @sync ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Part 1: @async without @sync ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main code running on thread "</span><span class="x">,</span> <span class="n">Threads</span><span class="o">.</span><span class="n">threadid</span><span class="x">())</span> <span class="c"># 2. Launch tasks asynchronously using '@async'.</span> <span class="c"># '@async' starts the task and immediately returns control.</span> <span class="c"># The main code continues *without* waiting.</span> <span class="n">t1</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">slow_operation</span><span class="x">(</span><span class="mi">1</span><span class="x">,</span> <span class="mf">1.0</span><span class="x">)</span> <span class="n">t2</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">slow_operation</span><span class="x">(</span><span class="mi">2</span><span class="x">,</span> <span class="mf">0.5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Tasks 1 and 2 launched. Main code continues..."</span><span class="x">)</span> <span class="c"># The script might end here *before* the tasks finish, depending on timing.</span> <span class="c"># We add a sleep to give them a chance to complete for demonstration.</span> <span class="n">sleep</span><span class="x">(</span><span class="mf">1.5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main code finished Part 1."</span><span class="x">)</span> <span class="c"># --- Part 2: @async within @sync ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Part 2: @async within @sync ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main code starting @sync block..."</span><span class="x">)</span> <span class="c"># 3. Use '@sync' to wait for all enclosed '@async' tasks.</span> <span class="nd">@sync</span> <span class="k">begin</span> <span class="n">println</span><span class="x">(</span><span class="s">"Inside @sync block, launching tasks..."</span><span class="x">)</span> <span class="c"># These tasks are launched concurrently.</span> <span class="nd">@async</span> <span class="n">slow_operation</span><span class="x">(</span><span class="mi">3</span><span class="x">,</span> <span class="mf">1.0</span><span class="x">)</span> <span class="nd">@async</span> <span class="n">slow_operation</span><span class="x">(</span><span class="mi">4</span><span class="x">,</span> <span class="mf">0.5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Tasks 3 and 4 launched within @sync."</span><span class="x">)</span> <span class="c"># Control flow waits *here* (at the 'end' of the @sync block)</span> <span class="c"># until both task 3 and task 4 have completed.</span> <span class="k">end</span> <span class="c"># &lt;--- Synchronization point</span> <span class="c"># 4. This line only executes *after* both task 3 and task 4 are finished.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main code finished @sync block. All tasks completed."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Task</code>s</strong> and the <strong><code>@async</code></strong> macro, which are Julia's fundamental tools for <strong>concurrency</strong>. Concurrency allows managing multiple operations seemingly simultaneously, crucial for responsive applications dealing with I/O or background processing.</p> <ul> <li> <p><strong>Concurrency vs. Parallelism:</strong></p> <ul> <li> <strong>Concurrency:</strong> Managing multiple tasks over time, often interleaving their execution on a <strong>single OS thread</strong>. Tasks yield control during blocking operations (like I/O or <code>sleep</code>). This prevents one slow task from blocking others. This is what <code>@async</code> provides by default.</li> <li> <strong>Parallelism:</strong> Executing multiple tasks simultaneously on <strong>multiple CPU cores</strong> using multiple OS threads. (This is covered later with <code>Threads.@spawn</code>).</li> <li> <strong>Key Point:</strong> Notice that <code>Threads.threadid()</code> typically prints <code>1</code> for all tasks here. <code>@async</code> achieves concurrency, not necessarily parallelism by default.</li> </ul> </li> <li><p><strong><code>Task</code>:</strong><br><br> A <code>Task</code> is Julia's basic unit of concurrent execution. It's a lightweight construct (lighter than an OS thread) that represents a computation that can be paused and resumed. They are managed by Julia's cooperative scheduler.</p></li> <li> <p><strong><code>@async expression</code>:</strong></p> <ul> <li>This macro takes an expression (like a function call), wraps it in a <code>Task</code>, and submits it to Julia's scheduler to run <strong>asynchronously</strong>.</li> <li> <strong>Non-blocking:</strong> The key feature is that <code>@async</code> returns <strong>immediately</strong>, allowing the code following it to execute without waiting for the task to finish. It returns a <code>Task</code> object, which is a handle to the running task.</li> <li>In Part 1, the main script launches tasks 1 and 2 and continues. Without the <code>sleep(1.5)</code>, the script might exit before the tasks even get a chance to print their "Finished" messages.</li> </ul> </li> <li> <p><strong><code>@sync begin ... end</code>:</strong></p> <ul> <li>This macro creates a <strong>synchronization point</strong>. It executes the code within its <code>begin...end</code> block.</li> <li> <strong>Waiting:</strong> The crucial behavior is that the code <em>after</em> the <code>@sync</code> block's <code>end</code> will <strong>only execute once all <code>@async</code> tasks launched <em>directly within</em> that block have completed</strong>.</li> <li>In Part 2, tasks 3 and 4 are launched. The <code>@sync</code> block waits at its <code>end</code> until both <code>slow_operation(3, ...)</code> and <code>slow_operation(4, ...)</code> have finished. Only then does the final <code>println</code> execute. This guarantees completion.</li> </ul> </li> <li><p><strong>Cooperative Scheduling:</strong><br><br> Julia's <code>Task</code>s are scheduled <strong>cooperatively</strong>. A <code>Task</code> runs until it hits an operation that yields control, such as <code>sleep()</code>, network I/O, <code>yield()</code>, or waiting on a <code>Channel</code> (next lesson). This yielding allows the scheduler to run another waiting <code>Task</code>. This is efficient for I/O-bound workloads but means a CPU-bound task (<code>for i in 1:1e12 end</code>) will hog the thread unless it explicitly <code>yield</code>s.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Asynchronous Programming":</strong> Explains <code>Task</code>s, <code>@async</code>, <code>@sync</code>, and cooperative scheduling.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>@async</code> and <code>@sync</code>:</strong> Detailed descriptions of the macros.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(The exact interleaving of "Starting" and "Finished" messages may vary slightly due to scheduling.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0073_tasks_async.jl <span class="nt">---</span> Part 1: @async without @sync <span class="nt">---</span> Main code running on thread 1 Tasks 1 and 2 launched. Main code continues... Task 1: Starting on thread 1 Task 2: Starting on thread 1 Task 2: Finished after 0.5 seconds. Task 1: Finished after 1.0 seconds. Main code finished Part 1. <span class="nt">---</span> Part 2: @async within @sync <span class="nt">---</span> Main code starting @sync block... Inside @sync block, launching tasks... Tasks 3 and 4 launched within @sync. Task 3: Starting on thread 1 Task 4: Starting on thread 1 Task 4: Finished after 0.5 seconds. Task 3: Finished after 1.0 seconds. Main code finished @sync block. All tasks completed. </code></pre> </div> <h3> <code>0074_tasks_fetch.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0074_tasks_fetch.jl</span> <span class="c"># 1. Define a function that returns a value after some work.</span> <span class="k">function</span><span class="nf"> compute_value</span><span class="x">(</span><span class="n">id</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">duration</span><span class="o">::</span><span class="kt">Float64</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Starting computation..."</span><span class="x">)</span> <span class="n">sleep</span><span class="x">(</span><span class="n">duration</span><span class="x">)</span> <span class="c"># Simulate work</span> <span class="n">result</span> <span class="o">=</span> <span class="n">id</span> <span class="o">*</span> <span class="mi">100</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Finished computation, returning </span><span class="si">$</span><span class="s">result."</span><span class="x">)</span> <span class="k">return</span> <span class="n">result</span> <span class="c"># Return the computed value</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Launching tasks with @async ---"</span><span class="x">)</span> <span class="c"># 2. Launch tasks asynchronously. '@async' returns Task objects.</span> <span class="n">task_a</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">1</span><span class="x">,</span> <span class="mf">1.0</span><span class="x">)</span> <span class="n">task_b</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">2</span><span class="x">,</span> <span class="mf">0.5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Tasks launched. Main code continues..."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of task_a: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">task_a</span><span class="x">))</span> <span class="c"># 3. Use 'fetch()' to wait for a task and get its result.</span> <span class="c"># 'fetch(t)' blocks the *current* task until task 't' completes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Waiting for Task B..."</span><span class="x">)</span> <span class="n">result_b</span> <span class="o">=</span> <span class="n">fetch</span><span class="x">(</span><span class="n">task_b</span><span class="x">)</span> <span class="c"># Waits for task_b (0.5s)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from Task B: "</span><span class="x">,</span> <span class="n">result_b</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result_b: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">result_b</span><span class="x">))</span> <span class="c"># Int64</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Waiting for Task A..."</span><span class="x">)</span> <span class="n">result_a</span> <span class="o">=</span> <span class="n">fetch</span><span class="x">(</span><span class="n">task_a</span><span class="x">)</span> <span class="c"># Waits for task_a (remaining 0.5s)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from Task A: "</span><span class="x">,</span> <span class="n">result_a</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result_a: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">result_a</span><span class="x">))</span> <span class="c"># Int64</span> <span class="c"># 4. Fetching multiple tasks (often done after a @sync block conceptually)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Fetching after @sync ---"</span><span class="x">)</span> <span class="kd">local</span> <span class="n">result_c</span><span class="x">,</span> <span class="n">result_d</span> <span class="c"># Define variables outside the sync block scope</span> <span class="nd">@sync</span> <span class="k">begin</span> <span class="kd">local</span> <span class="n">task_c</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">3</span><span class="x">,</span> <span class="mf">0.8</span><span class="x">)</span> <span class="kd">local</span> <span class="n">task_d</span> <span class="o">=</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">4</span><span class="x">,</span> <span class="mf">0.3</span><span class="x">)</span> <span class="c"># The @sync block waits here until both task_c and task_d finish.</span> <span class="c"># We can fetch inside the @sync block *after* they finish if needed,</span> <span class="c"># but often you fetch afterwards. Fetching here is redundant due to @sync.</span> <span class="c"># result_c = fetch(task_c)</span> <span class="c"># result_d = fetch(task_d)</span> <span class="k">end</span> <span class="c"># Both tasks are guaranteed complete now</span> <span class="c"># Fetching after the @sync block is guaranteed not to block</span> <span class="c"># (unless accessing task handles defined outside the block scope requires care).</span> <span class="c"># For tasks defined *inside* @sync, accessing them outside requires care with scope.</span> <span class="c"># A better pattern involves storing tasks in a collection defined outside @sync.</span> <span class="c"># Better pattern for collecting results after @sync</span> <span class="n">tasks</span> <span class="o">=</span> <span class="x">[]</span> <span class="nd">@sync</span> <span class="k">begin</span> <span class="n">push!</span><span class="x">(</span><span class="n">tasks</span><span class="x">,</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">5</span><span class="x">,</span> <span class="mf">0.6</span><span class="x">))</span> <span class="n">push!</span><span class="x">(</span><span class="n">tasks</span><span class="x">,</span> <span class="nd">@async</span> <span class="n">compute_value</span><span class="x">(</span><span class="mi">6</span><span class="x">,</span> <span class="mf">0.2</span><span class="x">))</span> <span class="k">end</span> <span class="c"># Both tasks 5 &amp; 6 are done</span> <span class="n">println</span><span class="x">(</span><span class="s">"Fetching results after @sync using a collection:"</span><span class="x">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">fetch</span><span class="o">.</span><span class="x">(</span><span class="n">tasks</span><span class="x">)</span> <span class="c"># Use broadcasting '.' for fetch on a collection</span> <span class="n">println</span><span class="x">(</span><span class="s">"Results [5, 6]: "</span><span class="x">,</span> <span class="n">results</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Main code finished."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to retrieve the <strong>return value</strong> from a concurrently running <code>Task</code> using the <code>fetch()</code> function.</p> <ul> <li><p><strong>Core Concept: Tasks Return Values</strong><br> Just like regular functions, computations wrapped in <code>@async</code> can <code>return</code> a value. The <code>@async</code> macro captures this eventual return value.</p></li> <li> <p><strong><code>fetch(t::Task)</code> Function</strong></p> <ul> <li> <code>fetch(t)</code> is the primary mechanism to <strong>wait for a specific task <code>t</code> to complete</strong> and then retrieve its return value.</li> <li> <strong>Blocking Behavior:</strong> If task <code>t</code> has not yet finished when <code>fetch(t)</code> is called, the <em>current</em> task (the one calling <code>fetch</code>) will <strong>block</strong> (pause execution and yield control) until task <code>t</code> completes.</li> <li> <strong>Return Value:</strong> Once task <code>t</code> completes, <code>fetch(t)</code> returns the value that the task's expression evaluated to (i.e., the value returned by the function wrapped in <code>@async</code>). The type of the value returned by <code>fetch</code> is the type returned by the task's function.</li> <li> <strong>Fetching Again:</strong> If you call <code>fetch(t)</code> on a task that has already completed, it immediately returns the stored result without blocking.</li> </ul> </li> <li><p><strong>Example Walkthrough:</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. `task_a` and `task_b` are launched concurrently. The main code continues. 2. `fetch(task_b)` is called. Since `task_b` only needs 0.5s and likely hasn't finished immediately, the main task blocks here. 3. After \~0.5s, `task_b` finishes, returns `200`. `fetch(task_b)` unblocks and returns `200`. 4. `fetch(task_a)` is called. `task_a` needs 1.0s total. Since \~0.5s has already passed, the main task blocks for the remaining \~0.5s. 5. After \~1.0s total, `task_a` finishes, returns `100`. `fetch(task_a)` unblocks and returns `100`. </code></pre> </div> <ul> <li> <p><strong><code>fetch</code> and <code>@sync</code>:</strong></p> <ul> <li>The <code>@sync</code> block guarantees that all <code>@async</code> tasks launched <em>directly within it</em> are complete before the block finishes.</li> <li>Therefore, calling <code>fetch</code> on a task <em>after</em> the <code>@sync</code> block it was defined in will <strong>not block</strong>, because the task is already guaranteed to be finished.</li> <li>A common pattern is to collect <code>Task</code> objects created within <code>@sync</code> into an array defined <em>outside</em> the block, and then use broadcasted <code>fetch.</code> after the block to gather all results efficiently.</li> </ul> </li> <li><p><strong>Error Handling:</strong> If a task terminates due to an exception, <code>fetch(t)</code> will <strong>re-throw that same exception</strong> in the calling task. This allows you to handle errors from asynchronous tasks using standard <code>try...catch</code> blocks around the <code>fetch</code> call.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>fetch</code>:</strong> "Wait for a <code>Task</code> to complete and return its value."</li> <li> <strong>Julia Official Documentation, Manual, "Asynchronous Programming":</strong> Shows examples of using <code>fetch</code> to get results from tasks.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Output timing and interleaving may vary slightly.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0074_tasks_fetch.jl <span class="nt">---</span> Launching tasks with @async <span class="nt">---</span> Tasks launched. Main code continues... Type of task_a: Task <span class="o">(</span>runnable<span class="o">)</span> @0x... Task 1: Starting computation... Task 2: Starting computation... Waiting <span class="k">for </span>Task B... Task 2: Finished computation, returning 200. Result from Task B: 200 Type of result_b: Int64 Waiting <span class="k">for </span>Task A... Task 1: Finished computation, returning 100. Result from Task A: 100 Type of result_a: Int64 <span class="nt">---</span> Fetching after @sync <span class="nt">---</span> Task 5: Starting computation... Task 6: Starting computation... Task 6: Finished computation, returning 600. Task 5: Finished computation, returning 500. Fetching results after @sync using a collection: Results <span class="o">[</span>5, 6]: <span class="o">[</span>500, 600] Main code finished. </code></pre> </div> <h3> <code>0075_channels_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0075_channels_basics.jl</span> <span class="c"># 1. Create a Channel.</span> <span class="c"># A Channel is a thread-safe FIFO (First-In, First-Out) queue</span> <span class="c"># for passing messages between Tasks.</span> <span class="c"># Channel{String}(3) creates a channel that can hold Strings,</span> <span class="c"># with an internal buffer size of 3.</span> <span class="n">chan</span> <span class="o">=</span> <span class="kt">Channel</span><span class="x">{</span><span class="kt">String</span><span class="x">}(</span><span class="mi">3</span><span class="x">)</span> <span class="c"># 2. Define a "producer" task.</span> <span class="c"># This task will put data *into* the channel.</span> <span class="k">function</span><span class="nf"> producer</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="kt">Channel</span><span class="x">,</span> <span class="n">id</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">num_messages</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Producer </span><span class="si">$</span><span class="s">id: Starting..."</span><span class="x">)</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">num_messages</span> <span class="n">message</span> <span class="o">=</span> <span class="s">"Producer </span><span class="si">$</span><span class="s">id - Message </span><span class="si">$</span><span class="s">i"</span> <span class="n">println</span><span class="x">(</span><span class="s">"Producer </span><span class="si">$</span><span class="s">id: Putting '</span><span class="si">$</span><span class="s">message'"</span><span class="x">)</span> <span class="c"># 'put!' blocks if the channel buffer is full.</span> <span class="n">put!</span><span class="x">(</span><span class="n">c</span><span class="x">,</span> <span class="n">message</span><span class="x">)</span> <span class="n">sleep</span><span class="x">(</span><span class="n">rand</span><span class="x">()</span> <span class="o">*</span> <span class="mf">0.5</span><span class="x">)</span> <span class="c"># Simulate some work</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Producer </span><span class="si">$</span><span class="s">id: Finished putting messages."</span><span class="x">)</span> <span class="c"># Note: The producer often closes the channel if it's the only one.</span> <span class="k">end</span> <span class="c"># 3. Define a "consumer" task.</span> <span class="c"># This task will take data *out* of the channel.</span> <span class="k">function</span><span class="nf"> consumer</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="kt">Channel</span><span class="x">,</span> <span class="n">id</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Consumer </span><span class="si">$</span><span class="s">id: Starting..."</span><span class="x">)</span> <span class="c"># Iterating over a channel is the idiomatic way to consume.</span> <span class="c"># The loop blocks if the channel is empty and waits for data.</span> <span class="c"># It automatically terminates when the channel is closed AND empty.</span> <span class="k">for</span> <span class="n">message</span> <span class="k">in</span> <span class="n">c</span> <span class="n">println</span><span class="x">(</span><span class="s">"Consumer </span><span class="si">$</span><span class="s">id: Received '</span><span class="si">$</span><span class="s">message'"</span><span class="x">)</span> <span class="n">sleep</span><span class="x">(</span><span class="n">rand</span><span class="x">()</span> <span class="o">*</span> <span class="mf">0.7</span><span class="x">)</span> <span class="c"># Simulate processing</span> <span class="k">end</span> <span class="c"># This line is reached only after the channel is closed and emptied.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Consumer </span><span class="si">$</span><span class="s">id: Channel closed and empty. Finishing."</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Starting Producer/Consumer with Channel ---"</span><span class="x">)</span> <span class="c"># 4. Launch the tasks concurrently.</span> <span class="nd">@sync</span> <span class="k">begin</span> <span class="c"># Start two consumers listening on the *same* channel.</span> <span class="nd">@async</span> <span class="n">consumer</span><span class="x">(</span><span class="n">chan</span><span class="x">,</span> <span class="mi">1</span><span class="x">)</span> <span class="nd">@async</span> <span class="n">consumer</span><span class="x">(</span><span class="n">chan</span><span class="x">,</span> <span class="mi">2</span><span class="x">)</span> <span class="c"># Give consumers a moment to start up (optional, for demo clarity)</span> <span class="n">sleep</span><span class="x">(</span><span class="mf">0.1</span><span class="x">)</span> <span class="c"># Start two producers putting data into the *same* channel.</span> <span class="nd">@async</span> <span class="n">producer</span><span class="x">(</span><span class="n">chan</span><span class="x">,</span> <span class="mi">1</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="nd">@async</span> <span class="n">producer</span><span class="x">(</span><span class="n">chan</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">)</span> <span class="c"># Wait here until *all* launched tasks (consumers &amp; producers) finish</span> <span class="c"># OR until we manually intervene (like closing the channel).</span> <span class="c"># Since consumers loop until the channel is closed, @sync would wait</span> <span class="c"># forever without a close operation.</span> <span class="c"># 5. Wait for producers specifically (alternative to @sync on everything)</span> <span class="c"># We need a way to know when all data has been sent before closing.</span> <span class="c"># (A more robust system might use multiple channels or atomic counters)</span> <span class="c"># For simplicity, we'll just wait a fixed time, assuming producers finish.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main: Waiting for producers to likely finish..."</span><span class="x">)</span> <span class="n">sleep</span><span class="x">(</span><span class="mf">4.0</span><span class="x">)</span> <span class="c"># Adjust time based on producer work/sleep</span> <span class="c"># 6. Close the channel.</span> <span class="c"># This signals to consumers that no more data will ever be put!.</span> <span class="c"># Consumers will finish their current loop iteration and then exit.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main: Closing the channel..."</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">chan</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main: Channel closed. @sync will now wait for consumers to finish."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># @sync waits for consumers to exit their loops</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- All tasks finished ---"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Channel</code>s</strong>, the primary mechanism in Julia for safe and efficient communication <strong>between concurrent <code>Task</code>s</strong>. They act as thread-safe queues for passing messages.</p> <ul> <li><p><strong>Core Concept:</strong> A <code>Channel</code> is like a conveyor belt between tasks. One or more "producer" tasks can <code>put!</code> items onto the belt, and one or more "consumer" tasks can <code>take!</code> items off the belt. The channel manages synchronization and buffering automatically.</p></li> <li> <p><strong>Creating a Channel: <code>Channel{T}(size)</code></strong></p> <ul> <li> <code>Channel{String}(3)</code> creates a channel designed to hold <code>String</code> messages.</li> <li>The <code>size</code> argument (<code>3</code> in this case) defines the <strong>buffer capacity</strong>. This channel can hold up to 3 messages internally before blocking. A <code>size</code> of 0 creates an unbuffered (rendezvous) channel where <code>put!</code> blocks until a <code>take!</code> occurs.</li> </ul> </li> <li> <p><strong>Sending Data: <code>put!(channel, value)</code></strong></p> <ul> <li>The producer uses <code>put!(c, message)</code> to place a message onto the channel.</li> <li> <strong>Blocking Behavior:</strong> If the channel's buffer is <strong>full</strong> (already holding <code>size</code> items), the <code>put!</code> call will <strong>block</strong> the producer task until a consumer task calls <code>take!</code> and makes space.</li> </ul> </li> <li><p><strong>Receiving Data: <code>take!(channel)</code> or Iteration</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`take!(channel)`:** Explicitly removes and returns one item from the channel. If the channel is **empty**, `take!` **blocks** the consumer task until a producer `put!`s an item. 2. **Iteration (`for message in channel`):** This is the **idiomatic** way to consume data. The `for` loop automatically calls `take!` internally. * It **blocks** if the channel is empty, waiting for the next item. * It **automatically terminates** only when two conditions are met: the channel has been `close`d AND the buffer is empty. </code></pre> </div> <ul> <li> <p><strong>Closing the Channel: <code>close(channel)</code></strong></p> <ul> <li> <code>close(c)</code> signals that <strong>no more items will ever be <code>put!</code></strong> into the channel.</li> <li>This is crucial for terminating consumer loops that iterate (<code>for message in c</code>). Once closed, <code>put!</code> will error. <code>take!</code> and iteration will continue to drain any remaining items in the buffer and then stop.</li> </ul> </li> <li><p><strong>Thread Safety:</strong> Channels are <strong>guaranteed to be thread-safe</strong>. You can have multiple producers and multiple consumers interacting with the same channel from different tasks (and potentially different OS threads if using <code>Threads.@spawn</code>) without needing any external locks. The channel handles all the internal synchronization.</p></li> <li><p><strong>Producer/Consumer Pattern:</strong> This example demonstrates the classic producer-consumer pattern. Producers generate data independently, and consumers process data independently, decoupled by the channel acting as a synchronized buffer. This is fundamental for building concurrent systems (e.g., one task reads network data, puts messages on a channel, another task processes those messages).</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Manual, "Asynchronous Programming", "Channels":</strong> Introduces channels for inter-task communication.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Channel</code>, <code>put!</code>, <code>take!</code>, <code>close</code>:</strong> Detailed API descriptions.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(The exact order of messages will vary due to concurrent execution and random sleeps, but all messages should be produced and consumed.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0075_channels_basics.jl <span class="nt">---</span> Starting Producer/Consumer with Channel <span class="nt">---</span> Inside @sync block, launching tasks... Consumer 1: Starting... Consumer 2: Starting... Main: Waiting <span class="k">for </span>producers to likely finish... Producer 1: Starting... Producer 1: Putting <span class="s1">'Producer 1 - Message 1'</span> Producer 2: Starting... Producer 2: Putting <span class="s1">'Producer 2 - Message 1'</span> Consumer 1: Received <span class="s1">'Producer 1 - Message 1'</span> Consumer 2: Received <span class="s1">'Producer 2 - Message 1'</span> Producer 1: Putting <span class="s1">'Producer 1 - Message 2'</span> Producer 2: Putting <span class="s1">'Producer 2 - Message 2'</span> Consumer 1: Received <span class="s1">'Producer 1 - Message 2'</span> Consumer 2: Received <span class="s1">'Producer 2 - Message 2'</span> Producer 1: Putting <span class="s1">'Producer 1 - Message 3'</span> Producer 2: Putting <span class="s1">'Producer 2 - Message 3'</span> Consumer 1: Received <span class="s1">'Producer 1 - Message 3'</span> Producer 2: Finished putting messages. Consumer 2: Received <span class="s1">'Producer 2 - Message 3'</span> Producer 1: Putting <span class="s1">'Producer 1 - Message 4'</span> Consumer 1: Received <span class="s1">'Producer 1 - Message 4'</span> Producer 1: Finished putting messages. Main: Closing the channel... Main: Channel closed. @sync will now <span class="nb">wait </span><span class="k">for </span>consumers to finish. Consumer 2: Channel closed and empty. Finishing. Consumer 1: Channel closed and empty. Finishing. <span class="nt">---</span> All tasks finished <span class="nt">---</span> </code></pre> </div> <h2> Network Programming Sockets </h2> <h3> <code>0076_sockets_tcp_server.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0076_sockets_tcp_server.jl</span> <span class="c"># Import the Sockets standard library</span> <span class="k">import</span> <span class="n">Sockets</span> <span class="c"># Define the host IP and port to listen on.</span> <span class="c"># Sockets.localhost (typically 127.0.0.1) means listen only for connections</span> <span class="c"># from the same machine. Use Sockets.ip"0.0.0.0" to listen on all interfaces.</span> <span class="kd">const</span> <span class="n">HOST</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">localhost</span> <span class="kd">const</span> <span class="n">PORT</span> <span class="o">=</span> <span class="mi">8080</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Starting TCP Echo Server ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Listening on </span><span class="si">$</span><span class="s">HOST:</span><span class="si">$</span><span class="s">PORT..."</span><span class="x">)</span> <span class="c"># 1. Create a TCP Server object.</span> <span class="c"># 'listen()' binds to the address and starts listening for connections.</span> <span class="c"># It returns a TCPServer object, which is itself an IO stream used</span> <span class="c"># only for accepting new connections.</span> <span class="n">server</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">listen</span><span class="x">(</span><span class="n">HOST</span><span class="x">,</span> <span class="n">PORT</span><span class="x">)</span> <span class="k">try</span> <span class="c"># 2. Loop indefinitely to accept incoming connections.</span> <span class="k">while</span> <span class="nb">true</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Server: Waiting for a new client connection..."</span><span class="x">)</span> <span class="c"># 3. Accept a connection.</span> <span class="c"># 'accept()' blocks until a client connects.</span> <span class="c"># It returns a TCPSocket object representing the connection to *that* client.</span> <span class="c"># The TCPSocket is also an IO stream (subtype of IO).</span> <span class="n">client_socket</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">accept</span><span class="x">(</span><span class="n">server</span><span class="x">)</span> <span class="n">client_addr</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">getpeername</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="c"># Get client IP and port</span> <span class="n">println</span><span class="x">(</span><span class="s">"Server: Accepted connection from </span><span class="si">$</span><span class="s">client_addr"</span><span class="x">)</span> <span class="c"># 4. Handle the client connection asynchronously.</span> <span class="c"># We launch a new Task for each client using '@async'.</span> <span class="c"># This allows the server to immediately go back to 'accept()'</span> <span class="c"># and handle other clients concurrently without blocking.</span> <span class="nd">@async</span> <span class="k">begin</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Handling connection in new Task."</span><span class="x">)</span> <span class="k">try</span> <span class="c"># 5. Interact with the client using the client_socket IO stream.</span> <span class="k">while</span> <span class="o">!</span><span class="n">eof</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="c"># Loop until client closes connection</span> <span class="c"># Read a line of text sent by the client.</span> <span class="n">line</span> <span class="o">=</span> <span class="n">readline</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Received: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">line</span><span class="x">))</span> <span class="c"># repr shows quotes/newlines</span> <span class="c"># Check if client wants to quit</span> <span class="k">if</span> <span class="n">line</span> <span class="o">==</span> <span class="s">"quit"</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Quit command received. Closing connection."</span><span class="x">)</span> <span class="n">write</span><span class="x">(</span><span class="n">client_socket</span><span class="x">,</span> <span class="s">"Goodbye!</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="n">break</span> <span class="c"># Exit the while loop for this client</span> <span class="k">end</span> <span class="c"># Echo the line back to the client.</span> <span class="n">response</span> <span class="o">=</span> <span class="s">"Server Echo: "</span> <span class="o">*</span> <span class="n">line</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="n">write</span><span class="x">(</span><span class="n">client_socket</span><span class="x">,</span> <span class="n">response</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Sent: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">response</span><span class="x">))</span> <span class="k">end</span> <span class="k">catch</span> <span class="n">e</span> <span class="c"># Handle potential errors during client communication (e.g., connection reset)</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Error: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="k">finally</span> <span class="c"># 6. Ensure the client socket is closed when done or on error.</span> <span class="n">println</span><span class="x">(</span><span class="s">" [Client </span><span class="si">$</span><span class="s">client_addr]: Closing socket."</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># End of @async block for this client</span> <span class="k">end</span> <span class="c"># End of while true loop (accepting connections)</span> <span class="k">catch</span> <span class="n">e</span> <span class="c"># Handle potential errors with the server itself (e.g., port already in use)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Server Error: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="k">finally</span> <span class="c"># 7. Ensure the main server socket is closed when the server stops.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Server: Shutting down."</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">server</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to create a basic <strong>TCP server</strong> using Julia's built-in <code>Sockets</code> standard library. The server listens for incoming connections and handles each client concurrently using <code>@async</code>, echoing back any text the client sends.</p> <ul> <li> <strong>Core Concept: Server Socket vs. Client Socket</strong> Networking involves two types of sockets:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **Server Socket (`TCPServer`):** Created by `Sockets.listen()`. Its *only* job is to wait for incoming connection requests on a specific IP address and port. It acts like a receptionist waiting for the phone to ring. 2. **Client Socket (`TCPSocket`):** Created by `Sockets.accept()` on the server side (or `Sockets.connect()` on the client side). This represents the **actual two-way communication channel** with a *specific* client. It's the phone line used for the conversation after the receptionist connects the call. Both `TCPServer` and `TCPSocket` are subtypes of `IO`. </code></pre> </div> <ul> <li><strong>Steps to Create a Server:</strong></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`Sockets.listen(HOST, PORT)`:** Binds the server to the specified `HOST` IP address and `PORT` number. If the port is already in use, this will error. It returns the `TCPServer` object. 2. **`while true ... Sockets.accept(server) ... end`:** The main server loop. `Sockets.accept(server)` **blocks** execution until a client attempts to connect. When a client connects, `accept` returns a **new `TCPSocket` object** dedicated to that client. 3. **`@async begin ... end`:** To handle multiple clients simultaneously, we immediately launch a **new `Task`** using `@async` to handle the `client_socket`. The main server loop then instantly goes back to `accept`, ready for the next client, without waiting for the first client's session to finish. This is crucial for server responsiveness. 4. **Client Handling Loop (`while !eof(...) ... end`):** Inside the `@async` block, we interact with the specific client using the `client_socket` (which is an `IO` stream). We use standard `IO` functions like `readline()` to receive data and `write()` to send data. The `eof(client_socket)` function checks if the client has closed their end of the connection. `Sockets.getpeername(client_socket)` retrieves the IP address and port of the connected client. 5. **`close(client_socket)`:** When communication with a specific client is finished (or an error occurs), its dedicated `TCPSocket` **must be closed** within the `@async` task to release the connection resources. Using `try...finally` guarantees this. 6. **`close(server)`:** When the server itself shuts down (e.g., due to an error or `Ctrl+C`), the main listening `TCPServer` socket must also be closed to unbind the port. The outer `try...finally` ensures this. </code></pre> </div> <ul> <li><p><strong>Concurrency Model:</strong><br> This server uses the <strong>Task-per-Client</strong> concurrency model. Each incoming connection spawns a new Julia <code>Task</code>. Thanks to Julia's efficient, non-blocking I/O and lightweight tasks, this model can handle many concurrent connections effectively on a single OS thread (though multi-threading can be added for CPU-bound work within tasks).</p></li> <li><p><strong><code>repr()</code> Function:</strong> We use <code>repr(line)</code> in the output. This function provides a string representation that includes quotes and escape sequences (like <code>\n</code>), making it clearer exactly what data was received or sent over the network.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Sockets</code>:</strong> Documents <code>listen</code>, <code>accept</code>, <code>connect</code>, <code>getpeername</code>, <code>TCPSocket</code>, etc.</li> <li> <strong>Julia Official Documentation, Manual, "Networking and Streams":</strong> Provides examples of socket programming.</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> Save the code as <code>0076_sockets_tcp_server.jl</code>.</li> <li> Run it from your terminal: <code>julia 0076_sockets_tcp_server.jl</code> </li> <li> The server will start and print <code>Listening on 127.0.0.1:8080...</code> and <code>Waiting for a new client connection...</code>. It is now waiting.</li> <li> You will need a <strong>client</strong> (like the one in the next lesson, or a tool like <code>telnet</code> or <code>netcat</code>) to connect to it. For example, in another terminal: <code>telnet 127.0.0.1 8080</code>.</li> <li> Type messages in the <code>telnet</code> window and press Enter. The server should echo them back. Type <code>quit</code> to disconnect that client.</li> <li> Press <code>Ctrl+C</code> in the server's terminal to stop it.</li> </ol> <p><em>(Expected output when running and connecting with a client will show the accept/receive/send messages, including the client address from <code>getpeername</code>.)</em></p> <h3> <code>0077_sockets_tcp_client.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0077_sockets_tcp_client.jl</span> <span class="c"># Import the Sockets standard library</span> <span class="k">import</span> <span class="n">Sockets</span> <span class="c"># Define the host and port of the server we want to connect to.</span> <span class="c"># This should match the HOST and PORT in the server script (0076).</span> <span class="kd">const</span> <span class="n">SERVER_HOST</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">localhost</span> <span class="kd">const</span> <span class="n">SERVER_PORT</span> <span class="o">=</span> <span class="mi">8080</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Starting TCP Client ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Attempting to connect to </span><span class="si">$</span><span class="s">SERVER_HOST:</span><span class="si">$</span><span class="s">SERVER_PORT..."</span><span class="x">)</span> <span class="c"># Initialize socket variable for the finally block</span> <span class="c"># We use 'Ref' trick or declare outside if needed in 'finally' reliably</span> <span class="c"># Simpler: Use @isdefined check in finally block</span> <span class="k">try</span> <span class="kd">local</span> <span class="n">client_socket</span> <span class="c"># Declare local to avoid scope ambiguity warning</span> <span class="c"># 1. Connect to the server.</span> <span class="c"># 'Sockets.connect()' attempts to establish a TCP connection.</span> <span class="c"># It blocks until the connection succeeds or fails.</span> <span class="c"># On success, it returns a TCPSocket representing the connection.</span> <span class="n">client_socket</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">connect</span><span class="x">(</span><span class="n">SERVER_HOST</span><span class="x">,</span> <span class="n">SERVER_PORT</span><span class="x">)</span> <span class="n">server_addr</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">getpeername</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="c"># Get server IP and port</span> <span class="n">println</span><span class="x">(</span><span class="s">"Successfully connected to server at </span><span class="si">$</span><span class="s">server_addr"</span><span class="x">)</span> <span class="c"># 2. Start interaction loop.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Enter messages to send to the server. Type 'quit' to exit."</span><span class="x">)</span> <span class="k">while</span> <span class="nb">true</span> <span class="c"># Read a line of input from the user's terminal (stdin).</span> <span class="n">print</span><span class="x">(</span><span class="s">"&gt; "</span><span class="x">)</span> <span class="c"># Prompt</span> <span class="n">user_input</span> <span class="o">=</span> <span class="n">readline</span><span class="x">()</span> <span class="c"># Send the user's input to the server using 'write()'.</span> <span class="c"># We must add the newline character for the server's 'readline()'.</span> <span class="n">bytes_written</span> <span class="o">=</span> <span class="n">write</span><span class="x">(</span><span class="n">client_socket</span><span class="x">,</span> <span class="n">user_input</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Client: Sent </span><span class="si">$</span><span class="s">bytes_written bytes: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">user_input</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">))</span> <span class="c"># If the user typed 'quit', break the loop after sending.</span> <span class="k">if</span> <span class="n">user_input</span> <span class="o">==</span> <span class="s">"quit"</span> <span class="c"># Read the server's final "Goodbye!" message before closing.</span> <span class="k">if</span> <span class="o">!</span><span class="n">eof</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="n">server_response</span> <span class="o">=</span> <span class="n">readline</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Client: Received: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">server_response</span><span class="x">))</span> <span class="k">end</span> <span class="n">break</span> <span class="k">end</span> <span class="c"># Read the server's echo response using 'readline()'.</span> <span class="c"># This blocks until the server sends a line ending in '\n'.</span> <span class="k">if</span> <span class="o">!</span><span class="n">eof</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="c"># Check if server closed connection unexpectedly</span> <span class="n">server_response</span> <span class="o">=</span> <span class="n">readline</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Client: Received: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">server_response</span><span class="x">))</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"Client: Server closed the connection unexpectedly."</span><span class="x">)</span> <span class="n">break</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># End of while loop</span> <span class="k">catch</span> <span class="n">e</span> <span class="c"># Handle connection errors (e.g., server not running)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Client Error: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Ensure the server script (0076_sockets_tcp_server.jl) is running."</span><span class="x">)</span> <span class="k">finally</span> <span class="c"># 3. Ensure the socket is closed if it was successfully opened.</span> <span class="c"># Check '@isdefined' in case 'connect' failed before assignment.</span> <span class="k">if</span> <span class="nd">@isdefined</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="o">&amp;&amp;</span> <span class="n">client_socket</span> <span class="o">!==</span> <span class="nb">nothing</span> <span class="o">&amp;&amp;</span> <span class="n">isopen</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Client: Closing connection."</span><span class="x">)</span> <span class="n">close</span><span class="x">(</span><span class="n">client_socket</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Client finished."</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to create a simple <strong>TCP client</strong> using the <code>Sockets</code> library. It connects to the echo server created in the previous lesson (<code>0076_sockets_tcp_server.jl</code>), sends user input to it, and prints the server's response.</p> <ul> <li><p><strong>Core Concept: Client Connection</strong><br> While a server <code>listen</code>s and <code>accept</code>s, a client actively initiates a connection using <code>Sockets.connect()</code>.</p></li> <li><p><strong>Steps to Create a Client:</strong></p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. **`Sockets.connect(HOST, PORT)`:** This function attempts to establish a TCP connection to the server running at the specified `HOST` and `PORT`. * **Blocking:** This call **blocks** until the TCP handshake completes successfully or an error occurs (e.g., the server isn't running (`ECONNREFUSED`), a firewall blocks the connection, or it times out). * **Return Value:** On success, it returns a `TCPSocket` object, which is an `IO` stream representing the established two-way communication channel with the server. 2. **Interact using `IO` functions:** Once connected, the `client_socket` is used just like any other `IO` stream (e.g., the file stream from `open()`). * **`write(socket, data)`:** Sends data *to* the server. We append `\n` because our server uses `readline()`, which expects newline-terminated messages. * **`readline(socket)`:** Reads data *from* the server, blocking until a complete line (ending in `\n`) is received. * **`eof(socket)`:** Checks if the server has closed its end of the connection. 3. **`close(socket)`:** When the client is finished interacting, it **must close** its socket using `close(client_socket)`. This signals the server that the conversation is over and releases the associated operating system resources. Using `try...finally` ensures the socket is closed even if errors occur during communication. The `@isdefined` check in `finally` ensures we don't try to close a socket that was never successfully created (e.g., if `connect` itself failed). </code></pre> </div> <ul> <li> <p><strong>Client-Server Interaction:</strong><br> This script, together with the server script, forms a complete client-server application.</p> <ul> <li>The client connects.</li> <li>The client reads user input from the terminal (<code>stdin</code>).</li> <li>The client sends the input (plus <code>\n</code>) to the server (<code>write</code>).</li> <li>The server reads the line (<code>readline</code>).</li> <li>The server sends the echoed response (plus <code>\n</code>) back (<code>write</code>).</li> <li>The client reads the echo (<code>readline</code>) and displays it.</li> <li>This continues until the client sends <code>"quit"</code>.</li> </ul> </li> <li><p><strong>Error Handling:</strong> The <code>try...catch</code> block is essential for handling potential network errors, most commonly <code>Sockets.ECONNREFUSED</code> if the server is not running when the client tries to connect.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Sockets</code>:</strong> Documents <code>connect</code>, <code>TCPSocket</code>, etc.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>readline</code>:</strong> "Read a single line of text from the given I/O stream..."</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> <strong>Start the server first:</strong> In one terminal, run <code>julia 0076_sockets_tcp_server.jl</code>. Wait until it says <code>Waiting for a new client connection...</code>.</li> <li> <strong>Run the client:</strong> In a <em>second</em> terminal, run <code>julia 0077_sockets_tcp_client.jl</code>.</li> <li> You should see the client connect successfully.</li> <li> Type messages (e.g., <code>Hello Server!</code>) in the client terminal and press Enter. The server should echo them back.</li> <li> Type <code>quit</code> in the client terminal to disconnect cleanly.</li> <li> You can then stop the server with <code>Ctrl+C</code>.</li> </ol> <p><em>(Expected output will show the connection message, prompts, sent/received lines, and disconnection messages.)</em></p> <h1> Module 8: Project Tooling </h1> <h2> Package Management </h2> <h3> <code>0078_pkg_mode.md</code> </h3> <p>Julia comes with a built-in <strong>package manager</strong>, <code>Pkg</code>, which handles installing, updating, and managing project dependencies (the libraries your code uses). The easiest way to interact with <code>Pkg</code> is through its dedicated <strong>REPL mode</strong>.</p> <h2> Entering and Exiting Pkg Mode </h2> <ul> <li> <p><strong>How to Enter:</strong> From the standard Julia REPL (<code>julia&gt;</code>), simply type the <strong>right square bracket <code>]</code></strong> key. The prompt will change to a blue <code>pkg&gt;</code>.<br> </p> <pre class="highlight julia"><code><span class="n">julia</span><span class="o">&gt;</span> <span class="x">]</span> <span class="n">pkg</span><span class="o">&gt;</span> </code></pre> </li> <li><p><strong>How to Exit:</strong> Press <strong>Backspace</strong> (if the current line is empty) or <strong>Ctrl+C</strong>. The prompt will return to <code>julia&gt;</code>.</p></li> </ul> <h2> Basic Pkg Commands </h2> <p>Once in <code>pkg&gt;</code> mode, you use simple commands to manage your environment:</p> <ul> <li> <p><strong><code>status</code> (or <code>st</code>)</strong>: Shows the packages currently installed in the <strong>active environment</strong>, along with their versions. This is the first command you should use to see what's going on.<br> </p> <p>``<code>pkg&gt; st<br> Status</code>~/.julia/environments/v1.10/Project.toml`<br> [7876af07] Example v0.5.1</p> <pre class="highlight plaintext"><code> </code></pre> </li> </ul> <ul> <li> <p><strong><code>activate .</code></strong>: This is crucial for <strong>project-specific environments</strong>. It tells Pkg to manage dependencies for the <em>current directory</em> (<code>.</code>). If <code>Project.toml</code> and <code>Manifest.toml</code> files don't exist, it creates them. If they do exist, it makes that project the active environment. <strong>Always use this</strong> when starting a new project.<br> </p> <p>``<code>pkg&gt; activate .<br> Activating project at</code>~/MyJuliaProject`</p> <pre class="highlight plaintext"><code> </code></pre> </li> </ul> <ul> <li> <p><strong><code>add PackageName</code></strong>: Adds a package (like <code>BenchmarkTools</code> or <code>JSON</code>) to the active environment. Pkg downloads it from the central registry, resolves its dependencies, and adds it to your <code>Project.toml</code> and <code>Manifest.toml</code> files.<br> </p> <p>``<code>pkg&gt; add BenchmarkTools<br> Resolving package versions...<br> Updating</code>~/MyJuliaProject/Project.toml<code><br> [6e4b80f9] + BenchmarkTools<br> Updating</code>~/MyJuliaProject/Manifest.toml`<br> [...]</p> <pre class="highlight plaintext"><code> </code></pre> </li> </ul> <ul> <li> <p><strong><code>rm PackageName</code></strong>: Removes a package from the active environment.<br> </p> <p>``<code>pkg&gt; rm BenchmarkTools<br> Updating</code>~/MyJuliaProject/Project.toml<code><br> [6e4b80f9] - BenchmarkTools<br> Updating</code>~/MyJuliaProject/Manifest.toml`<br> [...]</p> <pre class="highlight plaintext"><code> </code></pre> </li> </ul> <ul> <li> <p><strong><code>update</code> (or <code>up</code>)</strong>: Updates all packages in the active environment to their latest compatible versions, respecting the constraints in <code>Project.toml</code>.<br> </p> <p>``<code>pkg&gt; up<br> Updating registry at</code>~/.julia/registries/General.toml<code><br> No Changes to</code>~/MyJuliaProject/Project.toml<code><br> No Changes to</code>~/MyJuliaProject/Manifest.toml`</p> <pre class="highlight plaintext"><code> </code></pre> </li> </ul> <ul> <li> <strong><code>help</code></strong>: Shows a list of available Pkg commands.</li> </ul> <h2> Why Environments Matter </h2> <p>Using <code>activate .</code> creates an <strong>isolated environment</strong> for each project. This means:</p> <ol> <li> <strong>Reproducibility:</strong> Project A can use version 1.0 of a package, while Project B uses version 2.0, without conflicts. The <code>Manifest.toml</code> file (next lesson) records the <em>exact</em> versions, ensuring anyone else can reproduce your environment perfectly.</li> <li> <strong>Dependency Management:</strong> Pkg handles finding and installing all the <em>indirect</em> dependencies (libraries that your libraries depend on).</li> </ol> <p>The <code>pkg&gt;</code> mode provides a convenient, interactive way to manage these environments directly within Julia.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, <code>Pkg.jl</code> Manual:</strong> Comprehensive guide to the package manager.</li> <li> <strong>Julia Official Documentation, Manual, "Getting Started", "Interacting With Julia":</strong> Briefly mentions the REPL modes including Pkg mode.</li> </ul> </li> </ul> <h3> <code>0079_project_manifest.md</code> </h3> <p>When you use <code>Pkg.jl</code> commands like <code>activate .</code> and <code>add PackageName</code>, two crucial files are created and managed in your project directory: <code>Project.toml</code> and <code>Manifest.toml</code>. Understanding their roles is essential for managing dependencies and ensuring your project is <strong>reproducible</strong>.</p> <h2> <code>Project.toml</code> - Your Direct Dependencies </h2> <ul> <li> <strong>Purpose:</strong> This file lists the packages that your project <strong>directly depends on</strong>. It specifies the <strong>names</strong> of these packages and the <strong>range of versions</strong> that are compatible with your code.</li> <li> <strong>Format:</strong> It uses the <a href="https://toml.io/en/" rel="noopener noreferrer">TOML</a> (Tom's Obvious, Minimal Language) format, which is designed to be easy for humans to read.</li> <li> <p><strong>Example <code>Project.toml</code>:</strong><br> </p> <pre class="highlight toml"><code><span class="nn">[deps]</span> <span class="py">BenchmarkTools</span> <span class="p">=</span> <span class="s">"6e4b80f9-dd63-53aa-95a3-0cdb28fa8baf"</span> <span class="py">JSON</span> <span class="p">=</span> <span class="s">"682c06a0-de6a-54ab-a142-c8b1cf79cde6"</span> <span class="nn">[compat]</span> <span class="py">julia</span> <span class="p">=</span> <span class="s">"1.6"</span> <span class="c"># Specifies compatible Julia versions</span> <span class="py">BenchmarkTools</span> <span class="p">=</span> <span class="s">"1.0"</span> <span class="c"># Allows version 1.0 or any later 1.x version</span> <span class="py">JSON</span> <span class="p">=</span> <span class="s">"0.21"</span> <span class="c"># Allows version 0.21 or any later 0.x version</span> </code></pre> </li> <li> <p><strong>Key Sections:</strong></p> <ul> <li> <strong><code>[deps]</code>:</strong> Lists the direct dependencies by name and their <strong>UUID</strong> (Universally Unique Identifier). The UUID is how <code>Pkg</code> uniquely identifies packages, even if names clash. <code>Pkg add PackageName</code> automatically finds the UUID and adds it here.</li> <li> <strong><code>[compat]</code>:</strong> This is the most important section for <strong>version constraints</strong>. It tells <code>Pkg</code> which versions of Julia and which versions of each dependency are compatible with your project. <ul> <li> <code>julia = "1.6"</code> means your code requires Julia version 1.6 or higher (but less than 2.0).</li> <li> <code>BenchmarkTools = "1.0"</code> uses semantic versioning (SemVer) compatibility rules. It means your code works with version 1.0 and any later <em>minor</em> or <em>patch</em> release within version 1 (e.g., 1.1, 1.2.3), but <strong>not</strong> version 2.0. This prevents breaking changes from major version updates. <code>Pkg add</code> usually adds a compatible entry here automatically.</li> </ul> </li> </ul> </li> <li><p><strong>Version Control:</strong> You <strong>should commit</strong> <code>Project.toml</code> to your version control system (like Git). It defines the intended dependencies of your project.</p></li> </ul> <h2> <code>Manifest.toml</code> - The Exact Blueprint 📜 </h2> <ul> <li> <strong>Purpose:</strong> This file is an <strong>exact snapshot</strong> of <em>all</em> the packages in your project environment, including not just your direct dependencies (<code>Project.toml</code>) but also <strong>all indirect dependencies</strong> (dependencies of dependencies, recursively). Crucially, it lists the <strong>exact version</strong> of every single package used.</li> <li> <strong>Format:</strong> Also TOML, but much longer and more detailed. It's primarily intended for <code>Pkg</code> to read, not for humans to edit directly.</li> <li> <p><strong>Example Snippet <code>Manifest.toml</code>:</strong><br> </p> <pre class="highlight toml"><code><span class="c"># This file is machine-generated - editing it directly is not advised</span> <span class="py">julia_version</span> <span class="p">=</span> <span class="s">"1.10.0"</span> <span class="nn">[[deps.BenchmarkTools]]</span> <span class="py">deps</span> <span class="p">=</span> <span class="p">[</span><span class="s">"JSON"</span><span class="p">,</span> <span class="s">"Logging"</span><span class="p">,</span> <span class="s">"Printf"</span><span class="p">,</span> <span class="s">"Statistics"</span><span class="p">,</span> <span class="s">"UUIDs"</span><span class="p">]</span> <span class="py">git-tree-sha1</span> <span class="p">=</span> <span class="s">"..."</span> <span class="py">uuid</span> <span class="p">=</span> <span class="s">"6e4b80f9-dd63-53aa-95a3-0cdb28fa8baf"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1.3.1"</span> <span class="nn">[[deps.JSON]]</span> <span class="py">deps</span> <span class="p">=</span> <span class="p">[</span><span class="s">"Dates"</span><span class="p">,</span> <span class="s">"Mmap"</span><span class="p">]</span> <span class="py">git-tree-sha1</span> <span class="p">=</span> <span class="s">"..."</span> <span class="py">uuid</span> <span class="p">=</span> <span class="s">"682c06a0-de6a-54ab-a142-c8b1cf79cde6"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.21.3"</span> <span class="c"># ... entries for Dates, Logging, Mmap, Printf, Statistics, UUIDs, etc. ...</span> </code></pre> </li> <li><p><strong>Reproducibility:</strong> This file is the key to <strong>100% reproducible builds</strong>. When someone else (or you, on a different machine or later time) clones your project and runs <code>Pkg.instantiate()</code>, <code>Pkg</code> reads <em>only</em> <code>Manifest.toml</code>. It ignores <code>Project.toml</code>'s version ranges and installs the <em>exact</em> versions specified in the manifest. This guarantees everyone runs the code with the exact same set of dependencies, eliminating "works on my machine" problems.</p></li> <li><p><strong>Version Control:</strong> You <strong>should commit</strong> <code>Manifest.toml</code> to your version control system alongside <code>Project.toml</code>.</p></li> </ul> <h2> The Workflow </h2> <ol> <li> <strong>Start:</strong> <code>cd MyProject; julia</code> </li> <li> <strong>Activate:</strong> <code>pkg&gt; activate .</code> (Creates <code>Project.toml</code> if needed)</li> <li> <strong>Add:</strong> <code>pkg&gt; add PackageA PackageB</code> (Adds to <code>[deps]</code> in <code>Project.toml</code>, adds compat entries, resolves <em>all</em> dependencies, and writes exact versions to <code>Manifest.toml</code>)</li> <li> <strong>Develop:</strong> Write your code (<code>import .MyModule: ...</code> etc.)</li> <li> <strong>Share:</strong> Commit <code>Project.toml</code>, <code>Manifest.toml</code>, and your source code (<code>src/</code>, <code>test/</code>) to Git.</li> <li> <strong>Collaborator Clones:</strong> <code>git clone ...; cd MyProject; julia</code> </li> <li> <strong>Instantiate:</strong> <code>pkg&gt; activate .; instantiate</code> (<code>instantiate</code> reads <code>Manifest.toml</code> and installs the exact versions listed). Now the collaborator has an identical environment.</li> </ol> <p>Understanding these two files is fundamental to professional Julia development, ensuring projects are manageable, shareable, and reproducible.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, <code>Pkg.jl</code> Manual, "Project.toml and Manifest.toml":</strong> Provides the definitive explanation of these files.</li> <li> <strong>TOML Specification:</strong> <a href="https://toml.io/en/" rel="noopener noreferrer">https://toml.io/en/</a> </li> </ul> </li> </ul> <h2> Unit Testing </h2> <h3> <code>0080_test_basics.jl</code> </h3> <p><em>This lesson requires creating **two</em>* files: the code to be tested (<code>my_math.jl</code>) and the test script itself (<code>run_tests.jl</code>).*</p> <h4> File 1: <code>my_math.jl</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># my_math.jl</span> <span class="c"># Contains the function(s) we want to test.</span> <span class="c"># (We define it inside a module for good practice, though not strictly required)</span> <span class="k">module</span> <span class="n">MyMath</span> <span class="c"># Function to test: adds 2 to its input</span> <span class="k">function</span><span class="nf"> add_two</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="k">return</span> <span class="n">x</span> <span class="o">+</span> <span class="mi">2</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># module MyMath</span> </code></pre> </div> <h4> File 2: <code>run_tests.jl</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># run_tests.jl</span> <span class="c"># Contains the tests for the code in my_math.jl</span> <span class="c"># 1. Import the '@test' macro from the standard 'Test' library.</span> <span class="c"># 'Test' is always available, no need to add it via Pkg.</span> <span class="k">import</span> <span class="n">Test</span><span class="o">:</span> <span class="nd">@test</span> <span class="c"># 2. Include the source code file we want to test.</span> <span class="c"># This executes 'my_math.jl', defining the 'MyMath' module.</span> <span class="n">include</span><span class="x">(</span><span class="s">"my_math.jl"</span><span class="x">)</span> <span class="c"># 3. Write a basic test using the '@test' macro.</span> <span class="c"># '@test' evaluates the expression that follows it.</span> <span class="c"># - If the expression is 'true', the test passes (silently by default).</span> <span class="c"># - If the expression is 'false', the test fails (prints an error).</span> <span class="c"># - If the expression throws an error, the test errors.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Running basic tests..."</span><span class="x">)</span> <span class="c"># Test case 1: Check if adding 2 to 3 gives 5.</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mi">3</span><span class="x">)</span> <span class="o">==</span> <span class="mi">5</span> <span class="c"># Test case 2: Check if adding 2 to 0 gives 2.</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mi">0</span><span class="x">)</span> <span class="o">==</span> <span class="mi">2</span> <span class="c"># Test case 3: A failing test (uncomment to see failure)</span> <span class="c"># println("\nRunning a failing test...")</span> <span class="c"># @test MyMath.add_two(1) == 4 # This will fail</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Basic tests finished."</span><span class="x">)</span> <span class="c"># You run this file from the command line: julia run_tests.jl</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the built-in <strong><code>Test</code> standard library</strong>, which is Julia's primary tool for writing <strong>unit tests</strong>. Unit tests are small, automated checks that verify the correctness of individual pieces of code (like functions).</p> <ul> <li><p><strong>Core Concept:</strong> Testing is fundamental to writing reliable software. The <code>Test</code> library provides macros and functions to make writing and running these checks easy.</p></li> <li> <p><strong>Structure: Code File vs. Test File</strong></p> <ul> <li>It's standard practice to keep your main application code (e.g., <code>my_math.jl</code>) separate from your test code (e.g., <code>run_tests.jl</code>).</li> <li>The test file uses <code>include("my_math.jl")</code> to load the code it needs to test. This ensures the tests run against the actual source code.</li> </ul> </li> <li> <p><strong>The <code>@test</code> Macro:</strong></p> <ul> <li>This is the most basic assertion tool. You wrap a boolean expression inside <code>@test</code>.</li> <li> <code>@test MyMath.add_two(3) == 5</code>: This checks if the result of calling <code>MyMath.add_two(3)</code> is equal (<code>==</code>) to <code>5</code>.</li> <li> <strong>Pass:</strong> If the expression evaluates to <code>true</code>, the test passes. By default, passing tests don't print anything to keep output clean.</li> <li> <strong>Fail:</strong> If the expression evaluates to <code>false</code> (like in the commented-out example where <code>1 + 2 == 4</code> is false), the <code>@test</code> macro prints a detailed failure message, including the expression, the expected value, and the actual result.</li> <li> <strong>Error:</strong> If evaluating the expression <em>itself</em> throws an error (e.g., if <code>add_two</code> was called with a <code>String</code>), the test errors and prints the exception.</li> </ul> </li> <li><p><strong>Running Tests:</strong> You typically run your test suite by executing the test script directly from the terminal: <code>julia run_tests.jl</code>. A clean run (no output other than your <code>println</code> statements) means all tests passed.</p></li> <li><p><strong>Why Test?</strong> Automated tests catch regressions (when a change breaks existing functionality), document how code is supposed to work, and give you confidence to refactor and improve your code base.</p></li> <li> <p><strong>References:</strong></p> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Test</code>:</strong> Complete guide to the testing framework.</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> Save the first code block as <code>my_math.jl</code>.</li> <li> Save the second code block as <code>run_tests.jl</code> in the <em>same directory</em>.</li> <li> Run <code>julia run_tests.jl</code> from your terminal.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia run_tests.jl Running basic tests... Basic tests finished. </code></pre> </div> <p><em>(If you uncomment the failing test, you will see detailed failure output.)</em></p> <h3> <code>0081_testset_test.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0081_testset_test.jl</span> <span class="c"># Demonstrates using @testset for better test organization.</span> <span class="c"># 1. Import macros from the 'Test' library.</span> <span class="c"># We now import '@testset' in addition to '@test'.</span> <span class="k">import</span> <span class="n">Test</span><span class="o">:</span> <span class="nd">@test</span><span class="x">,</span> <span class="nd">@testset</span> <span class="c"># 2. Include the source code file we want to test.</span> <span class="n">include</span><span class="x">(</span><span class="s">"my_math.jl"</span><span class="x">)</span> <span class="c"># 3. Use '@testset' to group related tests.</span> <span class="c"># The string argument provides a descriptive name for the group.</span> <span class="nd">@testset</span> <span class="s">"MyMath.add_two Tests"</span> <span class="k">begin</span> <span class="c"># 4. Place individual '@test' calls inside the 'begin...end' block.</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mi">3</span><span class="x">)</span> <span class="o">==</span> <span class="mi">5</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mi">0</span><span class="x">)</span> <span class="o">==</span> <span class="mi">2</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="o">-</span><span class="mi">5</span><span class="x">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">3</span> <span class="c"># 5. Testsets can be nested for further organization.</span> <span class="nd">@testset</span> <span class="s">"Floating Point Tests"</span> <span class="k">begin</span> <span class="c"># Use '≈' (\approx&lt;tab&gt;) for approximate floating-point comparison.</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mf">1.5</span><span class="x">)</span> <span class="n">≈</span> <span class="mf">3.5</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="o">-</span><span class="mf">0.5</span><span class="x">)</span> <span class="n">≈</span> <span class="mf">1.5</span> <span class="k">end</span> <span class="c"># 6. Include a failing test to see the output.</span> <span class="nd">@testset</span> <span class="s">"Failing Test Example"</span> <span class="k">begin</span> <span class="nd">@test</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="o">==</span> <span class="mi">11</span> <span class="c"># This will fail</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># End of "MyMath.add_two Tests" testset</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Test execution finished."</span><span class="x">)</span> <span class="c"># Run this file: julia 0081_testset_test.jl</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>@testset</code></strong> macro, which is the standard and highly recommended way to <strong>organize</strong> tests and get <strong>summarized results</strong>.</p> <h2> <code>@testset</code> </h2> <ul> <li> <strong>Grouping Tests:</strong> <code>@testset "Description" begin ... end</code> groups related <code>@test</code> calls under a descriptive name. This makes it much easier to understand the structure of your test suite. You can <strong>nest testsets</strong> to create hierarchical organization (e.g., grouping all tests for a module, then sub-groups for each function).</li> <li> <strong>Summarized Output:</strong> This is the primary benefit. Instead of just running silently on success, <code>@testset</code> <strong>counts</strong> the number of passing and failing tests within it. At the end of the testset, it prints a <strong>summary</strong> line. If all tests within the set pass, it prints a concise "Pass" summary. If any test fails, it prints the details of the failure <em>and</em> a summary indicating how many passed and failed. This makes it much easier to quickly see the overall status of your tests.</li> <li> <strong>Failure Isolation (Default):</strong> By default, if one <code>@test</code> within a <code>@testset</code> fails, the testset records the failure but <strong>continues executing</strong> the remaining tests within that set. This helps you see <em>all</em> failures in a group at once, rather than stopping at the first one. (This behavior can be changed with options if needed).</li> <li> <strong>Floating-Point Comparison (<code>≈</code>):</strong> When testing floating-point numbers, direct equality (<code>==</code>) is often unreliable due to tiny precision errors. The <code>Test</code> library automatically loads the <code>isapprox</code> function (aliased as <code>≈</code>, typed <code>\approx&lt;tab&gt;</code>). Using <code>@test a ≈ b</code> checks if <code>a</code> and <code>b</code> are approximately equal within a default tolerance, which is the correct way to compare floats.</li> </ul> <p>Using <code>@testset</code> transforms your tests from simple assertion scripts into a structured, informative test suite, which is essential for maintaining larger projects.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Test</code>, "Organizing Tests":</strong> Explains <code>@testset</code> and its benefits.</li> <li> <strong>Julia Official Documentation, Standard Library, <code>Test</code>, "Testing Floating Point Numbers":</strong> Recommends using <code>isapprox</code> or <code>≈</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> Make sure <code>my_math.jl</code> (from lesson 0080) is in the same directory.</li> <li> Run <code>julia 0081_testset_test.jl</code> from your terminal.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0081_testset_test.jl Test Summary: | Pass Fail Total Time MyMath.add_two Tests | 5 1 6 0.0s Floating Point Tests | 2 2 0.0s Failing Test Example | 1 1 0.0s Test Failed at 0081_testset_test.jl:30 Expression: MyMath.add_two<span class="o">(</span>10<span class="o">)</span> <span class="o">==</span> 11 Evaluated: 12 <span class="o">==</span> 11 </code></pre> </div> <p><em>(Note: The exact time will vary. The output clearly shows the nested structure, the failure details, and the final summary.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Test execution finished. </code></pre> </div> <h3> <code>0082_test_assertions.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0082_test_assertions.jl</span> <span class="c"># Demonstrates other useful assertion macros from the Test standard library.</span> <span class="c"># 1. Import necessary macros.</span> <span class="k">import</span> <span class="n">Test</span><span class="o">:</span> <span class="nd">@test</span><span class="x">,</span> <span class="nd">@testset</span><span class="x">,</span> <span class="nd">@test_throws</span><span class="x">,</span> <span class="nd">@test_broken</span><span class="x">,</span> <span class="nd">@test_skip</span> <span class="c"># 2. Include the source code file.</span> <span class="n">include</span><span class="x">(</span><span class="s">"my_math.jl"</span><span class="x">)</span> <span class="c"># 3. Use '@test_throws' to check for expected errors.</span> <span class="nd">@testset</span> <span class="s">"@test_throws Examples"</span> <span class="k">begin</span> <span class="c"># This function expects a Number. Passing a String should error.</span> <span class="c"># @test_throws ExpectedErrorType Expression</span> <span class="nd">@test_throws</span> <span class="kt">MethodError</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="s">"hello"</span><span class="x">)</span> <span class="c"># You can also test for specific exception types beyond MethodError,</span> <span class="c"># like DivideError, DomainError, ArgumentError etc.</span> <span class="nd">@test_throws</span> <span class="kt">DivideError</span> <span class="n">div</span><span class="x">(</span><span class="mi">1</span><span class="x">,</span> <span class="mi">0</span><span class="x">)</span> <span class="c"># Example of a test that *fails* because the expected error doesn't happen</span> <span class="c"># @test_throws DomainError MyMath.add_two(5) # This would fail the testset</span> <span class="k">end</span> <span class="c"># 4. Use '@test_broken' for tests that are known to fail but shouldn't stop CI.</span> <span class="nd">@testset</span> <span class="s">"@test_broken Example"</span> <span class="k">begin</span> <span class="c"># Perhaps this feature isn't implemented yet, or there's a known bug.</span> <span class="c"># The test runs, and if it FAILS (as expected), it's recorded as 'Broken'.</span> <span class="c"># If it unexpectedly PASSES, it's recorded as an 'Error' (because it should be fixed).</span> <span class="nd">@test_broken</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="mf">0.1</span> <span class="o">+</span> <span class="mf">0.2</span><span class="x">)</span> <span class="o">==</span> <span class="mf">0.3</span> <span class="o">+</span> <span class="mf">2.0</span> <span class="c"># Fails due to floating point inaccuracy</span> <span class="c"># Example: If this test unexpectedly passed, it would error</span> <span class="c"># @test_broken MyMath.add_two(1) == 3 # This would unexpectedly pass and error</span> <span class="k">end</span> <span class="c"># 5. Use '@test_skip' for tests that should not be run at all.</span> <span class="nd">@testset</span> <span class="s">"@test_skip Example"</span> <span class="k">begin</span> <span class="c"># Use this for tests that are incomplete, depend on unavailable resources,</span> <span class="c"># or are temporarily disabled.</span> <span class="c"># The expression is *not* evaluated.</span> <span class="nd">@test_skip</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="s">"this code won't even run"</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Test execution finished."</span><span class="x">)</span> <span class="c"># Run this file: julia 0082_test_assertions.jl</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces several other useful assertion macros provided by the <code>Test</code> standard library beyond the basic <code>@test</code>.</p> <ul> <li> <p><strong><code>@test_throws ExpectedErrorType Expression</code></strong></p> <ul> <li> <strong>Purpose:</strong> Use this when you <em>expect</em> a specific piece of code to throw an error. This is crucial for testing error handling, invalid inputs, and boundary conditions.</li> <li> <strong>How it Works:</strong> It runs the <code>Expression</code>. <ul> <li>If the expression throws an error that <strong>is a subtype of</strong> <code>ExpectedErrorType</code>, the test <strong>passes</strong>. ✅</li> <li>If the expression throws an error of a <strong>different type</strong>, the test <strong>errors</strong>. ❌</li> <li>If the expression <strong>does not throw any error</strong>, the test <strong>fails</strong>. ❌</li> </ul> </li> <li> <strong>Example:</strong> <code>@test_throws MethodError MyMath.add_two("hello")</code> passes because calling <code>add_two</code> with a <code>String</code> correctly throws a <code>MethodError</code>. <code>@test_throws DivideError div(1, 0)</code> passes because integer division by zero throws a <code>DivideError</code>.</li> </ul> </li> <li> <p><strong><code>@test_broken Expression</code></strong></p> <ul> <li> <strong>Purpose:</strong> Marks a test that is <strong>currently failing</strong> due to a known bug or unimplemented feature.</li> <li> <strong>How it Works:</strong> It runs the <code>Expression</code>. <ul> <li>If the expression is <code>false</code> or throws an error (i.e., the test <strong>fails</strong> as expected), it's recorded as <strong>"Broken"</strong>. This does <em>not</em> typically fail your overall test suite in CI environments. ✅💔</li> <li>If the expression is <code>true</code> (i.e., the test <strong>unexpectedly passes</strong>), it's recorded as an <strong>"Error"</strong>. This <em>does</em> typically fail the test suite, signaling that the underlying issue might be fixed and the <code>@test_broken</code> should be changed back to <code>@test</code>. ❗✅</li> </ul> </li> <li> <strong>Example:</strong> <code>@test_broken MyMath.add_two(0.1 + 0.2) == 0.3 + 2.0</code> correctly identifies a known floating-point inaccuracy issue. NOTE: seems to pass, probably need a better example.</li> </ul> </li> <li> <p><strong><code>@test_skip Expression</code></strong></p> <ul> <li> <strong>Purpose:</strong> Completely <strong>skips</strong> the evaluation of a test.</li> <li> <strong>How it Works:</strong> The <code>Expression</code> is <strong>never executed</strong>. The test is simply recorded as <strong>"Skipped"</strong>. ⏭️</li> <li> <strong>Use Cases:</strong> Useful for tests that are incomplete, rely on external resources that might not be available (like a network service), or need to be temporarily disabled for debugging.</li> </ul> </li> </ul> <p>These macros provide more nuanced ways to handle expected failures, known issues, and temporary skips, making your test suite more robust and informative.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Test</code>:</strong> Describes <code>@test_throws</code>, <code>@test_broken</code>, and <code>@test_skip</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> Make sure <code>my_math.jl</code> (from lesson 0080) is in the same directory.</li> <li> Run <code>julia 0082_test_assertions.jl</code> from your terminal.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0082_test_assertions.jl Test Summary: | Pass Broken Skip Total Time @test_throws Examples | 2 2 0.0s @test_broken Example | 1 1 0.0s @test_skip Example | 1 1 0.0s Test execution finished. </code></pre> </div> <p><em>(Note: The output shows the different test outcomes correctly recorded by the testsets.)</em></p> <h2> Benchmarking </h2> <h3> <code>0083_benchmark_tools.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0083_benchmark_tools.jl</span> <span class="c"># Introduces BenchmarkTools.jl for accurate performance measurement.</span> <span class="c"># 1. Import the '@btime' macro.</span> <span class="c"># Requires BenchmarkTools.jl to be installed. See Explanation.</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># 2. Include the code we want to benchmark.</span> <span class="n">include</span><span class="x">(</span><span class="s">"my_math.jl"</span><span class="x">)</span> <span class="c"># 3. Define a slightly more complex function to benchmark.</span> <span class="k">function</span><span class="nf"> sum_of_add_two</span><span class="x">(</span><span class="n">n</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="n">total</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">n</span> <span class="c"># Call the function inside the loop</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="k">return</span> <span class="n">total</span> <span class="k">end</span> <span class="c"># --- Benchmarking ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Benchmarking sum_of_add_two(1000) ---"</span><span class="x">)</span> <span class="c"># 4. Use the '@btime' macro.</span> <span class="c"># '@btime Expression' runs the expression many times to get a</span> <span class="c"># statistically accurate measurement of its *minimum* execution time.</span> <span class="c"># It automatically handles things like warmup runs.</span> <span class="nd">@btime</span> <span class="n">sum_of_add_two</span><span class="x">(</span><span class="mi">1000</span><span class="x">)</span> <span class="c"># 5. Benchmark with input variables (Incorrectly - see next lesson)</span> <span class="c"># If the input is a variable, simply putting it in the expression</span> <span class="c"># can lead to inaccurate results because it might measure</span> <span class="c"># global variable lookup time.</span> <span class="n">input_size</span> <span class="o">=</span> <span class="mi">10000</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking sum_of_add_two(input_size) ---"</span><span class="x">)</span> <span class="nd">@btime</span> <span class="n">sum_of_add_two</span><span class="x">(</span><span class="n">input_size</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"(Note: This result might be inaccurate, see next lesson on interpolation)"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>BenchmarkTools.jl</code></strong> package, the standard and most reliable tool in Julia for measuring the performance of code accurately.</p> <p><strong>Installation Note:</strong></p> <p><code>BenchmarkTools.jl</code> is not part of Julia's standard library. You need to add it to your project environment once.</p> <ol> <li> Start the Julia REPL: <code>julia</code> </li> <li> Enter Pkg mode: <code>]</code> </li> <li> Add the package: <code>add BenchmarkTools</code> </li> <li> Exit Pkg mode: Press Backspace or <code>Ctrl+C</code>.</li> <li> You can now run this script.</li> </ol> <ul> <li><p><strong>Core Concept: Accurate Measurement</strong><br> Simply running code once with <code>@time</code> (Julia's basic timing macro) is often unreliable for measuring performance. Results can be noisy due to JIT compilation overhead on the first run, system background tasks, CPU frequency scaling, etc. <code>BenchmarkTools.jl</code> is designed to overcome these issues.</p></li> <li> <p><strong>The <code>@btime</code> Macro:</strong></p> <ul> <li> <strong>Purpose:</strong> <code>@btime Expression</code> provides a quick and easy way to get a reliable estimate of the <strong>minimum execution time</strong> of an <code>Expression</code>.</li> <li> <strong>How it Works (Simplified):</strong> <ol> <li> <strong>Warmup:</strong> It runs the <code>Expression</code> once or twice initially to ensure everything (including the function itself and any functions it calls) is compiled by the JIT.</li> <li> <strong>Sampling:</strong> It then runs the <code>Expression</code> in a loop many times, collecting execution times for each run.</li> <li> <strong>Statistics:</strong> It calculates statistics on these times, paying special attention to the <strong>minimum</strong> time, which is usually the best estimate of the code's performance when system conditions are optimal (e.g., caches are hot).</li> <li> <strong>Output:</strong> It prints a concise summary including the minimum time, the number of memory allocations, and the total memory allocated.</li> </ol> </li> </ul> </li> <li><p><strong>Why Minimum Time?</strong> In performance tuning, we are often most interested in the best possible execution time the code can achieve under ideal conditions. Average time can be skewed upwards by random system events, but the minimum time reflects the code's inherent speed limit more closely.</p></li> <li><p><strong>Memory Allocations:</strong> <code>@btime</code> also reports memory allocations (<code>allocs:</code> and memory size). This is <strong>critical</strong>. Unexpected memory allocations are a major sign of type instability or inefficient code (like creating temporary arrays). Aiming for <code>0 allocations</code> is often a key goal in high-performance code.</p></li> <li><p><strong>Benchmarking with Variables (Caveat):</strong><br><br> As noted in the script, simply using a global variable like <code>input_size</code> inside <code>@btime</code> can skew the results. <code>@btime</code> might include the time it takes to look up that global variable in its measurement. The next lesson (<code>0084_benchmark_interpolation.jl</code>) will show the correct way to handle this using <code>$</code> interpolation.</p></li> <li><p><strong>Rule of Thumb:</strong> Use <code>@btime</code> whenever you need a quick but reliable measurement of a function call or code snippet's speed and memory usage. It's the go-to tool for performance iteration.</p></li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong><code>BenchmarkTools.jl</code> Documentation:</strong> <a href="https://github.com/JuliaCI/BenchmarkTools.jl" rel="noopener noreferrer">https://github.com/JuliaCI/BenchmarkTools.jl</a> </li> <li> <strong>Julia Official Documentation, Manual, "Performance Tips":</strong> Recommends using <code>BenchmarkTools.jl</code> for accurate measurements.</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> Make sure <code>my_math.jl</code> (from lesson 0080) is in the same directory.</li> <li> Ensure <code>BenchmarkTools.jl</code> is installed (see installation note).</li> <li> Run <code>julia 0083_benchmark_tools.jl</code> from your terminal.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0083_benchmark_tools.jl <span class="nt">---</span> Benchmarking sum_of_add_two<span class="o">(</span>1000<span class="o">)</span> <span class="nt">---</span> 1.485 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> <span class="nt">---</span> Benchmarking sum_of_add_two<span class="o">(</span>input_size<span class="o">)</span> <span class="nt">---</span> 5.192 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> <span class="o">(</span>Note: This result might be inaccurate, see next lesson on interpolation<span class="o">)</span> </code></pre> </div> <p><em>(Replace <code>### ns minimum time: ... ###</code> with the actual timings and allocations you observe. The exact numbers will vary based on your CPU.)</em></p> <h3> <code>0084_benchmark_interpolation.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0084_benchmark_interpolation.jl</span> <span class="c"># Demonstrates the CRUCIAL use of '$' interpolation in BenchmarkTools.</span> <span class="c"># 1. Import the '@btime' macro.</span> <span class="c"># (Assumes BenchmarkTools.jl is installed)</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># 2. Define a simple function to benchmark (we'll use a built-in one).</span> <span class="c"># Using 'sin()' which is fast, making overhead more visible.</span> <span class="c"># 3. Define a NON-CONST global variable.</span> <span class="c"># This is key to reliably showing the lookup overhead.</span> <span class="n">global_x</span> <span class="o">=</span> <span class="mf">100.0</span> <span class="c"># Use a Float64 for sin</span> <span class="c"># --- Benchmarking ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Benchmark 1: Non-Const Global Directly (INCORRECT) ---"</span><span class="x">)</span> <span class="c"># 4. Incorrect way: Use the non-const global variable directly.</span> <span class="c"># '@btime' creates a timing function internally. Accessing</span> <span class="c"># 'global_x' involves a slow, runtime global lookup.</span> <span class="c"># We measure lookup cost + sin() cost.</span> <span class="nd">@btime</span> <span class="n">sin</span><span class="x">(</span><span class="n">global_x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmark 2: Non-Const Global Interpolated (CORRECT) ---"</span><span class="x">)</span> <span class="c"># 5. Correct way: Use '$' to interpolate the *value* of 'global_x'.</span> <span class="c"># Before timing, '@btime' evaluates '$global_x' (getting 100.0)</span> <span class="c"># and substitutes this *value* into the expression.</span> <span class="c"># The benchmark effectively becomes '@btime sin(100.0)'.</span> <span class="c"># This eliminates the global lookup overhead.</span> <span class="nd">@btime</span> <span class="n">sin</span><span class="x">(</span><span class="o">$</span><span class="n">global_x</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmark 3: Using a Literal (Reference) ---"</span><span class="x">)</span> <span class="c"># 6. For comparison, benchmark with the literal value.</span> <span class="c"># Allows maximum compiler optimization (constant propagation).</span> <span class="nd">@btime</span> <span class="n">sin</span><span class="x">(</span><span class="mf">100.0</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates one of the most critical details for using <code>BenchmarkTools.jl</code> correctly: <strong>variable interpolation</strong> using the dollar sign (<code>$</code>). Failing to use <code>$</code> when benchmarking expressions involving variables (especially non-<code>const</code> globals) is the <strong>#1 mistake</strong> leading to inaccurate results.</p> <ul> <li> <p><strong>The Problem: Benchmarking Global Variable Access</strong></p> <ul> <li>The <code>@btime</code> macro wraps the expression in a function for timing.</li> <li>When you write <code>@btime sin(global_x)</code> using a <strong>non-<code>const</code> global</strong>, the timing function must perform a <strong>runtime lookup</strong> for <code>global_x</code> <em>every time</em> it runs. Accessing non-<code>const</code> globals is <strong>slow</strong> because the compiler cannot know its type or value beforehand.</li> <li>Therefore, the first benchmark <strong>incorrectly measures</strong> the combined time of: <ol> <li> Looking up the global variable <code>global_x</code>.</li> <li> Calling <code>sin</code> with the retrieved value.</li> </ol> </li> <li>This <strong>pollutes</strong> the measurement; you're not just timing <code>sin</code>, but also the slow global access, often leading to extra memory allocations as well.</li> </ul> </li> <li> <p><strong>The Solution: <code>$</code> Interpolation</strong></p> <ul> <li>The <code>$</code> symbol within <code>@btime</code> (and other <code>BenchmarkTools</code> macros) triggers <strong>interpolation</strong>.</li> <li>When <code>@btime</code> sees <code>$global_x</code>, it <strong>first evaluates</strong> <code>global_x</code> in the current scope to get its <em>value</em> (which is <code>100.0</code>).</li> <li>It then <strong>substitutes this value</strong> into the expression <em>before</em> creating the timing function.</li> <li>So, <code>@btime sin($global_x)</code> becomes equivalent to <code>@btime sin(100.0)</code>.</li> <li>The internal timing function now operates on a <strong>constant value</strong>, eliminating the slow global lookup and allowing the compiler to generate type-stable code.</li> <li>This <strong>correctly measures</strong> only the execution time of <code>sin</code> operating on that value.</li> </ul> </li> <li> <p><strong>Interpreting Results:</strong></p> <ul> <li> <strong>Benchmark 1 (No <code>$</code>)</strong>: Shows a <strong>slower</strong> time and likely <strong>memory allocations</strong> (e.g., <code>1 allocation: 16 bytes</code>) due to the runtime global lookup and potential type instability.</li> <li> <strong>Benchmark 2 (<code>$</code>)</strong>: Shows a <strong>significantly faster</strong> time and <strong>zero allocations</strong>. This accurately reflects the cost of the <code>sin</code> call itself.</li> <li> <strong>Benchmark 3 (Literal)</strong>: May show an even <strong>faster</strong> time than Benchmark 2, also with <strong>zero allocations</strong>. This is because the compiler can perform the most aggressive constant propagation optimizations when it sees the literal value directly in the code at compile time. It represents the absolute lower bound.</li> </ul> </li> <li><p><strong>Rule of Thumb:</strong> <strong>ALWAYS</strong> use <code>$</code> to interpolate variables (global or local) into expressions benchmarked with <code>@btime</code> or <code>@benchmark</code>. Treat the expression inside <code>@btime</code> as if it were running in its own little function world where it can't see outside variables unless you explicitly pass their values in via <code>$</code>.</p></li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong><code>BenchmarkTools.jl</code> Documentation, Manual, "Interpolating values into benchmark expressions":</strong> This section explicitly explains the purpose and necessity of <code>$</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>BenchmarkTools.jl</code> installed)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0084_benchmark_interpolation.jl <span class="nt">---</span> Benchmark 1: Non-Const Global Directly <span class="o">(</span>INCORRECT<span class="o">)</span> <span class="nt">---</span> 14.647 ns <span class="o">(</span>1 allocation: 16 bytes<span class="o">)</span> <span class="c"># Slow, Allocates</span> <span class="nt">---</span> Benchmark 2: Non-Const Global Interpolated <span class="o">(</span>CORRECT<span class="o">)</span> <span class="nt">---</span> 3.706 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> <span class="c"># Faster, No Allocations</span> <span class="nt">---</span> Benchmark 3: Using a Literal <span class="o">(</span>Reference<span class="o">)</span> <span class="nt">---</span> 0.743 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> <span class="c"># Fastest (Constant Propagation), No Allocations</span> </code></pre> </div> <p><em>(Your exact times will vary based on CPU, but the relative differences and allocation patterns should be similar.)</em></p> <h3> <code>0085_benchmark_suite.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0085_benchmark_suite.jl</span> <span class="c"># Briefly demonstrates @benchmark for detailed stats and BenchmarkGroup.</span> <span class="c"># 1. Import necessary components.</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@benchmark</span><span class="x">,</span> <span class="nd">@benchmarkable</span><span class="x">,</span> <span class="n">BenchmarkGroup</span><span class="x">,</span> <span class="n">run</span><span class="x">,</span> <span class="n">minimum</span><span class="x">,</span> <span class="n">median</span> <span class="c"># 2. Include our math functions.</span> <span class="n">include</span><span class="x">(</span><span class="s">"my_math.jl"</span><span class="x">)</span> <span class="c"># Contains MyMath.add_two(x)</span> <span class="c"># 3. Define another function to compare.</span> <span class="k">function</span><span class="nf"> add_two_alternative</span><span class="x">(</span><span class="n">x</span><span class="x">)</span> <span class="c"># A slightly different (though likely optimized identically) way</span> <span class="n">y</span> <span class="o">=</span> <span class="n">x</span> <span class="n">y</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">y</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">return</span> <span class="n">y</span> <span class="k">end</span> <span class="c"># --- @benchmark Macro ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- @benchmark for detailed analysis ---"</span><span class="x">)</span> <span class="c"># 4. Use '@benchmark' for a more thorough analysis than '@btime'.</span> <span class="c"># It runs many more samples and provides richer statistical output.</span> <span class="c"># Remember to interpolate the argument!</span> <span class="n">input_val</span> <span class="o">=</span> <span class="mi">1000</span> <span class="n">bench_result</span> <span class="o">=</span> <span class="nd">@benchmark</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="o">$</span><span class="n">input_val</span><span class="x">)</span> <span class="c"># 5. Display the detailed result.</span> <span class="c"># The raw result object contains a lot of information.</span> <span class="c"># Printing it shows detailed quantiles, memory, etc.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Detailed @benchmark result for MyMath.add_two:"</span><span class="x">)</span> <span class="n">display</span><span class="x">(</span><span class="n">bench_result</span><span class="x">)</span> <span class="c"># In interactive sessions (like REPL), just running '@benchmark' prints this.</span> <span class="c"># --- BenchmarkGroup ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Comparing functions with BenchmarkGroup ---"</span><span class="x">)</span> <span class="c"># 6. Create a BenchmarkGroup to organize related benchmarks.</span> <span class="c"># It acts like a dictionary mapping names (Strings) to benchmarks.</span> <span class="n">suite</span> <span class="o">=</span> <span class="n">BenchmarkGroup</span><span class="x">()</span> <span class="c"># 7. Add benchmarks to the suite using dictionary-like syntax.</span> <span class="c"># The value side uses '@benchmarkable' which *defines* a benchmark</span> <span class="c"># without running it immediately. Remember interpolation!</span> <span class="n">suite</span><span class="x">[</span><span class="s">"original"</span><span class="x">]</span> <span class="o">=</span> <span class="nd">@benchmarkable</span> <span class="n">MyMath</span><span class="o">.</span><span class="n">add_two</span><span class="x">(</span><span class="o">$</span><span class="n">input_val</span><span class="x">)</span> <span class="n">suite</span><span class="x">[</span><span class="s">"alternative"</span><span class="x">]</span> <span class="o">=</span> <span class="nd">@benchmarkable</span> <span class="n">add_two_alternative</span><span class="x">(</span><span class="o">$</span><span class="n">input_val</span><span class="x">)</span> <span class="c"># 8. Run the entire suite.</span> <span class="c"># 'run(suite, verbose=true)' executes all defined benchmarks.</span> <span class="c"># 'verbose=true' prints results as they complete.</span> <span class="n">results</span> <span class="o">=</span> <span class="n">run</span><span class="x">(</span><span class="n">suite</span><span class="x">,</span> <span class="n">verbose</span><span class="o">=</span><span class="nb">true</span><span class="x">)</span> <span class="c"># 9. Access results programmatically.</span> <span class="c"># 'results' is also like a dictionary holding the Trial objects.</span> <span class="c"># BenchmarkTools provides 'minimum()' and 'median()' functions</span> <span class="c"># that extract the relevant TrialEstimate from a Trial. Access '.time'.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Accessing results programmatically:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Minimum time for 'original': "</span><span class="x">,</span> <span class="n">minimum</span><span class="x">(</span><span class="n">results</span><span class="x">[</span><span class="s">"original"</span><span class="x">])</span><span class="o">.</span><span class="n">time</span><span class="x">,</span> <span class="s">" ns"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Median time for 'alternative': "</span><span class="x">,</span> <span class="n">median</span><span class="x">(</span><span class="n">results</span><span class="x">[</span><span class="s">"alternative"</span><span class="x">])</span><span class="o">.</span><span class="n">time</span><span class="x">,</span> <span class="s">" ns"</span><span class="x">)</span> <span class="c"># Note: More advanced comparison/judging tools exist within BenchmarkTools.jl</span> </code></pre> </div> <h3> Explanation </h3> <p>This script briefly introduces more advanced features of <code>BenchmarkTools.jl</code>: the <strong><code>@benchmark</code></strong> macro for detailed statistics and <strong><code>BenchmarkGroup</code></strong> for organizing and comparing multiple benchmarks.</p> <ul> <li> <p><strong><code>@benchmark</code> vs. <code>@btime</code></strong></p> <ul> <li> <strong><code>@btime Expression</code></strong>: Quick, easy, provides the <strong>minimum</strong> time and basic allocation info. Ideal for rapid iteration during development.</li> <li> <strong><code>@benchmark Expression</code></strong>: Performs a more <strong>rigorous</strong> analysis. It runs many more samples across different evaluation counts, collects detailed timing and memory data, and returns a <code>BenchmarkTools.Trial</code> object containing rich statistical information (minimum, median, mean, standard deviation, quantiles, GC times, etc.).</li> <li> <strong>When to use <code>@benchmark</code>:</strong> Use it when you need a more statistically robust measurement, want to see the distribution of execution times (not just the minimum), or need to analyze GC behavior in detail. In scripts, you need to explicitly <code>display()</code> or <code>println()</code> the result object to see the full output.</li> </ul> </li> <li> <p><strong><code>BenchmarkGroup</code> and <code>@benchmarkable</code></strong></p> <ul> <li> <strong><code>BenchmarkGroup()</code>:</strong> Creates a container (like a <code>Dict</code>) to organize multiple, related benchmarks. You assign names (strings) to different benchmark definitions within the group.</li> <li> <strong><code>@benchmarkable Expression</code>:</strong> This macro <strong>defines</strong> a benchmark without running it immediately. It creates a <code>Benchmark</code> object that can be stored (e.g., in a <code>BenchmarkGroup</code>). This is useful for setting up a "suite" of tests.</li> <li> <strong><code>run(suite, verbose=true)</code>:</strong> Executes all benchmarks defined within the <code>BenchmarkGroup</code> (<code>suite</code>). <code>verbose=true</code> prints the results for each benchmark as it completes. The <code>run</code> function returns a nested structure mirroring the <code>BenchmarkGroup</code>, but containing the <code>Trial</code> result objects instead of the definitions.</li> </ul> </li> <li><p><strong>Accessing Results:</strong><br><br> The <code>results</code> object returned by <code>run</code> contains the <code>Trial</code> objects for each benchmark. <code>BenchmarkTools</code> provides convenient functions like <code>minimum(trial)</code> and <code>median(trial)</code> which return a <code>TrialEstimate</code> containing timing, allocation, and GC information. You access the specific time value using <code>.time</code>.</p></li> <li><p><strong>Organizing Benchmarks:</strong><br><br> <code>BenchmarkGroup</code> is essential for systematically comparing the performance of different implementations of the same function (like <code>MyMath.add_two</code> vs. <code>add_two_alternative</code>), different algorithms, or the same algorithm under varying conditions. It allows you to run a whole suite of performance tests with a single command and programmatically access or compare the results.</p></li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong><code>BenchmarkTools.jl</code> Documentation:</strong> Covers <code>@benchmark</code>, <code>BenchmarkGroup</code>, <code>@benchmarkable</code>, <code>run</code>, and result analysis in detail.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>BenchmarkTools.jl</code> installed and <code>my_math.jl</code> from lesson 0080)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0085_benchmark_suite.jl <span class="nt">---</span> @benchmark <span class="k">for </span>detailed analysis <span class="nt">---</span> Detailed @benchmark result <span class="k">for </span>MyMath.add_two: BenchmarkTools.Trial: 10000 samples with 1000 evaluations per sample. Range <span class="o">(</span>min … max<span class="o">)</span>: 1.300 ns … 6.093 ns ┊ GC <span class="o">(</span>min … max<span class="o">)</span>: 0.00% … 0.00% Time <span class="o">(</span>median<span class="o">)</span>: 1.310 ns ┊ GC <span class="o">(</span>median<span class="o">)</span>: 0.00% Time <span class="o">(</span>mean ± σ<span class="o">)</span>: 1.315 ns ± 0.088 ns ┊ GC <span class="o">(</span>mean ± σ<span class="o">)</span>: 0.00% ± 0.00% █▁ ▂▅██▄▄▂▂▂▂▁▂▂▂▂▂▁▁▁▁▁▁▁▂▂▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▁▂▁▁▁▁▁▁▁▁▁▁▁▁▁▂▂ ▂ 1.3 ns Histogram: frequency by <span class="nb">time </span>1.49 ns &lt; Memory estimate: 0 bytes, allocs estimate: 0. <span class="nt">---</span> Comparing functions with BenchmarkGroup <span class="nt">---</span> <span class="o">(</span>1/2<span class="o">)</span> benchmarking <span class="s2">"original"</span>... <span class="k">done</span> <span class="o">(</span>took 0.241308971 seconds<span class="o">)</span> <span class="o">(</span>2/2<span class="o">)</span> benchmarking <span class="s2">"alternative"</span>... <span class="k">done</span> <span class="o">(</span>took 0.231766299 seconds<span class="o">)</span> Accessing results programmatically: Minimum <span class="nb">time </span><span class="k">for</span> <span class="s1">'original'</span>: 9.0 ns <span class="c"># investigate discrepancy</span> Median <span class="nb">time </span><span class="k">for</span> <span class="s1">'alternative'</span>: 11.0 ns <span class="c"># investigate discrepancy</span> </code></pre> </div> <h1> Module 9: Memory, Data Layout and Unsafe Operations </h1> <h2> Memory Layout And Isbits </h2> <h3> <code>0086_module_intro.md</code> </h3> <p>This module marks a significant shift. We move from the high-level, mostly "safe" world of Julia programming into the low-level, C-style memory model that underpins its remarkable performance. Here, we'll learn to think about Julia objects not just by their type, but as <strong>raw blocks of bytes</strong> in memory.</p> <h2> Breaking the Contract </h2> <p>In previous modules, we operated under Julia's implicit "social contract": write clear, type-stable code, and the compiler will reward you with performance comparable to C or Fortran. This module deliberately steps outside that contract.</p> <p>We will dive <em>beneath</em> the compiler's safety net to understand the <strong>physical memory layout</strong> of Julia objects. This isn't just academic; it's the foundation for:</p> <ol> <li> <strong>Ultimate Performance:</strong> Writing code that ensures optimal data locality and allows the compiler to generate the most efficient machine instructions possible.</li> <li> <strong>C Interoperability:</strong> Seamlessly passing data to C, C++, or Fortran libraries <strong>without copying</strong>, by ensuring Julia's data structures are represented identically in memory to their native counterparts.</li> <li> <strong>Advanced Techniques:</strong> Building zero-copy views directly from memory buffers, implementing custom data structures with specific layouts, and performing bit-level manipulation on raw data representations.</li> </ol> <h2> Power and Responsibility </h2> <p>The functions and concepts introduced here often have names prefixed with <code>unsafe_</code>. This is a deliberate and serious warning. These tools bypass Julia's extensive safety checks (like bounds checking and type checking). They grant you C-level power over memory, which comes with C-level risks:</p> <ul> <li>Reading uninitialized memory.</li> <li>Writing past the allocated bounds of an object.</li> <li>Corrupting Julia's internal data structures or the garbage collector state.</li> <li>Causing immediate segmentation faults and process crashes.</li> </ul> <p>This is the domain of <strong>systems programming</strong>: you gain maximum control, but you bear maximum responsibility for correctness and safety. Mastering these concepts allows you to push Julia to its absolute performance limits and integrate it deeply with other systems. </p> <ul> <li> <strong>References:</strong> <ul> <li>Julia Official Documentation, Manual, "Calling C and Fortran Code": Introduces the concepts needed for interoperability, many of which rely on understanding memory layout.</li> <li>Julia Official Documentation, Base Documentation, <code>unsafe_*</code> functions (e.g., <code>unsafe_load</code>, <code>unsafe_wrap</code>): Explicitly document the dangers and responsibilities of using these low-level operations.</li> </ul> </li> </ul> <h3> <code>0087_isbits_and_memory_layout.md</code> </h3> <p>Before we can analyze the size (<code>sizeof</code>) or layout (<code>fieldoffset</code>) of a Julia <code>struct</code>, we must understand a fundamental distinction in Julia's type system: <strong><code>isbits</code></strong> versus <strong>non-<code>isbits</code></strong> types. This distinction dictates whether the data for an object is stored directly ("inline") or accessed indirectly via a pointer ("referenced").</p> <h2> The Core Question: Where is the Data? </h2> <p>Julia's type system classifies types based on how their data is represented in memory.</p> <h3> <code>isbits</code> Types (Data is "In-Place") </h3> <ul> <li> <strong>Definition:</strong> These are types whose in-memory representation consists <strong>solely of the data itself</strong>. They are self-contained, fixed-size blocks of bits with no pointers to other memory locations. The official documentation refers to them as "plain data" types.</li> <li> <strong>Characteristics:</strong> <ul> <li> <strong>Immutable:</strong> All <code>isbits</code> types must be immutable.</li> <li> <strong>No References:</strong> They cannot contain fields that are pointers or references to other objects (like <code>String</code>, <code>Vector</code>, <code>mutable struct</code> instances).</li> </ul> </li> <li> <strong>Examples:</strong> <ul> <li> <strong>Primitives:</strong> <code>Int64</code>, <code>Float64</code>, <code>Bool</code>, <code>Char</code>, <code>UInt8</code>, etc.</li> <li> <strong>Immutable Composites:</strong> An <strong>immutable <code>struct</code></strong> or <code>NTuple</code> (fixed-size tuple) is also <code>isbits</code> <strong>if and only if</strong> all of its fields are themselves <code>isbits</code> types.</li> </ul> </li> <li> <strong>Analogy (C <code>struct</code>):</strong> Think of an <code>isbits struct</code> as directly equivalent to a C <code>struct</code>. A Julia <code>struct Point { x::Float64; y::Float64 }</code> has the exact same 16-byte memory layout as its C counterpart. This block of data can be efficiently copied, stack-allocated by the compiler, passed in CPU registers, or stored contiguously ("inlined") within an array without any indirection.</li> </ul> <h3> Non-<code>isbits</code> Types (Data is "Referenced") </h3> <ul> <li> <strong>Definition:</strong> These are types whose instances contain <strong>references (pointers)</strong> to data stored elsewhere, typically on the heap. The object itself might be small (just a pointer or a header with pointers), but it points to potentially large amounts of data.</li> <li> <strong>Characteristics:</strong> <ul> <li> <strong>May Contain Pointers:</strong> They have fields whose types are non-<code>isbits</code> (like <code>String</code>, <code>Array</code>, <code>Dict</code>).</li> <li> <strong>Includes All Mutables:</strong> All <code>mutable struct</code>s are <strong>always non-<code>isbits</code></strong>, even if they only contain <code>isbits</code> fields (e.g., <code>mutable struct MutablePoint { x::Float64; y::Float64 }</code>).</li> </ul> </li> <li> <strong>Why Mutables are Non-<code>isbits</code>:</strong> A mutable object must have a stable, unique identity (memory address) so that modifications made through one reference are visible to all other references. This requires heap allocation and access via pointers.</li> <li> <strong>Examples:</strong> <ul> <li> <code>String</code> (contains a pointer to its UTF-8 byte data on the heap).</li> <li> <code>Vector{T}</code> (contains a pointer to its element buffer on the heap).</li> <li> <code>Dict{K,V}</code>.</li> <li>Any <code>mutable struct</code>.</li> <li>Any immutable <code>struct</code> that contains a non-<code>isbits</code> field (e.g., <code>struct LabeledPoint { p::Point; label::String }</code> is non-<code>isbits</code> because <code>String</code> is non-<code>isbits</code>).</li> </ul> </li> <li> <strong>Analogy (Array Layout):</strong> A <code>Vector{Point}</code> (where <code>Point</code> is <code>isbits</code>) is stored as a single, contiguous block of <code>Float64</code> data: <code>[x1, y1, x2, y2, ...]</code>. This is an <strong>Array of Structs (AoS)</strong>. In contrast, a <code>Vector{String}</code> is stored as a contiguous block of <strong>pointers</strong>: <code>[ptr1, ptr2, ptr3, ...]</code>, where each <code>ptr</code> points to a separate <code>String</code> object on the heap. This is an <strong>Array of Pointers</strong>. Understanding this difference is paramount for achieving cache efficiency and enabling SIMD optimizations.</li> </ul> <p>The <code>isbits</code> property is the key determinant of an object's memory layout and performance characteristics in Julia. We can check this property using the <code>isbitstype</code> function, as shown in the next lesson.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, <code>isbitstype</code>:</strong> "Return <code>true</code> if type <code>T</code> is a 'plain data' type..."</li> <li> <strong>Julia Official Documentation, Manual, Types:</strong> Describes the properties of immutable and mutable composite types and their memory implications.</li> <li> <strong>Julia Official Documentation, <code>devdocs</code>, "Memory layout of Julia Objects":</strong> (Internal documentation) Provides deeper details on object representation.</li> </ul> </li> </ul> <h3> <code>0088_isbits_examples.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0088_isbits_examples.jl</span> <span class="c"># Demonstrates the 'isbitstype' check.</span> <span class="c"># 1. Primitives are isbits types.</span> <span class="c"># They are immutable and contain only data bits.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Primitives ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Int64): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Int64</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Float64): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Float64</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Bool): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Bool</span><span class="x">))</span> <span class="c"># true</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Char): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Char</span><span class="x">))</span> <span class="c"># true</span> <span class="c"># --- Immutable Composites ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Immutable Composites ---"</span><span class="x">)</span> <span class="c"># 2. Immutable struct with ONLY isbits fields IS an isbits type.</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Point): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">Point</span><span class="x">))</span> <span class="c"># true</span> <span class="c"># 3. NTuple (fixed-size tuple) of isbits types IS an isbits type.</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(NTuple{3, Int}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">NTuple</span><span class="x">{</span><span class="mi">3</span><span class="x">,</span> <span class="kt">Int</span><span class="x">}))</span> <span class="c"># true</span> <span class="c"># 4. Immutable struct containing a non-isbits field is NOT isbits.</span> <span class="c"># 'String' holds a pointer to heap data, making it non-isbits.</span> <span class="k">struct</span><span class="nc"> LabeledPoint</span> <span class="n">p</span><span class="o">::</span><span class="n">Point</span> <span class="c"># Point is isbits</span> <span class="n">label</span><span class="o">::</span><span class="kt">String</span> <span class="c"># String is NOT isbits</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(LabeledPoint): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">LabeledPoint</span><span class="x">))</span> <span class="c"># false</span> <span class="c"># --- Mutables and References ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Mutables and References ---"</span><span class="x">)</span> <span class="c"># 5. Mutable struct is NEVER an isbits type, even with isbits fields.</span> <span class="c"># It must be heap-allocated to have a stable identity.</span> <span class="k">mutable struct</span><span class="nc"> MutablePoint</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(MutablePoint): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="n">MutablePoint</span><span class="x">))</span> <span class="c"># false</span> <span class="c"># 6. Types that inherently involve pointers/references are NOT isbits types.</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(String): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">String</span><span class="x">))</span> <span class="c"># false</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Vector{Int}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Vector</span><span class="x">{</span><span class="kt">Int</span><span class="x">}))</span> <span class="c"># false</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Dict{Int, Int}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Dict</span><span class="x">{</span><span class="kt">Int</span><span class="x">,</span> <span class="kt">Int</span><span class="x">}))</span> <span class="c"># false</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Channel{Int}): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Channel</span><span class="x">{</span><span class="kt">Int</span><span class="x">}))</span> <span class="c"># false</span> <span class="c"># 7. Abstract types are NOT isbits types.</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(Number): "</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">Number</span><span class="x">))</span> <span class="c"># false</span> <span class="n">println</span><span class="x">(</span><span class="s">"isbitstype(AbstractArray):"</span><span class="x">,</span> <span class="n">isbitstype</span><span class="x">(</span><span class="kt">AbstractArray</span><span class="x">))</span> <span class="c"># false</span> </code></pre> </div> <h3> Explanation </h3> <p>This script uses the built-in <code>isbitstype(T)</code> function to concretely demonstrate the rules outlined in the previous lesson for determining if a type is an <strong><code>isbits</code> type</strong> (a plain-data type). Understanding this classification is crucial for predicting memory layout and performance.</p> <ul> <li> <strong>Core Concept: <code>isbitstype(T::Type)</code></strong> This function takes a <strong>Type</strong> object (like <code>Int64</code>, <code>Point</code>, <code>String</code>) as input and returns <code>true</code> if that type meets the criteria for being an <code>isbits</code> type, and <code>false</code> otherwise. Recall, the criteria are:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. The type must be **immutable**. 2. The type must **contain no references** (pointers) to other memory locations; all its data must be stored directly within its own memory footprint. </code></pre> </div> <ul> <li> <p><strong>Verification of Rules:</strong></p> <ul> <li> <strong>Primitives (<code>Int64</code>, <code>Float64</code>, etc.):</strong> As expected, these fundamental types are <code>isbits</code> (<code>true</code>).</li> <li> <strong>Immutable <code>struct</code> (<code>Point</code>):</strong> Because <code>Point</code> is immutable and contains only <code>Float64</code> fields (which are <code>isbits</code>), <code>isbitstype(Point)</code> is <code>true</code>. This confirms it has a C-like, contiguous memory layout.</li> <li> <strong><code>NTuple</code>:</strong> Similarly, <code>NTuple{3, Int}</code> is a fixed-size, immutable collection of <code>isbits</code> types, making it <code>isbits</code> (<code>true</code>).</li> <li> <strong>Immutable <code>struct</code> with Non-<code>isbits</code> Field (<code>LabeledPoint</code>):</strong> <code>LabeledPoint</code> contains a <code>String</code>. Since <code>String</code> itself is not <code>isbits</code> (it holds a pointer to heap data), the entire <code>LabeledPoint</code> struct becomes non-<code>isbits</code> (<code>false</code>).</li> <li> <strong><code>mutable struct</code> (<code>MutablePoint</code>):</strong> <code>isbitstype(MutablePoint)</code> is <code>false</code>. This confirms the rule: <strong>all <code>mutable struct</code>s are non-<code>isbits</code></strong>, regardless of their fields, because they require heap allocation for a stable identity.</li> <li> <strong>Reference Types (<code>String</code>, <code>Vector</code>, <code>Dict</code>):</strong> These types inherently involve pointers to heap-allocated data, so they are non-<code>isbits</code> (<code>false</code>).</li> <li> <strong>Abstract Types (<code>Number</code>, <code>AbstractArray</code>):</strong> Abstract types do not have a single, fixed memory layout; they represent a <em>set</em> of possible concrete types. Therefore, they cannot be <code>isbits</code> (<code>false</code>).</li> </ul> </li> <li> <p><strong>Performance Implication Summary:</strong></p> <ul> <li>Types for which <code>isbitstype</code> returns <code>true</code> (like <code>Point</code>) are candidates for <strong>stack allocation</strong>, <strong>register passing</strong>, and <strong>inlined storage</strong> in arrays (<code>Vector{Point}</code> is contiguous).</li> <li>Types for which <code>isbitstype</code> returns <code>false</code> (like <code>MutablePoint</code> or <code>LabeledPoint</code>) are generally <strong>heap-allocated</strong>, passed <strong>by reference (pointer)</strong>, and stored as <strong>pointers</strong> in arrays (<code>Vector{MutablePoint}</code> is an array of pointers).</li> </ul> </li> </ul> <p>Knowing how to check <code>isbitstype</code> allows you to verify your assumptions about how your custom types will be handled by the compiler and predict their performance characteristics.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>isbitstype</code>:</strong> "Return <code>true</code> if type <code>T</code> is a 'plain data' type..."</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0088_isbits_examples.jl <span class="nt">---</span> Primitives <span class="nt">---</span> isbitstype<span class="o">(</span>Int64<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Float64<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Bool<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>Char<span class="o">)</span>: <span class="nb">true</span> <span class="nt">---</span> Immutable Composites <span class="nt">---</span> isbitstype<span class="o">(</span>Point<span class="o">)</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>NTuple<span class="o">{</span>3, Int<span class="o">})</span>: <span class="nb">true </span>isbitstype<span class="o">(</span>LabeledPoint<span class="o">)</span>: <span class="nb">false</span> <span class="nt">---</span> Mutables and References <span class="nt">---</span> isbitstype<span class="o">(</span>MutablePoint<span class="o">)</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>String<span class="o">)</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Vector<span class="o">{</span>Int<span class="o">})</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Dict<span class="o">{</span>Int, Int<span class="o">})</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Channel<span class="o">{</span>Int<span class="o">})</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>Number<span class="o">)</span>: <span class="nb">false </span>isbitstype<span class="o">(</span>AbstractArray<span class="o">)</span>:false </code></pre> </div> <h3> <code>0089_sizeof.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0089_sizeof.jl</span> <span class="c"># Demonstrates 'sizeof()' and introduces data alignment/padding.</span> <span class="c"># 1. 'sizeof()' on primitive (isbits) types.</span> <span class="c"># Returns the number of bytes occupied by the type in memory.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Primitive Types ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Int8): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int8</span><span class="x">))</span> <span class="c"># 1 byte</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Int16): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int16</span><span class="x">))</span> <span class="c"># 2 bytes</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Int32): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int32</span><span class="x">))</span> <span class="c"># 4 bytes</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Int64): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int64</span><span class="x">))</span> <span class="c"># 8 bytes</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Float64):"</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Float64</span><span class="x">))</span> <span class="c"># 8 bytes</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Bool): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Bool</span><span class="x">))</span> <span class="c"># 1 byte</span> <span class="c"># Size of a pointer (depends on architecture, typically 8 on 64-bit)</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Ptr{Nothing}): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Nothing</span><span class="x">}))</span> <span class="c"># --- isbits Structs ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- isbits Structs ---"</span><span class="x">)</span> <span class="c"># 2. 'sizeof()' on a simple isbits struct.</span> <span class="c"># Size is the sum of the sizes of its fields (plus padding).</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="c"># isbits</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="c"># 8 bytes</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="c"># 8 bytes</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Point): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">Point</span><span class="x">))</span> <span class="c"># 8 + 8 = 16 bytes</span> <span class="c"># 3. 'sizeof()' on an isbits struct requiring padding.</span> <span class="k">struct</span><span class="nc"> PaddedData</span> <span class="c"># isbits</span> <span class="n">a</span><span class="o">::</span><span class="kt">Int8</span> <span class="c"># 1 byte</span> <span class="n">b</span><span class="o">::</span><span class="kt">Int64</span> <span class="c"># 8 bytes</span> <span class="k">end</span> <span class="c"># Expected size might seem like 1 + 8 = 9 bytes. Due to alignment</span> <span class="c"># padding is added, resulting in 16 bytes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(PaddedData): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">PaddedData</span><span class="x">))</span> <span class="c"># Usually 16 bytes!</span> <span class="c"># --- Non-isbits Types (Instances) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Non-isbits Types (Instances) ---"</span><span class="x">)</span> <span class="c"># 4. 'sizeof(T)' errors for non-isbits *types* like String or Vector{Int}.</span> <span class="c"># However, 'sizeof(instance)' has specific definitions for some types:</span> <span class="n">s</span> <span class="o">=</span> <span class="s">"hello"</span> <span class="c"># 5 characters (5 bytes in UTF-8)</span> <span class="n">v</span> <span class="o">=</span> <span class="x">[</span><span class="mi">1</span><span class="x">,</span> <span class="mi">2</span><span class="x">,</span> <span class="mi">3</span><span class="x">]</span> <span class="c"># 3 Int64 elements (3 * 8 = 24 bytes of data)</span> <span class="c"># sizeof(s::String) returns the number of code units (bytes for UTF-8).</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(instance s): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">s</span><span class="x">))</span> <span class="c"># 5 bytes</span> <span class="c"># sizeof(v::Array) returns the size of the data buffer in bytes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(instance v): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">v</span><span class="x">))</span> <span class="c"># 24 bytes (length * element size)</span> <span class="c"># NOTE: Neither of these returns the size of the object *header* itself.</span> <span class="c"># --- Total Memory Usage ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Total Memory (Base.summarysize) ---"</span><span class="x">)</span> <span class="c"># 5. 'Base.summarysize()' calculates the total memory used by an object,</span> <span class="c"># including the object header/metadata AND any heap-allocated data it points to.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Base.summarysize(s): "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">summarysize</span><span class="x">(</span><span class="n">s</span><span class="x">))</span> <span class="c"># Size of String object + size of "hello" bytes + overhead</span> <span class="n">println</span><span class="x">(</span><span class="s">"Base.summarysize(v): "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">summarysize</span><span class="x">(</span><span class="n">v</span><span class="x">))</span> <span class="c"># Size of Vector object + size of [1, 2, 3] data + overhead</span> <span class="n">p</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">2.0</span><span class="x">)</span> <span class="c"># isbits struct</span> <span class="n">println</span><span class="x">(</span><span class="s">"Base.summarysize(p): "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">summarysize</span><span class="x">(</span><span class="n">p</span><span class="x">))</span> <span class="c"># Same as sizeof(Point)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <code>sizeof()</code> function, which reports the memory size occupied by a type or value, and reveals the important concept of <strong>data alignment</strong> and <strong>padding</strong> in <code>struct</code> layouts.</p> <ul> <li> <p><strong>Core Concept: <code>sizeof(T)</code> and <code>sizeof(x)</code></strong><br> The <code>sizeof()</code> function returns the number of bytes required to store a value of type <code>T</code> or the specific value <code>x</code>. Its behavior depends on the type:</p> <ul> <li>For <strong><code>isbits</code> types</strong> (primitives, immutable structs with <code>isbits</code> fields), <code>sizeof(T)</code> gives the total size of the actual data representation, including any padding needed for alignment. For <code>Point</code>, it's <code>16</code>.</li> <li>For <strong>non-<code>isbits</code> *types</strong>* (like <code>String</code> or <code>Vector{Int}</code>), <code>sizeof(T)</code> <strong>throws an error</strong> because these types don't have a single, fixed-size binary representation.</li> <li>For <strong>instances</strong> of <em>some</em> non-<code>isbits</code> types, <code>sizeof(x)</code> has specific definitions: <ul> <li> <code>sizeof(s::String)</code> returns the number of bytes in the string's data (<code>ncodeunits(s)</code>).</li> <li> <code>sizeof(v::Array)</code> returns the size in bytes of the array's <strong>data buffer</strong> (<code>length(v) * sizeof(eltype(v))</code>).</li> </ul> </li> <li> <strong>Important:</strong> For non-<code>isbits</code> instances like <code>s</code> and <code>v</code>, <code>sizeof(instance)</code> <strong>does not</strong> report the size of the object's header or reference part; it reports the size of the referenced <em>data</em>.</li> </ul> </li> <li> <p><strong>Data Alignment and Padding</strong><br> The output for <code>sizeof(PaddedData)</code> (16 bytes, not 9) is crucial. It demonstrates <strong>data alignment</strong>. CPUs access memory most efficiently when data is aligned (e.g., an 8-byte <code>Int64</code> starts at an address multiple of 8). To ensure <code>b::Int64</code> is aligned, the compiler inserts <strong>7 bytes of unused padding</strong> after <code>a::Int8</code>.</p> <ul> <li> <strong>Memory Layout:</strong> <code>[ a (1 byte) | padding (7 bytes) | b (8 bytes) ]</code> </li> <li>This padding is added automatically for performance. The next lesson (<code>fieldoffset</code>) will show this explicitly.</li> </ul> </li> <li> <p><strong><code>Base.summarysize(obj)</code> vs. <code>sizeof(obj)</code></strong></p> <ul> <li> <code>sizeof(obj)</code> gives the size of the inline data (<code>isbits</code>) or the referenced data (<code>String</code>, <code>Array</code>).</li> <li> <code>Base.summarysize(obj)</code> is the function for the <strong>total memory footprint</strong>, including the object's header/reference itself <strong>and</strong> any out-of-line (heap-allocated) data it references, plus potential GC overhead.</li> <li>For <code>isbits</code> types like <code>p</code>, <code>summarysize(p) == sizeof(p)</code>.</li> <li>For non-<code>isbits</code> types like <code>s</code> and <code>v</code>, <code>summarysize(obj)</code> is generally larger than <code>sizeof(obj)</code> because it includes the header size and overhead. The results (<code>summarysize(s)=13</code>, <code>summarysize(v)=64</code>) reflect this accurately (e.g., <code>13 = 5 bytes data + 8 bytes header? + overhead?</code>).</li> </ul> </li> </ul> <p>Understanding <code>sizeof</code> (especially its specific behavior for <code>String</code> and <code>Array</code> instances) and <code>Base.summarysize</code> is vital for analyzing memory usage. Understanding alignment is key for optimizing data structures and C interop.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>sizeof</code>:</strong> "Return the size, in bytes, of the canonical binary representation..." Also notes the specific method <code>sizeof(s::String) = ncodeunits(s)</code>. Behavior for <code>Array</code> instances seems less explicitly documented but empirically matches data buffer size.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Base.summarysize</code>:</strong> "Compute the total size, in bytes, of an object and all its fields and elements."</li> <li>(Data alignment is a general computer architecture concept).</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0089_sizeof.jl <span class="nt">---</span> Primitive Types <span class="nt">---</span> sizeof<span class="o">(</span>Int8<span class="o">)</span>: 1 sizeof<span class="o">(</span>Int16<span class="o">)</span>: 2 sizeof<span class="o">(</span>Int32<span class="o">)</span>: 4 sizeof<span class="o">(</span>Int64<span class="o">)</span>: 8 sizeof<span class="o">(</span>Float64<span class="o">)</span>:8 sizeof<span class="o">(</span>Bool<span class="o">)</span>: 1 sizeof<span class="o">(</span>Ptr<span class="o">{</span>Nothing<span class="o">})</span>: 8 <span class="nt">---</span> isbits Structs <span class="nt">---</span> sizeof<span class="o">(</span>Point<span class="o">)</span>: 16 sizeof<span class="o">(</span>PaddedData<span class="o">)</span>: 16 <span class="nt">---</span> Non-isbits Types <span class="o">(</span>Instances<span class="o">)</span> <span class="nt">---</span> sizeof<span class="o">(</span>instance s<span class="o">)</span>: 5 sizeof<span class="o">(</span>instance v<span class="o">)</span>: 24 <span class="nt">---</span> Total Memory <span class="o">(</span>Base.summarysize<span class="o">)</span> <span class="nt">---</span> Base.summarysize<span class="o">(</span>s<span class="o">)</span>: 13 Base.summarysize<span class="o">(</span>v<span class="o">)</span>: 64 Base.summarysize<span class="o">(</span>p<span class="o">)</span>: 16 </code></pre> </div> <h3> <code>0090_fieldoffset_and_alignment.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0090_fieldoffset_and_alignment.jl</span> <span class="c"># Demonstrates field offsets and alignment explicitly.</span> <span class="c"># 1. Reuse the structs from the previous lesson.</span> <span class="k">struct</span><span class="nc"> PaddedData</span> <span class="c"># isbits, sizeof = 16</span> <span class="n">a</span><span class="o">::</span><span class="kt">Int8</span> <span class="c"># 1 byte</span> <span class="n">b</span><span class="o">::</span><span class="kt">Int64</span> <span class="c"># 8 bytes</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> OptimizedData</span> <span class="c"># isbits, sizeof = 16 (often)</span> <span class="n">b</span><span class="o">::</span><span class="kt">Int64</span> <span class="c"># 8 bytes</span> <span class="n">a</span><span class="o">::</span><span class="kt">Int8</span> <span class="c"># 1 byte</span> <span class="k">end</span> <span class="k">struct</span><span class="nc"> CompactData</span> <span class="c"># isbits, sizeof = 16 (often)</span> <span class="n">a</span><span class="o">::</span><span class="kt">Int64</span> <span class="c"># 8 bytes</span> <span class="n">b</span><span class="o">::</span><span class="kt">Int32</span> <span class="c"># 4 bytes</span> <span class="n">c</span><span class="o">::</span><span class="kt">Int16</span> <span class="c"># 2 bytes</span> <span class="n">d</span><span class="o">::</span><span class="kt">Int8</span> <span class="c"># 1 byte</span> <span class="k">end</span> <span class="c"># --- Alignment ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Data Alignment Requirements ---"</span><span class="x">)</span> <span class="c"># 2. Base.datatype_alignment(T)</span> <span class="c"># Returns the minimum required alignment boundary (in bytes) for type T.</span> <span class="c"># Usually determined by the size of the largest primitive field.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Alignment of Int8: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">datatype_alignment</span><span class="x">(</span><span class="kt">Int8</span><span class="x">))</span> <span class="c"># 1</span> <span class="n">println</span><span class="x">(</span><span class="s">"Alignment of Int64: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">datatype_alignment</span><span class="x">(</span><span class="kt">Int64</span><span class="x">))</span> <span class="c"># 8 (on 64-bit)</span> <span class="c"># Alignment of a struct is usually the maximum alignment of its fields.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Alignment of PaddedData: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">datatype_alignment</span><span class="x">(</span><span class="n">PaddedData</span><span class="x">))</span> <span class="c"># 8</span> <span class="n">println</span><span class="x">(</span><span class="s">"Alignment of OptimizedData: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">datatype_alignment</span><span class="x">(</span><span class="n">OptimizedData</span><span class="x">))</span> <span class="c"># 8</span> <span class="n">println</span><span class="x">(</span><span class="s">"Alignment of CompactData: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">datatype_alignment</span><span class="x">(</span><span class="n">CompactData</span><span class="x">))</span> <span class="c"># 8</span> <span class="c"># --- Field Offsets ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Field Offsets (Proof of Padding) ---"</span><span class="x">)</span> <span class="c"># 3. fieldoffset(Type, field_index)</span> <span class="c"># Returns the byte offset of a field from the beginning of the struct.</span> <span class="c"># Field indices are 1-based.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- PaddedData (size </span><span class="si">$</span><span class="s">(sizeof(PaddedData))) ---"</span><span class="x">)</span> <span class="c"># Field 'a' (index 1) starts at byte 0.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of a (field 1): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">PaddedData</span><span class="x">,</span> <span class="mi">1</span><span class="x">))</span> <span class="c"># 0</span> <span class="c"># Field 'b' (index 2) requires 8-byte alignment.</span> <span class="c"># Compiler inserts 7 bytes padding after 'a'.</span> <span class="c"># 'b' starts at byte 8.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of b (field 2): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">PaddedData</span><span class="x">,</span> <span class="mi">2</span><span class="x">))</span> <span class="c"># 8 (NOT 1!)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- OptimizedData (size </span><span class="si">$</span><span class="s">(sizeof(OptimizedData))) ---"</span><span class="x">)</span> <span class="c"># Field 'b' (index 1) starts at byte 0.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of b (field 1): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">OptimizedData</span><span class="x">,</span> <span class="mi">1</span><span class="x">))</span> <span class="c"># 0</span> <span class="c"># Field 'a' (index 2) starts immediately after 'b' at byte 8.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of a (field 2): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">OptimizedData</span><span class="x">,</span> <span class="mi">2</span><span class="x">))</span> <span class="c"># 8</span> <span class="c"># Note: The total size might still be 16 due to struct-level alignment</span> <span class="c"># requirements (struct size often padded to match its alignment).</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- CompactData (size </span><span class="si">$</span><span class="s">(sizeof(CompactData))) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of a (field 1): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">CompactData</span><span class="x">,</span> <span class="mi">1</span><span class="x">))</span> <span class="c"># 0 (Int64, size 8)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of b (field 2): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">CompactData</span><span class="x">,</span> <span class="mi">2</span><span class="x">))</span> <span class="c"># 8 (Int32, size 4)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of c (field 3): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">CompactData</span><span class="x">,</span> <span class="mi">3</span><span class="x">))</span> <span class="c"># 12 (Int16, size 2)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Offset of d (field 4): "</span><span class="x">,</span> <span class="n">fieldoffset</span><span class="x">(</span><span class="n">CompactData</span><span class="x">,</span> <span class="mi">4</span><span class="x">))</span> <span class="c"># 14 (Int8, size 1)</span> <span class="c"># Total size used by fields: 8+4+2+1 = 15 bytes.</span> <span class="c"># Struct size is 16 bytes due to struct-level padding to meet alignment of 8.</span> </code></pre> </div> <h3> Explanation </h3> <p>This script delves deeper into the memory layout concepts introduced with <code>sizeof</code>, specifically demonstrating <strong>data alignment requirements</strong> and using <code>fieldoffset</code> to explicitly <strong>reveal the padding</strong> inserted by the compiler.</p> <ul> <li> <p><strong>Core Concept: Alignment</strong></p> <ul> <li> <strong><code>Base.datatype_alignment(T)</code>:</strong> This function reports the <strong>alignment requirement</strong> (in bytes) for a type <code>T</code>. For optimal performance, the starting memory address of a value of type <code>T</code> should be a multiple of its alignment.</li> <li> <strong>Primitives:</strong> The alignment of a primitive type (like <code>Int8</code>, <code>Int64</code>) is usually equal to its size (up to a maximum, often 8 or 16 bytes, depending on the architecture). <code>Int64</code> requires 8-byte alignment.</li> <li> <strong>Structs:</strong> The alignment requirement of a <code>struct</code> is typically the <strong>maximum</strong> alignment requirement of any of its fields. Since <code>PaddedData</code>, <code>OptimizedData</code>, and <code>CompactData</code> all contain an <code>Int64</code>, their alignment requirement is 8 bytes.</li> </ul> </li> <li> <p><strong>Core Concept: <code>fieldoffset(Type, field_index)</code></strong></p> <ul> <li>This function is the Julia equivalent of C's <code>offsetof</code> macro. It takes a <code>struct</code> type and the <strong>1-based index</strong> of a field and returns the <strong>byte offset</strong> of that field from the start of the <code>struct</code>.</li> <li>This allows us to precisely see where each field is placed in memory.</li> </ul> </li> <li> <p><strong>Proof of Padding (<code>PaddedData</code>)</strong></p> <ul> <li><code>struct PaddedData { a::Int8; b::Int64 }</code></li> <li> <code>fieldoffset(PaddedData, 1)</code> (for <code>a</code>) is <code>0</code>. The first field starts at the beginning.</li> <li> <code>fieldoffset(PaddedData, 2)</code> (for <code>b</code>) is <code>8</code>, <strong>not</strong> <code>1</code>. This provides concrete proof of padding. <code>a</code> occupies byte 0. <code>b</code> requires 8-byte alignment, so it cannot start at byte 1. The compiler inserts <strong>7 bytes of padding</strong> (bytes 1 through 7) so that <code>b</code> can start at the correctly aligned byte 8.</li> <li> <strong>Memory Layout:</strong> <code>[ a (byte 0) | padding (bytes 1-7) | b (bytes 8-15) ]</code> </li> <li>The total size becomes 16 bytes.</li> </ul> </li> <li> <p><strong>Field Order (<code>OptimizedData</code>)</strong></p> <ul> <li><code>struct OptimizedData { b::Int64; a::Int8 }</code></li> <li> <code>fieldoffset(OptimizedData, 1)</code> (for <code>b</code>) is <code>0</code>.</li> <li> <code>fieldoffset(OptimizedData, 2)</code> (for <code>a</code>) is <code>8</code>. It starts immediately after <code>b</code>.</li> <li> <strong>Packing:</strong> No padding is needed <em>between</em> <code>b</code> and <code>a</code>. However, the total <code>sizeof(OptimizedData)</code> is often still 16. This is because the struct <em>itself</em> must meet its alignment requirement (8 bytes). To ensure that in an array <code>Vector{OptimizedData}</code> each element starts on an 8-byte boundary, the compiler may add padding <em>at the end</em> of the struct, bringing the total size from 9 (8+1) up to the next multiple of 8, which is 16.</li> </ul> </li> <li> <p><strong>Performance Guideline (<code>CompactData</code>)</strong></p> <ul> <li><code>struct CompactData { a::Int64; b::Int32; c::Int16; d::Int8 }</code></li> <li>Offsets: 0, 8, 12, 14.</li> <li>By ordering fields from <strong>largest alignment to smallest alignment</strong>, we minimize the padding <em>between</em> fields. In this case, no padding is needed between fields.</li> <li>The total size occupied by data is <code>8+4+2+1 = 15</code> bytes.</li> <li>The final <code>sizeof(CompactData)</code> is 16 bytes because of the struct-level padding added at the end to satisfy the overall 8-byte alignment requirement.</li> <li> <strong>Best Practice:</strong> While Julia's compiler handles this automatically, manually ordering struct fields from largest to smallest is a standard C/C++ practice that guarantees the most compact memory layout and is good habit for performance-conscious code.</li> </ul> </li> </ul> <p>Understanding alignment and offsets is essential for writing highly optimized code (minimizing wasted memory and ensuring cache efficiency) and for correctly interfacing with C/C++ libraries that rely on specific struct layouts.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>fieldoffset</code>:</strong> "Get the byte offset of a field relative to the start of the composite type."</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Base.datatype_alignment</code>:</strong> "Get the default alignment for a type."</li> <li>(CPU architecture manuals and C language standards define alignment rules, which Julia generally follows.)</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0090_fieldoffset_and_alignment.jl <span class="nt">---</span> Data Alignment Requirements <span class="nt">---</span> Alignment of Int8: 1 Alignment of Int64: 8 Alignment of PaddedData: 8 Alignment of OptimizedData: 8 Alignment of CompactData: 8 <span class="nt">---</span> Field Offsets <span class="o">(</span>Proof of Padding<span class="o">)</span> <span class="nt">---</span> <span class="nt">---</span> PaddedData <span class="o">(</span>size 16<span class="o">)</span> <span class="nt">---</span> Offset of a <span class="o">(</span>field 1<span class="o">)</span>: 0 Offset of b <span class="o">(</span>field 2<span class="o">)</span>: 8 <span class="nt">---</span> OptimizedData <span class="o">(</span>size 16<span class="o">)</span> <span class="nt">---</span> Offset of b <span class="o">(</span>field 1<span class="o">)</span>: 0 Offset of a <span class="o">(</span>field 2<span class="o">)</span>: 8 <span class="nt">---</span> CompactData <span class="o">(</span>size 16<span class="o">)</span> <span class="nt">---</span> Offset of a <span class="o">(</span>field 1<span class="o">)</span>: 0 Offset of b <span class="o">(</span>field 2<span class="o">)</span>: 8 Offset of c <span class="o">(</span>field 3<span class="o">)</span>: 12 Offset of d <span class="o">(</span>field 4<span class="o">)</span>: 14 </code></pre> </div> <h2> Pointers And Unsafe Memory Access </h2> <h3> <code>0091_pointer_from_objref.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0091_pointer_from_objref.jl</span> <span class="c"># Getting raw pointers to Julia objects.</span> <span class="c"># --- Case 1: Mutable Struct (Heap-Allocated Object) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Mutable Struct ---"</span><span class="x">)</span> <span class="c"># A mutable struct instance 'd' lives on the heap.</span> <span class="k">mutable struct</span><span class="nc"> MyData</span> <span class="n">val</span><span class="o">::</span><span class="kt">Int64</span> <span class="k">end</span> <span class="n">d</span> <span class="o">=</span> <span class="n">MyData</span><span class="x">(</span><span class="mi">100</span><span class="x">)</span> <span class="c"># 'pointer_from_objref(obj)' returns a raw Ptr{Nothing} (like void*)</span> <span class="c"># pointing to the beginning of the object's memory block on the heap.</span> <span class="c"># The GC knows about 'd' and won't collect it while 'd' is reachable.</span> <span class="n">ptr_d_obj</span> <span class="o">=</span> <span class="n">pointer_from_objref</span><span class="x">(</span><span class="n">d</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Object d: "</span><span class="x">,</span> <span class="n">d</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to d object (Ptr{Nothing}): "</span><span class="x">,</span> <span class="n">ptr_d_obj</span><span class="x">)</span> <span class="c"># --- Case 2: Array (Special Handling) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Array ---"</span><span class="x">)</span> <span class="n">A</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">]</span> <span class="c"># Vector{Int64}</span> <span class="c"># 'pointer(A)' is the *safe and standard* way to get a pointer for arrays.</span> <span class="c"># It returns a *typed* pointer (Ptr{Int64}) pointing directly to the</span> <span class="c"># *first data element* (A[1]).</span> <span class="c"># This is the pointer you pass to C functions expecting 'int*'.</span> <span class="c"># The GC guarantees the array's data won't move while this pointer is live</span> <span class="c"># (e.g., during a ccall).</span> <span class="n">ptr_A_data</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Array A: "</span><span class="x">,</span> <span class="n">A</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to A's data (Ptr{Int64}): "</span><span class="x">,</span> <span class="n">ptr_A_data</span><span class="x">)</span> <span class="c"># 'pointer_from_objref(A)' points to the *Array object header* itself,</span> <span class="c"># NOT the data buffer. This header contains metadata like dimensions and length.</span> <span class="c"># This is generally less useful than pointer(A).</span> <span class="n">ptr_A_header</span> <span class="o">=</span> <span class="n">pointer_from_objref</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to A's *header* (Ptr{Nothing}): "</span><span class="x">,</span> <span class="n">ptr_A_header</span><span class="x">)</span> <span class="c"># --- Case 3: Immutable `isbits` Struct (Requires Boxing) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Immutable isbits Struct ---"</span><span class="x">)</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="c"># isbits</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="k">end</span> <span class="n">p</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">2.0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Point p: "</span><span class="x">,</span> <span class="n">p</span><span class="x">)</span> <span class="c"># !! DANGER !! Attempting pointer_from_objref directly on an isbits value 'p' is UNSAFE.</span> <span class="c"># The SAFE way to get a stable pointer to an isbits value is to "box" it</span> <span class="c"># using a 'Ref'. A 'Ref' is a tiny mutable container designed for this.</span> <span class="n">p_boxed</span> <span class="o">=</span> <span class="kt">Ref</span><span class="x">(</span><span class="n">p</span><span class="x">)</span> <span class="c"># Creates a Ref{Point} object on the heap, holding 'p'.</span> <span class="c"># Now we get a pointer to the *Ref object* on the heap.</span> <span class="n">ptr_p_ref_obj</span> <span class="o">=</span> <span class="n">pointer_from_objref</span><span class="x">(</span><span class="n">p_boxed</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Boxed Point (Ref): "</span><span class="x">,</span> <span class="n">p_boxed</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to Ref object: "</span><span class="x">,</span> <span class="n">ptr_p_ref_obj</span><span class="x">)</span> <span class="c"># Use 'Base.unsafe_convert' to get a pointer to the *data inside* the Ref.</span> <span class="c"># This is the low-level function that ccall uses for Ref arguments.</span> <span class="n">ptr_p_data_in_ref</span> <span class="o">=</span> <span class="n">Base</span><span class="o">.</span><span class="n">unsafe_convert</span><span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="n">Point</span><span class="x">},</span> <span class="n">p_boxed</span><span class="x">)</span> <span class="c"># Returns Ptr{Point}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to Point data inside Ref: "</span><span class="x">,</span> <span class="n">ptr_p_data_in_ref</span><span class="x">)</span> <span class="c"># This 'ptr_p_data_in_ref' is what you'd pass to a C function expecting 'Point*'.</span> </code></pre> </div> <h3> Explanation </h3> <p>This script explores how to obtain raw memory pointers (<code>Ptr{T}</code>) to Julia objects, highlighting the crucial differences between <code>pointer()</code> for arrays and the lower-level <code>pointer_from_objref()</code>. Understanding these is essential for unsafe memory operations and C interoperability.</p> <h2> <code>pointer(A::Array)</code> - The Safe Pointer to Data </h2> <ul> <li> <strong>Purpose:</strong> <code>pointer(A)</code> is the <strong>standard, safe, and recommended</strong> way to get a pointer associated with an <code>Array</code> (or <code>String</code>).</li> <li> <strong>Return Type:</strong> It returns a <strong>typed pointer</strong> (e.g., <code>Ptr{Int64}</code> for <code>Vector{Int64}</code>) that points directly to the <strong>first data element</strong> (<code>A[1]</code>) in the array's contiguous memory buffer.</li> <li> <strong>Use Case:</strong> This is the pointer you pass to C functions that expect a C-style array pointer (like <code>double*</code> or <code>int*</code>).</li> <li> <strong>GC Safety:</strong> Julia's Garbage Collector (GC) is aware of pointers created via <code>pointer(A)</code>. When such a pointer is passed to <code>ccall</code>, the GC <strong>guarantees</strong> that the underlying array <code>A</code> will not be moved or garbage collected while the C function is executing ("pinning"). This prevents memory corruption.</li> </ul> <h2> <code>pointer_from_objref(obj)</code> - The Unsafe Pointer to Object </h2> <ul> <li> <strong>Purpose:</strong> <code>pointer_from_objref(obj)</code> is a lower-level, generally <strong>unsafe</strong> function. It provides a raw pointer to the <strong>beginning of the Julia object <code>obj</code> itself</strong> in memory.</li> <li> <strong>Return Type:</strong> It returns an <strong>untyped pointer</strong>, <code>Ptr{Nothing}</code> (equivalent to C's <code>void*</code>).</li> <li> <strong>Behavior:</strong> <ul> <li>For <strong>heap-allocated objects</strong> (like <code>mutable struct</code> <code>d</code>), it returns the address of the object's block on the heap.</li> <li>For <strong>Arrays</strong> (like <code>A</code>), it returns the address of the <strong>array header object</strong>, which contains metadata like dimensions and length, <strong>not</strong> the address of the data buffer returned by <code>pointer(A)</code>.</li> </ul> </li> <li> <strong>GC Safety Warning:</strong> The GC <em>does</em> know about the object <code>obj</code> itself, but it provides <strong>no guarantees</strong> about the object's location <em>unless</em> you are careful. If you simply store <code>ptr = pointer_from_objref(obj)</code> in a variable, the GC might later move the object <code>obj</code> during compaction, leaving <code>ptr</code> dangling (pointing to invalid memory). It's generally only safe to use this pointer immediately, for example, within a <code>ccall</code> where the object reference itself keeps the object rooted.</li> </ul> <h2> Handling <code>isbits</code> Values (Boxing with <code>Ref</code>) </h2> <ul> <li> <strong>The Danger:</strong> You <strong>cannot</strong> safely use <code>pointer_from_objref</code> directly on an <strong><code>isbits</code> value</strong> (like an <code>Int</code>, <code>Float64</code>, or an immutable <code>isbits struct</code> like <code>Point</code>). These values often live on the <strong>stack</strong> or even just in <strong>CPU registers</strong>. They don't necessarily have a stable memory address tracked by the GC.</li> <li> <strong>The Solution: Boxing with <code>Ref</code>:</strong> To get a stable, GC-tracked pointer to an <code>isbits</code> value (e.g., to pass its address to a C function expecting <code>Point*</code>), you must <strong>"box"</strong> it using <code>Ref(value)</code>. <ul> <li> <code>Ref(p)</code> creates a small, <strong>mutable</strong>, <strong>heap-allocated</strong> container object (<code>Ref{Point}</code>) that holds the <code>isbits</code> value <code>p</code>.</li> <li> <strong><code>Base.unsafe_convert(Ptr{T}, ref)</code>:</strong> This is the low-level function (used internally by <code>ccall</code>) to get a <strong>typed pointer</strong> (<code>Ptr{Point}</code> in this case) to the data <em>stored inside</em> the <code>Ref</code> object. This pointer <em>is</em> GC-safe while the <code>Ref</code> object exists and is suitable for passing to C functions expecting a pointer to the struct.</li> <li> <code>pointer_from_objref(p_boxed)</code> still gives you the pointer to the <code>Ref</code> object itself, which is usually less useful for C interop than the pointer to the contained data.</li> </ul> </li> </ul> <p>Understanding when and how to obtain pointers safely is paramount when working at the boundary between Julia's managed memory and raw memory access.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>pointer</code>:</strong> "Get the native address of an array or string element." Mentions GC safety during <code>ccall</code>.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>pointer_from_objref</code>:</strong> "Get the memory address of a Julia object as a <code>Ptr</code>." Explicitly warns about GC interaction.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Ref</code>:</strong> Describes <code>Ref</code> as a container often used for C interop involving pointers to values.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Base.unsafe_convert</code>:</strong> "Convert <code>x</code> to a value of type <code>T</code>... In cases where <code>x</code> is already of type <code>T</code>, should return <code>x</code>." Crucially used for converting <code>Ref{T}</code> to <code>Ptr{T}</code> for <code>ccall</code>.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0091_pointer_from_objref.jl <span class="nt">---</span> Mutable Struct <span class="nt">---</span> Object d: MyData<span class="o">(</span>100<span class="o">)</span> Pointer to d object <span class="o">(</span>Ptr<span class="o">{</span>Nothing<span class="o">})</span>: Ptr<span class="o">{</span>Nothing<span class="o">}(</span>0x...<span class="o">)</span> <span class="nt">---</span> Array <span class="nt">---</span> Array A: <span class="o">[</span>10, 20, 30] Pointer to A<span class="s1">'s data (Ptr{Int64}): Ptr{Int64}(0x...) Pointer to A'</span>s <span class="k">*</span>header<span class="k">*</span> <span class="o">(</span>Ptr<span class="o">{</span>Nothing<span class="o">})</span>: Ptr<span class="o">{</span>Nothing<span class="o">}(</span>0x...<span class="o">)</span> <span class="nt">---</span> Immutable isbits Struct <span class="nt">---</span> Point p: Point<span class="o">(</span>1.0, 2.0<span class="o">)</span> Boxed Point <span class="o">(</span>Ref<span class="o">)</span>: Base.RefValue<span class="o">{</span>Point<span class="o">}(</span>Point<span class="o">(</span>1.0, 2.0<span class="o">))</span> Pointer to Ref object: Ptr<span class="o">{</span>Nothing<span class="o">}(</span>0x...<span class="o">)</span> Pointer to Point data inside Ref: Ptr<span class="o">{</span>Point<span class="o">}(</span>0x...<span class="o">)</span> </code></pre> </div> <p><em>(Memory addresses (<code>0x...</code>) will vary.)</em></p> <h3> <code>0092_unsafe_load_store.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0092_unsafe_load_store.jl</span> <span class="c"># Demonstrates reading from and writing to raw pointers.</span> <span class="c"># 1. Get a pointer to array data (our raw memory block)</span> <span class="n">A</span> <span class="o">=</span> <span class="x">[</span><span class="mi">10</span><span class="x">,</span> <span class="mi">20</span><span class="x">,</span> <span class="mi">30</span><span class="x">,</span> <span class="mi">40</span><span class="x">]</span> <span class="c"># Vector{Int64}</span> <span class="n">p</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="c"># p::Ptr{Int64}, points to A[1]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original array: "</span><span class="x">,</span> <span class="n">A</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer p (points to A[1]): "</span><span class="x">,</span> <span class="n">p</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Element size: "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">eltype</span><span class="x">(</span><span class="n">A</span><span class="x">)),</span> <span class="s">" bytes"</span><span class="x">)</span> <span class="c"># 8 bytes for Int64</span> <span class="c"># --- Reading from Pointers: unsafe_load ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reading using unsafe_load ---"</span><span class="x">)</span> <span class="c"># 2. unsafe_load(pointer, [index=1])</span> <span class="c"># Reads the value of the pointer's element type from memory.</span> <span class="c"># The index is 1-based and refers to *elements*, not bytes.</span> <span class="n">val1</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">p</span><span class="x">)</span> <span class="c"># Reads the 1st Int64 (at byte offset 0)</span> <span class="n">val2</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">p</span><span class="x">,</span> <span class="mi">2</span><span class="x">)</span> <span class="c"># Reads the 2nd Int64 (at byte offset 8)</span> <span class="n">val3</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">p</span><span class="x">,</span> <span class="mi">3</span><span class="x">)</span> <span class="c"># Reads the 3rd Int64 (at byte offset 16)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at index 1 (offset 0): "</span><span class="x">,</span> <span class="n">val1</span><span class="x">)</span> <span class="c"># 10</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at index 2 (offset 8): "</span><span class="x">,</span> <span class="n">val2</span><span class="x">)</span> <span class="c"># 20</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at index 3 (offset 16):"</span><span class="x">,</span> <span class="n">val3</span><span class="x">)</span> <span class="c"># 30</span> <span class="c"># --- Writing to Pointers: unsafe_store! ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Writing using unsafe_store! ---"</span><span class="x">)</span> <span class="c"># 3. unsafe_store!(pointer, value, [index=1])</span> <span class="c"># Writes 'value' to the memory location for the specified element index.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Storing 999 at index 4 (offset 24)..."</span><span class="x">)</span> <span class="n">unsafe_store!</span><span class="x">(</span><span class="n">p</span><span class="x">,</span> <span class="mi">999</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="c"># Writes 999 to A[4]'s location</span> <span class="n">println</span><span class="x">(</span><span class="s">"Array after unsafe_store!: "</span><span class="x">,</span> <span class="n">A</span><span class="x">)</span> <span class="c"># [10, 20, 30, 999]</span> <span class="c"># --- Pointer Arithmetic (Alternative Access) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Pointer Arithmetic (C-style) ---"</span><span class="x">)</span> <span class="c"># 4. Manually add byte offsets to the pointer.</span> <span class="c"># 'p + N' adds N *bytes* to the address.</span> <span class="n">p_plus_8_bytes</span> <span class="o">=</span> <span class="n">p</span> <span class="o">+</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int64</span><span class="x">)</span> <span class="c"># Pointer to the 2nd element</span> <span class="n">p_plus_16_bytes</span> <span class="o">=</span> <span class="n">p</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int64</span><span class="x">)</span> <span class="c"># Pointer to the 3rd element</span> <span class="c"># Load using the offset pointer (index defaults to 1 for the *new* pointer)</span> <span class="n">val2_arith</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">p_plus_8_bytes</span><span class="x">)</span> <span class="n">val3_arith</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">p_plus_16_bytes</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at p + 8 bytes: "</span><span class="x">,</span> <span class="n">val2_arith</span><span class="x">)</span> <span class="c"># 20</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at p + 16 bytes: "</span><span class="x">,</span> <span class="n">val3_arith</span><span class="x">)</span> <span class="c"># 30</span> <span class="c"># --- DANGER: No Bounds Checking ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- DANGER: No Bounds Checking ---"</span><span class="x">)</span> <span class="c"># 5. Unsafe operations DO NOT check array bounds.</span> <span class="c"># Writing past the end corrupts memory.</span> <span class="n">out_of_bounds_index</span> <span class="o">=</span> <span class="mi">100</span> <span class="k">try</span> <span class="n">println</span><span class="x">(</span><span class="s">"Attempting unsafe_store! at index </span><span class="si">$</span><span class="s">out_of_bounds_index (out of bounds)..."</span><span class="x">)</span> <span class="n">unsafe_store!</span><span class="x">(</span><span class="n">p</span><span class="x">,</span> <span class="o">-</span><span class="mi">1</span><span class="x">,</span> <span class="n">out_of_bounds_index</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"...Memory potentially corrupted (no crash this time)."</span><span class="x">)</span> <span class="c"># Reading might read garbage or crash</span> <span class="c"># garbage = unsafe_load(p, out_of_bounds_index)</span> <span class="c"># println("Read garbage: ", garbage)</span> <span class="k">catch</span> <span class="n">e</span> <span class="c"># A crash (segfault) might happen here, or later, or never.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught error (lucky if it happens immediately): "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Reset the value we overwrote if no crash</span> <span class="k">if</span> <span class="n">A</span><span class="x">[</span><span class="mi">4</span><span class="x">]</span> <span class="o">==</span> <span class="mi">999</span> <span class="n">unsafe_store!</span><span class="x">(</span><span class="n">p</span><span class="x">,</span> <span class="mi">40</span><span class="x">,</span> <span class="mi">4</span><span class="x">)</span> <span class="c"># Restore original value for consistency if needed</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Array after potential out-of-bounds write attempt: "</span><span class="x">,</span> <span class="n">A</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the fundamental <strong>unsafe</strong> operations for reading (<code>unsafe_load</code>) and writing (<code>unsafe_store!</code>) directly to memory addresses specified by pointers (<code>Ptr{T}</code>). These functions are the Julia equivalents of C's pointer dereferencing (<code>*ptr</code>) and assignment (<code>*ptr = value</code>).</p> <h2> Core Concepts </h2> <ul> <li> <strong><code>unsafe_load(pointer::Ptr{T}, [index::Integer=1])</code>:</strong> <ul> <li>Reads the binary data from the memory address <code>pointer + (index-1)*sizeof(T)</code>.</li> <li>Interprets those bytes as a value of type <code>T</code> (the element type of the pointer).</li> <li>Returns the value of type <code>T</code>.</li> <li> <strong>1-Based Indexing:</strong> The optional <code>index</code> argument is <strong>1-based</strong> and refers to the <em>element number</em>, not the byte offset. <code>unsafe_load(p, 2)</code> automatically calculates the correct byte offset to read the second <code>Int64</code>.</li> </ul> </li> <li> <strong><code>unsafe_store!(pointer::Ptr{T}, value, [index::Integer=1])</code>:</strong> <ul> <li>Writes the binary representation of <code>value</code> to the memory address <code>pointer + (index-1)*sizeof(T)</code>.</li> <li> <code>value</code> should typically be convertible to type <code>T</code>.</li> <li>The <code>!</code> suffix indicates that this function modifies memory (the location pointed to).</li> </ul> </li> <li> <strong>Pointer Arithmetic:</strong> <ul> <li>You can manually perform C-style pointer arithmetic by adding <strong>byte offsets</strong> to a pointer. <code>p + sizeof(Int64)</code> creates a <em>new</em> pointer address that is 8 bytes after <code>p</code>.</li> <li>When calling <code>unsafe_load</code> or <code>unsafe_store!</code> on such an offset pointer, the default index <code>1</code> refers to the <em>start</em> of that new address. <code>unsafe_load(p + sizeof(Int64))</code> is equivalent to <code>unsafe_load(p, 2)</code>.</li> <li>While possible, using the 1-based index argument is generally less error-prone than manual byte arithmetic.</li> </ul> </li> </ul> <h2> The <code>unsafe_</code> Warning: No Safety Net </h2> <ul> <li> <strong>No Bounds Checking:</strong> This is the most critical danger. <code>unsafe_load</code> and <code>unsafe_store!</code> perform <strong>zero bounds checking</strong>. They operate directly on memory addresses. If you provide an index (or calculate a byte offset) that points outside the allocated memory block for your object (like <code>A</code>), these functions will still attempt to read or write there.</li> <li> <strong>Undefined Behavior:</strong> Accessing memory out of bounds leads to <strong>undefined behavior</strong>: <ul> <li>It might crash immediately with a segmentation fault.</li> <li>It might silently read garbage data.</li> <li>It might silently <strong>corrupt</strong> unrelated data or program state, leading to bizarre errors much later in execution.</li> </ul> </li> <li> <strong>Responsibility:</strong> When using <code>unsafe_</code> functions, <strong>you</strong>, the programmer, are solely responsible for ensuring that all memory accesses are within the valid bounds of the object being pointed to.</li> </ul> <p>These functions are essential building blocks for performance-critical code that interacts directly with memory buffers (e.g., from network I/O, C libraries, or custom data structures), but they must be used with extreme caution and careful bounds management.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>unsafe_load</code>:</strong> "Load a value of type <code>T</code> from the address indicated by pointer <code>p</code>..."</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>unsafe_store!</code>:</strong> "Store a value of type <code>T</code> to the address indicated by pointer <code>p</code>..."</li> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming" (Pointer Arithmetic):</strong> Briefly mentions pointer arithmetic with byte offsets.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0092_unsafe_load_store.jl Original array: <span class="o">[</span>10, 20, 30, 40] Pointer p <span class="o">(</span>points to A[1]<span class="o">)</span>: Ptr<span class="o">{</span>Int64<span class="o">}(</span>0x...<span class="o">)</span> Element size: 8 bytes <span class="nt">---</span> Reading using unsafe_load <span class="nt">---</span> Value at index 1 <span class="o">(</span>offset 0<span class="o">)</span>: 10 Value at index 2 <span class="o">(</span>offset 8<span class="o">)</span>: 20 Value at index 3 <span class="o">(</span>offset 16<span class="o">)</span>: 30 <span class="nt">---</span> Writing using unsafe_store! <span class="nt">---</span> Storing 999 at index 4 <span class="o">(</span>offset 24<span class="o">)</span>... Array after unsafe_store!: <span class="o">[</span>10, 20, 30, 999] <span class="nt">---</span> Pointer Arithmetic <span class="o">(</span>C-style<span class="o">)</span> <span class="nt">---</span> Value at p + 8 bytes: 20 Value at p + 16 bytes: 30 Attempting unsafe_store! at index 100 <span class="o">(</span>out of bounds<span class="o">)</span>... ...Memory potentially corrupted <span class="o">(</span>no crash this <span class="nb">time</span><span class="o">)</span><span class="nb">.</span> Read garbage: <span class="nt">-1</span> Array after potential out-of-bounds write attempt: <span class="o">[</span>10, 20, 30, 40] </code></pre> </div> <p><em>(Memory addresses will vary. Whether the out-of-bounds write actually crashes is system-dependent.)</em></p> <h2> Zero Copy Views And Conversions </h2> <h3> <code>0093_unsafe_wrap.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0093_unsafe_wrap.jl</span> <span class="c"># Creates a Julia Array view over a raw pointer (zero-copy).</span> <span class="k">import</span> <span class="n">Libc</span> <span class="c"># For malloc/free examples</span> <span class="c"># --- Case 1: Wrapping Memory Managed by Julia ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Wrapping a Julia Array's Pointer (Borrowing) ---"</span><span class="x">)</span> <span class="c"># 1. Get a pointer to existing, GC-managed memory.</span> <span class="n">julia_data</span> <span class="o">=</span> <span class="kt">Float64</span><span class="x">[</span><span class="mf">1.1</span><span class="x">,</span> <span class="mf">2.2</span><span class="x">,</span> <span class="mf">3.3</span><span class="x">,</span> <span class="mf">4.4</span><span class="x">,</span> <span class="mf">5.5</span><span class="x">]</span> <span class="n">ptr_julia</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">julia_data</span><span class="x">)</span> <span class="n">num_elements</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">julia_data</span><span class="x">)</span> <span class="c"># 2. Use 'unsafe_wrap' to create an Array VIEW.</span> <span class="c"># Syntax: unsafe_wrap(Array, pointer::Ptr{T}, dims; own = false)</span> <span class="c"># 'dims' can be an integer (for Vector) or a tuple (for multi-dim).</span> <span class="c"># 'own = false' (default) means Julia does NOT own/manage this memory.</span> <span class="n">wrapped_array</span> <span class="o">=</span> <span class="n">unsafe_wrap</span><span class="x">(</span><span class="kt">Array</span><span class="x">,</span> <span class="n">ptr_julia</span><span class="x">,</span> <span class="n">num_elements</span><span class="x">;</span> <span class="n">own</span> <span class="o">=</span> <span class="nb">false</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original Julia data: "</span><span class="x">,</span> <span class="n">julia_data</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Wrapped array view: "</span><span class="x">,</span> <span class="n">wrapped_array</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of wrapped array: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">wrapped_array</span><span class="x">))</span> <span class="c"># Vector{Float64}</span> <span class="c"># 3. Modifications through the view AFFECT the original data.</span> <span class="c"># They share the same underlying memory. No copy was made.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Modifying wrapped_array[1] = 99.9"</span><span class="x">)</span> <span class="n">wrapped_array</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="mf">99.9</span> <span class="n">println</span><span class="x">(</span><span class="s">"Wrapped array view is now: "</span><span class="x">,</span> <span class="n">wrapped_array</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original Julia data is now: "</span><span class="x">,</span> <span class="n">julia_data</span><span class="x">)</span> <span class="c"># Also changed!</span> <span class="c"># --- Case 2: Wrapping Memory Allocated Outside Julia (e.g., C) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Wrapping Externally Allocated Memory (Taking Ownership) ---"</span><span class="x">)</span> <span class="c"># 4. Allocate memory using C's malloc (via Libc).</span> <span class="c"># This memory is NOT tracked by Julia's GC initially.</span> <span class="n">bytes_to_alloc</span> <span class="o">=</span> <span class="mi">3</span> <span class="o">*</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Int64</span><span class="x">)</span> <span class="n">ptr_malloc_void</span> <span class="o">=</span> <span class="n">Libc</span><span class="o">.</span><span class="n">malloc</span><span class="x">(</span><span class="n">bytes_to_alloc</span><span class="x">)</span> <span class="k">if</span> <span class="n">ptr_malloc_void</span> <span class="o">==</span> <span class="nb">C_NULL</span> <span class="n">error</span><span class="x">(</span><span class="s">"malloc failed"</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Cast the void* to a typed pointer</span> <span class="n">ptr_malloc_int</span> <span class="o">=</span> <span class="n">convert</span><span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Int64</span><span class="x">},</span> <span class="n">ptr_malloc_void</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Allocated external memory at: "</span><span class="x">,</span> <span class="n">ptr_malloc_int</span><span class="x">)</span> <span class="c"># 5. Wrap the C memory, passing 'own = true'.</span> <span class="c"># 'own = true' tells Julia's GC to take ownership of this pointer</span> <span class="c"># and call 'Libc.free()' on it when the wrapped array is finalized.</span> <span class="n">owned_array</span> <span class="o">=</span> <span class="n">unsafe_wrap</span><span class="x">(</span><span class="kt">Array</span><span class="x">,</span> <span class="n">ptr_malloc_int</span><span class="x">,</span> <span class="mi">3</span><span class="x">;</span> <span class="n">own</span> <span class="o">=</span> <span class="nb">true</span><span class="x">)</span> <span class="c"># 6. Initialize and use the array.</span> <span class="n">owned_array</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="mi">1000</span> <span class="n">owned_array</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="o">=</span> <span class="mi">2000</span> <span class="n">owned_array</span><span class="x">[</span><span class="mi">3</span><span class="x">]</span> <span class="o">=</span> <span class="mi">3000</span> <span class="n">println</span><span class="x">(</span><span class="s">"Owned wrapped array: "</span><span class="x">,</span> <span class="n">owned_array</span><span class="x">)</span> <span class="c"># 7. IMPORTANT: We do NOT manually call Libc.free(ptr_malloc_void).</span> <span class="c"># The GC will handle it because we passed 'own = true'.</span> <span class="c"># Manually freeing would cause a double-free crash later.</span> <span class="c"># --- DANGER: Using 'own=true' on Julia Memory ---</span> <span class="c"># 8. NEVER use 'own=true' when wrapping memory from another Julia object.</span> <span class="c"># ptr_julia_bad = pointer(julia_data)</span> <span class="c"># WRONG: owned_bad = unsafe_wrap(Array, ptr_julia_bad, num_elements; own = true)</span> <span class="c"># This would tell the GC to 'free()' the memory managed by 'julia_data',</span> <span class="c"># leading to heap corruption and likely crashes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Finished unsafe_wrap examples."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <code>unsafe_wrap(Array, ...)</code>, a powerful function for creating a Julia <code>Array</code> object that acts as a <strong>zero-copy view</strong> onto a raw block of memory specified by a pointer. This is fundamental for high-performance interoperability with C libraries or for working directly with memory buffers.</p> <h2> Core Concept: Zero-Copy View </h2> <ul> <li> <code>unsafe_wrap(Array, pointer::Ptr{T}, dims; own=false)</code> constructs a standard Julia <code>Array</code> (e.g., <code>Vector{T}</code> or <code>Matrix{T}</code>) whose underlying data <em>is</em> the memory block starting at <code>pointer</code>.</li> <li> <strong>No Data Copy:</strong> Absolutely no data is copied during this operation. The created array directly uses the memory pointed to by <code>pointer</code>. This makes it extremely fast.</li> <li> <strong>Shared Memory:</strong> As demonstrated in Case 1, modifications made through the <code>wrapped_array</code> are instantly reflected in the original <code>julia_data</code> because they operate on the exact same memory locations.</li> </ul> <h2> The <code>own</code> Parameter: Managing Memory Ownership </h2> <p>This boolean keyword argument is <strong>critically important</strong> for memory safety:</p> <ul> <li> <strong><code>own = false</code> (Default - "Borrowing"):</strong> <ul> <li>Use this when the memory pointed to by <code>pointer</code> is <strong>managed elsewhere</strong>.</li> <li>Examples: <ul> <li>Wrapping a pointer obtained from another Julia object (like <code>pointer(julia_data)</code>). The Julia GC owns <code>julia_data</code>.</li> <li>Wrapping a pointer returned by a C library where the C library <em>retains ownership</em> and will free the memory later.</li> </ul> </li> <li>You are telling Julia's GC: "Do <strong>not</strong> try to <code>free</code> this memory when the wrapped array goes out of scope."</li> </ul> </li> <li> <strong><code>own = true</code> (Taking Ownership):</strong> <ul> <li>Use this <strong>only</strong> when the memory pointed to by <code>pointer</code> was allocated using a mechanism like C's <code>malloc</code> (or <code>Libc.malloc</code>), and you want to <strong>transfer ownership</strong> of that memory block to the Julia GC.</li> <li>You are telling Julia's GC: "When this wrapped array object is finalized (no longer reachable), you <strong>must call <code>Libc.free()</code></strong> on the original <code>pointer</code> to release the memory."</li> <li> <strong>CRITICAL DANGER:</strong> Never use <code>own = true</code> on a pointer obtained from another Julia object (like <code>pointer(A)</code>). This will cause the GC to incorrectly <code>free</code> memory it doesn't own, leading to <strong>heap corruption</strong> and crashes (double-free).</li> </ul> </li> </ul> <h2> Use Cases </h2> <ul> <li> <strong>C Interoperability (HFT):</strong> When a C library (e.g., a market data feed handler) gives you a <code>Ptr{OrderUpdate}</code> pointing to a large buffer of updates, you use <code>unsafe_wrap(Array, ptr, num_updates; own=false)</code> to instantly get a <code>Vector{OrderUpdate}</code> (assuming <code>OrderUpdate</code> is an <code>isbits struct</code> with matching layout) without any copying. You can then process this vector using fast, idiomatic Julia code.</li> <li> <strong>Memory-Mapped Files:</strong> Wrapping pointers obtained from memory-mapping large files allows processing huge datasets that don't fit in RAM as if they were regular Julia arrays.</li> <li> <strong>Shared Memory:</strong> Working with pointers to shared memory segments used for inter-process communication.</li> </ul> <p><code>unsafe_wrap</code> provides the crucial link between Julia's high-level array interface and low-level memory buffers, enabling maximum performance in data-intensive scenarios. However, misuse of the <code>own</code> parameter is a common source of serious memory errors.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>unsafe_wrap</code>:</strong> "Wrap a pointer <code>p</code> to an array of element type <code>T</code>..." Explains arguments including <code>own</code>.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Libc.malloc</code>, <code>Libc.free</code>:</strong> Functions for interacting with the C standard library's memory allocation.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0093_unsafe_wrap.jl <span class="nt">---</span> Wrapping a Julia Array<span class="s1">'s Pointer (Borrowing) --- Original Julia data: [1.1, 2.2, 3.3, 4.4, 5.5] Wrapped array view: [1.1, 2.2, 3.3, 4.4, 5.5] Type of wrapped array: Vector{Float64} (alias for Array{Float64, 1}) Modifying wrapped_array[1] = 99.9 Wrapped array view is now: [99.9, 2.2, 3.3, 4.4, 5.5] Original Julia data is now: [99.9, 2.2, 3.3, 4.4, 5.5] --- Wrapping Externally Allocated Memory (Taking Ownership) --- Allocated external memory at: Ptr{Int64}(0x...) Owned wrapped array: [1000, 2000, 3000] Finished unsafe_wrap examples. </span></code></pre> </div> <p><em>(Memory addresses will vary.)</em></p> <h3> <code>0094_unsafe_string.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0094_unsafe_string.jl</span> <span class="c"># Creates a Julia String by COPYING data from a raw pointer.</span> <span class="c"># --- Case 1: Null-Terminated C String ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Creating String from Null-Terminated Pointer ---"</span><span class="x">)</span> <span class="c"># 1. Simulate a C string: Vector{UInt8} ending with 0x00.</span> <span class="c"># This data is managed by Julia's GC.</span> <span class="n">c_string_data</span> <span class="o">=</span> <span class="kt">UInt8</span><span class="x">[</span><span class="sc">'H'</span><span class="x">,</span> <span class="sc">'e'</span><span class="x">,</span> <span class="sc">'l'</span><span class="x">,</span> <span class="sc">'l'</span><span class="x">,</span> <span class="sc">'o'</span><span class="x">,</span> <span class="sc">'\0'</span><span class="x">]</span> <span class="c"># '\0' is the null terminator</span> <span class="n">ptr_null</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">c_string_data</span><span class="x">)</span> <span class="c"># Gets a Ptr{UInt8}</span> <span class="c"># 2. Use 'unsafe_string(pointer)'</span> <span class="c"># This function reads bytes starting at 'ptr_null' and *copies* them</span> <span class="c"># into a NEW, heap-allocated Julia String.</span> <span class="c"># It stops copying when it encounters the first null byte (0x00).</span> <span class="c"># The null byte itself is NOT included in the Julia String.</span> <span class="n">julia_string_from_null</span> <span class="o">=</span> <span class="n">unsafe_string</span><span class="x">(</span><span class="n">ptr_null</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original C data (bytes): "</span><span class="x">,</span> <span class="n">c_string_data</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia string (from null): "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">julia_string_from_null</span><span class="x">))</span> <span class="c"># Use repr to see quotes</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">julia_string_from_null</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Length: "</span><span class="x">,</span> <span class="n">length</span><span class="x">(</span><span class="n">julia_string_from_null</span><span class="x">))</span> <span class="c"># Length is 5, excludes null</span> <span class="c"># --- Case 2: Pointer to Data with Known Length ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Creating String from Pointer + Length ---"</span><span class="x">)</span> <span class="c"># 3. Simulate a buffer without a null terminator (e.g., from network).</span> <span class="n">c_buffer_data</span> <span class="o">=</span> <span class="kt">UInt8</span><span class="x">[</span><span class="sc">'W'</span><span class="x">,</span> <span class="sc">'o'</span><span class="x">,</span> <span class="sc">'r'</span><span class="x">,</span> <span class="sc">'l'</span><span class="x">,</span> <span class="sc">'d'</span><span class="x">]</span> <span class="n">ptr_len</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">c_buffer_data</span><span class="x">)</span> <span class="n">buffer_length</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">c_buffer_data</span><span class="x">)</span> <span class="c"># 5</span> <span class="c"># 4. Use 'unsafe_string(pointer, length)'</span> <span class="c"># This function reads *exactly* 'length' bytes starting at 'ptr_len'</span> <span class="c"># and *copies* them into a NEW Julia String.</span> <span class="c"># It does NOT look for a null terminator.</span> <span class="n">julia_string_from_len</span> <span class="o">=</span> <span class="n">unsafe_string</span><span class="x">(</span><span class="n">ptr_len</span><span class="x">,</span> <span class="n">buffer_length</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original C buffer (bytes): "</span><span class="x">,</span> <span class="n">c_buffer_data</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia string (from length): "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">julia_string_from_len</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">julia_string_from_len</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Length: "</span><span class="x">,</span> <span class="n">length</span><span class="x">(</span><span class="n">julia_string_from_len</span><span class="x">))</span> <span class="c"># Length is 5</span> <span class="c"># --- Demonstrating the Copy ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Demonstrating the Copy (vs. unsafe_wrap) ---"</span><span class="x">)</span> <span class="c"># 5. Modify the original C data *after* creating the Julia string.</span> <span class="n">c_string_data</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="kt">UInt8</span><span class="x">(</span><span class="sc">'J'</span><span class="x">)</span> <span class="c"># Change 'H' to 'J'</span> <span class="c"># 6. The Julia string remains UNCHANGED because it's a copy.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original C data modified: "</span><span class="x">,</span> <span class="n">c_string_data</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia string (from null) is unchanged: "</span><span class="x">,</span> <span class="n">repr</span><span class="x">(</span><span class="n">julia_string_from_null</span><span class="x">))</span> <span class="c"># Still "Hello"</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <code>unsafe_string()</code>, the standard function for creating a Julia <code>String</code> object from a raw pointer (<code>Ptr{UInt8}</code>), typically obtained from C code. Crucially, unlike <code>unsafe_wrap</code> for arrays, <code>unsafe_string</code> <strong>always copies</strong> the data.</p> <h2> Core Concept: Copying Bytes into a <code>String</code> </h2> <ul> <li> <strong><code>unsafe_string(pointer::Ptr{UInt8})</code>:</strong> <ul> <li> <strong>Purpose:</strong> Converts a <strong>null-terminated</strong> C-style string (<code>char*</code>) into a Julia <code>String</code>.</li> <li> <strong>Behavior:</strong> It starts reading bytes from the memory address <code>pointer</code>. It <strong>copies</strong> each byte into a newly allocated Julia <code>String</code> object until it encounters the <strong>first null byte (<code>0x00</code>)</strong>. The null byte itself is <strong>not included</strong> in the resulting <code>String</code>.</li> <li> <strong>Use Case:</strong> This is the primary function for handling strings returned by C functions that follow the null-termination convention.</li> </ul> </li> <li> <strong><code>unsafe_string(pointer::Ptr{UInt8}, length::Integer)</code>:</strong> <ul> <li> <strong>Purpose:</strong> Converts a sequence of bytes of a <strong>known length</strong> (which might <strong>not</strong> be null-terminated) into a Julia <code>String</code>.</li> <li> <strong>Behavior:</strong> It reads exactly <code>length</code> bytes starting from <code>pointer</code> and <strong>copies</strong> them into a newly allocated Julia <code>String</code>. It does <strong>not</strong> look for, require, or stop at null bytes.</li> <li> <strong>Use Case:</strong> Essential for handling data from sources where the length is provided separately, such as network packets, fixed-width fields in binary files, or C APIs that return a <code>char*</code> and a <code>size_t</code>.</li> </ul> </li> </ul> <h2> Why <code>unsafe_string</code> <em>Copies</em> (Unlike <code>unsafe_wrap</code>) </h2> <p>This copying behavior is deliberate and important for safety and correctness, distinguishing it fundamentally from <code>unsafe_wrap(Array, ...)</code>:</p> <ol> <li> <strong>Immutability:</strong> Julia <code>String</code>s are <strong>immutable</strong>. Once created, their content cannot be changed. If <code>unsafe_string</code> created a <em>view</em> (like <code>unsafe_wrap</code>), modifying the original C buffer later would violate the Julia <code>String</code>'s immutability guarantee. By copying, the Julia <code>String</code> becomes independent of the original C memory. (The script demonstrates this: changing <code>c_string_data</code> does <em>not</em> affect <code>julia_string_from_null</code>).</li> <li> <strong>Ownership &amp; GC:</strong> The copied data is stored in a new <code>String</code> object managed by Julia's Garbage Collector (GC). The GC knows how to track and eventually free this memory. The original C pointer might point to memory managed by C (e.g., <code>malloc</code>/<code>free</code>) or temporary stack memory; Julia cannot safely manage that memory directly through a <code>String</code> view.</li> <li> <strong>UTF-8 Validation (Implicit):</strong> While <code>unsafe_string</code> itself might not strictly validate during the copy for performance, the resulting <code>String</code> object is expected to hold valid UTF-8 data. Copying provides an opportunity (even if sometimes deferred) to ensure this, whereas a direct view would expose Julia code to potentially invalid byte sequences from C.</li> </ol> <p>While the copy introduces a small performance cost compared to a zero-copy view, it's necessary to maintain the guarantees and safety of Julia's immutable <code>String</code> type when interfacing with potentially volatile C memory.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>unsafe_string</code>:</strong> "Copy data from a <code>Ptr{UInt8}</code> into a <code>String</code>." Describes both the null-terminated and length-based versions.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0094_unsafe_string.jl <span class="nt">---</span> Creating String from Null-Terminated Pointer <span class="nt">---</span> Original C data <span class="o">(</span>bytes<span class="o">)</span>: UInt8[0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x00] Julia string <span class="o">(</span>from null<span class="o">)</span>: <span class="s2">"Hello"</span> Type: String Length: 5 <span class="nt">---</span> Creating String from Pointer + Length <span class="nt">---</span> Original C buffer <span class="o">(</span>bytes<span class="o">)</span>: UInt8[0x57, 0x6f, 0x72, 0x6c, 0x64] Julia string <span class="o">(</span>from length<span class="o">)</span>: <span class="s2">"World"</span> Type: String Length: 5 <span class="nt">---</span> Demonstrating the Copy <span class="o">(</span>vs. unsafe_wrap<span class="o">)</span> <span class="nt">---</span> Original C data modified: UInt8[0x4a, 0x65, 0x6c, 0x6c, 0x6f, 0x00] Julia string <span class="o">(</span>from null<span class="o">)</span> is unchanged: <span class="s2">"Hello"</span> </code></pre> </div> <h3> <code>0095_reinterpret.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0095_reinterpret.jl</span> <span class="c"># Demonstrates 'reinterpret' for zero-copy type punning.</span> <span class="c"># 1. Start with an array of one 'isbits' type.</span> <span class="n">A_float</span> <span class="o">=</span> <span class="kt">Float64</span><span class="x">[</span><span class="mf">1.0</span><span class="x">,</span> <span class="o">-</span><span class="mf">2.0</span><span class="x">,</span> <span class="nb">π</span><span class="x">,</span> <span class="mf">0.0</span><span class="x">]</span> <span class="c"># Vector{Float64}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original array (Float64): "</span><span class="x">,</span> <span class="n">A_float</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sizeof elements: "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">eltype</span><span class="x">(</span><span class="n">A_float</span><span class="x">)),</span> <span class="s">" bytes"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"First element bits: "</span><span class="x">,</span> <span class="n">bitstring</span><span class="x">(</span><span class="n">A_float</span><span class="x">[</span><span class="mi">1</span><span class="x">]))</span> <span class="c"># --- Reinterpret to Same-Size Type ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reinterpret: Float64 -&gt; UInt64 ---"</span><span class="x">)</span> <span class="c"># 2. Use 'reinterpret(NewType, Array)'</span> <span class="c"># 'NewType' must have the same size as 'eltype(Array)'.</span> <span class="c"># This creates a VIEW, not a copy. It interprets the *exact same bytes*</span> <span class="c"># as the new type.</span> <span class="n">B_uint</span> <span class="o">=</span> <span class="n">reinterpret</span><span class="x">(</span><span class="kt">UInt64</span><span class="x">,</span> <span class="n">A_float</span><span class="x">)</span> <span class="c"># Becomes Vector{UInt64}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Reinterpreted array (UInt64): "</span><span class="x">,</span> <span class="n">B_uint</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Sizeof elements: "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="n">eltype</span><span class="x">(</span><span class="n">B_uint</span><span class="x">)),</span> <span class="s">" bytes"</span><span class="x">)</span> <span class="c"># Still 8</span> <span class="n">println</span><span class="x">(</span><span class="s">"First element bits: "</span><span class="x">,</span> <span class="n">bitstring</span><span class="x">(</span><span class="n">B_uint</span><span class="x">[</span><span class="mi">1</span><span class="x">]))</span> <span class="c"># Same bits as A_float[1]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of reinterpreted array: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">B_uint</span><span class="x">))</span> <span class="c"># 3. Modifications through the view AFFECT the original data.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Modifying view B_uint[4] = 0x0000_0000_0000_0000"</span><span class="x">)</span> <span class="n">B_uint</span><span class="x">[</span><span class="mi">4</span><span class="x">]</span> <span class="o">=</span> <span class="mh">0x0000_0000_0000_0000</span> <span class="c"># Set the bits for 0.0 to all zeros</span> <span class="n">println</span><span class="x">(</span><span class="s">"View B_uint is now: "</span><span class="x">,</span> <span class="n">B_uint</span><span class="x">)</span> <span class="c"># A_float[4] was 0.0, which has a specific bit pattern (usually all zeros).</span> <span class="c"># Let's check A_float[1] after changing B_uint[4] - it should be unchanged.</span> <span class="c"># Re-check A_float[4] which should reflect the change if it was originally non-zero.</span> <span class="c"># (Let's modify B_uint[1] instead for a clearer effect)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Modifying view B_uint[1] using bitwise XOR..."</span><span class="x">)</span> <span class="n">B_uint</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">=</span> <span class="n">B_uint</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="n">⊻</span> <span class="x">(</span><span class="kt">UInt64</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="o">&lt;&lt;</span> <span class="mi">63</span><span class="x">)</span> <span class="c"># Flip the sign bit</span> <span class="n">println</span><span class="x">(</span><span class="s">"View B_uint[1] is now (bits): "</span><span class="x">,</span> <span class="n">bitstring</span><span class="x">(</span><span class="n">B_uint</span><span class="x">[</span><span class="mi">1</span><span class="x">]))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original A_float[1] is now: "</span><span class="x">,</span> <span class="n">A_float</span><span class="x">[</span><span class="mi">1</span><span class="x">])</span> <span class="c"># Should now be -1.0</span> <span class="c"># --- Reinterpret to Smaller Type ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reinterpret: Float64 -&gt; UInt8 ---"</span><span class="x">)</span> <span class="c"># 4. Reinterpret to a type with a smaller size.</span> <span class="c"># sizeof(UInt8) = 1 byte. sizeof(Float64) = 8 bytes.</span> <span class="c"># The resulting array will be larger.</span> <span class="n">C_uint8</span> <span class="o">=</span> <span class="n">reinterpret</span><span class="x">(</span><span class="kt">UInt8</span><span class="x">,</span> <span class="n">A_float</span><span class="x">)</span> <span class="c"># Becomes Vector{UInt8}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Reinterpreted array (UInt8): "</span><span class="x">,</span> <span class="n">C_uint8</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Length of UInt8 array: "</span><span class="x">,</span> <span class="n">length</span><span class="x">(</span><span class="n">C_uint8</span><span class="x">))</span> <span class="c"># length(A_float) * 8</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of reinterpreted array: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">C_uint8</span><span class="x">))</span> <span class="c"># The first 8 bytes of C_uint8 correspond to the bytes of A_float[1]</span> <span class="n">println</span><span class="x">(</span><span class="s">"First 8 bytes (UInt8): "</span><span class="x">,</span> <span class="n">C_uint8</span><span class="x">[</span><span class="mi">1</span><span class="o">:</span><span class="mi">8</span><span class="x">])</span> <span class="c"># --- Reinterpret Single Values ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Reinterpret Single Values ---"</span><span class="x">)</span> <span class="c"># 5. Reinterpret can also work on single isbits values.</span> <span class="n">f_val</span><span class="o">::</span><span class="kt">Float64</span> <span class="o">=</span> <span class="o">-</span><span class="mf">1.0</span> <span class="n">u_val</span><span class="o">::</span><span class="kt">UInt64</span> <span class="o">=</span> <span class="n">reinterpret</span><span class="x">(</span><span class="kt">UInt64</span><span class="x">,</span> <span class="n">f_val</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value -1.0 (Float64): "</span><span class="x">,</span> <span class="n">f_val</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value -1.0 reinterpreted as UInt64 (hex): 0x"</span><span class="x">,</span> <span class="n">string</span><span class="x">(</span><span class="n">u_val</span><span class="x">,</span> <span class="n">base</span><span class="o">=</span><span class="mi">16</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value -1.0 reinterpreted as UInt64 (bits): "</span><span class="x">,</span> <span class="n">bitstring</span><span class="x">(</span><span class="n">u_val</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <code>reinterpret(NewType, A)</code>, a powerful <strong>zero-copy</strong> operation that allows you to view the raw memory bytes of an array <code>A</code> as if they represented elements of <code>NewType</code>. This is often called "type punning."</p> <h2> Core Concept: Viewing Bits Differently </h2> <ul> <li> <code>reinterpret(NewType, A)</code> creates a <strong>new array view</strong> that shares the <strong>exact same underlying memory</strong> as the original array <code>A</code>.</li> <li>It does <strong>not</strong> copy any data.</li> <li>It does <strong>not</strong> convert values (like <code>Float64(1)</code> converts an <code>Int</code> to a <code>Float</code>).</li> <li>Instead, it simply changes how Julia <strong>interprets the bits</strong> stored in memory. It tells the compiler: "Look at this block of memory that you thought was an array of <code>Float64</code>s; now, interpret those same bits as an array of <code>UInt64</code>s (or <code>UInt8</code>s, etc.)." </li> </ul> <h2> Size Requirements and Resulting Dimensions </h2> <p>The relationship between the size of the original element type (<code>eltype(A)</code>) and <code>NewType</code> determines the dimensions of the resulting view:</p> <ol> <li> <strong><code>sizeof(NewType) == sizeof(eltype(A))</code></strong> (e.g., <code>Float64</code> -&gt; <code>UInt64</code>, both 8 bytes): <ul> <li>The resulting array view has the <strong>same dimensions</strong> as the original array <code>A</code>.</li> <li> <code>reinterpret(UInt64, A_float)</code> produces a <code>Vector{UInt64}</code> with the same length as <code>A_float</code>.</li> </ul> </li> <li> <strong><code>sizeof(NewType) &lt; sizeof(eltype(A))</code></strong> (e.g., <code>Float64</code> -&gt; <code>UInt8</code>, 8 bytes -&gt; 1 byte): <ul> <li>The resulting array view will have an <strong>additional first dimension</strong> whose size is <code>sizeof(eltype(A)) ÷ sizeof(NewType)</code>.</li> <li> <code>reinterpret(UInt8, A_float)</code> treats each <code>Float64</code> as 8 consecutive <code>UInt8</code>s. The result is a <code>Vector{UInt8}</code> whose length is <code>length(A_float) * 8</code>. If <code>A_float</code> were a matrix, the result would effectively add a dimension of size 8.</li> </ul> </li> <li> <strong><code>sizeof(NewType) &gt; sizeof(eltype(A))</code></strong> (e.g., <code>UInt8</code> -&gt; <code>UInt64</code>): <ul> <li>This requires the first dimension of <code>A</code> to be appropriately sized (<code>sizeof(NewType) ÷ sizeof(eltype(A))</code>). This dimension is then removed in the resulting view. This case is less common.</li> </ul> </li> </ol> <h2> Performance and Use Cases (HFT Context) </h2> <p><code>reinterpret</code> is a critical tool for low-level performance optimization and data manipulation:</p> <ul> <li> <strong>Zero-Copy:</strong> It avoids memory allocation and copying, making it extremely fast.</li> <li> <strong>Bitwise Operations:</strong> Floating-point types (<code>Float32</code>, <code>Float64</code>) don't support bitwise operations (<code>&amp;</code>, <code>|</code>, <code>⊻</code>, shifts). To perform bit-level checks or manipulations on the IEEE 754 representation of a float (e.g., quickly checking the sign bit, extracting exponent/mantissa bits), you <code>reinterpret</code> it as an unsigned integer (<code>UInt32</code>, <code>UInt64</code>) of the same size. We demonstrate flipping the sign bit (<code>UInt64(1) &lt;&lt; 63</code>) of <code>A_float[1]</code> via the <code>B_uint</code> view.</li> <li> <strong>Serialization/Network I/O:</strong> When sending an array of <code>Float64</code>s over the network or saving to a binary file, you often need a raw byte stream (<code>Vector{UInt8}</code>). <code>reinterpret(UInt8, A_float)</code> provides this <strong>zero-copy view</strong> of the underlying bytes, which can then be written directly to an <code>IO</code> stream.</li> <li> <strong>Hashing:</strong> Calculating a hash over raw bytes (<code>Vector{UInt8}</code>) can sometimes be faster or provide different properties than hashing structured data (<code>Vector{Float64}</code>). <code>reinterpret</code> allows accessing those bytes directly.</li> </ul> <h2> Shared Memory </h2> <p>Because <code>reinterpret</code> creates a view, modifying the reinterpreted array (<code>B_uint</code>) directly modifies the bits in the memory shared with the original array (<code>A_float</code>), changing its value, as demonstrated by flipping the sign bit.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>reinterpret</code>:</strong> "Change the type-interpretation of a block of memory... without copying data." Explains the dimension changes based on type sizes.</li> <li> <strong>IEEE 754 Standard:</strong> Defines the binary representation of floating-point numbers, which is what allows <code>reinterpret</code> between floats and integers to be meaningful for bitwise manipulation.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0095_reinterpret.jl Original array <span class="o">(</span>Float64<span class="o">)</span>: <span class="o">[</span>1.0, <span class="nt">-2</span>.0, 3.141592653589793, 0.0] Sizeof elements: 8 bytes First element bits: 0011111111110000000000000000000000000000000000000000000000000000 <span class="nt">---</span> Reinterpret: Float64 -&gt; UInt64 <span class="nt">---</span> Reinterpreted array <span class="o">(</span>UInt64<span class="o">)</span>: <span class="o">[</span>4607182418800017408, 13830554455654793216, 4614256656552045848, 0] Sizeof elements: 8 bytes First element bits: 0011111111110000000000000000000000000000000000000000000000000000 Type of reinterpreted array: Vector<span class="o">{</span>UInt64<span class="o">}</span> <span class="o">(</span><span class="nb">alias </span><span class="k">for </span>Array<span class="o">{</span>UInt64, 1<span class="o">})</span> Modifying view B_uint[1] using bitwise XOR... View B_uint[1] is now <span class="o">(</span>bits<span class="o">)</span>: 1011111111110000000000000000000000000000000000000000000000000000 Original A_float[1] is now: <span class="nt">-1</span>.0 <span class="nt">---</span> Reinterpret: Float64 -&gt; UInt8 <span class="nt">---</span> Reinterpreted array <span class="o">(</span>UInt8<span class="o">)</span>: UInt8[0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xbf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x18, 0x2d, 0x44, 0x54, 0xfb, 0x21, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00] Length of UInt8 array: 32 Type of reinterpreted array: Vector<span class="o">{</span>UInt8<span class="o">}</span> <span class="o">(</span><span class="nb">alias </span><span class="k">for </span>Array<span class="o">{</span>UInt8, 1<span class="o">})</span> First 8 bytes <span class="o">(</span>UInt8<span class="o">)</span>: UInt8[0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xbf] <span class="nt">---</span> Reinterpret Single Values <span class="nt">---</span> Value <span class="nt">-1</span>.0 <span class="o">(</span>Float64<span class="o">)</span>: <span class="nt">-1</span>.0 Value <span class="nt">-1</span>.0 reinterpreted as UInt64 <span class="o">(</span>hex<span class="o">)</span>: 0xbff0000000000000 Value <span class="nt">-1</span>.0 reinterpreted as UInt64 <span class="o">(</span>bits<span class="o">)</span>: 1011111111110000000000000000000000000000000000000000000000000000 </code></pre> </div> <p><em>(Byte order in the <code>UInt8</code> array may vary depending on system endianness. Bit patterns and hex value for -1.0 are standard IEEE 754.)</em></p> <h1> Module 10: Advanced Parallelism and Thread Safety </h1> <h2> Multi Threading </h2> <h3> <code>0096_module_intro.md</code> </h3> <p>This module tackles <strong>parallelism</strong>, the technique of executing computations simultaneously to leverage modern multi-core processors. We will distinguish this sharply from the <strong>concurrency</strong> explored in Module 7 and introduce Julia's powerful tools for both shared-memory (multi-threading) and distributed-memory (multi-processing) parallelism.</p> <h2> Concurrency vs. Parallelism Revisited </h2> <ul> <li> <strong>Concurrency (Module 7):</strong> Primarily managed with <code>Task</code>s (<code>@async</code>). Focuses on <strong>managing many tasks over time</strong>, often interleaving their execution on a <strong>single OS thread</strong>. Tasks yield control during blocking operations (like I/O or <code>sleep</code>), preventing one slow operation from halting progress on others. Excellent for I/O-bound workloads (like handling many network clients).</li> <li> <strong>Parallelism (This Module):</strong> Focuses on <strong>executing multiple tasks truly simultaneously</strong> to speed up CPU-bound work. This requires utilizing multiple CPU cores via: <ul> <li> <strong>Multi-Threading:</strong> Multiple OS threads operating within a <strong>single process</strong>, sharing the same memory space.</li> <li> <strong>Multi-Processing:</strong> Multiple independent OS <strong>processes</strong>, each with its own separate memory space.</li> </ul> </li> </ul> <h2> Julia's Parallelism Advantage: No GIL </h2> <p>A defining feature, especially compared to languages like CPython, is Julia's <strong>lack of a Global Interpreter Lock (GIL)</strong>. This means:</p> <ul> <li> <strong>True Shared-Memory Parallelism:</strong> Julia code running on Thread 1 can execute <em>at the exact same physical time</em> as Julia code running on Thread 2, provided they are scheduled on different CPU cores. </li> <li> <strong>C++/Rust Level Capability:</strong> This enables genuine in-process, shared-memory parallelism, matching the capabilities of compiled languages like C++ and Rust, which is crucial for maximizing performance on modern hardware.</li> </ul> <h2> The Responsibility: Thread Safety </h2> <p>With the power of shared-memory parallelism comes the absolute requirement of <strong>thread safety</strong>.</p> <ul> <li> <strong>Data Races:</strong> When multiple threads access shared, mutable data without proper synchronization, and at least one access is a write, you have a <strong>data race</strong>. This leads to unpredictable results, memory corruption, and non-deterministic crashes that are notoriously difficult to debug.</li> <li> <strong>Synchronization:</strong> Protecting shared data requires <strong>synchronization mechanisms</strong> like locks or atomic operations to ensure that critical sections of code are executed by only one thread at a time or that updates happen indivisibly.</li> <li> <strong>Non-Negotiable:</strong> Failure to ensure thread safety <em>will</em> break your program in subtle and catastrophic ways. Understanding and correctly applying synchronization primitives is not optional; it's a fundamental requirement of multi-threaded programming.</li> </ul> <h2> Relevance to High-Performance Computing (HFT) </h2> <p>Parallelism is essential for low-latency systems:</p> <ul> <li>Processing data from multiple market feeds simultaneously.</li> <li>Running computationally intensive calculations (e.g., signal processing, model execution) for different instruments or strategies in parallel.</li> <li>Reacting to incoming events with minimal delay by dedicating threads or processes to specific tasks.</li> </ul> <p>The tools covered in this module—<code>Threads</code>, <code>Distributed</code>, atomics, and SIMD—are the building blocks for constructing such high-performance, parallel systems in Julia.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Parallel Computing":</strong> Provides a high-level overview of Julia's multi-threading and distributed computing capabilities.</li> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading":</strong> Details the specifics of Julia's threading model and associated tools.</li> </ul> </li> </ul> <h3> <code>0097_launching_with_threads.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0097_launching_with_threads.jl</span> <span class="c"># How to enable and check Julia's multi-threading capabilities.</span> <span class="c"># 1. Access the 'Threads' module (part of Base Julia).</span> <span class="c"># No 'import' is needed for names directly in 'Base.Threads'.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span> <span class="c"># Import the module itself to be explicit</span> <span class="c"># 2. Get the number of threads Julia was started with.</span> <span class="c"># 'Threads.nthreads()' returns the size of the thread pool.</span> <span class="n">num_threads</span> <span class="o">=</span> <span class="n">Threads</span><span class="o">.</span><span class="n">nthreads</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia process launched with </span><span class="si">$</span><span class="s">num_threads thread(s)."</span><span class="x">)</span> <span class="c"># 3. Check if multi-threading is actually enabled.</span> <span class="c"># If nthreads() == 1, parallel execution is not possible.</span> <span class="k">if</span> <span class="n">num_threads</span> <span class="o">==</span> <span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"WARNING: Multi-threading is DISABLED."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Performance will be limited to a single core."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"To enable parallelism for subsequent lessons, restart Julia"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"using one of the following methods:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" a) Command Line: julia -t N (e.g., julia -t 4)"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" b) Command Line: julia -t auto (uses all available logical cores)"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" c) Environment Variable: export JULIA_NUM_THREADS=N (before starting Julia)"</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"SUCCESS: Multi-threading is ENABLED."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Parallel execution using up to </span><span class="si">$</span><span class="s">num_threads threads is possible."</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 4. Get the ID of the *current* OS thread executing this code.</span> <span class="c"># Thread IDs range from 1 to nthreads().</span> <span class="c"># The main thread (that runs the script initially) is always ID 1.</span> <span class="n">main_thread_id</span> <span class="o">=</span> <span class="n">Threads</span><span class="o">.</span><span class="n">threadid</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"This main script is currently running on thread ID: </span><span class="si">$</span><span class="s">main_thread_id"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script explains how Julia's multi-threading capabilities are <strong>enabled at startup</strong> and how to verify the configuration. Unlike some languages where threading is always available, Julia requires an explicit opt-in to create its pool of worker threads.</p> <ul> <li> <strong>Core Concept: Startup Configuration</strong> Julia's parallel scheduler uses a pool of <strong>Operating System (OS) threads</strong>. This pool is created <strong>only once</strong> when the Julia process starts. You <strong>cannot</strong> change the number of threads after Julia has started.</li> <li> <strong>Enabling Threads:</strong> To utilize multiple CPU cores for parallel execution, you <em>must</em> tell Julia how many threads to create when you launch it. There are three primary methods: <ol> <li> <strong><code>-t N</code> / <code>--threads N</code> Command-Line Flag:</strong> <code>julia -t 4 my_script.jl</code> starts Julia with a main thread and 3 additional worker threads, for a total of 4 threads available via <code>Threads.nthreads()</code>.</li> <li> <strong><code>-t auto</code> / <code>--threads auto</code> Flag:</strong> <code>julia -t auto my_script.jl</code> automatically detects the number of logical CPU cores on your machine and sets <code>N</code> to that value. This is often the most convenient option.</li> <li> <strong><code>JULIA_NUM_THREADS</code> Environment Variable:</strong> Setting this variable <em>before</em> launching Julia (e.g., <code>export JULIA_NUM_THREADS=4</code> in bash, then <code>julia my_script.jl</code>) achieves the same result as the command-line flag.</li> </ol> </li> <li> <strong>Checking the Configuration:</strong> <ul> <li> <strong><code>Threads.nthreads()</code>:</strong> This function returns the <strong>total number of threads</strong> in Julia's pool (main thread + worker threads). If this returns <code>1</code>, multi-threading was not enabled at startup, and parallel execution macros like <code>Threads.@spawn</code> or <code>Threads.@threads</code> will effectively run sequentially on the single main thread.</li> <li> <strong><code>Threads.threadid()</code>:</strong> This function returns the <strong>integer ID</strong> (from <code>1</code> to <code>nthreads()</code>) of the specific OS thread that is currently executing the code. The thread that initially runs your script is always <code>1</code>. When you launch parallel tasks (next lessons), you'll see them report different <code>threadid()</code>s as they run on other threads in the pool.</li> </ul> </li> <li> <strong>Verification:</strong> Running this script normally (<code>julia 0097_launching_with_threads.jl</code>) will likely show <code>1</code> thread and print the warning. Running it with threading enabled (e.g., <code>julia -t 4 0097_launching_with_threads.jl</code>) will show the number of threads requested and confirm that multi-threading is active. This check is essential before running any multi-threaded code to ensure parallelism is actually possible.</li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading", "Starting Julia with multiple threads":</strong> Details the command-line flags and environment variable.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Threads.nthreads</code>:</strong> "Get the number of threads available to the Julia process."</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Threads.threadid</code>:</strong> "Get the ID of the current thread."</li> </ul> </li> </ul> <p>To run the script:</p> <ol> <li> <p><strong>Without Threads:</strong><br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0097_launching_with_threads.jl Julia process launched with 1 thread<span class="o">(</span>s<span class="o">)</span><span class="nb">.</span> WARNING: Multi-threading is DISABLED. Performance will be limited to a single core. To <span class="nb">enable </span>parallelism <span class="k">for </span>subsequent lessons, restart Julia using one of the following methods: a<span class="o">)</span> Command Line: julia <span class="nt">-t</span> N <span class="o">(</span>e.g., julia <span class="nt">-t</span> 4<span class="o">)</span> b<span class="o">)</span> Command Line: julia <span class="nt">-t</span> auto <span class="o">(</span>uses all available logical cores<span class="o">)</span> c<span class="o">)</span> Environment Variable: <span class="nb">export </span><span class="nv">JULIA_NUM_THREADS</span><span class="o">=</span>N <span class="o">(</span>before starting Julia<span class="o">)</span> This main script is currently running on thread ID: 1 </code></pre> </li> <li> <p><strong>With Threads (e.g., 4):</strong><br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0097_launching_with_threads.jl Julia process launched with 4 thread<span class="o">(</span>s<span class="o">)</span><span class="nb">.</span> SUCCESS: Multi-threading is ENABLED. Parallel execution using up to 4 threads is possible. This main script is currently running on thread ID: 1 </code></pre> <p><em>(Replace <code>4</code> with the number of threads you requested or <code>auto</code> detected.)</em></p> </li> </ol> <h3> <code>0098_threads_spawn.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0098_threads_spawn.jl</span> <span class="c"># Introduces Threads.@spawn for dynamic parallel task execution.</span> <span class="c"># Requires running Julia with multiple threads (e.g., 'julia -t 4')</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span><span class="o">:</span> <span class="nd">@spawn</span><span class="x">,</span> <span class="n">threadid</span> <span class="k">import</span> <span class="n">Base</span><span class="o">:</span> <span class="n">fetch</span> <span class="c"># fetch is needed to get results</span> <span class="c"># 1. Define a function simulating CPU-intensive work.</span> <span class="k">function</span><span class="nf"> cpu_intensive_work</span><span class="x">(</span><span class="n">id</span><span class="o">::</span><span class="kt">Int</span><span class="x">,</span> <span class="n">iterations</span><span class="o">::</span><span class="kt">Int</span><span class="x">)</span> <span class="c"># Report which thread is starting the work for this ID</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Starting on thread "</span><span class="x">,</span> <span class="n">threadid</span><span class="x">())</span> <span class="n">sum_val</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># Perform a non-trivial computation</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">iterations</span> <span class="n">sum_val</span> <span class="o">+=</span> <span class="n">sin</span><span class="x">(</span><span class="n">sqrt</span><span class="x">(</span><span class="n">float</span><span class="x">(</span><span class="n">i</span><span class="x">)))</span> <span class="k">end</span> <span class="c"># Report which thread finished the work</span> <span class="n">println</span><span class="x">(</span><span class="s">"Task </span><span class="si">$</span><span class="s">id: Finished on thread "</span><span class="x">,</span> <span class="n">threadid</span><span class="x">(),</span> <span class="s">" | Result: "</span><span class="x">,</span> <span class="n">sum_val</span><span class="x">)</span> <span class="k">return</span> <span class="x">(</span><span class="n">id</span><span class="x">,</span> <span class="n">sum_val</span><span class="x">)</span> <span class="c"># Return a tuple with the ID and result</span> <span class="k">end</span> <span class="c"># --- Execution ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main script running on thread: "</span><span class="x">,</span> <span class="n">threadid</span><span class="x">())</span> <span class="n">num_tasks</span> <span class="o">=</span> <span class="mi">4</span> <span class="n">iterations_per_task</span> <span class="o">=</span> <span class="mi">50_000_000</span> <span class="n">println</span><span class="x">(</span><span class="s">"Spawning </span><span class="si">$</span><span class="s">num_tasks parallel tasks using Threads.@spawn..."</span><span class="x">)</span> <span class="c"># 2. Create storage for the Task objects returned by @spawn.</span> <span class="n">tasks</span> <span class="o">=</span> <span class="kt">Vector</span><span class="x">{</span><span class="kt">Task</span><span class="x">}(</span><span class="nb">undef</span><span class="x">,</span> <span class="n">num_tasks</span><span class="x">)</span> <span class="c"># 3. Launch tasks using Threads.@spawn.</span> <span class="c"># '@spawn' creates a Task and schedules it to run on any available thread</span> <span class="c"># from Julia's thread pool. It returns the Task object immediately.</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">num_tasks</span> <span class="c"># Schedule the function call to run in parallel</span> <span class="n">tasks</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="nd">@spawn</span> <span class="n">cpu_intensive_work</span><span class="x">(</span><span class="n">i</span><span class="x">,</span> <span class="n">iterations_per_task</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"All tasks spawned. Main thread continues while tasks run in parallel."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Waiting for tasks to complete by calling fetch()..."</span><span class="x">)</span> <span class="c"># 4. Wait for each task and retrieve its result using 'fetch()'.</span> <span class="c"># 'fetch(t)' blocks the *current* thread (Thread 1 here) until 't' finishes.</span> <span class="c"># We collect results in an array.</span> <span class="n">results</span> <span class="o">=</span> <span class="kt">Vector</span><span class="x">{</span><span class="kt">Any</span><span class="x">}(</span><span class="nb">undef</span><span class="x">,</span> <span class="n">num_tasks</span><span class="x">)</span> <span class="c"># Use Any for tuples, or be more specific</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">num_tasks</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main: Waiting for Task "</span><span class="x">,</span> <span class="n">i</span><span class="x">,</span> <span class="s">"..."</span><span class="x">)</span> <span class="c"># fetch() blocks here if tasks[i] is not yet complete.</span> <span class="n">task_result</span> <span class="o">=</span> <span class="n">fetch</span><span class="x">(</span><span class="n">tasks</span><span class="x">[</span><span class="n">i</span><span class="x">])</span> <span class="n">results</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="n">task_result</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main: Fetched result from Task "</span><span class="x">,</span> <span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">All tasks complete."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Collected results:"</span><span class="x">)</span> <span class="k">for</span> <span class="n">res</span> <span class="k">in</span> <span class="n">results</span> <span class="n">println</span><span class="x">(</span><span class="s">" "</span><span class="x">,</span> <span class="n">res</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Threads.@spawn</code></strong>, the primary macro for launching <strong>parallel tasks</strong> in Julia's modern multi-threading system. It enables dynamic task creation and leverages an efficient work-stealing scheduler.</p> <ul> <li> <strong>Core Concept: Parallel Task Execution</strong> <code>Threads.@spawn expression</code> takes a Julia expression (typically a function call), wraps it in a <code>Task</code>, and submits it to Julia's <strong>multi-threaded scheduler</strong>. This scheduler then assigns the task to run on one of the available <strong>worker threads</strong> (threads with ID &gt; 1) in Julia's thread pool, allowing it to execute in parallel with the main thread and other spawned tasks.</li> <li> <strong><code>@spawn</code> vs. <code>@async</code>:</strong> <ul> <li> <code>@async</code> (Module 7): Designed for <strong>concurrency</strong> on a <em>single</em> thread. Tasks yield cooperatively during I/O or explicit yields.</li> <li> <code>@spawn</code>: Designed for <strong>parallelism</strong> across <em>multiple</em> threads/cores. Ideal for CPU-bound computations.</li> </ul> </li> <li> <strong>Return Value: <code>Task</code> Object</strong> Like <code>@async</code>, <code>@spawn</code> returns <strong>immediately</strong>, without waiting for the task to start or finish. It returns a <code>Task</code> object, which serves as a handle to the asynchronously executing computation.</li> <li> <strong>Work-Stealing Scheduler:</strong> <code>@spawn</code> uses a sophisticated <strong>work-stealing scheduler</strong>. Each worker thread maintains a queue of tasks. If a thread finishes its own tasks and another thread still has tasks waiting in its queue, the idle thread can "steal" work from the busy thread. This provides excellent load balancing and CPU utilization, especially when tasks have varying durations.</li> <li> <strong>Synchronization and Results: <code>fetch(t::Task)</code></strong> To get the result of a task launched with <code>@spawn</code> and ensure it has completed, you use <code>fetch(t)</code>. <ul> <li> <strong>Blocking:</strong> <code>fetch(t)</code> <strong>blocks</strong> the calling thread until task <code>t</code> finishes execution.</li> <li> <strong>Return Value:</strong> It returns the value returned by the expression executed within the task (e.g., the tuple <code>(id, sum_val)</code> from <code>cpu_intensive_work</code>).</li> <li> <strong>Error Propagation:</strong> If the spawned task throws an exception, <code>fetch(t)</code> will re-throw that same exception on the calling thread.</li> </ul> </li> <li> <strong>Workflow:</strong> <ol> <li> Launch multiple parallel computations using <code>@spawn</code>, storing the returned <code>Task</code> objects.</li> <li> Perform any other work that can be done concurrently on the main thread (optional).</li> <li> Call <code>fetch()</code> on each <code>Task</code> object to wait for its completion and collect its result. This loop effectively acts as a "join" point, ensuring all parallel work is done before proceeding.</li> </ol> </li> </ul> <p><code>Threads.@spawn</code> is the recommended, flexible way to achieve parallelism for complex or dynamic workloads in Julia.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading":</strong> Explains <code>@spawn</code> and the task-based parallelism model.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Threads.@spawn</code>:</strong> Details the macro's behavior.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>fetch</code>:</strong> Explains how to wait for and retrieve task results.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You MUST start Julia with multiple threads, e.g., <code>julia -t 4 0098_threads_spawn.jl</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0098_threads_spawn.jl Main script running on thread: 1 Spawning 4 parallel tasks using Threads.@spawn... All tasks spawned. Main thread continues <span class="k">while </span>tasks run <span class="k">in </span>parallel. Waiting <span class="k">for </span>tasks to <span class="nb">complete </span>by calling fetch<span class="o">()</span>... Main: Waiting <span class="k">for </span>Task 1... Task 1: Starting on thread 1 <span class="c"># May start on any thread</span> Task 2: Starting on thread 2 Task 3: Starting on thread 3 Task 4: Starting on thread 4 Task 2: Finished on thread 2 | Result: <span class="c">###</span> Task 4: Finished on thread 4 | Result: <span class="c">###</span> Task 3: Finished on thread 3 | Result: <span class="c">###</span> Task 1: Finished on thread 1 | Result: <span class="c">###</span> Main: Fetched result from Task 1 Main: Waiting <span class="k">for </span>Task 2... Main: Fetched result from Task 2 Main: Waiting <span class="k">for </span>Task 3... Main: Fetched result from Task 3 Main: Waiting <span class="k">for </span>Task 4... Main: Fetched result from Task 4 All tasks complete. Collected results: <span class="o">(</span>1, <span class="c">###)</span> <span class="o">(</span>2, <span class="c">###)</span> <span class="o">(</span>3, <span class="c">###)</span> <span class="o">(</span>4, <span class="c">###)</span> </code></pre> </div> <p><em>(The exact order of "Starting" and "Finished" messages will vary due to parallel execution and scheduling. Results <code>###</code> will be floating-point numbers.)</em></p> <h3> <code>0099_threads_macro.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0099_threads_macro.jl</span> <span class="c"># Introduces Threads.@threads for static parallelization of for loops.</span> <span class="c"># Requires running Julia with multiple threads (e.g., 'julia -t 4')</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span><span class="o">:</span> <span class="nd">@threads</span><span class="x">,</span> <span class="n">threadid</span><span class="x">,</span> <span class="n">nthreads</span> <span class="c"># --- Example 1: Safe Parallel Loop (Writing to unique indices) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Example 1: Safe Parallel Loop ---"</span><span class="x">)</span> <span class="n">N</span> <span class="o">=</span> <span class="mi">10</span> <span class="c"># Number of iterations</span> <span class="n">results</span> <span class="o">=</span> <span class="n">zeros</span><span class="x">(</span><span class="kt">Float64</span><span class="x">,</span> <span class="n">N</span><span class="x">)</span> <span class="c"># Array to store results</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main script on thread: "</span><span class="x">,</span> <span class="n">threadid</span><span class="x">())</span> <span class="n">println</span><span class="x">(</span><span class="s">"Looping </span><span class="si">$</span><span class="s">N times using </span><span class="si">$</span><span class="s">(nthreads()) threads..."</span><span class="x">)</span> <span class="c"># 1. Use 'Threads.@threads' before a 'for' loop.</span> <span class="c"># Julia divides the loop iterations (1:N) into chunks,</span> <span class="c"># one chunk per available thread. Each thread executes its chunk.</span> <span class="n">Threads</span><span class="o">.</span><span class="nd">@threads</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">N</span> <span class="c"># Simulate work for each iteration</span> <span class="n">work_val</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">for</span> <span class="n">_</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">20_000_000</span> <span class="c"># Shorter loop for quicker demo</span> <span class="n">work_val</span> <span class="o">+=</span> <span class="n">rand</span><span class="x">()</span> <span class="k">end</span> <span class="c"># Report which thread handled which iteration</span> <span class="n">println</span><span class="x">(</span><span class="s">" Iteration </span><span class="si">$</span><span class="s">i running on thread "</span><span class="x">,</span> <span class="n">threadid</span><span class="x">())</span> <span class="c"># CRITICAL: This is safe *only* because each thread writes</span> <span class="c"># to a unique, non-overlapping index results[i].</span> <span class="c"># There is no shared mutable state being modified concurrently.</span> <span class="n">results</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="n">work_val</span> <span class="k">end</span> <span class="c"># The main thread waits here until *all* threads finish their chunks.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Loop finished."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Results: "</span><span class="x">,</span> <span class="n">results</span><span class="x">)</span> <span class="c"># --- Example 2: Data Race (Incorrectly modifying shared state) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Example 2: Data Race ---"</span><span class="x">)</span> <span class="n">total_sum_incorrect</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># Shared mutable variable</span> <span class="n">iterations_race</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculating sum incorrectly (data race)..."</span><span class="x">)</span> <span class="c"># 2. INCORRECT use of @threads with shared mutable state.</span> <span class="n">Threads</span><span class="o">.</span><span class="nd">@threads</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">iterations_race</span> <span class="c"># !! DATA RACE !!</span> <span class="c"># Multiple threads read 'total_sum_incorrect', add 1.0,</span> <span class="c"># and try to write back simultaneously. Updates will be lost.</span> <span class="kd">global</span> <span class="n">total_sum_incorrect</span> <span class="o">+=</span> <span class="mf">1.0</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Loop finished."</span><span class="x">)</span> <span class="c"># The result will be significantly LESS than iterations_race.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Incorrect Total Sum (will be &lt; </span><span class="si">$</span><span class="s">iterations_race): "</span><span class="x">,</span> <span class="n">total_sum_incorrect</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"This demonstrates a read-modify-write data race."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Threads.@threads</code></strong>, a macro designed for simple <strong>parallelization of <code>for</code> loops</strong>. It offers a straightforward way to distribute loop iterations across multiple threads but requires careful consideration of <strong>data safety</strong>.</p> <ul> <li> <p><strong>Core Concept: Static Loop Scheduling</strong><br> <code>Threads.@threads for i in iterable ... end</code> tells Julia to divide the work of the loop iterations among the available threads.</p> <ul> <li> <strong>Static Schedule:</strong> Unlike <code>@spawn</code>'s dynamic work-stealing, <code>@threads</code> typically performs a <strong>static schedule</strong>. It divides the iteration space (e.g., <code>1:N</code>) into roughly equal chunks (approximately <code>N / nthreads()</code> iterations per chunk) and assigns one chunk to each thread (<code>1</code> to <code>nthreads()</code>).</li> <li> <strong>Implicit Wait:</strong> The code <em>after</em> the <code>@threads for</code> loop only executes <strong>after all threads</strong> have completed their assigned chunks. The main thread implicitly waits.</li> </ul> </li> <li><p><strong>When to Use <code>@threads</code>:</strong><br><br> It's best suited for <strong>"embarrassingly parallel"</strong> loops where:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Each iteration is **independent** of the others (the calculation for `i` doesn't depend on the result for `i-1`). 2. The amount of work per iteration is **roughly equal**. 3. You are primarily performing **CPU-bound work**. </code></pre> </div> <ul> <li> <p><strong>The Critical Danger: Data Races</strong></p> <ul> <li> <strong>Example 1 (Safe):</strong> This loop is safe because each thread writes to a <strong>separate, unique location</strong> in the <code>results</code> array (<code>results[i]</code>). There's no possibility of two threads trying to modify the <em>same</em> memory location simultaneously.</li> <li> <strong>Example 2 (Unsafe - Data Race):</strong> This loop demonstrates a <strong>classic data race</strong>. <code>total_sum_incorrect</code> is a single variable shared by all threads. The operation <code>total_sum_incorrect += 1.0</code> is <strong>not atomic</strong> (indivisible). It involves three steps: <ol> <li> <strong>Read</strong> the current value of <code>total_sum_incorrect</code>.</li> <li> <strong>Modify</strong> the value (add 1.0).</li> <li> <strong>Write</strong> the new value back.</li> </ol> </li> <li>If Thread 2 reads the value (<code>100</code>), then Thread 3 reads the value (<code>100</code>) <em>before</em> Thread 2 writes its result (<code>101</code>), both threads will eventually write <code>101</code>. One increment is lost. This happens thousands of times, leading to a final sum far less than the number of iterations.</li> <li> <strong><code>global</code> Keyword:</strong> Note the use of <code>global total_sum_incorrect += 1.0</code>. Just like in single-threaded loops (Module 2), modifying a global variable from within the loop's scope requires the <code>global</code> keyword.</li> </ul> </li> <li> <p><strong><code>@threads</code> vs. <code>@spawn</code>:</strong></p> <ul> <li> <strong><code>@threads</code>:</strong> Simpler syntax for basic <code>for</code> loops. Static scheduling (can be inefficient if work per iteration varies greatly). <strong>Requires manual care</strong> regarding data races if shared mutable state is involved.</li> <li> <strong><code>@spawn</code>:</strong> More flexible (can parallelize any code block, not just loops). Dynamic work-stealing scheduler (better load balancing for uneven tasks). Still requires manual synchronization (<code>fetch</code>) and care with shared mutable state.</li> </ul> </li> </ul> <p><strong>Guideline:</strong> Prefer <code>@threads</code> for simple, independent, balanced <code>for</code> loops where writes go to unique locations. For more complex scenarios or when modifying shared state safely, use <code>@spawn</code> combined with locks or atomics (covered next). Always be extremely vigilant about data races when using <code>@threads</code> with shared mutable variables.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading", <code>Threads.@threads</code>:</strong> Explains the macro and its use cases. Explicitly warns about data races.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You MUST start Julia with multiple threads, e.g., <code>julia -t 4 0099_threads_macro.jl</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0099_threads_macro.jl <span class="nt">---</span> Example 1: Safe Parallel Loop <span class="nt">---</span> Main script on thread: 1 Looping 10 <span class="nb">times </span>using 4 threads... Iteration 1 running on thread 1 Iteration 4 running on thread 2 Iteration 7 running on thread 3 Iteration 10 running on thread 4 Iteration 2 running on thread 1 Iteration 5 running on thread 2 Iteration 8 running on thread 3 Iteration 3 running on thread 1 Iteration 6 running on thread 2 Iteration 9 running on thread 3 Loop finished. Results: <span class="o">[</span><span class="c">###, ###, ###, ###, ###, ###, ###, ###, ###, ###]</span> <span class="nt">---</span> Example 2: Data Race <span class="nt">---</span> Calculating <span class="nb">sum </span>incorrectly <span class="o">(</span>data race<span class="o">)</span>... Loop finished. Incorrect Total Sum <span class="o">(</span>will be &lt; 1000000<span class="o">)</span>: <span class="c">###.0 # A value significantly less than 1,000,000</span> This demonstrates a read-modify-write data race. </code></pre> </div> <p><em>(The exact order of iterations per thread may vary. Results <code>###</code> will be floats. The incorrect total sum will vary between runs but will be less than 1,000,000.)</em></p> <h2> Thread Safety Mechanisms </h2> <h3> <code>0100_thread_safety_locks.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0100_thread_safety_locks.jl</span> <span class="c"># Demonstrates using locks to prevent data races.</span> <span class="c"># Requires running Julia with multiple threads (e.g., 'julia -t 4')</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span><span class="o">:</span> <span class="nd">@spawn</span><span class="x">,</span> <span class="kt">ReentrantLock</span><span class="x">,</span> <span class="n">lock</span><span class="x">,</span> <span class="n">unlock</span><span class="x">,</span> <span class="n">nthreads</span> <span class="k">import</span> <span class="n">Base</span><span class="o">:</span> <span class="n">fetch</span> <span class="c"># 1. Initialize a lock.</span> <span class="c"># A lock is a synchronization primitive ensuring mutual exclusion.</span> <span class="c"># 'ReentrantLock' allows the *same* thread to acquire the lock multiple times</span> <span class="c"># without deadlocking (it must unlock it the same number of times).</span> <span class="c"># 'SpinLock' is lower-level, busy-waiting lock (CPU intensive) for very short critical sections.</span> <span class="kd">const</span> <span class="n">counter_lock</span> <span class="o">=</span> <span class="kt">ReentrantLock</span><span class="x">()</span> <span class="c"># Shared mutable state that needs protection</span> <span class="n">total_sum_correct</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="n">num_increments</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="c"># Use a larger number to make races likely</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Correctly calculating sum using lock ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Using </span><span class="si">$</span><span class="s">(nthreads()) threads for </span><span class="si">$</span><span class="s">num_increments increments..."</span><span class="x">)</span> <span class="c"># Array to hold Task objects</span> <span class="n">tasks</span> <span class="o">=</span> <span class="kt">Vector</span><span class="x">{</span><span class="kt">Task</span><span class="x">}(</span><span class="nb">undef</span><span class="x">,</span> <span class="n">num_increments</span><span class="x">)</span> <span class="c"># --- Method 1: Manual lock/unlock with try...finally (Less Preferred) ---</span> <span class="c"># Launch tasks that increment the shared counter safely</span> <span class="c"># for i in 1:num_increments</span> <span class="c"># tasks[i] = @spawn begin</span> <span class="c"># # 2. Acquire the lock *before* accessing shared data.</span> <span class="c"># # If another thread holds the lock, this call blocks.</span> <span class="c"># lock(counter_lock)</span> <span class="c"># try</span> <span class="c"># # --- CRITICAL SECTION START ---</span> <span class="c"># # Only one thread can execute this code block at a time.</span> <span class="c"># global total_sum_correct += 1.0</span> <span class="c"># # --- CRITICAL SECTION END ---</span> <span class="c"># finally</span> <span class="c"># # 3. CRITICAL: Release the lock *always*.</span> <span class="c"># # 'finally' ensures unlock happens even if an error</span> <span class="c"># # occurs inside the 'try' block, preventing deadlock.</span> <span class="c"># unlock(counter_lock)</span> <span class="c"># end</span> <span class="c"># end</span> <span class="c"># end</span> <span class="c"># --- Method 2: Idiomatic lock(...) do ... end (Recommended) ---</span> <span class="c"># This is syntactic sugar for the try...finally block above.</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">num_increments</span> <span class="n">tasks</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="nd">@spawn</span> <span class="k">begin</span> <span class="c"># 4. Acquire lock, execute block, guarantee unlock.</span> <span class="n">lock</span><span class="x">(</span><span class="n">counter_lock</span><span class="x">)</span> <span class="k">do</span> <span class="c"># --- CRITICAL SECTION START ---</span> <span class="c"># Code here is automatically protected by the lock.</span> <span class="kd">global</span> <span class="n">total_sum_correct</span> <span class="o">+=</span> <span class="mf">1.0</span> <span class="c"># --- CRITICAL SECTION END ---</span> <span class="k">end</span> <span class="c"># Lock is automatically released here</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 5. Wait for all tasks to complete.</span> <span class="c"># fetch() will block until each task is done.</span> <span class="n">fetch</span><span class="o">.</span><span class="x">(</span><span class="n">tasks</span><span class="x">)</span> <span class="c"># Using broadcasted fetch</span> <span class="n">println</span><span class="x">(</span><span class="s">"Loop finished."</span><span class="x">)</span> <span class="c"># The result should now be exactly equal to num_increments.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Correct Total Sum (with lock): "</span><span class="x">,</span> <span class="n">total_sum_correct</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to use <strong>locks</strong> (specifically <code>ReentrantLock</code>) to prevent the <strong>data race</strong> identified in the previous lesson when multiple threads modify shared mutable state concurrently.</p> <h2> Core Concept: Mutual Exclusion </h2> <ul> <li> <strong>Data Race Cause:</strong> The operation <code>total_sum_correct += 1.0</code> is not atomic; it involves reading the current value, modifying it, and writing it back. Multiple threads executing these steps concurrently can interfere, leading to lost updates.</li> <li> <strong>Solution: Mutual Exclusion:</strong> We need to ensure that only <strong>one thread at a time</strong> can execute the code that modifies the shared variable (<code>total_sum_correct</code>). This protected section of code is called a <strong>critical section</strong>.</li> <li> <strong>Locks (Mutexes):</strong> A lock (also known as a mutex, for MUTual EXclusion) is a synchronization primitive used to enforce mutual exclusion. It acts like a token; only the thread currently holding the token (the lock) is allowed to enter the critical section.</li> </ul> <h2> Using Locks in Julia (<code>Threads.ReentrantLock</code>) </h2> <ol> <li> <strong>Initialization:</strong> Create a lock object <strong>once</strong> for the shared resource you need to protect: <code>const counter_lock = ReentrantLock()</code>. Make it <code>const</code> so the reference to the lock itself doesn't change.</li> <li> <strong>Acquiring the Lock:</strong> Before entering the critical section, a thread must <strong>acquire</strong> the lock using <code>lock(counter_lock)</code>. <ul> <li>If the lock is available, the thread acquires it and proceeds into the critical section.</li> <li>If another thread already holds the lock, the <code>lock()</code> call <strong>blocks</strong> the current thread (pauses its execution efficiently) until the lock is released.</li> </ul> </li> <li> <strong>Critical Section:</strong> The code that accesses or modifies the shared mutable state (e.g., <code>global total_sum_correct += 1.0</code>) is placed <em>after</em> <code>lock()</code> and <em>before</em> <code>unlock()</code>.</li> <li> <strong>Releasing the Lock:</strong> After leaving the critical section, the thread <strong>must release</strong> the lock using <code>unlock(counter_lock)</code>. This allows one of the waiting (blocked) threads, if any, to acquire the lock and proceed.</li> </ol> <h2> Ensuring Unlock: <code>try...finally</code> and <code>lock...do</code> </h2> <ul> <li> <strong>The Danger of Deadlock:</strong> If a thread acquires a lock and then encounters an error <em>before</em> it releases the lock, the lock will remain held forever. Any other thread waiting for that lock will block indefinitely, causing a <strong>deadlock</strong>.</li> <li> <strong><code>try...finally...unlock</code> (Manual but Safe):</strong> The standard way to prevent deadlock is to put the critical section code inside a <code>try</code> block and the <code>unlock()</code> call inside a <code>finally</code> block. The <code>finally</code> block is <strong>guaranteed</strong> to execute whether the <code>try</code> block completes normally or throws an error.</li> <li> <strong><code>lock(l) do ... end</code> (Idiomatic and Safest):</strong> Julia provides syntactic sugar for the <code>try...finally</code> pattern. The code inside the <code>do ... end</code> block becomes the critical section. Julia automatically acquires the lock (<code>l</code>) before executing the block and <strong>guarantees</strong> that the lock is released when the block finishes, regardless of how it finishes (normal completion or error). <strong>This is the strongly recommended pattern</strong> as it makes forgetting to unlock impossible.</li> </ul> <h2> Performance Impact </h2> <ul> <li> <strong>Serialization:</strong> Locks fundamentally <strong>serialize</strong> execution through the critical section. Only one thread can be executing that code at any given time. If the critical section is large or frequently contended (many threads trying to acquire the lock often), the lock itself becomes a <strong>performance bottleneck</strong>, limiting overall parallelism.</li> <li> <strong>Overhead:</strong> Acquiring and releasing locks involves atomic operations and potentially interaction with the OS scheduler (if blocking occurs), which has non-zero overhead.</li> <li> <strong>Guideline (HFT):</strong> Use locks only when necessary to protect shared state. Keep critical sections <strong>as small and fast as possible</strong>. Prefer lock-free alternatives (like atomics, covered next) for simple operations like counters if performance is paramount.</li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading", "Data race freedom":</strong> Discusses locks (<code>Mutex</code>, <code>ReentrantLock</code>, <code>SpinLock</code>) as the primary mechanism for protecting shared mutable state.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>ReentrantLock</code>, <code>lock</code>, <code>unlock</code>, <code>lock(f::Function, lock)</code>:</strong> Details the lock types and functions, including the <code>do</code> block syntax.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You MUST start Julia with multiple threads, e.g., <code>julia -t 4 0100_thread_safety_locks.jl</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0100_thread_safety_locks.jl <span class="nt">---</span> Correctly calculating <span class="nb">sum </span>using lock <span class="nt">---</span> Using 4 threads <span class="k">for </span>1000000 increments... Loop finished. Correct Total Sum <span class="o">(</span>with lock<span class="o">)</span>: 1000000.0 </code></pre> </div> <p><em>(The result should now consistently be exactly 1,000,000.0, demonstrating that the lock correctly prevented the data race.)</em></p> <h3> <code>0101_atomics_lock_free.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0101_atomics_lock_free.jl</span> <span class="c"># Demonstrates Atomic types for lock-free thread safety.</span> <span class="c"># Requires running Julia with multiple threads (e.g., 'julia -t 4')</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span><span class="o">:</span> <span class="nd">@spawn</span><span class="x">,</span> <span class="n">Atomic</span><span class="x">,</span> <span class="n">atomic_add!</span><span class="x">,</span> <span class="n">atomic_cas!</span><span class="x">,</span> <span class="n">nthreads</span> <span class="k">import</span> <span class="n">Base</span><span class="o">:</span> <span class="n">fetch</span> <span class="c"># 1. Create an Atomic integer.</span> <span class="c"># 'Atomic{T}' is a wrapper around a value of type 'T' (must be primitive bits type).</span> <span class="c"># It guarantees that operations performed via atomic functions are indivisible.</span> <span class="c"># Initialize it with 0.</span> <span class="n">total_atomic</span> <span class="o">=</span> <span class="n">Atomic</span><span class="x">{</span><span class="kt">Int</span><span class="x">}(</span><span class="mi">0</span><span class="x">)</span> <span class="n">num_increments</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Correctly calculating sum using Atomics (Lock-Free) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Using </span><span class="si">$</span><span class="s">(nthreads()) threads for </span><span class="si">$</span><span class="s">num_increments increments..."</span><span class="x">)</span> <span class="c"># Array to hold Task objects</span> <span class="n">tasks</span> <span class="o">=</span> <span class="kt">Vector</span><span class="x">{</span><span class="kt">Task</span><span class="x">}(</span><span class="nb">undef</span><span class="x">,</span> <span class="n">num_increments</span><span class="x">)</span> <span class="c"># Launch tasks that increment the atomic counter</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">num_increments</span> <span class="n">tasks</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="nd">@spawn</span> <span class="k">begin</span> <span class="c"># 2. Perform an atomic Read-Modify-Write operation.</span> <span class="c"># 'atomic_add!(ref, value)' adds 'value' to the current value</span> <span class="c"># in 'ref' atomically. This compiles to a single, thread-safe</span> <span class="c"># CPU instruction (like 'lock xadd' on x86).</span> <span class="c"># There is NO lock, NO blocking. All threads proceed, and the</span> <span class="c"># hardware ensures the additions are correct.</span> <span class="n">atomic_add!</span><span class="x">(</span><span class="n">total_atomic</span><span class="x">,</span> <span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 3. Wait for all tasks to complete.</span> <span class="n">fetch</span><span class="o">.</span><span class="x">(</span><span class="n">tasks</span><span class="x">)</span> <span class="c"># 4. Read the final value from the Atomic object.</span> <span class="c"># 'atomic_ref[]' is the syntax for atomically reading the current value.</span> <span class="n">final_value</span> <span class="o">=</span> <span class="n">total_atomic</span><span class="x">[]</span> <span class="n">println</span><span class="x">(</span><span class="s">"Loop finished."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Correct Atomic Total Sum: "</span><span class="x">,</span> <span class="n">final_value</span><span class="x">)</span> <span class="c"># Should be exactly 1,000,000</span> <span class="c"># --- Compare-And-Swap (CAS) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Demonstrating Compare-And-Swap (CAS) ---"</span><span class="x">)</span> <span class="c"># 5. CAS is the fundamental atomic primitive.</span> <span class="c"># 'atomic_cas!(ref, expected_old, new_value)' performs:</span> <span class="c"># Atomically:</span> <span class="c"># a) Read the current value in 'ref'.</span> <span class="c"># b) Compare it with 'expected_old'.</span> <span class="c"># c) If they match, write 'new_value' into 'ref' and return 'expected_old'.</span> <span class="c"># d) If they don't match (meaning another thread changed it), do nothing</span> <span class="c"># and return the value that was actually read.</span> <span class="c"># It allows building complex lock-free logic by retrying if a conflict occurs.</span> <span class="n">current_val</span> <span class="o">=</span> <span class="n">total_atomic</span><span class="x">[]</span> <span class="c"># Read current value (1,000,000)</span> <span class="n">expected</span> <span class="o">=</span> <span class="n">current_val</span> <span class="n">desired_new</span> <span class="o">=</span> <span class="n">current_val</span> <span class="o">+</span> <span class="mi">100</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current atomic value: "</span><span class="x">,</span> <span class="n">current_val</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Attempting CAS: Expected=</span><span class="si">$</span><span class="s">expected, New=</span><span class="si">$</span><span class="s">desired_new"</span><span class="x">)</span> <span class="c"># Perform the CAS operation</span> <span class="n">old_val_read</span> <span class="o">=</span> <span class="n">atomic_cas!</span><span class="x">(</span><span class="n">total_atomic</span><span class="x">,</span> <span class="n">expected</span><span class="x">,</span> <span class="n">desired_new</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value returned by CAS: "</span><span class="x">,</span> <span class="n">old_val_read</span><span class="x">)</span> <span class="c"># 6. Check if CAS succeeded.</span> <span class="k">if</span> <span class="n">old_val_read</span> <span class="o">==</span> <span class="n">expected</span> <span class="n">println</span><span class="x">(</span><span class="s">"CAS successful!"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"New atomic value: "</span><span class="x">,</span> <span class="n">total_atomic</span><span class="x">[])</span> <span class="c"># Should be 1,000,100</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"CAS failed! Another thread likely modified the value."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current atomic value remains: "</span><span class="x">,</span> <span class="n">total_atomic</span><span class="x">[])</span> <span class="k">end</span> <span class="c"># Example of a failing CAS (if another thread hypothetically interfered)</span> <span class="c"># Let's manually set 'expected' to something wrong</span> <span class="n">expected_wrong</span> <span class="o">=</span> <span class="n">current_val</span> <span class="o">-</span> <span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Attempting CAS with wrong expected value: Expected=</span><span class="si">$</span><span class="s">expected_wrong, New=0"</span><span class="x">)</span> <span class="n">old_val_read_fail</span> <span class="o">=</span> <span class="n">atomic_cas!</span><span class="x">(</span><span class="n">total_atomic</span><span class="x">,</span> <span class="n">expected_wrong</span><span class="x">,</span> <span class="mi">0</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value returned by failing CAS: "</span><span class="x">,</span> <span class="n">old_val_read_fail</span><span class="x">)</span> <span class="c"># Will be the actual value (1M or 1M+100)</span> <span class="k">if</span> <span class="n">old_val_read_fail</span> <span class="o">==</span> <span class="n">expected_wrong</span> <span class="n">println</span><span class="x">(</span><span class="s">"CAS successful (unexpected!)."</span><span class="x">)</span> <span class="k">else</span> <span class="n">println</span><span class="x">(</span><span class="s">"CAS failed as expected."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Atomic value is unchanged: "</span><span class="x">,</span> <span class="n">total_atomic</span><span class="x">[])</span> <span class="c"># Still 1M or 1M+100</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>Atomic types</strong> (<code>Threads.Atomic{T}</code>) and <strong>atomic operations</strong>, which provide a <strong>lock-free</strong> mechanism for ensuring thread safety for simple operations like counters and flags. They are generally much faster than locks for these specific use cases.</p> <h2> Core Concept: Atomicity </h2> <ul> <li> <strong>Problem with Locks:</strong> Locks serialize access to critical sections, potentially causing threads to block and wait, creating performance bottlenecks.</li> <li> <strong>Atomic Operations:</strong> These are special operations guaranteed by the CPU hardware to execute <strong>indivisibly</strong> (atomically). When Thread A performs <code>atomic_add!</code>, no other thread (Thread B) can interfere <em>during</em> that add operation. Thread B might execute its own <code>atomic_add!</code> immediately before or after Thread A's, but they cannot corrupt each other's read-modify-write sequence.</li> <li> <strong>Lock-Free:</strong> Code using atomics is often "lock-free" because threads generally do not need to block and wait for a lock. They attempt the atomic operation directly. If there's contention, the hardware manages the conflict at the nanosecond level, which is vastly faster than OS-level thread blocking managed by locks.</li> </ul> <h2> Using Atomics in Julia (<code>Threads.Atomic</code>) </h2> <ol> <li> <strong>Declaration:</strong> Create an atomic variable using <code>Threads.Atomic{T}(initial_value)</code>, where <code>T</code> must be a primitive <code>isbits</code> type (like <code>Int</code>, <code>UInt64</code>, <code>Bool</code>, <code>Float32</code>, <code>Float64</code>). Example: <code>total_atomic = Atomic{Int}(0)</code>.</li> <li> <strong>Atomic Read-Modify-Write:</strong> Use specific atomic functions to modify the value safely: <ul> <li> <strong><code>atomic_add!(ref::Atomic{T}, val::T)</code>:</strong> Atomically adds <code>val</code> to the value in <code>ref</code>. Returns the <em>old</em> value.</li> <li> <strong><code>atomic_sub!(ref::Atomic{T}, val::T)</code>:</strong> Atomically subtracts <code>val</code>. Returns the <em>old</em> value.</li> <li> <strong><code>atomic_xchg!(ref::Atomic{T}, new::T)</code>:</strong> Atomically sets the value in <code>ref</code> to <code>new</code>. Returns the <em>old</em> value.</li> <li> <strong><code>atomic_cas!(ref::Atomic{T}, expected::T, new::T)</code>:</strong> Compare-And-Swap (see below). Returns the <em>old</em> value read from <code>ref</code>.</li> <li><em>(Others exist: <code>atomic_and!</code>, <code>atomic_or!</code>, <code>atomic_xor!</code>, <code>atomic_max!</code>, <code>atomic_min!</code>)</em></li> </ul> </li> <li> <strong>Atomic Read:</strong> To read the current value atomically, use array-like indexing: <code>current_val = atomic_ref[]</code>.</li> <li> <strong>Atomic Write:</strong> To write a new value atomically (overwriting the old), use <code>atomic_xchg!</code> or <code>atomic_ref[] = new_value</code> (assignment is often overloaded for atomic write).</li> </ol> <h2> Compare-And-Swap (CAS) </h2> <ul> <li> <strong><code>atomic_cas!(ref, expected, new)</code>:</strong> This is the <strong>fundamental building block</strong> of most complex lock-free algorithms (like queues, stacks, linked lists).</li> <li> <strong>Operation:</strong> It tries to atomically change the value in <code>ref</code> from <code>expected</code> to <code>new</code>.</li> <li> <strong>Success/Failure:</strong> It <strong>succeeds only if</strong> the value in <code>ref</code> is <em>exactly</em> equal to <code>expected</code> at the moment of the operation. If another thread changed the value between when you read it (<code>expected = ref[]</code>) and when you called <code>atomic_cas!</code>, the CAS operation fails (doesn't write <code>new</code>) and returns the <em>current, different</em> value it found.</li> <li> <p><strong>Retry Loops:</strong> Lock-free algorithms often use CAS in a loop:<br> </p> <pre class="highlight julia"><code><span class="n">current</span> <span class="o">=</span> <span class="n">atomic_ref</span><span class="x">[]</span> <span class="k">while</span> <span class="nb">true</span> <span class="n">desired</span> <span class="o">=</span> <span class="n">calculate_new_value</span><span class="x">(</span><span class="n">current</span><span class="x">)</span> <span class="c"># Try to swap 'current' with 'desired'</span> <span class="n">read_val</span> <span class="o">=</span> <span class="n">atomic_cas!</span><span class="x">(</span><span class="n">atomic_ref</span><span class="x">,</span> <span class="n">current</span><span class="x">,</span> <span class="n">desired</span><span class="x">)</span> <span class="k">if</span> <span class="n">read_val</span> <span class="o">==</span> <span class="n">current</span> <span class="c"># Success! Our change went through.</span> <span class="n">break</span> <span class="k">else</span> <span class="c"># Failure! Another thread interfered. Retry with the new value.</span> <span class="n">current</span> <span class="o">=</span> <span class="n">read_val</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </li> </ul> <h2> Performance (vs. Locks) </h2> <ul> <li>For simple updates like incrementing a counter (<code>atomic_add!</code>), atomics are <strong>significantly faster</strong> than using a lock (<code>lock(l) do ... end</code>). They avoid the overhead of lock acquisition/release and potential thread blocking.</li> <li>For complex updates involving multiple variables, locks are often easier to reason about and implement correctly than complex CAS-based lock-free algorithms.</li> </ul> <p><strong>Guideline (HFT):</strong> Use atomics for high-frequency counters, flags, sequence numbers, or simple state management where lock contention would be a bottleneck. Use locks for protecting more complex data structures or operations involving multiple steps.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Multi-Threading", "Atomic Operations":</strong> Introduces <code>Atomic</code> types and atomic functions.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Threads.Atomic</code>, <code>Threads.atomic_...</code> functions:</strong> Detailed API descriptions.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You MUST start Julia with multiple threads, e.g., <code>julia -t 4 0101_atomics_lock_free.jl</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0101_atomics_lock_free.jl <span class="nt">---</span> Correctly calculating <span class="nb">sum </span>using Atomics <span class="o">(</span>Lock-Free<span class="o">)</span> <span class="nt">---</span> Using 4 threads <span class="k">for </span>1000000 increments... Loop finished. Correct Atomic Total Sum: 1000000 <span class="nt">---</span> Demonstrating Compare-And-Swap <span class="o">(</span>CAS<span class="o">)</span> <span class="nt">---</span> Current atomic value: 1000000 Attempting CAS: <span class="nv">Expected</span><span class="o">=</span>1000000, <span class="nv">New</span><span class="o">=</span>1000100 Value returned by CAS: 1000000 CAS successful! New atomic value: 1000100 Attempting CAS with wrong expected value: <span class="nv">Expected</span><span class="o">=</span>999999, <span class="nv">New</span><span class="o">=</span>0 Value returned by failing CAS: 1000100 CAS failed as expected. Atomic value is unchanged: 1000100 </code></pre> </div> <p><em>(The final result should consistently be 1,000,000, demonstrating lock-free correctness. CAS results should match the logic.)</em></p> <h2> Appendix: Deeper Dive into Atomics </h2> <p>The main script introduced <code>Atomic{T}</code> types and basic operations like <code>atomic_add!</code> and <code>atomic_cas!</code>. This appendix explores some crucial details, patterns, and potential pitfalls for using atomics effectively in high-performance, multi-threaded code.</p> <h3> Recap: Why Atomics Over Locks? </h3> <p>Locks provide <strong>mutual exclusion</strong> by forcing threads to wait, serializing access to critical sections. This is robust but can become a bottleneck if contention is high (many threads frequently trying to acquire the lock).</p> <p>Atomics leverage special <strong>CPU instructions</strong> that perform simple operations (like read, write, add, swap) <strong>indivisibly</strong>. They allow multiple threads to attempt operations concurrently, with the hardware managing conflicts at a very low level. For simple, highly contended updates (like incrementing a shared counter), atomics are often <strong>significantly faster</strong> than locks because they avoid the overhead of lock management and thread blocking.</p> <h3> Memory Orderings: The Hidden Complexity </h3> <p>Atomicity isn't just about indivisibility; it's also about <strong>memory ordering</strong>. This refers to the guarantees an atomic operation provides about how its effects (reads and writes) become visible to other threads relative to other memory operations. Modern CPUs and compilers aggressively reorder memory operations for performance, and atomic operations act as "fences" to prevent undesirable reorderings.</p> <ul> <li> <strong>Sequential Consistency (<code>:sequentially_consistent</code>):</strong> <ul> <li>This is the <strong>default memory order</strong> for all atomic operations in Julia (<code>atomic_add!</code>, <code>atomic_cas!</code>, <code>atomic_store!</code>, <code>atomic_load</code>, etc., unless specified otherwise).</li> <li> <strong>Guarantee:</strong> It provides the strongest guarantees. All threads agree on a single, global sequential order of operations, consistent with the program's source code order. Operations cannot be reordered across a sequentially consistent atomic operation.</li> <li> <strong>Analogy:</strong> Imagine a single, global logbook. Every atomic operation is written into this logbook in a definitive order visible to everyone.</li> <li> <strong>Performance:</strong> This is the easiest to reason about but potentially the slowest, as it imposes the most constraints on the CPU and compiler, potentially requiring expensive memory fence instructions.</li> </ul> </li> <li> <strong>Relaxed Orderings (<code>:acquire</code>, <code>:release</code>, <code>:relaxed</code>):</strong> <ul> <li>Julia also allows specifying weaker memory orderings as optional arguments to atomic functions (e.g., <code>atomic_load(ref, :acquire)</code>, <code>atomic_store!(ref, val, :release)</code>).</li> <li> <strong>:acquire:</strong> Ensures that memory reads/writes <em>after</em> the atomic load are not reordered to happen <em>before</em> it. Used when acquiring a "lock" or reading data dependent on a flag.</li> <li> <strong>:release:</strong> Ensures that memory reads/writes <em>before</em> the atomic store are not reordered to happen <em>after</em> it. Used when releasing a "lock" or signaling that data is ready.</li> <li> <strong>☺️</strong> Provides no ordering guarantees beyond the atomicity of the operation itself. Fastest, but extremely difficult to use correctly.</li> <li> <strong>Warning:</strong> Using relaxed memory orderings is <strong>expert-level territory</strong>. Incorrect use <em>will</em> lead to subtle, non-deterministic data races that are nearly impossible to debug. <strong>Stick to the default sequential consistency unless profiling explicitly identifies atomic operations as a bottleneck AND you thoroughly understand the memory model of your target architecture.</strong> </li> </ul> </li> </ul> <h3> Common Use Cases for Atomics </h3> <ol> <li> <strong>High-Performance Counters:</strong> The canonical example (<code>atomic_add!</code>, <code>atomic_sub!</code>). Massively faster than a locked counter under high contention.</li> <li> <p><strong>Flags and Status Indicators:</strong> Signaling state changes between threads.<br> </p> <pre class="highlight julia"><code><span class="kd">const</span> <span class="n">status</span> <span class="o">=</span> <span class="n">Atomic</span><span class="x">{</span><span class="kt">Int</span><span class="x">}(</span><span class="mi">0</span><span class="x">)</span> <span class="c"># 0=Idle, 1=Running, 2=Stopping</span> <span class="c"># Worker task:</span> <span class="k">while</span> <span class="n">status</span><span class="x">[]</span> <span class="o">==</span> <span class="mi">0</span> <span class="c"># Atomic read</span> <span class="c"># wait</span> <span class="k">end</span> <span class="k">if</span> <span class="n">status</span><span class="x">[]</span> <span class="o">==</span> <span class="mi">1</span> <span class="c"># do work</span> <span class="k">end</span> <span class="c"># Main task:</span> <span class="n">atomic_store!</span><span class="x">(</span><span class="n">status</span><span class="x">,</span> <span class="mi">1</span><span class="x">)</span> <span class="c"># Signal workers to start (or atomic_xchg!)</span> <span class="c"># ... later ...</span> <span class="n">atomic_store!</span><span class="x">(</span><span class="n">status</span><span class="x">,</span> <span class="mi">2</span><span class="x">)</span> <span class="c"># Signal workers to stop</span> </code></pre> </li> <li><p><strong>Generating Unique Sequence Numbers/IDs:</strong> A simple global counter incremented with <code>atomic_add!(counter, 1)</code> can safely generate unique IDs across multiple threads.</p></li> <li><p><strong>Simple Statistics:</strong> Accumulating sums or finding maximums/minimums across threads (<code>atomic_add!</code>, <code>atomic_max!</code>, <code>atomic_min!</code>).</p></li> <li><p><strong>Building Blocks for Lock-Free Data Structures:</strong> <code>atomic_cas!</code> is the primitive used to implement complex lock-free algorithms like queues (e.g., Michael-Scott queue), stacks, and sets. <strong>Caution:</strong> Implementing these correctly is extremely challenging. Prefer using existing, well-tested library implementations (often from external packages or potentially future standard library additions) unless absolutely necessary.</p></li> </ol> <h3> The ABA Problem: A Subtle CAS Pitfall </h3> <p>Naive use of Compare-And-Swap in retry loops can suffer from the <strong>ABA problem</strong>.</p> <ul> <li> <strong>Scenario:</strong> <ol> <li> Thread 1 reads a value <code>A</code> from an atomic reference <code>ref</code>. (<code>expected = A</code>)</li> <li> Thread 1 gets preempted.</li> <li> Thread 2 acquires <code>ref</code>, changes the value from <code>A</code> to <code>B</code>.</li> <li> Thread 2 performs more work, then changes the value in <code>ref</code> <em>back</em> to <code>A</code>.</li> <li> Thread 1 resumes. It calculates its desired <code>new_value</code>.</li> <li> Thread 1 executes <code>atomic_cas!(ref, expected, new_value)</code>. Since <code>expected</code> is <code>A</code> and the current value in <code>ref</code> <em>is</em> <code>A</code>, the CAS <strong>succeeds</strong>.</li> </ol> </li> <li> <strong>The Problem:</strong> Thread 1 assumes the state associated with <code>A</code> hasn't changed because the value <code>A</code> is the same. However, the underlying state <em>was</em> modified (A -&gt; B -&gt; A). This can corrupt data structures where the value <code>A</code> might be, for example, a pointer that was freed and reallocated, now pointing to something different but coincidentally having the same address bits.</li> <li> <strong>Solutions:</strong> Often involve techniques like: <ul> <li> <strong>Tagged Pointers:</strong> Storing a "tag" or counter alongside the pointer within the same atomic word, so A -&gt; B -&gt; A becomes A1 -&gt; B -&gt; A2. The CAS on A1 fails.</li> <li> <strong>Sequence Locks/Counters:</strong> Using separate atomic counters to track modifications.</li> </ul> </li> <li> <strong>Takeaway:</strong> Be aware of this problem if implementing complex CAS-based logic. It's another reason to favor library implementations.</li> </ul> <h3> Performance Considerations </h3> <ul> <li> <strong>Contention:</strong> While faster than locks, atomics are not free. Under extreme contention (many cores constantly trying to modify the same atomic variable), the CPU's cache coherency protocols and atomic instructions themselves can become a bottleneck on the memory bus. Performance may not scale linearly with the number of cores.</li> <li> <strong>False Sharing:</strong> This occurs when unrelated variables happen to reside on the <strong>same CPU cache line</strong> (typically 64 bytes). <ul> <li>Thread A modifies <code>atomic_var_1</code>. This forces the cache line containing <code>atomic_var_1</code> to be invalidated in Thread B's cache.</li> <li>Thread B modifies <code>atomic_var_2</code> (which is nearby in memory, on the same cache line). This forces the cache line to be invalidated in Thread A's cache.</li> <li>Even though the threads are accessing <em>different</em> variables, they constantly invalidate each other's caches because the variables share a cache line. This causes significant performance degradation.</li> <li> <strong>Solution:</strong> Ensure frequently accessed atomic variables used by different threads are sufficiently padded apart in memory (e.g., by placing them in different structs or adding unused padding fields) so they don't share a cache line. </li> </ul> </li> </ul> <h3> Summary and Guidance </h3> <ul> <li>Atomics offer a high-performance, lock-free way to manage simple shared state updates (counters, flags, etc.).</li> <li>They are significantly faster than locks under high contention for these specific use cases.</li> <li>Always use the default <strong>sequential consistency</strong> memory ordering unless you have proven a need for relaxed orderings via profiling and fully understand the implications.</li> <li>Be aware of the <strong>ABA problem</strong> if implementing complex logic with <code>atomic_cas!</code>.</li> <li>Consider <strong>false sharing</strong> if benchmarking reveals unexpected scaling issues with multiple atomic variables.</li> <li>For complex data structures or operations involving multiple variables, <strong>locks are often simpler and safer</strong> to implement correctly than intricate lock-free algorithms.</li> </ul> <p>Choose the right tool for the job: atomics for simple, high-contention points; locks for broader or more complex critical sections. Always prioritize correctness.</p> <h2> Multi Processing </h2> <h3> <code>0102_distributed_processing.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0102_distributed_processing.jl</span> <span class="c"># Introduces Distributed.jl for multi-processing.</span> <span class="c"># MUST BE RUN WITH: julia -p N (e.g., julia -p 4)</span> <span class="c"># 1. Import the Distributed standard library.</span> <span class="c"># '-p N' starts Julia with N additional "worker" processes.</span> <span class="k">import</span> <span class="n">Distributed</span> <span class="c"># --- Setup and Process IDs ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Distributed Processing Setup ---"</span><span class="x">)</span> <span class="c"># 2. Check the number of available processes.</span> <span class="n">num_procs</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">nprocs</span><span class="x">()</span> <span class="c"># Total number of processes (main + workers)</span> <span class="n">num_workers</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">nworkers</span><span class="x">()</span> <span class="c"># Number of worker processes only</span> <span class="n">println</span><span class="x">(</span><span class="s">"Total processes (main + workers): "</span><span class="x">,</span> <span class="n">num_procs</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Number of worker processes: "</span><span class="x">,</span> <span class="n">num_workers</span><span class="x">)</span> <span class="k">if</span> <span class="n">num_procs</span> <span class="o">&lt;=</span> <span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"WARNING: No worker processes found."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Restart Julia with the '-p N' flag (e.g., 'julia -p 4')"</span><span class="x">)</span> <span class="c"># Exit cleanly if no workers, as subsequent code requires them.</span> <span class="n">exit</span><span class="x">()</span> <span class="k">end</span> <span class="c"># 3. Get process IDs.</span> <span class="n">main_pid</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">myid</span><span class="x">()</span> <span class="c"># ID of the *current* process (always 1 for the main script)</span> <span class="n">worker_pids</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">workers</span><span class="x">()</span> <span class="c"># Vector of worker process IDs (e.g., [2, 3, 4, 5])</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main process ID: "</span><span class="x">,</span> <span class="n">main_pid</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Worker process IDs: "</span><span class="x">,</span> <span class="n">worker_pids</span><span class="x">)</span> <span class="c"># --- Executing Code Remotely ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Remote Execution ---"</span><span class="x">)</span> <span class="c"># 4. Define code that needs to exist on *all* processes using '@everywhere'.</span> <span class="c"># Worker processes start with a clean slate; they don't inherit</span> <span class="c"># definitions from the main process unless explicitly told.</span> <span class="n">Distributed</span><span class="o">.</span><span class="nd">@everywhere</span> <span class="k">begin</span> <span class="c"># This block is executed on the main process AND all workers.</span> <span class="k">import</span> <span class="n">Sockets</span> <span class="c"># Make Sockets available on workers if needed inside function</span> <span class="n">MY_CONSTANT</span> <span class="o">=</span> <span class="mi">10</span> <span class="k">function</span><span class="nf"> get_info</span><span class="x">()</span> <span class="n">pid</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">myid</span><span class="x">()</span> <span class="n">host</span> <span class="o">=</span> <span class="n">Sockets</span><span class="o">.</span><span class="n">gethostname</span><span class="x">()</span> <span class="n">thread_id</span> <span class="o">=</span> <span class="n">Threads</span><span class="o">.</span><span class="n">threadid</span><span class="x">()</span> <span class="c"># Each process has at least one thread</span> <span class="k">return</span> <span class="s">"Process </span><span class="si">$</span><span class="s">pid on host '</span><span class="si">$</span><span class="s">host' (thread </span><span class="si">$</span><span class="s">thread_id) knows MY_CONSTANT = </span><span class="si">$</span><span class="s">MY_CONSTANT"</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 5. Execute a function remotely on a specific worker using '@spawnat'.</span> <span class="c"># '@spawnat worker_pid expression' runs the expression on that worker.</span> <span class="c"># It returns a 'Future', which is a handle to the remote result.</span> <span class="n">target_worker</span> <span class="o">=</span> <span class="n">worker_pids</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="c"># e.g., process 2</span> <span class="n">println</span><span class="x">(</span><span class="s">"Spawning task on worker </span><span class="si">$</span><span class="s">target_worker..."</span><span class="x">)</span> <span class="n">future</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="nd">@spawnat</span> <span class="n">target_worker</span> <span class="n">get_info</span><span class="x">()</span> <span class="c"># 6. Retrieve the result from the remote worker using 'fetch()'.</span> <span class="c"># 'fetch(future)' blocks until the remote task completes and sends</span> <span class="c"># its result back to the main process (involves serialization).</span> <span class="n">println</span><span class="x">(</span><span class="s">"Waiting for result from worker </span><span class="si">$</span><span class="s">target_worker..."</span><span class="x">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">fetch</span><span class="x">(</span><span class="n">future</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result from worker </span><span class="si">$</span><span class="s">target_worker: </span><span class="se">\"</span><span class="si">$</span><span class="s">result</span><span class="se">\"</span><span class="s">"</span><span class="x">)</span> <span class="c"># --- Parallel Map-Reduce Across Processes ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Distributed Map-Reduce (@distributed) ---"</span><span class="x">)</span> <span class="n">N</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">println</span><span class="x">(</span><span class="s">"Calculating sum of squares from 1 to </span><span class="si">$</span><span class="s">N across workers..."</span><span class="x">)</span> <span class="c"># 7. Use '@distributed (reducer) for ... end' for parallel loops.</span> <span class="c"># This divides the loop iterations among the *worker* processes.</span> <span class="c"># Each worker computes its portion, and the results are combined</span> <span class="c"># using the specified 'reducer' function (e.g., '+').</span> <span class="c"># Data dependencies must be explicitly handled (e.g., using @everywhere).</span> <span class="c"># The loop variable 'i' is automatically sent to the worker.</span> <span class="c"># NOTE: Unlike Threads.@threads, this does NOT run on the main process (ID 1).</span> <span class="n">final_sum</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="nd">@distributed</span> <span class="x">(</span><span class="o">+</span><span class="x">)</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">N</span> <span class="c"># This code block runs on a worker process.</span> <span class="n">pid</span> <span class="o">=</span> <span class="n">Distributed</span><span class="o">.</span><span class="n">myid</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">" Worker </span><span class="si">$</span><span class="s">pid processing i = </span><span class="si">$</span><span class="s">i"</span><span class="x">)</span> <span class="c"># Return the value for this iteration to be reduced</span> <span class="n">i</span><span class="o">^</span><span class="mi">2</span> <span class="k">end</span> <span class="c"># Main process blocks here until all workers finish and reduction completes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Distributed loop finished."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Final sum of squares: "</span><span class="x">,</span> <span class="n">final_sum</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>Distributed.jl</code></strong>, Julia's standard library for <strong>multi-processing</strong>. This contrasts with multi-threading by using separate <strong>OS processes</strong>, each with its own independent memory space, enabling parallelism that can scale beyond a single machine and provides memory isolation.</p> <h2> Core Concepts: Threads vs. Processes </h2> <ul> <li> <strong>Multi-Threading (<code>Threads</code>, Module 10):</strong> <ul> <li> <strong>Pros:</strong> Runs within a <strong>single process</strong>, allowing <strong>direct sharing of memory</strong>. Communication is extremely fast (just read/write variables). Low overhead to start tasks (<code>@spawn</code>).</li> <li> <strong>Cons:</strong> Requires careful <strong>thread safety</strong> (locks, atomics) to prevent data races. A crash in one thread can bring down the entire process. Limited to the cores on a single machine.</li> </ul> </li> <li> <strong>Multi-Processing (<code>Distributed</code>, This Lesson):</strong> <ul> <li> <strong>Pros:</strong> Runs in <strong>multiple, separate processes</strong>. Provides complete <strong>memory isolation</strong> (no data races possible on standard variables). A crash in one worker process does not affect others. Can scale across <strong>multiple machines</strong> over a network (though this example uses local processes).</li> <li> <strong>Cons:</strong> <strong>Communication is expensive</strong>. Passing data between processes requires <strong>serialization</strong> (converting objects to a byte stream), network/inter-process communication (IPC), and <strong>deserialization</strong>. High overhead to start worker processes (<code>julia -p N</code>).</li> </ul> </li> </ul> <p><strong>Guideline (HFT):</strong> Use <code>Threads</code> for low-latency, tightly coupled computations on a single machine where shared memory performance is critical (e.g., parallel signal processing within one market data handler). Use <code>Distributed</code> for higher-level task parallelism where memory isolation is desired, fault tolerance is needed, or scaling across machines is required (e.g., running independent strategy simulations, connecting to different exchange gateways in separate processes).</p> <h2> Using <code>Distributed.jl</code> </h2> <ol> <li> <strong>Launch Workers (<code>julia -p N</code>):</strong> You <strong>must</strong> start Julia with the <code>-p N</code> flag (e.g., <code>julia -p 4</code>) to create <code>N</code> additional worker processes alongside the main interactive process (Process 1). Alternatively, use <code>Distributed.addprocs(N)</code> programmatically (less common for script-based work).</li> <li> <strong>Process IDs:</strong> <code>Distributed.nprocs()</code> gives the total count (main + workers). <code>Distributed.nworkers()</code> gives just the worker count. <code>Distributed.myid()</code> returns the ID of the current process. <code>Distributed.workers()</code> returns a list of worker IDs (usually <code>[2, 3, ..., N+1]</code>).</li> <li> <strong>Code on Workers (<code>@everywhere</code>):</strong> Worker processes start "empty." They don't inherit code definitions or variable values from Process 1. The <code>Distributed.@everywhere begin ... end</code> block ensures the enclosed code (module imports, function definitions, constant assignments) is executed on <strong>all</strong> processes (main + workers), making it available everywhere.</li> <li> <strong>Remote Execution (<code>@spawnat</code>):</strong> <code>Distributed.@spawnat worker_id expression</code> executes the <code>expression</code> specifically on the worker process with ID <code>worker_id</code>. It returns a <code>Future</code>, which is a remote reference to the task.</li> <li> <strong>Fetching Remote Results (<code>fetch</code>):</strong> <code>fetch(future)</code> waits for the remote task referenced by <code>future</code> to complete and then transfers its result back to the calling process (involving serialization/deserialization).</li> <li> <strong>Parallel Loop (<code>@distributed</code>):</strong> <code>Distributed.@distributed (reducer) for ... end</code> provides a parallel map-reduce pattern across <strong>worker processes</strong>. <ul> <li>It divides the loop iterations among the workers.</li> <li>Each worker executes the loop body for its assigned iterations.</li> <li>The values returned by each iteration on each worker are collected.</li> <li>The specified <code>reducer</code> function (e.g., <code>+</code>, <code>vcat</code>, <code>append!</code>) is used to combine the results from all workers into a final result returned on the main process.</li> </ul> </li> </ol> <h2> Communication Overhead </h2> <p>Remember that any data sent to (<code>@spawnat</code>, loop variables in <code>@distributed</code>) or received from (<code>fetch</code>) worker processes must be serialized and deserialized. This adds significant overhead compared to threads accessing shared memory directly. <code>Distributed</code> is best for coarse-grained parallelism where the computation time is large relative to the communication time.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Parallel Computing", "Distributed Computing":</strong> Provides a detailed guide to <code>Distributed.jl</code>.</li> <li> <strong>Julia Official Documentation, Standard Library, <code>Distributed</code>:</strong> Documents <code>addprocs</code>, <code>nprocs</code>, <code>nworkers</code>, <code>myid</code>, <code>workers</code>, <code>@everywhere</code>, <code>@spawnat</code>, <code>fetch</code>, <code>@distributed</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(You MUST start Julia with multiple worker processes, e.g., <code>julia -p 4 0102_distributed_processing.jl</code>)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-p</span> 4 0102_distributed_processing.jl <span class="nt">---</span> Distributed Processing Setup <span class="nt">---</span> Total processes <span class="o">(</span>main + workers<span class="o">)</span>: 5 Number of worker processes: 4 Main process ID: 1 Worker process IDs: <span class="o">[</span>2, 3, 4, 5] <span class="nt">---</span> Remote Execution <span class="nt">---</span> Spawning task on worker 2... Waiting <span class="k">for </span>result from worker 2... Result from worker 2: <span class="s2">"Process 2 on host '...' (thread 1) knows MY_CONSTANT = 10"</span> <span class="nt">---</span> Distributed Map-Reduce <span class="o">(</span>@distributed<span class="o">)</span> <span class="nt">---</span> Calculating <span class="nb">sum </span>of squares from 1 to 10 across workers... From worker 2: Worker 2 processing i <span class="o">=</span> 1 From worker 3: Worker 3 processing i <span class="o">=</span> 4 From worker 4: Worker 4 processing i <span class="o">=</span> 7 From worker 5: Worker 5 processing i <span class="o">=</span> 10 From worker 2: Worker 2 processing i <span class="o">=</span> 2 From worker 3: Worker 3 processing i <span class="o">=</span> 5 From worker 4: Worker 4 processing i <span class="o">=</span> 8 From worker 2: Worker 2 processing i <span class="o">=</span> 3 From worker 3: Worker 3 processing i <span class="o">=</span> 6 From worker 4: Worker 4 processing i <span class="o">=</span> 9 Distributed loop finished. Final <span class="nb">sum </span>of squares: 385 </code></pre> </div> <p><em>(The exact hostname <code>'...'</code> and the interleaving of worker output will vary.)</em></p> <h2> Simd Vectorization </h2> <h3> <code>0103_simd_macro.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0103_simd_macro.jl</span> <span class="c"># Introduces the @simd macro for loop vectorization hints.</span> <span class="c"># Requires BenchmarkTools.jl</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># --- Standard Loop ---</span> <span class="c"># Function to sum array elements with a standard loop.</span> <span class="c"># The compiler *might* auto-vectorize this, but it's not guaranteed.</span> <span class="k">function</span><span class="nf"> sum_array_standard</span><span class="x">(</span><span class="n">A</span><span class="o">::</span><span class="kt">Vector</span><span class="x">{</span><span class="kt">Float64</span><span class="x">})</span> <span class="n">total</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># Use @inbounds for performance, assuming indices are valid.</span> <span class="nd">@inbounds</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="n">eachindex</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">A</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="k">end</span> <span class="k">return</span> <span class="n">total</span> <span class="k">end</span> <span class="c"># --- Loop with @simd Hint ---</span> <span class="c"># Function using the '@simd' macro hint.</span> <span class="k">function</span><span class="nf"> sum_array_simd</span><span class="x">(</span><span class="n">A</span><span class="o">::</span><span class="kt">Vector</span><span class="x">{</span><span class="kt">Float64</span><span class="x">})</span> <span class="n">total</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># '@simd' is a *promise* to the compiler that iterations are independent</span> <span class="c"># and reordering operations (for vectorization) is safe.</span> <span class="nd">@inbounds</span> <span class="nd">@simd</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="n">eachindex</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="c"># We promise:</span> <span class="c"># 1. Iterations are independent (result for 'i' doesn't affect 'i+1').</span> <span class="c"># 2. No data dependencies across iterations (e.g., A[i] = A[i-1] + ...).</span> <span class="c"># 3. Floating-point reordering (associativity changes) is acceptable.</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">A</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="k">end</span> <span class="k">return</span> <span class="n">total</span> <span class="k">end</span> <span class="c"># --- Benchmarking ---</span> <span class="c"># Setup a large array</span> <span class="n">A</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">Float64</span><span class="x">,</span> <span class="mi">1_000_000</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Benchmarking standard loop:"</span><span class="x">)</span> <span class="c"># Benchmark the standard loop. Interpolate 'A'.</span> <span class="nd">@btime</span> <span class="n">sum_array_standard</span><span class="x">(</span><span class="o">$</span><span class="n">A</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Benchmarking with @simd:"</span><span class="x">)</span> <span class="c"># Benchmark the loop with the @simd hint. Interpolate 'A'.</span> <span class="nd">@btime</span> <span class="n">sum_array_simd</span><span class="x">(</span><span class="o">$</span><span class="n">A</span><span class="x">)</span> <span class="c"># --- Verification (Advanced, Optional) ---</span> <span class="c"># To confirm vectorization, you can inspect the generated LLVM code:</span> <span class="c"># julia&gt; import InteractiveUtils: @code_llvm</span> <span class="c"># julia&gt; @code_llvm sum_array_simd(A)</span> <span class="c"># Look for instructions operating on vectors (e.g., "&lt;4 x double&gt;", "vector.body")</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>SIMD</strong> (Single Instruction, Multiple Data) and the <strong><code>@simd</code></strong> macro, a way to potentially achieve significant performance gains by leveraging special CPU vector instructions.</p> <h2> Core Concept: SIMD Vectorization </h2> <ul> <li> <strong>What is SIMD?</strong> Modern CPUs have special <strong>vector registers</strong> (e.g., 128-bit SSE, 256-bit AVX, 512-bit AVX-512) and corresponding instructions that can perform the <em>same operation</em> (like addition or multiplication) on <em>multiple data elements</em> (e.g., two <code>Float64</code>s, four <code>Float32</code>s, etc.) <strong>in a single clock cycle</strong>. This is a form of parallelism <em>within</em> a single CPU core.</li> <li> <strong>Example:</strong> Instead of adding two <code>Float64</code>s (<code>addsd</code>), an AVX-enabled CPU can add <em>four pairs</em> of <code>Float64</code>s simultaneously using a single <code>vaddpd</code> instruction.</li> <li> <strong>Goal:</strong> For loops performing simple arithmetic on arrays, we want the compiler to emit these efficient SIMD instructions instead of scalar instructions. This is called <strong>auto-vectorization</strong>.</li> </ul> <h2> The <code>@simd</code> Macro: A Hint to the Compiler </h2> <ul> <li> <strong>Compiler Limitations:</strong> While Julia's compiler (LLVM) is good at auto-vectorization, it can sometimes be too conservative. It might fail to vectorize a loop if it cannot <em>prove</em> that doing so is safe (e.g., if it suspects potential dependencies between loop iterations or complex memory access patterns).</li> <li> <strong><code>@simd</code> Macro:</strong> The <code>@simd</code> macro, placed immediately before a <code>for</code> loop, is a <strong>promise</strong> or <strong>hint</strong> from you to the compiler. You are asserting: <ol> <li> <strong>Iteration Independence:</strong> The computations in one iteration do <strong>not</strong> affect subsequent iterations.</li> <li> <strong>No Cross-Iteration Dependencies:</strong> The loop does not contain dependencies like <code>A[i] = A[i-1] + B[i]</code>.</li> <li> <strong>Floating-Point Safety:</strong> You accept that the compiler might reorder floating-point operations (e.g., changing <code>(a+b)+c</code> to <code>a+(b+c)</code>), which can lead to slightly different results due to precision differences.</li> </ol> </li> <li> <strong>Effect:</strong> By providing this guarantee, <code>@simd</code> <strong>allows</strong> the compiler to be more aggressive in applying vectorization transformations that it might otherwise deem unsafe. It <strong>does not force</strong> vectorization but strongly encourages it.</li> </ul> <h2> Performance Impact </h2> <ul> <li> <strong>Potential Speedup:</strong> When <code>@simd</code> successfully enables vectorization for an arithmetic-heavy loop on a contiguous array, the speedup can be significant (typically <strong>2x to 8x</strong> or more, depending on the operation and the CPU's vector width).</li> <li> <strong>Benchmarking:</strong> Comparing <code>sum_array_standard</code> and <code>sum_array_simd</code> using <code>@btime</code> is the practical way to see if <code>@simd</code> provided a benefit <em>in your specific case</em>. The standard loop might already be auto-vectorized, or the <code>@simd</code> hint might enable it.</li> </ul> <h2> Critical Warning: The Promise Must Be True </h2> <ul> <li> <strong>Undefined Behavior:</strong> If you place <code>@simd</code> before a loop that <strong>violates</strong> the independence or dependency rules, you are lying to the compiler. It may generate incorrect SIMD code based on your false promise, leading to <strong>wrong results</strong> (a "vectorized" data race) without any error message.</li> <li> <strong>Responsibility:</strong> Use <code>@simd</code> <strong>only when you are certain</strong> the loop iterations are independent and reordering is safe.</li> </ul> <p><strong>Guideline (HFT):</strong> <code>@simd</code> is a valuable tool for optimizing tight, arithmetic loops common in signal processing, financial modeling, or data manipulation. Always benchmark to confirm its effectiveness and ensure your loop meets the independence criteria before using it.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Performance Tips", <code>@simd</code>:</strong> Explains the macro as a hint for vectorization and lists the required properties.</li> <li> <strong>LLVM Auto-Vectorizer Documentation:</strong> (External) Provides insight into the compiler technology Julia uses for vectorization.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>BenchmarkTools.jl</code> installed)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0103_simd_macro.jl Benchmarking standard loop: 371.123 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> Benchmarking with @simd: 84.179 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> </code></pre> </div> <h3> <code>0104_simd_explicit.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0104_simd_explicit.jl</span> <span class="c"># Demonstrates explicit vectorization using the SIMD.jl package.</span> <span class="c"># Requires SIMD.jl and BenchmarkTools.jl</span> <span class="c"># 1. Import necessary components. See Explanation for installation.</span> <span class="k">import</span> <span class="n">SIMD</span><span class="o">:</span> <span class="n">Vec</span><span class="x">,</span> <span class="n">vload</span><span class="x">,</span> <span class="n">vloada</span><span class="x">,</span> <span class="n">sum</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># --- Explicit SIMD Function ---</span> <span class="c"># 2. Define constants for vector width based on target CPU.</span> <span class="c"># 'N = 4' assumes a 256-bit register width (e.g., AVX2) for Float64 (64-bit).</span> <span class="c"># If using AVX-512, N could be 8. For SSE, N would be 2.</span> <span class="c"># 'VecType' is an alias for the specific SIMD vector type.</span> <span class="kd">const</span> <span class="n">N</span> <span class="o">=</span> <span class="mi">4</span> <span class="c"># Vector width (e.g., 4 x Float64 for 256-bit AVX2)</span> <span class="kd">const</span> <span class="n">VecType</span> <span class="o">=</span> <span class="n">Vec</span><span class="x">{</span><span class="n">N</span><span class="x">,</span> <span class="kt">Float64</span><span class="x">}</span> <span class="c"># Function using explicit SIMD instructions via SIMD.jl</span> <span class="k">function</span><span class="nf"> sum_explicit_simd</span><span class="x">(</span><span class="n">A</span><span class="o">::</span><span class="kt">Vector</span><span class="x">{</span><span class="kt">Float64</span><span class="x">})</span> <span class="c"># 3. Precondition: Array length must be a multiple of the vector width.</span> <span class="c"># Real-world code needs to handle trailing elements (remainder).</span> <span class="nd">@assert</span> <span class="n">length</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="o">%</span> <span class="n">N</span> <span class="o">==</span> <span class="mi">0</span> <span class="s">"Array length must be a multiple of SIMD width (</span><span class="si">$</span><span class="s">N)"</span> <span class="c"># 4. Initialize accumulator vector(s).</span> <span class="c"># 'zero(VecType)' creates a vector register filled with zeros.</span> <span class="c"># Using multiple accumulators can sometimes improve instruction-level parallelism.</span> <span class="n">vsum1</span> <span class="o">=</span> <span class="n">zero</span><span class="x">(</span><span class="n">VecType</span><span class="x">)</span> <span class="c"># vsum2 = zero(VecType) # Example if using 2 accumulators</span> <span class="c"># 5. Iterate through the array in steps of the vector width 'N'.</span> <span class="c"># '@inbounds' is crucial to remove bounds checks within the SIMD loop.</span> <span class="nd">@inbounds</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">N</span><span class="o">:</span><span class="n">length</span><span class="x">(</span><span class="n">A</span><span class="x">)</span> <span class="c"># 6. Load 'N' elements from memory into a vector register.</span> <span class="c"># 'vload(VecType, pointer, index)' performs a vector load.</span> <span class="c"># 'pointer(A, i)' gets the pointer to the i-th element.</span> <span class="c"># Alternatively, 'vloada' might assume alignment for potentially faster loads.</span> <span class="n">v</span> <span class="o">=</span> <span class="n">vload</span><span class="x">(</span><span class="n">VecType</span><span class="x">,</span> <span class="n">pointer</span><span class="x">(</span><span class="n">A</span><span class="x">,</span> <span class="n">i</span><span class="x">))</span> <span class="c"># v = vloada(VecType, pointer(A, i)) # If memory is guaranteed aligned</span> <span class="c"># 7. Perform vector addition.</span> <span class="c"># This compiles to a single SIMD instruction (e.g., 'vaddpd').</span> <span class="n">vsum1</span> <span class="o">+=</span> <span class="n">v</span> <span class="c"># If using multiple accumulators:</span> <span class="c"># v = vload(VecType, pointer(A, i + N))</span> <span class="c"># vsum2 += v</span> <span class="c"># (Loop step would then be 2*N)</span> <span class="k">end</span> <span class="c"># 8. Reduce the final vector accumulator(s) to a scalar sum.</span> <span class="c"># 'sum(vsum1)' adds up the elements within the vector register.</span> <span class="n">total_sum</span> <span class="o">=</span> <span class="n">sum</span><span class="x">(</span><span class="n">vsum1</span><span class="x">)</span> <span class="c"># + sum(vsum2) if using multiple</span> <span class="c"># Handle trailing elements here if the length wasn't a multiple of N.</span> <span class="k">return</span> <span class="n">total_sum</span> <span class="k">end</span> <span class="c"># --- Benchmarking ---</span> <span class="c"># Setup a large array (ensure length is a multiple of N)</span> <span class="n">len</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="c"># Adjust length slightly if needed: len = floor(Int, len / N) * N</span> <span class="n">A</span> <span class="o">=</span> <span class="n">rand</span><span class="x">(</span><span class="kt">Float64</span><span class="x">,</span> <span class="n">len</span><span class="x">)</span> <span class="c"># Load the @simd version from the previous lesson for comparison</span> <span class="c"># (Assuming 0103_simd_macro.jl is accessible and defines sum_array_simd)</span> <span class="k">try</span> <span class="n">include</span><span class="x">(</span><span class="s">"0103_simd_macro.jl"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Benchmarking previous @simd version:"</span><span class="x">)</span> <span class="nd">@btime</span> <span class="n">sum_array_simd</span><span class="x">(</span><span class="o">$</span><span class="n">A</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Could not load sum_array_simd for comparison: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Benchmarking explicit SIMD (SIMD.jl):"</span><span class="x">)</span> <span class="c"># Benchmark the explicit SIMD function. Interpolate 'A'.</span> <span class="nd">@btime</span> <span class="n">sum_explicit_simd</span><span class="x">(</span><span class="o">$</span><span class="n">A</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>SIMD.jl</code></strong> package, which provides tools for <strong>explicit vectorization</strong>. Unlike the <code>@simd</code> macro (which is a <em>hint</em>), <code>SIMD.jl</code> allows you to directly control the use of CPU vector registers and instructions, offering potentially higher and more predictable performance at the cost of increased code complexity.</p> <p><strong>Installation Note:</strong></p> <p><code>SIMD.jl</code> is an external package. You need to add it to your project environment once.</p> <ol> <li> Start the Julia REPL: <code>julia</code> </li> <li> Enter Pkg mode: <code>]</code> </li> <li> Add the package: <code>add SIMD</code> </li> <li> Exit Pkg mode: Press Backspace or <code>Ctrl+C</code>.</li> <li> You can now run this script (assuming <code>BenchmarkTools.jl</code> is also installed).</li> </ol> <h2> Core Concept: Explicit vs. Implicit Vectorization </h2> <ul> <li> <strong>Implicit (<code>@simd</code>, Auto-vectorization):</strong> You write a standard loop and <em>hope</em> or <em>hint</em> (<code>@simd</code>) that the compiler (LLVM) is smart enough to generate efficient SIMD instructions. Performance can vary depending on compiler heuristics and loop complexity.</li> <li> <strong>Explicit (<code>SIMD.jl</code>):</strong> You <strong>manually structure</strong> your loop to operate on chunks of data that fit into CPU vector registers. You use specific types (<code>Vec{N, T}</code>) and functions (<code>vload</code>, vector arithmetic) that directly map to SIMD hardware capabilities. You are essentially writing a high-level assembly language for the vector unit.</li> </ul> <h2> Using <code>SIMD.jl</code> </h2> <ol> <li> <strong>Vector Type (<code>Vec{N, T}</code>):</strong> This type represents a CPU vector register holding <code>N</code> elements of type <code>T</code>. <code>Vec{4, Float64}</code> directly corresponds to a 256-bit AVX register. You choose <code>N</code> based on your target CPU architecture (e.g., 4 for AVX2 <code>Float64</code>, 8 for AVX-512 <code>Float64</code>).</li> <li> <strong>Loop Structure:</strong> The loop must iterate in steps of <code>N</code> (<code>1:N:length(A)</code>). You must ensure the array length is compatible (often a multiple of <code>N</code>) and typically handle any remaining elements separately (this simple example uses an <code>@assert</code>).</li> <li> <strong>Vector Load (<code>vload</code>, <code>vloada</code>):</strong> Instead of scalar loads (<code>A[i]</code>), you use <code>vload(VecType, pointer, index)</code> to load <code>N</code> elements from memory directly into a <code>Vec</code> register. <code>vloada</code> is similar but assumes the memory address is aligned, which can be faster on some architectures if true. <code>@inbounds</code> is crucial here.</li> <li> <strong>Vector Arithmetic (<code>+</code>, <code>*</code>, etc.):</strong> Standard arithmetic operators (<code>+</code>, <code>-</code>, <code>*</code>, <code>/</code>) and math functions (<code>sqrt</code>, <code>sin</code>, etc.) are overloaded for <code>Vec</code> types. <code>vsum1 + v</code> compiles to a single vector addition instruction (e.g., <code>vaddpd</code>).</li> <li> <strong>Reduction (<code>sum</code>):</strong> After the loop, the accumulator (<code>vsum1</code>) is a <code>Vec</code> register containing <code>N</code> partial sums. You need a final step to reduce this vector to a single scalar value, e.g., using <code>sum(vsum1)</code>.</li> </ol> <h2> Performance and Trade-offs </h2> <ul> <li> <strong>Potential Gain:</strong> Explicit SIMD can sometimes outperform compiler auto-vectorization (even with <code>@simd</code>), especially for complex loops or when the compiler fails to vectorize optimally. It gives you maximum control and performance predictability.</li> <li> <strong>Complexity:</strong> Writing explicit SIMD code is significantly more complex and less portable. You need to know the vector width (<code>N</code>) of your target CPU, handle array lengths that aren't multiples of <code>N</code>, and manage multiple accumulators if needed for instruction-level parallelism.</li> <li> <strong>When to Use (HFT):</strong> This is typically reserved for the absolute most critical, "hot" loops in your application, identified through profiling, where the potential gains from manual vectorization outweigh the complexity and maintenance costs. You wouldn't write your entire application this way.</li> </ul> <p><strong>Guideline:</strong> Start with standard loops, use <code>@simd</code> if appropriate and benchmark the improvement. Only resort to explicit SIMD (<code>SIMD.jl</code>) if profiling shows a specific loop remains a major bottleneck and auto-vectorization (with or without <code>@simd</code>) isn't achieving the desired performance.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong><code>SIMD.jl</code> Documentation:</strong> (<a href="https://github.com/eschnett/SIMD.jl" rel="noopener noreferrer">https://github.com/eschnett/SIMD.jl</a> or relevant package documentation). Explains <code>Vec</code>, <code>vload</code>, and other vector operations.</li> <li> <strong>CPU Vendor Intrinsics Guides (e.g., Intel):</strong> Provide detailed information on the underlying hardware SIMD instructions that <code>SIMD.jl</code> maps to.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>SIMD.jl</code> and <code>BenchmarkTools.jl</code> installed. Assumes <code>0103_simd_macro.jl</code> is runnable for comparison.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0104_simd_explicit.jl Benchmarking standard loop: 371.126 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> Benchmarking with @simd: 84.159 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> Benchmarking previous @simd version: 84.153 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> Benchmarking explicit SIMD <span class="o">(</span>SIMD.jl<span class="o">)</span>: 93.132 μs <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> </code></pre> </div> <h1> Module 11: Metaprogramming for Zero-Cost Abstractions </h1> <h2> Expressions And Symbols </h2> <h3> <code>0105_module_intro.md</code> </h3> <p>This module introduces <strong>metaprogramming</strong> in Julia: the ability for code to manipulate or generate other code. We move beyond writing functions that operate on <em>values</em> to writing code that operates on <em>syntax</em> (<code>Expr</code> objects) and <em>types</em>.</p> <h2> Beyond Type Stability: Telling the Compiler What to Do </h2> <p>In previous modules, especially Module 6, we focused on writing <strong>type-stable</strong> functions. This helps the compiler <em>infer</em> types and generate efficient machine code. Metaprogramming takes this a step further: instead of just <em>helping</em> the compiler, we will <strong>directly instruct</strong> the compiler on exactly what code to generate in certain situations.</p> <h2> Zero-Cost Abstractions: The Holy Grail </h2> <p>The primary goal of metaprogramming in a performance context is to achieve <strong>zero-cost abstractions</strong>. This means writing code that is:</p> <ol> <li> <strong>High-level and Abstract:</strong> Readable, reusable, and easy to reason about (e.g., a generic <code>dot_product(a, b)</code> function).</li> <li> <strong>Zero-Cost:</strong> Compiles down to the <em>exact same</em> highly optimized machine code as if you had manually written the low-level, specialized version (e.g., the fully unrolled loop <code>a[1]*b[1] + a[2]*b[2] + ...</code>).</li> </ol> <p>Metaprogramming provides the bridge between high-level expression and low-level performance, eliminating the usual trade-off where abstraction introduces runtime overhead (like function call penalties or dynamic dispatch).</p> <h2> Code as Data: The Lisp Heritage </h2> <p>Julia, like Lisp, treats code itself as a <strong>first-class data structure</strong>. An expression like <code>a + b</code> isn't just syntax; it can be captured, stored in a variable as an <code>Expr</code> object, inspected (<code>.head</code>, <code>.args</code>), manipulated, and ultimately evaluated. This ability to treat <strong>code as data</strong> is the foundation upon which Julia's metaprogramming tools are built.</p> <h2> Relevance to High-Performance Computing (HFT) </h2> <p>In low-latency environments like High-Frequency Trading, <strong>every nanosecond counts</strong>. Abstraction overhead that might be acceptable elsewhere (like virtual function calls, dynamic lookups, or even simple function call overhead in the tightest loops) is often intolerable.</p> <p>Metaprogramming allows developers to:</p> <ul> <li> <strong>Eliminate Abstraction Penalties:</strong> Write clean, reusable abstractions (like generic vector math functions) that compile away completely, leaving only the bare-metal machine instructions.</li> <li> <strong>Generate Specialized Code:</strong> Automatically generate highly optimized code tailored to specific data types or sizes known at compile time (e.g., unrolling loops for fixed-size vectors).</li> <li> <strong>Reduce Boilerplate:</strong> Automate the generation of repetitive code patterns.</li> </ul> <h2> The Tools: Macros and Generated Functions </h2> <p>This module will focus on the two primary compile-time metaprogramming tools in Julia:</p> <ol> <li> <strong>Macros (<code>@macro_name</code>):</strong> Functions that run during <strong>parsing/macro expansion</strong>. They take Julia syntax (<code>Expr</code>, <code>Symbol</code>, literals) as input and return transformed Julia syntax as output. Ideal for syntactic abstraction and code generation based on the literal code written.</li> <li> <strong>Generated Functions (<code>@generated</code>):</strong> Functions that run during <strong>type inference/compilation</strong>. They take <strong>types</strong> as input and return an expression (<code>Expr</code>) representing the specialized code body to be compiled for those specific input types. Ideal for generating optimal code based on type information.</li> </ol> <p>We will also briefly discuss why runtime code generation (<code>eval</code>) is generally unsuitable for high-performance metaprogramming.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming":</strong> The primary reference covering expressions, quoting, macros, and generated functions.</li> </ul> </li> </ul> <h3> <code>0106_expressions_and_quoting.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0106_expressions_and_quoting.jl</span> <span class="c"># Introduces Expr, Symbol, and quoting: Code as Data.</span> <span class="c"># --- Quoting ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Quoting Code ---"</span><span class="x">)</span> <span class="c"># 1. The colon ':' followed by parentheses '(...)' or a 'begin...end' block</span> <span class="c"># is the "quoting" syntax. It prevents execution and captures the</span> <span class="c"># code structure as data.</span> <span class="n">ex1</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="mi">1</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">3</span><span class="x">)</span> <span class="n">ex2</span> <span class="o">=</span> <span class="k">quote</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">y</span> <span class="o">=</span> <span class="n">x</span> <span class="o">+</span> <span class="mi">5</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Quoted expression 1: "</span><span class="x">,</span> <span class="n">ex1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of ex1: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">ex1</span><span class="x">))</span> <span class="c"># Expr</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Quoted block expression 2: "</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">ex2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of ex2: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">ex2</span><span class="x">))</span> <span class="c"># Expr</span> <span class="c"># --- Expr: The Structure of Code ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Inspecting Expr ---"</span><span class="x">)</span> <span class="c"># 2. An 'Expr' object represents a piece of Julia code internally.</span> <span class="c"># It has two main fields:</span> <span class="c"># - 'head': A Symbol indicating the kind of expression (e.g., :call, :(=), :block).</span> <span class="c"># - 'args': A Vector{Any} containing the parts (arguments) of the expression.</span> <span class="n">println</span><span class="x">(</span><span class="s">"ex1.head: "</span><span class="x">,</span> <span class="n">ex1</span><span class="o">.</span><span class="n">head</span><span class="x">)</span> <span class="c"># :call (because '+' is a function call)</span> <span class="n">println</span><span class="x">(</span><span class="s">"ex1.args: "</span><span class="x">,</span> <span class="n">ex1</span><span class="o">.</span><span class="n">args</span><span class="x">)</span> <span class="c"># [:+ (Symbol), 1 (Int), :(2 * 3) (Expr)]</span> <span class="c"># Accessing parts of the expression tree</span> <span class="n">operator</span> <span class="o">=</span> <span class="n">ex1</span><span class="o">.</span><span class="n">args</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="n">arg1</span> <span class="o">=</span> <span class="n">ex1</span><span class="o">.</span><span class="n">args</span><span class="x">[</span><span class="mi">2</span><span class="x">]</span> <span class="n">sub_expression</span> <span class="o">=</span> <span class="n">ex1</span><span class="o">.</span><span class="n">args</span><span class="x">[</span><span class="mi">3</span><span class="x">]</span> <span class="n">println</span><span class="x">(</span><span class="s">" Operator: "</span><span class="x">,</span> <span class="n">operator</span><span class="x">,</span> <span class="s">" (Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">operator</span><span class="x">),</span> <span class="s">")"</span><span class="x">)</span> <span class="c"># Symbol</span> <span class="n">println</span><span class="x">(</span><span class="s">" Argument 1: "</span><span class="x">,</span> <span class="n">arg1</span><span class="x">,</span> <span class="s">" (Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">arg1</span><span class="x">),</span> <span class="s">")"</span><span class="x">)</span> <span class="c"># Int64</span> <span class="n">println</span><span class="x">(</span><span class="s">" Argument 2: "</span><span class="x">,</span> <span class="n">sub_expression</span><span class="x">,</span> <span class="s">" (Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">sub_expression</span><span class="x">),</span> <span class="s">")"</span><span class="x">)</span> <span class="c"># Expr</span> <span class="c"># Inspect the sub-expression</span> <span class="n">println</span><span class="x">(</span><span class="s">" Sub-expression head: "</span><span class="x">,</span> <span class="n">sub_expression</span><span class="o">.</span><span class="n">head</span><span class="x">)</span> <span class="c"># :call</span> <span class="n">println</span><span class="x">(</span><span class="s">" Sub-expression args: "</span><span class="x">,</span> <span class="n">sub_expression</span><span class="o">.</span><span class="n">args</span><span class="x">)</span> <span class="c"># [:*, 2, 3]</span> <span class="c"># Inspect the block expression</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">ex2.head: "</span><span class="x">,</span> <span class="n">ex2</span><span class="o">.</span><span class="n">head</span><span class="x">)</span> <span class="c"># :block</span> <span class="n">println</span><span class="x">(</span><span class="s">"ex2.args (lines/expressions in block): "</span><span class="x">)</span> <span class="k">for</span> <span class="n">arg</span> <span class="k">in</span> <span class="n">ex2</span><span class="o">.</span><span class="n">args</span> <span class="n">println</span><span class="x">(</span><span class="s">" "</span><span class="x">,</span> <span class="n">arg</span><span class="x">,</span> <span class="s">" (Type: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">arg</span><span class="x">),</span> <span class="s">")"</span><span class="x">)</span> <span class="c"># LineNumberNode or Expr</span> <span class="k">end</span> <span class="c"># --- Symbols ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Symbols ---"</span><span class="x">)</span> <span class="c"># 3. A 'Symbol' is an "interned string" used to represent identifiers</span> <span class="c"># (variable names, function names, operators, keywords) in the code structure.</span> <span class="c"># It's created with a colon ':'.</span> <span class="n">sym_var</span> <span class="o">=</span> <span class="o">:</span><span class="n">my_variable</span> <span class="n">sym_op</span> <span class="o">=</span> <span class="o">:+</span> <span class="n">sym_kw</span> <span class="o">=</span> <span class="o">:</span><span class="k">if</span> <span class="n">println</span><span class="x">(</span><span class="s">"Symbol sym_var: "</span><span class="x">,</span> <span class="n">sym_var</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of sym_var: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">sym_var</span><span class="x">))</span> <span class="c"># Symbol</span> <span class="c"># Symbols guarantee that identical names point to the same object (interning),</span> <span class="c"># making comparisons very fast (relevant from Module 3).</span> <span class="c"># --- Building Expressions Programmatically ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Building Expressions ---"</span><span class="x">)</span> <span class="c"># 4. You can construct Expr objects directly.</span> <span class="c"># Expr(head::Symbol, args...)</span> <span class="n">ex_manual</span> <span class="o">=</span> <span class="kt">Expr</span><span class="x">(</span><span class="o">:</span><span class="n">call</span><span class="x">,</span> <span class="o">:*</span><span class="x">,</span> <span class="o">:</span><span class="n">a</span><span class="x">,</span> <span class="o">:</span><span class="n">b</span><span class="x">)</span> <span class="c"># Equivalent to :(a * b)</span> <span class="n">ex_assign</span> <span class="o">=</span> <span class="kt">Expr</span><span class="x">(</span><span class="o">:</span><span class="x">(</span><span class="o">=</span><span class="x">),</span> <span class="o">:</span><span class="n">result</span><span class="x">,</span> <span class="n">ex_manual</span><span class="x">)</span> <span class="c"># Equivalent to :(result = a * b)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Manually built expression: "</span><span class="x">,</span> <span class="n">ex_assign</span><span class="x">)</span> <span class="c"># --- Evaluating Expressions ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Evaluating Expressions (eval) ---"</span><span class="x">)</span> <span class="c"># 5. 'eval(expr)' takes an Expr object and executes it in the</span> <span class="c"># *global scope* of the current module at *runtime*.</span> <span class="n">a</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">6</span> <span class="c"># 'result' does not exist yet.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Before eval: a=</span><span class="si">$</span><span class="s">a, b=</span><span class="si">$</span><span class="s">b"</span><span class="x">)</span> <span class="c"># eval(ex_assign) will execute 'result = a * b'</span> <span class="n">eval</span><span class="x">(</span><span class="n">ex_assign</span><span class="x">)</span> <span class="c"># 'result' now exists as a global variable.</span> <span class="n">println</span><span class="x">(</span><span class="s">"After eval: result=</span><span class="si">$</span><span class="s">result"</span><span class="x">)</span> <span class="c"># 6. WARNING: 'eval' is generally SLOW and should be AVOIDED in</span> <span class="c"># performance-critical code. It invokes the compiler at runtime</span> <span class="c"># and operates on global variables. Macros and @generated functions</span> <span class="c"># perform code generation at compile time.</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the fundamental concepts underpinning Julia's metaprogramming capabilities: the ability to treat <strong>code as data</strong> using <strong><code>Expr</code></strong> objects, **<code>Symbol</code>**s, and the <strong>quoting</strong> syntax.</p> <h2> Core Concept: Code as Data (<code>Expr</code>) </h2> <ul> <li>In Julia, code can be represented as a data structure <em>before</em> it's compiled or executed. The primary data structure for this is <code>Expr</code>.</li> <li> <strong><code>Expr</code> Objects:</strong> An <code>Expr</code> represents a compound piece of Julia syntax, like a function call, an assignment, a block of code, or a loop. It essentially represents a node in the code's <strong>Abstract Syntax Tree (AST)</strong>.</li> <li> <strong>Structure:</strong> An <code>Expr</code> has two main components: <ul> <li> <code>.head</code>: A <code>Symbol</code> indicating the <em>type</em> of expression (e.g., <code>:call</code> for a function call, <code>:=</code> for assignment, <code>:block</code> for a sequence of statements, <code>:if</code> for an if-statement).</li> <li> <code>.args</code>: A <code>Vector{Any}</code> containing the <em>parts</em> or arguments of the expression. These parts can be literal values (like <code>1</code>, <code>"hello"</code>), <code>Symbol</code>s, or even other nested <code>Expr</code> objects.</li> </ul> </li> </ul> <h2> Quoting (<code>:</code> or <code>quote ... end</code>) </h2> <ul> <li> <strong>Purpose:</strong> The quoting syntax (<code>:(...)</code> or <code>quote ... end</code>) is how you <strong>capture</strong> Julia code as an <code>Expr</code> data structure <em>without executing it</em>.</li> <li> <strong>Example:</strong> <code>ex1 = :(1 + 2 * 3)</code> does not calculate <code>7</code>. It creates an <code>Expr</code> object representing the addition and multiplication operations. Inspecting <code>ex1.head</code> (<code>:call</code>) and <code>ex1.args</code> (<code>[:+, 1, :(2 * 3)]</code>) reveals this structure. The <code>:(2 * 3)</code> is itself a nested <code>Expr</code>.</li> <li> <strong>Blocks:</strong> <code>quote ... end</code> is useful for capturing multi-line blocks of code. The resulting <code>Expr</code> typically has <code>.head == :block</code>, and its <code>.args</code> contain the individual expressions and line number information from the block.</li> </ul> <h2> Symbols (<code>:name</code>) </h2> <ul> <li> <strong>Purpose:</strong> A <code>Symbol</code> is a special, <strong>interned</strong> string used primarily to represent <strong>identifiers</strong> (names) within code structures. Function names (<code>:+</code>, <code>:sin</code>), variable names (<code>:x</code>, <code>:my_variable</code>), keywords (<code>:if</code>, <code>:for</code>), and expression heads (<code>:call</code>, <code>:block</code>) are represented as <code>Symbol</code>s within an <code>Expr</code>.</li> <li> <strong>Interning:</strong> "Interned" means that only one <code>Symbol</code> object exists for any given name. <code>:x === :x</code> is always true, and this comparison is as fast as comparing integers (relevant from Module 3 on Symbols vs. Strings). This makes them efficient keys for representing code structure.</li> </ul> <h2> Building and Evaluating Expressions </h2> <ul> <li> <strong>Programmatic Construction:</strong> You can build <code>Expr</code> objects manually using <code>Expr(head, args...)</code>. This is what macros often do internally to construct the code they will return. <code>Expr(:(=), :result, Expr(:call, :*, :a, :b))</code> programmatically builds the AST for <code>result = a * b</code>.</li> <li> <strong><code>eval(expr)</code>:</strong> This function takes an <code>Expr</code> object and <strong>executes</strong> it within the <strong>global scope</strong> of the current module at <strong>runtime</strong>.</li> <li> <strong><code>eval</code> Warning:</strong> While useful for demonstration or interactive use, <code>eval</code> should generally be <strong>avoided</strong> in performance-sensitive code. It has significant overhead because: <ol> <li> It often involves invoking the compiler <strong>at runtime</strong>.</li> <li> It operates in the <strong>global scope</strong>, which hinders compiler optimizations (due to potential type instability, as seen in Module 6).</li> </ol> </li> <li> <strong>Metaprogramming Goal:</strong> The goal of high-performance metaprogramming (using macros and generated functions) is to perform code generation and transformation <strong>at compile time</strong>, avoiding runtime <code>eval</code>.</li> </ul> <p>Understanding <code>Expr</code>, <code>Symbol</code>, and quoting is the foundation for writing macros, which manipulate these code structures before compilation.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Expressions":</strong> Explains <code>Expr</code>, <code>Symbol</code>, quoting (<code>quote</code>), and <code>dump</code>.</li> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Eval":</strong> Describes <code>eval</code> and its scope implications.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0106_expressions_and_quoting.jl <span class="nt">---</span> Quoting Code <span class="nt">---</span> Quoted expression 1: 1 + 2 <span class="k">*</span> 3 Type of ex1: Expr Quoted block expression 2: quote <span class="c">#= ... =#</span> x <span class="o">=</span> 10 <span class="c">#= ... =#</span> y <span class="o">=</span> x + 5 end Type of ex2: Expr <span class="nt">---</span> Inspecting Expr <span class="nt">---</span> ex1.head: call ex1.args: Any[:+, 1, :<span class="o">(</span><span class="si">$(</span>Expr<span class="o">(</span>:call, :<span class="k">*</span>, 2, 3<span class="o">)</span><span class="si">)</span><span class="o">)]</span> Operator: + <span class="o">(</span>Type: Symbol<span class="o">)</span> Argument 1: 1 <span class="o">(</span>Type: Int64<span class="o">)</span> Argument 2: 2 <span class="k">*</span> 3 <span class="o">(</span>Type: Expr<span class="o">)</span> Sub-expression <span class="nb">head</span>: call Sub-expression args: Any[:<span class="k">*</span>, 2, 3] ex2.head: block ex2.args <span class="o">(</span>lines/expressions <span class="k">in </span>block<span class="o">)</span>: LineNumberNode<span class="o">(</span><span class="s2">"..."</span>, :none<span class="o">)</span> <span class="o">(</span>Type: LineNumberNode<span class="o">)</span> :<span class="o">(</span><span class="si">$(</span>Expr<span class="o">(</span>:<span class="o">(=)</span>, :x, 10<span class="o">)</span><span class="si">)</span><span class="o">)</span> <span class="o">(</span>Type: Expr<span class="o">)</span> LineNumberNode<span class="o">(</span><span class="s2">"..."</span>, :none<span class="o">)</span> <span class="o">(</span>Type: LineNumberNode<span class="o">)</span> :<span class="o">(</span><span class="si">$(</span>Expr<span class="o">(</span>:<span class="o">(=)</span>, :y, Expr<span class="o">(</span>:call, :+, :x, 5<span class="o">))</span><span class="si">)</span><span class="o">)</span> <span class="o">(</span>Type: Expr<span class="o">)</span> <span class="nt">---</span> Symbols <span class="nt">---</span> Symbol sym_var: my_variable Type of sym_var: Symbol <span class="nt">---</span> Building Expressions <span class="nt">---</span> Manually built expression: result <span class="o">=</span> a <span class="k">*</span> b <span class="nt">---</span> Evaluating Expressions <span class="o">(</span><span class="nb">eval</span><span class="o">)</span> <span class="nt">---</span> Before <span class="nb">eval</span>: <span class="nv">a</span><span class="o">=</span>5, <span class="nv">b</span><span class="o">=</span>6 After <span class="nb">eval</span>: <span class="nv">result</span><span class="o">=</span>30 </code></pre> </div> <p><em>(LineNumberNode details and exact Expr printing might vary slightly.)</em></p> <h3> <code>0107_dump_and_ast.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0107_dump_and_ast.jl</span> <span class="c"># Using dump() to inspect the structure of Expr objects (AST).</span> <span class="c"># 1. Basic arithmetic expression</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- dump(:(1 + 2 * 3)) ---"</span><span class="x">)</span> <span class="c"># Quoting captures the code as an Expr object.</span> <span class="n">ex1</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="mi">1</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">3</span><span class="x">)</span> <span class="c"># dump() provides a detailed, recursive view of the object's structure.</span> <span class="n">dump</span><span class="x">(</span><span class="n">ex1</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="o">*</span> <span class="s">"-"</span><span class="o">^</span><span class="mi">30</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="c"># Separator</span> <span class="c"># 2. Function call expression</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- dump(:(println(</span><span class="se">\"</span><span class="s">Hello </span><span class="se">\"</span><span class="s">, name))) ---"</span><span class="x">)</span> <span class="n">ex2</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="n">println</span><span class="x">(</span><span class="s">"Hello "</span><span class="x">,</span> <span class="n">name</span><span class="x">))</span> <span class="n">dump</span><span class="x">(</span><span class="n">ex2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="o">*</span> <span class="s">"-"</span><span class="o">^</span><span class="mi">30</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="c"># 3. Assignment expression with array indexing</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- dump(:(results[i] = compute(data[i]))) ---"</span><span class="x">)</span> <span class="n">ex3</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="n">results</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">=</span> <span class="n">compute</span><span class="x">(</span><span class="n">data</span><span class="x">[</span><span class="n">i</span><span class="x">]))</span> <span class="n">dump</span><span class="x">(</span><span class="n">ex3</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span> <span class="o">*</span> <span class="s">"-"</span><span class="o">^</span><span class="mi">30</span> <span class="o">*</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="x">)</span> <span class="c"># 4. Block expression (e.g., from 'begin...end' or multi-line quote)</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- dump(quote ... end) ---"</span><span class="x">)</span> <span class="n">ex4</span> <span class="o">=</span> <span class="k">quote</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">10</span> <span class="k">if</span> <span class="n">x</span> <span class="o">&gt;</span> <span class="mi">5</span> <span class="n">println</span><span class="x">(</span><span class="s">"Greater"</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">dump</span><span class="x">(</span><span class="n">ex4</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <strong><code>dump()</code></strong> function, an indispensable tool for metaprogramming in Julia. It allows you to visualize the detailed internal structure of any Julia object, and it's particularly useful for understanding the <strong>Abstract Syntax Tree (AST)</strong> represented by <strong><code>Expr</code></strong> objects.</p> <h2> Core Concept: Visualizing the AST </h2> <ul> <li> <strong><code>Expr</code> Review:</strong> As seen in the previous lesson, Julia code captured by quoting (<code>:</code> or <code>quote...end</code>) is stored as nested <code>Expr</code> objects. An <code>Expr</code> has a <code>.head</code> (a <code>Symbol</code> indicating the operation type) and <code>.args</code> (a <code>Vector{Any}</code> containing the parts).</li> <li> <strong><code>dump(object)</code>:</strong> This built-in function provides a <strong>recursive, indented printout</strong> of the structure and fields of any Julia object. When applied to an <code>Expr</code>, it reveals the entire tree structure of the captured code.</li> <li> <strong>Why Use <code>dump()</code>?</strong> When writing macros (which receive <code>Expr</code> objects as input), you <em>need</em> to know the exact structure of the code you are receiving to correctly transform it. <code>dump()</code> is your primary tool for inspecting these input expressions during macro development and debugging.</li> </ul> <h2> Analyzing the Output </h2> <p>Let's examine the <code>dump</code> output for each example:</p> <ol> <li> <strong><code>dump(:(1 + 2 * 3))</code></strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * Shows the top-level `Expr` with `head: call` and `args: [+, 1, Expr]`. This confirms that `1 + ...` is treated as a function call to `+`. * Recursively shows the nested `Expr` for `2 * 3` also having `head: call` and `args: [*, 2, 3]`. * This reveals the **operator precedence** and nesting captured in the AST. </code></pre> </div> <ol> <li> <strong><code>dump(:(println("Hello ", name)))</code></strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * `head: call`. * `args: [println (GlobalRef), "Hello " (String), name (Symbol)]`. * Illustrates how function names (`println`), literal strings, and variable names (`name`, represented as a `Symbol`) appear within the `.args` list. </code></pre> </div> <ol> <li> <strong><code>dump(:(results[i] = compute(data[i])))</code></strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * Top-level `head: =` (assignment). * `args[1]` is an `Expr` representing the left-hand side `results[i]`, with `head: ref` (array reference/indexing) and `args: [results, i]`. * `args[2]` is an `Expr` representing the right-hand side `compute(data[i])`, with `head: call` and `args: [compute, Expr]`, where the nested `Expr` is for `data[i]` (`head: ref`, `args: [data, i]`). * Shows how complex statements involving assignments, function calls, and indexing are represented as nested trees. </code></pre> </div> <ol> <li> <strong><code>dump(quote ... end)</code></strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * Top-level `head: block`. * `args` contains a sequence of items representing the lines within the block, often alternating between `LineNumberNode` (for debugging info) and `Expr` objects for each actual statement (like the assignment `x = 10` (`head: =`) and the `if` statement (`head: if`)). * Shows the structure for multi-line code blocks. </code></pre> </div> <p>By using <code>dump()</code>, you gain a precise understanding of how Julia represents syntax internally. This knowledge is crucial before attempting to write macros that manipulate or generate code effectively.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Base Documentation, <code>dump</code>:</strong> "Show every part of the representation of a value."</li> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Expressions":</strong> Describes the <code>Expr</code> structure that <code>dump</code> visualizes.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0107_dump_and_ast.jl <span class="nt">---</span> dump<span class="o">(</span>:<span class="o">(</span>1 + 2 <span class="k">*</span> 3<span class="o">))</span> <span class="nt">---</span> Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>3,<span class="o">))</span> 1: Symbol + 2: Int64 1 3: Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>3,<span class="o">))</span> 1: Symbol <span class="k">*</span> 2: Int64 2 3: Int64 3 <span class="nt">------------------------------</span> <span class="nt">---</span> dump<span class="o">(</span>:<span class="o">(</span>println<span class="o">(</span><span class="s2">"Hello "</span>, name<span class="o">)))</span> <span class="nt">---</span> Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>3,<span class="o">))</span> 1: Symbol println 2: String <span class="s2">"Hello "</span> 3: Symbol name <span class="nt">------------------------------</span> <span class="nt">---</span> dump<span class="o">(</span>:<span class="o">(</span>results[i] <span class="o">=</span> compute<span class="o">(</span>data[i]<span class="o">)))</span> <span class="nt">---</span> Expr <span class="nb">head</span>: Symbol <span class="o">=</span> args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Expr <span class="nb">head</span>: Symbol ref args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Symbol results 2: Symbol i 2: Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Symbol compute 2: Expr <span class="nb">head</span>: Symbol ref args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Symbol data 2: Symbol i <span class="nt">------------------------------</span> <span class="nt">---</span> dump<span class="o">(</span>quote ... end<span class="o">)</span> <span class="nt">---</span> Expr <span class="nb">head</span>: Symbol block args: Array<span class="o">{</span>Any<span class="o">}((</span>3,<span class="o">))</span> 1: LineNumberNode line: Int64 36 file: Symbol <span class="c">## path to file ##</span> 2: Expr <span class="nb">head</span>: Symbol <span class="o">=</span> args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Symbol x 2: Int64 10 3: Expr <span class="nb">head</span>: Symbol <span class="k">if </span>args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>3,<span class="o">))</span> 1: Symbol <span class="o">&gt;</span> 2: Symbol x 3: Int64 5 2: Expr <span class="nb">head</span>: Symbol block args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: LineNumberNode line: Int64 38 file: Symbol <span class="c">## path to file ##</span> 2: Expr <span class="nb">head</span>: Symbol call args: Array<span class="o">{</span>Any<span class="o">}((</span>2,<span class="o">))</span> 1: Symbol println 2: String <span class="s2">"Greater"</span> </code></pre> </div> <p><em>(File paths and line numbers in the output will vary.)</em></p> <h2> Macros </h2> <h3> <code>0108_macros_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0108_macros_basics.jl</span> <span class="c"># Defines and uses a simple macro.</span> <span class="c"># 1. Define a macro using the 'macro' keyword.</span> <span class="c"># The macro name MUST start with '@'.</span> <span class="c"># Macros receive their arguments as quoted expressions (Expr, Symbol, literals).</span> <span class="k">macro</span><span class="nf"> print_expression_info</span><span class="x">(</span><span class="n">expression_arg</span><span class="x">)</span> <span class="c"># This code runs during macro expansion (before runtime).</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Inside Macro '@print_expression_info' (Compile Time) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Received expression: "</span><span class="x">,</span> <span class="n">expression_arg</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Type of expression: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">expression_arg</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">" String representation: "</span><span class="x">,</span> <span class="n">string</span><span class="x">(</span><span class="n">expression_arg</span><span class="x">))</span> <span class="c"># Convert Symbol or Expr to String</span> <span class="c"># 2. Return a new expression.</span> <span class="c"># This expression will *replace* the original macro call in the code.</span> <span class="c"># We use '$' interpolation to insert the *string* representation</span> <span class="c"># of the original expression into the 'println' call we are building.</span> <span class="n">returned_expr</span> <span class="o">=</span> <span class="k">quote</span> <span class="c"># This code will run at runtime</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Executing Code Generated by Macro (Runtime) ---"</span><span class="x">)</span> <span class="c"># Interpolate the stringified expression from compile time</span> <span class="n">println</span><span class="x">(</span><span class="s">" Original expression was: '"</span><span class="x">,</span> <span class="o">$</span><span class="x">(</span><span class="n">string</span><span class="x">(</span><span class="n">expression_arg</span><span class="x">)),</span> <span class="s">"'"</span><span class="x">)</span> <span class="c"># Interpolate the original expression itself to be evaluated at runtime</span> <span class="kd">local</span> <span class="n">result_value</span> <span class="o">=</span> <span class="o">$</span><span class="x">(</span><span class="n">expression_arg</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Its runtime value is: "</span><span class="x">,</span> <span class="n">result_value</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Macro Returning Expression ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="n">returned_expr</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"---------------------------------"</span><span class="x">)</span> <span class="k">return</span> <span class="n">returned_expr</span> <span class="k">end</span> <span class="c"># --- Using the Macro ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Script Execution (Runtime) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Preparing to call the macro..."</span><span class="x">)</span> <span class="c"># 3. Call the macro.</span> <span class="c"># Julia parses this line, sees the '@', and executes the macro function,</span> <span class="c"># passing the quoted argument ':(1 + 2 * 3)'.</span> <span class="c"># The code below is *replaced* by the 'returned_expr' from the macro.</span> <span class="nd">@print_expression_info</span><span class="x">(</span><span class="mi">1</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">3</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Preparing to call the macro with a variable..."</span><span class="x">)</span> <span class="n">my_var</span> <span class="o">=</span> <span class="mi">100</span> <span class="nd">@print_expression_info</span><span class="x">(</span><span class="n">my_var</span> <span class="o">/</span> <span class="mi">2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Script finished."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong>macros</strong>, a core metaprogramming tool in Julia. Macros are functions that run at <strong>parse/expansion time</strong> to <strong>transform</strong> code syntax before it is fully compiled and executed.</p> <h2> Core Concept: Syntax Transformation </h2> <ul> <li> <strong>Macro Definition:</strong> You define a macro using the <code>macro MacroName(args...) ... end</code> syntax. The name <strong>must</strong> start with <code>@</code>.</li> <li> <strong>Input:</strong> Macros <strong>do not receive evaluated values</strong> like regular functions. They receive the <strong>literal syntax</strong> (code) passed to them as arguments, automatically quoted into <code>Expr</code> objects, <code>Symbol</code>s, or literal values. <ul> <li>In <code>@print_expression_info(1 + 2 * 3)</code>, the macro receives the <code>Expr</code> object <code>:(1 + 2 * 3)</code>.</li> <li>In <code>@print_expression_info(my_var / 2)</code>, it receives the <code>Expr</code> object <code>:(my_var / 2)</code>.</li> </ul> </li> <li> <strong>Execution Time:</strong> The code <em>inside</em> the macro definition (e.g., the <code>println</code> statements within <code>macro print_expression_info</code>) runs <strong>before</strong> the main script execution, during a phase called <strong>macro expansion</strong>. This is often loosely called "compile time" or "parse time".</li> <li> <strong>Output (Return Value):</strong> A macro <strong>must return</strong> a valid Julia expression (<code>Expr</code>, <code>Symbol</code>, or literal).</li> <li> <strong>Transformation:</strong> The crucial step is that the original macro call (e.g., <code>@print_expression_info(1 + 2 * 3)</code>) is <strong>completely replaced</strong> in the program's Abstract Syntax Tree (AST) by the <strong>expression returned</strong> by the macro. The final compiled code contains the <em>result</em> of the macro's transformation, not the macro call itself.</li> </ul> <h2> Interpolation (<code>$</code>) in Macros </h2> <ul> <li> <strong>Purpose:</strong> The dollar sign <code>$</code> is used <em>inside</em> a quoted expression (<code>:()</code> or <code>quote...end</code>) within a macro definition. It signifies <strong>interpolation</strong> or "unquoting."</li> <li> <strong>Behavior:</strong> It means "evaluate the expression immediately following the <code>$</code> <strong>during macro expansion time</strong>, and substitute its resulting <em>value</em> into the expression being built." <ul> <li> <code>$(string(expression_arg))</code>: Evaluates <code>string(expression_arg)</code> at expansion time (converting the input <code>Expr</code> or <code>Symbol</code> like <code>:my_var</code> to the <code>String</code> <code>"my_var"</code>) and inserts that string literal into the <code>println</code> call being constructed.</li> <li> <code>$(expression_arg)</code>: Inserts the <em>original <code>Expr</code> object</em> received by the macro (<code>:(1 + 2 * 3)</code> or <code>:(my_var / 2)</code>) directly into the code being built. This ensures the original calculation is performed at <em>runtime</em>.</li> </ul> </li> </ul> <h2> Example Walkthrough (<code>@print_expression_info(1 + 2 * 3)</code>) </h2> <ol> <li> <strong>Parsing:</strong> Julia sees <code>@print_expression_info(1 + 2 * 3)</code>.</li> <li> <strong>Macro Call:</strong> It calls the <code>print_expression_info</code> macro function, passing <code>expression_arg = :(1 + 2 * 3)</code>.</li> <li> <p><strong>Macro Execution (Expansion Time):</strong></p> <ul> <li>The <code>println</code>s inside the macro run, printing info about the <code>Expr</code>.</li> <li> <code>string(expression_arg)</code> evaluates to <code>"1 + 2 * 3"</code>.</li> <li> <p>The <code>quote ... end</code> block constructs a new <code>Expr</code> object. Interpolation substitutes <code>"1 + 2 * 3"</code> and <code>:(1 + 2 * 3)</code>. The resulting <code>Expr</code> is equivalent to:<br> </p> <pre class="highlight julia"><code><span class="k">quote</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Executing Code Generated by Macro (Runtime) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Original expression was: '"</span><span class="x">,</span> <span class="s">"1 + 2 * 3"</span><span class="x">,</span> <span class="s">"'"</span><span class="x">)</span> <span class="kd">local</span> <span class="n">result_value</span> <span class="o">=</span> <span class="x">(</span><span class="mi">1</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">3</span><span class="x">)</span> <span class="c"># The original expression inserted</span> <span class="n">println</span><span class="x">(</span><span class="s">" Its runtime value is: "</span><span class="x">,</span> <span class="n">result_value</span><span class="x">)</span> <span class="k">end</span> </code></pre> </li> </ul> </li> <li><p><strong>Replacement:</strong> The original line <code>@print_expression_info(1 + 2 * 3)</code> in the code is replaced by this generated <code>quote</code> block.</p></li> <li><p><strong>Compilation &amp; Runtime:</strong> Julia compiles the <em>transformed</em> code. When the script runs, the <code>println</code> statements <em>inside the generated quote block</em> execute, calculating <code>1 + 2 * 3</code> and printing the runtime value <code>7</code>.</p></li> </ol> <p>Macros allow you to manipulate syntax, reduce boilerplate, create domain-specific languages, and perform code generation before the main compilation phase, enabling powerful abstractions without runtime cost.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Macros":</strong> Explains macro definition, expansion, interpolation, and provides examples.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0108_macros_basics.jl Preparing to call the macro... <span class="nt">---</span> Inside Macro <span class="s1">'@print_expression_info'</span> <span class="o">(</span>Compile Time<span class="o">)</span> <span class="nt">---</span> Received expression: 1 + 2 <span class="k">*</span> 3 Type of expression: Expr String representation: 1 + 2 <span class="k">*</span> 3 <span class="nt">---</span> Macro Returning Expression <span class="nt">---</span> begin <span class="c">#= 0108_macros_basics.jl:8 =#</span> println<span class="o">(</span><span class="s2">"--- Executing Code Generated by Macro (Runtime) ---"</span><span class="o">)</span> <span class="c">#= 0108_macros_basics.jl:9 =#</span> println<span class="o">(</span><span class="s2">" Original expression was: '"</span>, <span class="s2">"1 + 2 * 3"</span>, <span class="s2">"'"</span><span class="o">)</span> <span class="c">#= 0108_macros_basics.jl:10 =#</span> <span class="nb">local </span>result_value <span class="o">=</span> 1 + 2 <span class="k">*</span> 3 <span class="c">#= 0108_macros_basics.jl:11 =#</span> println<span class="o">(</span><span class="s2">" Its runtime value is: "</span>, result_value<span class="o">)</span> end <span class="nt">----------------------------------</span> <span class="nt">---</span> Executing Code Generated by Macro <span class="o">(</span>Runtime<span class="o">)</span> <span class="nt">---</span> Original expression was: <span class="s1">'1 + 2 * 3'</span> Its runtime value is: 7 Preparing to call the macro with a variable... <span class="nt">---</span> Inside Macro <span class="s1">'@print_expression_info'</span> <span class="o">(</span>Compile Time<span class="o">)</span> <span class="nt">---</span> Received expression: my_var / 2 Type of expression: Expr String representation: my_var / 2 <span class="nt">---</span> Macro Returning Expression <span class="nt">---</span> begin <span class="c">#= 0108_macros_basics.jl:8 =#</span> println<span class="o">(</span><span class="s2">"--- Executing Code Generated by Macro (Runtime) ---"</span><span class="o">)</span> <span class="c">#= 0108_macros_basics.jl:9 =#</span> println<span class="o">(</span><span class="s2">" Original expression was: '"</span>, <span class="s2">"my_var / 2"</span>, <span class="s2">"'"</span><span class="o">)</span> <span class="c">#= 0108_macros_basics.jl:10 =#</span> <span class="nb">local </span>result_value <span class="o">=</span> my_var / 2 <span class="c">#= 0108_macros_basics.jl:11 =#</span> println<span class="o">(</span><span class="s2">" Its runtime value is: "</span>, result_value<span class="o">)</span> end <span class="nt">----------------------------------</span> <span class="nt">---</span> Executing Code Generated by Macro <span class="o">(</span>Runtime<span class="o">)</span> <span class="nt">---</span> Original expression was: <span class="s1">'my_var / 2'</span> Its runtime value is: 50.0 Script finished. </code></pre> </div> <p><em>(Note: Line number nodes <code>#= ... =#</code> and internal variable names will vary but show the structure of the generated code.)</em></p> <h3> <code>0109_macro_hygiene_and_esc.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0109_macro_hygiene_and_esc.jl</span> <span class="c"># Explains macro hygiene and how to bypass it with esc().</span> <span class="c"># --- Part 1: Hygienic Macro (Default Behavior) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Part 1: Hygienic Macro ---"</span><span class="x">)</span> <span class="k">macro</span><span class="nf"> hygienic_example</span><span class="x">()</span> <span class="c"># This macro defines a variable 'x' internally.</span> <span class="c"># Due to hygiene, this 'x' will be automatically renamed</span> <span class="c"># by the compiler to avoid collision with any 'x' outside the macro.</span> <span class="n">println</span><span class="x">(</span><span class="s">" (Macro Expansion Time: Defining hygienic 'x')"</span><span class="x">)</span> <span class="k">return</span> <span class="k">quote</span> <span class="kd">local</span> <span class="n">x</span> <span class="o">=</span> <span class="s">"Value from Hygienic Macro"</span> <span class="c"># Renamed internally (e.g., ##x#123)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Inside generated code (Runtime): Hygienic x = "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># Define a global 'x' in the calling scope.</span> <span class="n">x</span> <span class="o">=</span> <span class="s">"Value from Global Scope"</span> <span class="n">println</span><span class="x">(</span><span class="s">"Before macro call: Global x = "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="c"># Call the macro. The 'x' inside the macro's generated code</span> <span class="c"># will NOT interfere with the global 'x'.</span> <span class="nd">@hygienic_example</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"After macro call: Global x = "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="c"># Remains unchanged</span> <span class="c"># --- Part 2: Unhygienic Macro (Using esc()) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Part 2: Unhygienic Macro (using esc()) ---"</span><span class="x">)</span> <span class="k">macro</span><span class="nf"> unhygienic_assignment</span><span class="x">(</span><span class="n">varname</span><span class="x">,</span> <span class="n">value</span><span class="x">)</span> <span class="c"># This macro *intends* to assign to a variable in the *caller's* scope.</span> <span class="n">println</span><span class="x">(</span><span class="s">" (Macro Expansion Time: Assigning to caller's variable)"</span><span class="x">)</span> <span class="c"># 'esc(varname)' tells the hygiene system NOT to rename 'varname'.</span> <span class="c"># It ensures the assignment targets the variable from the calling scope.</span> <span class="c"># 'value' is interpolated as usual.</span> <span class="k">return</span> <span class="o">:</span><span class="x">(</span><span class="o">$</span><span class="x">(</span><span class="n">esc</span><span class="x">(</span><span class="n">varname</span><span class="x">))</span> <span class="o">=</span> <span class="o">$</span><span class="n">value</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 'y' does not exist yet in global scope.</span> <span class="c"># The macro call will create and assign to the global 'y'.</span> <span class="nd">@unhygienic_assignment</span><span class="x">(</span><span class="n">y</span><span class="x">,</span> <span class="mi">123</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"After macro call: Global y = "</span><span class="x">,</span> <span class="n">y</span><span class="x">)</span> <span class="c"># y now exists and is 123</span> <span class="c"># Modify an existing variable 'x' using the unhygienic macro.</span> <span class="nd">@unhygienic_assignment</span><span class="x">(</span><span class="n">x</span><span class="x">,</span> <span class="s">"Value assigned via unhygienic macro"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"After macro call: Global x = "</span><span class="x">,</span> <span class="n">x</span><span class="x">)</span> <span class="c"># x has been changed</span> <span class="c"># --- Part 3: Hygienic Wrapping Macro (Common Pattern) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Part 3: Hygienic Wrapping Macro (@simple_time) ---"</span><span class="x">)</span> <span class="c"># A macro to time an expression, using hygiene correctly.</span> <span class="k">macro</span><span class="nf"> simple_time</span><span class="x">(</span><span class="n">expression_to_run</span><span class="x">)</span> <span class="c"># Variables defined *by the macro* should be hygienic (local).</span> <span class="c"># The code *provided by the user* needs to run in the caller's scope.</span> <span class="k">return</span> <span class="k">quote</span> <span class="kd">local</span> <span class="n">start_ns</span> <span class="o">=</span> <span class="n">time_ns</span><span class="x">()</span> <span class="c"># 'esc(expression_to_run)' ensures the user's code runs</span> <span class="c"># correctly in their scope, seeing their variables.</span> <span class="kd">local</span> <span class="n">result</span> <span class="o">=</span> <span class="o">$</span><span class="x">(</span><span class="n">esc</span><span class="x">(</span><span class="n">expression_to_run</span><span class="x">))</span> <span class="kd">local</span> <span class="n">end_ns</span> <span class="o">=</span> <span class="n">time_ns</span><span class="x">()</span> <span class="kd">local</span> <span class="n">elapsed_ms</span> <span class="o">=</span> <span class="x">(</span><span class="n">end_ns</span> <span class="o">-</span> <span class="n">start_ns</span><span class="x">)</span> <span class="o">/</span> <span class="mi">1_000_000</span> <span class="n">println</span><span class="x">(</span><span class="s">"Expression `"</span><span class="x">,</span> <span class="o">$</span><span class="x">(</span><span class="n">string</span><span class="x">(</span><span class="n">expression_to_run</span><span class="x">)),</span> <span class="s">"` executed in: "</span><span class="x">,</span> <span class="n">round</span><span class="x">(</span><span class="n">elapsed_ms</span><span class="x">,</span> <span class="n">digits</span><span class="o">=</span><span class="mi">3</span><span class="x">),</span> <span class="s">" ms"</span><span class="x">)</span> <span class="c"># Ensure the macro call evaluates to the result of the user's expression</span> <span class="n">result</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># Use the timing macro</span> <span class="n">z</span> <span class="o">=</span> <span class="mi">50</span> <span class="n">timed_result</span> <span class="o">=</span> <span class="nd">@simple_time</span> <span class="k">begin</span> <span class="n">sleep</span><span class="x">(</span><span class="mf">0.05</span><span class="x">)</span> <span class="c"># Simulate work</span> <span class="n">z</span> <span class="o">*</span> <span class="mi">2</span> <span class="c"># Access local variable 'z'</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of timed expression: "</span><span class="x">,</span> <span class="n">timed_result</span><span class="x">)</span> <span class="c"># Should be 100</span> <span class="c"># 'start_ns', 'result', 'end_ns', 'elapsed_ms' from the macro do not leak.</span> </code></pre> </div> <h3> Explanation </h3> <p>This script delves into <strong>macro hygiene</strong>, a crucial feature that makes macros safer and easier to compose, and introduces <code>esc()</code> for intentionally bypassing hygiene when needed.</p> <h2> Core Concept: Macro Hygiene </h2> <ul> <li> <strong>The Problem:</strong> Imagine macros didn't have hygiene. If a macro defined an internal variable <code>x</code>, and the code calling the macro also used a variable <code>x</code>, the macro's variable could accidentally overwrite or interfere with the user's variable, leading to chaos.</li> <li> <strong>Hygiene Solution:</strong> Julia macros are <strong>hygienic by default</strong>. The compiler automatically and invisibly <strong>renames</strong> variables introduced <em>within</em> the macro's generated code. <ul> <li>In <code>@hygienic_example</code>, the <code>local x = ...</code> inside the <code>quote</code> block does not refer to the global <code>x</code>. The compiler effectively renames the macro's <code>x</code> to something unique (like <code>##x#123</code>), ensuring it cannot clash with any <code>x</code> in the scope where the macro is called.</li> <li>This allows macro authors to use common variable names internally without fear of breaking the user's code.</li> </ul> </li> </ul> <h2> Bypassing Hygiene: <code>esc(expression)</code> </h2> <ul> <li> <strong>The Need:</strong> Sometimes, a macro <em>intentionally</em> needs to interact with or modify variables in the <strong>calling scope</strong>. Common examples include macros that perform assignments (like <code>@unhygienic_assignment</code>) or macros that need to evaluate user-provided code within the user's context (like <code>@simple_time</code>).</li> <li> <strong><code>esc()</code> Function:</strong> The <code>esc(expression)</code> function is used <em>inside</em> the macro's returned <code>quote</code> block. It marks <code>expression</code> (which must be an <code>Expr</code> or <code>Symbol</code>) as needing to <strong>"escape"</strong> the hygiene mechanism. <ul> <li>When the compiler sees <code>esc(varname)</code> during macro expansion, it <strong>does not rename</strong> <code>varname</code>. It leaves the symbol exactly as it appeared in the macro call.</li> <li>In <code>@unhygienic_assignment(y, 123)</code>, the macro receives <code>varname = :y</code> and <code>value = 123</code>. The returned expression <code>:($(esc(varname)) = $value)</code> becomes <code>:(y = 123)</code>. Since <code>y</code> was escaped, this assignment refers to the variable <code>y</code> in the <em>caller's</em> scope (creating it if it doesn't exist).</li> </ul> </li> </ul> <h2> The Hygienic Wrapping Pattern (<code>@simple_time</code>) </h2> <ul> <li> <strong>Combining Hygiene and Escape:</strong> Many useful macros <em>wrap</em> user-provided code, adding some functionality before and/or after. The <code>@simple_time</code> macro is a classic example.</li> <li> <strong>Correct Implementation:</strong> <ol> <li> <strong>Macro Variables:</strong> Variables needed <em>by the macro itself</em> (<code>start_ns</code>, <code>result</code>, <code>end_ns</code>, <code>elapsed_ms</code>) should be declared <code>local</code> within the returned <code>quote</code> block. They will remain hygienic and won't clash with user variables.</li> <li> <strong>User Expression:</strong> The code provided <em>by the user</em> (<code>expression_to_run</code>) <strong>must be escaped</strong> (<code>$(esc(expression_to_run))</code>). This ensures that when the user's code (e.g., <code>sleep(0.05); z * 2</code>) runs, it does so in the <em>caller's</em> scope, where variables like <code>z</code> are correctly defined.</li> </ol> </li> <li> <strong>Result:</strong> The macro adds timing logic using safe, hygienic internal variables, while correctly executing the user's code in their own context. The macro call evaluates to the <em>result</em> of the user's code (<code>result</code>), making it composable.</li> </ul> <p>Understanding hygiene and <code>esc</code> is essential for writing correct and robust macros that interact predictably with the code that calls them. Use hygiene by default; use <code>esc</code> deliberately and carefully when interaction with the caller's scope is intended.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Hygiene":</strong> Provides a detailed explanation of hygiene and the <code>esc</code> function with examples.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0109_macro_hygiene_and_esc.jl <span class="nt">---</span> Part 1: Hygienic Macro <span class="nt">---</span> Before macro call: Global x <span class="o">=</span> Value from Global Scope <span class="o">(</span>Macro Expansion Time: Defining hygienic <span class="s1">'x'</span><span class="o">)</span> Inside generated code <span class="o">(</span>Runtime<span class="o">)</span>: Hygienic x <span class="o">=</span> Value from Hygienic Macro After macro call: Global x <span class="o">=</span> Value from Global Scope <span class="nt">---</span> Part 2: Unhygienic Macro <span class="o">(</span>using esc<span class="o">())</span> <span class="nt">---</span> <span class="o">(</span>Macro Expansion Time: Assigning to <span class="nb">caller</span><span class="s1">'s variable) After macro call: Global y = 123 (Macro Expansion Time: Assigning to caller'</span>s variable<span class="o">)</span> After macro call: Global x <span class="o">=</span> Value assigned via unhygienic macro <span class="nt">---</span> Part 3: Hygienic Wrapping Macro <span class="o">(</span>@simple_time<span class="o">)</span> <span class="nt">---</span> Expression <span class="sb">`</span>begin <span class="c">#= ... =#</span> <span class="nb">sleep</span><span class="o">(</span>0.05<span class="o">)</span> <span class="c">#= ... =#</span> Main.z <span class="k">*</span> 2 end<span class="sb">`</span> executed <span class="k">in</span>: 5X.XXX ms <span class="c"># Actual time will vary slightly</span> Result of timed expression: 100 </code></pre> </div> <p><em>(The expansion time messages appear during compilation/loading. Runtime messages appear during execution. The exact timing will vary.)</em></p> <h2> Generated Functions </h2> <h3> <code>0110_generated_functions_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0110_generated_functions_basics.jl</span> <span class="c"># Introduces @generated functions for compile-time code generation based on types.</span> <span class="k">import</span> <span class="n">InteractiveUtils</span><span class="o">:</span> <span class="nd">@code_lowered</span><span class="x">,</span> <span class="nd">@code_typed</span> <span class="c"># For inspecting generated code</span> <span class="c"># --- Standard Function (Runtime Logic) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Standard Function ---"</span><span class="x">)</span> <span class="c"># 1. A regular function determines behavior based on runtime *values*.</span> <span class="k">function</span><span class="nf"> get_container_description_runtime</span><span class="x">(</span><span class="n">container</span><span class="x">)</span> <span class="c"># This uses 'isa' checks at runtime.</span> <span class="k">if</span> <span class="k">isa</span><span class="x">(</span><span class="n">container</span><span class="o">.</span><span class="n">value</span><span class="x">,</span> <span class="kt">Int</span><span class="x">)</span> <span class="k">return</span> <span class="s">"Container holds an Integer"</span> <span class="k">elseif</span> <span class="k">isa</span><span class="x">(</span><span class="n">container</span><span class="o">.</span><span class="n">value</span><span class="x">,</span> <span class="kt">String</span><span class="x">)</span> <span class="k">return</span> <span class="s">"Container holds a String"</span> <span class="k">else</span> <span class="k">return</span> <span class="s">"Container holds Other type"</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># Define a simple parametric struct</span> <span class="k">struct</span><span class="nc"> Container</span><span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="n">value</span><span class="o">::</span><span class="n">T</span> <span class="k">end</span> <span class="n">c_int</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="mi">10</span><span class="x">)</span> <span class="n">c_str</span> <span class="o">=</span> <span class="n">Container</span><span class="x">(</span><span class="s">"hello"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Runtime dispatch:"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Input Container{Int}: "</span><span class="x">,</span> <span class="n">get_container_description_runtime</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">" Input Container{String}: "</span><span class="x">,</span> <span class="n">get_container_description_runtime</span><span class="x">(</span><span class="n">c_str</span><span class="x">))</span> <span class="c"># --- Generated Function (Compile-Time Logic based on Types) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- @generated Function ---"</span><span class="x">)</span> <span class="c"># 2. A @generated function runs *during compilation* for each unique</span> <span class="c"># combination of *input types*. It returns an *expression* (code)</span> <span class="c"># that becomes the compiled body for those specific types.</span> <span class="c"># Note: Arguments to the generator are TYPE objects, not values.</span> <span class="nd">@generated</span> <span class="k">function</span><span class="nf"> get_container_description_compiletime</span><span class="x">(</span><span class="n">c</span><span class="o">::</span><span class="n">Container</span><span class="x">{</span><span class="n">T</span><span class="x">})</span> <span class="k">where</span> <span class="x">{</span><span class="n">T</span><span class="x">}</span> <span class="c"># This code runs AT COMPILE TIME, once per distinct 'T'.</span> <span class="n">println</span><span class="x">(</span><span class="s">" (@generated running for T = </span><span class="si">$</span><span class="s">T)"</span><span class="x">)</span> <span class="c"># Logic based *purely* on the type 'T'.</span> <span class="k">if</span> <span class="n">T</span> <span class="o">&lt;:</span> <span class="kt">Integer</span> <span class="c"># Check if T is a subtype of Integer</span> <span class="c"># Return the *code* to be compiled for integer containers</span> <span class="k">return</span> <span class="k">quote</span> <span class="c"># This code runs at RUNTIME for Container{Int} etc.</span> <span class="s">"Container holds an Integer (determined at compile time)"</span> <span class="k">end</span> <span class="k">elseif</span> <span class="n">T</span> <span class="o">==</span> <span class="kt">String</span> <span class="c"># Return the *code* to be compiled for string containers</span> <span class="k">return</span> <span class="k">quote</span> <span class="c"># This code runs at RUNTIME for Container{String}</span> <span class="s">"Container holds a String (determined at compile time)"</span> <span class="k">end</span> <span class="k">else</span> <span class="c"># Return the *code* for any other type</span> <span class="k">return</span> <span class="k">quote</span> <span class="c"># This code runs at RUNTIME for other Container{T}</span> <span class="s">"Container holds Other type (determined at compile time)"</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># End of @generated function</span> <span class="c"># 3. Call the @generated function.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Compile-time dispatch:"</span><span class="x">)</span> <span class="c"># First call with Container{Int64}: Triggers generator, compiles, runs.</span> <span class="n">println</span><span class="x">(</span><span class="s">" Input Container{Int}: "</span><span class="x">,</span> <span class="n">get_container_description_compiletime</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> <span class="c"># Second call with Container{Int64}: Runs pre-compiled method.</span> <span class="n">println</span><span class="x">(</span><span class="s">" Input Container{Int} (again): "</span><span class="x">,</span> <span class="n">get_container_description_compiletime</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> <span class="c"># First call with Container{String}: Triggers generator, compiles, runs.</span> <span class="n">println</span><span class="x">(</span><span class="s">" Input Container{String}: "</span><span class="x">,</span> <span class="n">get_container_description_compiletime</span><span class="x">(</span><span class="n">c_str</span><span class="x">))</span> <span class="c"># --- Inspecting Generated Code (Advanced) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Inspecting Code ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Code for runtime version (Container{Int}):"</span><span class="x">)</span> <span class="c"># Explicitly print the result of @code_typed</span> <span class="c"># Note: @code_typed shows optimized code *after* type inference.</span> <span class="c"># The `isa` check might be optimized away for this specific input `c_int`,</span> <span class="c"># but the branching structure would exist in the general method.</span> <span class="n">println</span><span class="x">(</span><span class="nd">@code_typed</span> <span class="n">get_container_description_runtime</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Code for compile-time version (Container{Int}):"</span><span class="x">)</span> <span class="c"># Explicitly print the result of @code_typed</span> <span class="c"># This might trigger the "@generated running..." message again as it compiles</span> <span class="c"># the specific method needed for inspection.</span> <span class="n">println</span><span class="x">(</span><span class="nd">@code_typed</span> <span class="n">get_container_description_compiletime</span><span class="x">(</span><span class="n">c_int</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces <strong><code>@generated</code> functions</strong>, the second major tool for compile-time metaprogramming in Julia. Unlike macros which operate on syntax, <code>@generated</code> functions operate based on <strong>types</strong> inferred during compilation, allowing for extreme specialization of code.</p> <h2> Core Concept: Compile-Time Code Generation Based on Types </h2> <ul> <li> <strong><code>@generated function func(args...) ... end</code>:</strong> Defines a generated function.</li> <li> <strong>Execution Model:</strong> <ol> <li> <strong>First Call (Type Signature):</strong> When Julia encounters a call to <code>@generated</code> function <code>func</code> with a <em>new combination of argument types</em> (e.g., <code>get_container_description_compiletime(::Container{Int64})</code>), it <strong>runs the body</strong> of the <code>@generated</code> function definition <strong>at compile time</strong>.</li> <li> <strong>Input = Types:</strong> The arguments passed to the generator code are <strong>Type objects</strong> (e.g., <code>T</code> will be <code>Int64</code>, not the value <code>10</code>). You cannot access the <em>values</em> of the arguments inside the generator body.</li> <li> <strong>Output = Code (<code>Expr</code>):</strong> The generator body <strong>must return</strong> a Julia expression (<code>Expr</code> object, usually created with <code>quote...end</code>).</li> <li> <strong>Compilation:</strong> Julia takes the returned expression and <strong>compiles it</strong> as the <strong>method body</strong> specifically for that combination of input types.</li> <li> <strong>Runtime Execution:</strong> The compiled, specialized method body is then executed at runtime.</li> <li> <strong>Subsequent Calls:</strong> For <em>all future calls</em> with the <strong>same argument types</strong>, Julia skips the generator step and directly executes the already-compiled, specialized method body.</li> </ol> </li> <li> <strong>Contrast with Macros:</strong> <ul> <li> <strong>Macros:</strong> Run earlier (parse time), operate on syntax (<code>Expr</code>), unaware of types.</li> <li> <strong><code>@generated</code>:</strong> Run later (compile/type-inference time), operate on types (<code>Type</code>), unaware of specific syntax used by the caller.</li> </ul> </li> </ul> <h2> Example Walkthrough </h2> <ul> <li> <strong><code>get_container_description_runtime</code>:</strong> This standard function uses runtime <code>isa</code> checks. Every time it's called, it potentially performs these type checks.</li> <li> <strong><code>get_container_description_compiletime</code>:</strong> <ul> <li>When called with <code>c_int</code> (<code>Container{Int64}</code>), the generator runs (<code>println(" (@generated running...)")</code>). <code>T</code> is <code>Int64</code>. The <code>if T &lt;: Integer</code> branch matches. The generator <em>returns the expression</em> <code>quote "Container holds an Integer..." end</code>. Julia compiles this simple expression (which just returns a string constant) as the method for <code>Container{Int64}</code>. This compiled method is then run.</li> <li>When called with <code>c_int</code> <em>again</em>, the generator does <strong>not</strong> run. The already compiled method (which just returns the string) is executed instantly.</li> <li>When called with <code>c_str</code> (<code>Container{String}</code>), the generator runs again. <code>T</code> is <code>String</code>. The <code>elseif T == String</code> branch matches. The generator returns the appropriate <code>quote</code> block, which Julia compiles as the method for <code>Container{String}</code>.</li> </ul> </li> </ul> <h2> Zero-Cost Abstraction Achieved </h2> <ul> <li> <strong>Inspection:</strong> Using <code>println(@code_typed(...))</code> confirms the benefit: <ul> <li>The runtime version's typed code might still show branching logic (depending on optimization level and context), representing the runtime <code>isa</code> checks. Your output <code>CodeInfo( ... return "Container holds an Integer" ) =&gt; String</code> suggests the compiler <em>was</em> able to constant-propagate the <code>isa(c_int.value, Int)</code> check for this specific call, but the general method still contains the branching logic.</li> <li>The <code>@generated</code> version's typed code (for <code>Container{Int}</code>) shows <strong>no branching</strong>; it compiles <em>directly</em> to <code>CodeInfo( return "Container holds an Integer (determined at compile time)" ) =&gt; String</code>. All the <code>if/elseif/else</code> logic based on the <em>type</em> <code>T</code> happened <strong>at compile time</strong> and vanished entirely from the runtime code for this specific <code>T</code>.</li> </ul> </li> <li> <strong>Performance:</strong> <code>@generated</code> functions allow you to write generic-looking code where the dispatch logic (based on types) is resolved entirely during compilation, resulting in highly specialized, efficient runtime code with zero dispatch overhead. This is a key technique for implementing zero-cost abstractions based on type information.</li> </ul> <h2> Restrictions </h2> <ul> <li>You <strong>cannot access argument values</strong> inside the generator body, only their types.</li> <li>You cannot cause side effects (like modifying global state) inside the generator body that affect runtime behavior (though <code>println</code> for debugging is okay). The generator's only job is to return the code expression.</li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "@generated Functions":</strong> Provides the definitive explanation and rules for generated functions.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>@generated</code>:</strong> Macro documentation.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0110_generated_functions_basics.jl <span class="nt">---</span> Standard Function <span class="nt">---</span> Runtime dispatch: Input Container<span class="o">{</span>Int<span class="o">}</span>: Container holds an Integer Input Container<span class="o">{</span>String<span class="o">}</span>: Container holds a String <span class="nt">---</span> @generated Function <span class="nt">---</span> Compile-time dispatch: <span class="o">(</span>@generated running <span class="k">for </span>T <span class="o">=</span> Int64<span class="o">)</span> Input Container<span class="o">{</span>Int<span class="o">}</span>: Container holds an Integer <span class="o">(</span>determined at compile <span class="nb">time</span><span class="o">)</span> Input Container<span class="o">{</span>Int<span class="o">}</span> <span class="o">(</span>again<span class="o">)</span>: Container holds an Integer <span class="o">(</span>determined at compile <span class="nb">time</span><span class="o">)</span> <span class="o">(</span>@generated running <span class="k">for </span>T <span class="o">=</span> String<span class="o">)</span> Input Container<span class="o">{</span>String<span class="o">}</span>: Container holds a String <span class="o">(</span>determined at compile <span class="nb">time</span><span class="o">)</span> <span class="nt">---</span> Inspecting Code <span class="nt">---</span> Code <span class="k">for </span>runtime version <span class="o">(</span>Container<span class="o">{</span>Int<span class="o">})</span>: CodeInfo<span class="o">(</span> 1 ─ nothing::Nothing └── <span class="k">return</span> <span class="s2">"Container holds an Integer"</span> <span class="o">)</span> <span class="o">=&gt;</span> String Code <span class="k">for </span>compile-time version <span class="o">(</span>Container<span class="o">{</span>Int<span class="o">})</span>: <span class="o">(</span>@generated running <span class="k">for </span>T <span class="o">=</span> Int64<span class="o">)</span> <span class="c"># Note: Runs again for inspection call</span> CodeInfo<span class="o">(</span> 1 ─ <span class="k">return</span> <span class="s2">"Container holds an Integer (determined at compile time)"</span> <span class="o">)</span> <span class="o">=&gt;</span> String </code></pre> </div> <p><em>(The <code>@code_typed</code> output confirms the specialized, non-branching code generated by the <code>@generated</code> function for the <code>Int64</code> case.)</em></p> <h3> <code>0111_generated_loop_unroll.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0111_generated_loop_unroll.jl</span> <span class="c"># Demonstrates loop unrolling using @generated functions for NTuples.</span> <span class="k">import</span> <span class="n">BenchmarkTools</span><span class="o">:</span> <span class="nd">@btime</span> <span class="c"># --- Runtime Loop Version (for Tuples/AbstractVectors) ---</span> <span class="c"># 1. Standard function using a runtime loop.</span> <span class="c"># Works for any Tuple or AbstractVector.</span> <span class="k">function</span><span class="nf"> dot_runtime</span><span class="x">(</span><span class="n">a</span><span class="o">::</span><span class="kt">Union</span><span class="x">{</span><span class="kt">Tuple</span><span class="x">,</span> <span class="kt">AbstractVector</span><span class="x">},</span> <span class="n">b</span><span class="o">::</span><span class="kt">Union</span><span class="x">{</span><span class="kt">Tuple</span><span class="x">,</span> <span class="kt">AbstractVector</span><span class="x">})</span> <span class="n">len_a</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">a</span><span class="x">)</span> <span class="n">len_b</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">b</span><span class="x">)</span> <span class="c"># Basic error check (could be more robust)</span> <span class="k">if</span> <span class="n">len_a</span> <span class="o">!=</span> <span class="n">len_b</span> <span class="n">throw</span><span class="x">(</span><span class="kt">DimensionMismatch</span><span class="x">(</span><span class="s">"Vectors must have same length"</span><span class="x">))</span> <span class="k">end</span> <span class="n">s</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="c"># Use Float64 for accumulation</span> <span class="nd">@inbounds</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">len_a</span> <span class="c"># Runtime loop: involves counter, bounds check (unless @inbounds), branching.</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">a</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="o">*</span> <span class="n">b</span><span class="x">[</span><span class="n">i</span><span class="x">]</span> <span class="k">end</span> <span class="k">return</span> <span class="n">s</span> <span class="k">end</span> <span class="c"># --- Compile-Time Unrolled Version (for NTuples) ---</span> <span class="c"># 2. @generated function specifically for NTuples.</span> <span class="c"># 'NTuple{N, T}' is a fixed-size, stack-allocated tuple where 'N' (length)</span> <span class="c"># is part of the type information *available at compile time*.</span> <span class="nd">@generated</span> <span class="k">function</span><span class="nf"> dot_compiletime_unrolled</span><span class="x">(</span> <span class="n">a</span><span class="o">::</span><span class="kt">NTuple</span><span class="x">{</span><span class="n">N</span><span class="x">,</span> <span class="n">T</span><span class="x">},</span> <span class="n">b</span><span class="o">::</span><span class="kt">NTuple</span><span class="x">{</span><span class="n">N</span><span class="x">,</span> <span class="n">T</span><span class="x">}</span> <span class="x">)</span> <span class="k">where</span> <span class="x">{</span><span class="n">N</span><span class="x">,</span> <span class="n">T</span><span class="o">&lt;:</span><span class="kt">Number</span><span class="x">}</span> <span class="c"># Constrain T to be Number, N is length</span> <span class="c"># This code runs AT COMPILE TIME. 'N' is the known length.</span> <span class="n">println</span><span class="x">(</span><span class="s">" (@generated running dot_unrolled for N=</span><span class="si">$</span><span class="s">N, T=</span><span class="si">$</span><span class="s">T)"</span><span class="x">)</span> <span class="c"># 3. Start building the expression tree for the function body.</span> <span class="c"># We initialize the expression to the first multiplication.</span> <span class="c"># Handles N=0 case implicitly (though perhaps needs explicit check).</span> <span class="k">if</span> <span class="n">N</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">return</span> <span class="o">:</span><span class="x">(</span><span class="n">zero</span><span class="x">(</span><span class="kt">Float64</span><span class="x">))</span> <span class="c"># Return 0.0 if tuples are empty</span> <span class="k">end</span> <span class="c"># Start with the first element's calculation</span> <span class="n">ex</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="n">a</span><span class="x">[</span><span class="mi">1</span><span class="x">]</span> <span class="o">*</span> <span class="n">b</span><span class="x">[</span><span class="mi">1</span><span class="x">])</span> <span class="c"># 4. This loop runs AT COMPILE TIME, from i=2 up to N.</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">2</span><span class="o">:</span><span class="n">N</span> <span class="c"># 5. Append the next term '+ a[i] * b[i]' to the expression tree.</span> <span class="n">ex</span> <span class="o">=</span> <span class="o">:</span><span class="x">(</span><span class="o">$</span><span class="n">ex</span> <span class="o">+</span> <span class="n">a</span><span class="x">[</span><span class="o">$</span><span class="n">i</span><span class="x">]</span> <span class="o">*</span> <span class="n">b</span><span class="x">[</span><span class="o">$</span><span class="n">i</span><span class="x">])</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">" Generated code for N=</span><span class="si">$</span><span class="s">N: "</span><span class="x">,</span> <span class="n">ex</span><span class="x">)</span> <span class="c"># 6. Return the fully unrolled expression tree.</span> <span class="c"># This expression becomes the *entire* compiled body for this NTuple size.</span> <span class="k">return</span> <span class="n">ex</span> <span class="k">end</span> <span class="c"># --- Benchmarking ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Benchmarking ---"</span><span class="x">)</span> <span class="c"># Define input data</span> <span class="c"># Use NTuple for the unrolled version</span> <span class="n">a_ntup</span> <span class="o">=</span> <span class="x">(</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">2.0</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">,</span> <span class="mf">4.0</span><span class="x">)</span> <span class="c"># NTuple{4, Float64}</span> <span class="n">b_ntup</span> <span class="o">=</span> <span class="x">(</span><span class="mf">5.0</span><span class="x">,</span> <span class="mf">6.0</span><span class="x">,</span> <span class="mf">7.0</span><span class="x">,</span> <span class="mf">8.0</span><span class="x">)</span> <span class="c"># NTuple{4, Float64}</span> <span class="c"># Use Vectors for the runtime version (for fair comparison of loop vs unroll)</span> <span class="n">a_vec</span> <span class="o">=</span> <span class="x">[</span><span class="mf">1.0</span><span class="x">,</span> <span class="mf">2.0</span><span class="x">,</span> <span class="mf">3.0</span><span class="x">,</span> <span class="mf">4.0</span><span class="x">]</span> <span class="c"># Vector{Float64}</span> <span class="n">b_vec</span> <span class="o">=</span> <span class="x">[</span><span class="mf">5.0</span><span class="x">,</span> <span class="mf">6.0</span><span class="x">,</span> <span class="mf">7.0</span><span class="x">,</span> <span class="mf">8.0</span><span class="x">]</span> <span class="c"># Vector{Float64}</span> <span class="c"># Benchmark the standard loop version</span> <span class="n">println</span><span class="x">(</span><span class="s">"Benchmarking dot_runtime (Vector input):"</span><span class="x">)</span> <span class="nd">@btime</span> <span class="n">dot_runtime</span><span class="x">(</span><span class="o">$</span><span class="n">a_vec</span><span class="x">,</span> <span class="o">$</span><span class="n">b_vec</span><span class="x">)</span> <span class="c"># Benchmark the @generated unrolled version</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Benchmarking dot_compiletime_unrolled (NTuple input):"</span><span class="x">)</span> <span class="c"># First call triggers generator, subsequent calls use compiled code.</span> <span class="nd">@btime</span> <span class="n">dot_compiletime_unrolled</span><span class="x">(</span><span class="o">$</span><span class="n">a_ntup</span><span class="x">,</span> <span class="o">$</span><span class="n">b_ntup</span><span class="x">)</span> <span class="c"># --- Verification ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Verification ---"</span><span class="x">)</span> <span class="n">res_runtime</span> <span class="o">=</span> <span class="n">dot_runtime</span><span class="x">(</span><span class="n">a_vec</span><span class="x">,</span> <span class="n">b_vec</span><span class="x">)</span> <span class="n">res_unrolled</span> <span class="o">=</span> <span class="n">dot_compiletime_unrolled</span><span class="x">(</span><span class="n">a_ntup</span><span class="x">,</span> <span class="n">b_ntup</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Runtime result: "</span><span class="x">,</span> <span class="n">res_runtime</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Unrolled result: "</span><span class="x">,</span> <span class="n">res_unrolled</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Results match: "</span><span class="x">,</span> <span class="n">res_runtime</span> <span class="n">≈</span> <span class="n">res_unrolled</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script showcases a powerful application of <strong><code>@generated</code> functions</strong>: achieving <strong>compile-time loop unrolling</strong> for operations on fixed-size collections like <code>NTuple</code>. This is a classic technique for maximizing performance by eliminating loop overhead entirely.</p> <h2> Core Concept: Loop Unrolling </h2> <ul> <li> <strong>Runtime Loops:</strong> A standard <code>for</code> loop (like in <code>dot_runtime</code>) involves runtime overhead: <ul> <li>Incrementing and checking the loop counter (<code>i</code>).</li> <li>Performing bounds checks on array accesses (<code>a[i]</code>, <code>b[i]</code>) unless disabled by <code>@inbounds</code>.</li> <li>Conditional branching at the end of each iteration.</li> </ul> </li> <li> <strong>Loop Unrolling:</strong> For loops with a small, <em>fixed</em> number of iterations known <em>at compile time</em>, these overheads can be eliminated by <strong>unrolling</strong> the loop. The compiler replaces the loop structure with a straight sequence of the operations from each iteration. <ul> <li>For N=4, <code>dot_compiletime_unrolled</code> aims to generate code equivalent to: <code>a[1]*b[1] + a[2]*b[2] + a[3]*b[3] + a[4]*b[4]</code> </li> </ul> </li> <li> <strong>Benefit:</strong> The unrolled version contains only the essential arithmetic operations, with no counters, checks, or branches. This allows the CPU to execute the instructions more efficiently, often utilizing techniques like instruction pipelining and potentially SIMD more effectively.</li> </ul> <h2> Using <code>@generated</code> for Unrolling </h2> <ul> <li> <strong><code>NTuple{N, T}</code>:</strong> The key enabler is <code>NTuple{N, T}</code>. It's an immutable, <code>isbits</code> tuple type where the <strong>length <code>N</code> is part of the type information</strong>. This means <code>N</code> is known to the compiler during type inference.</li> <li> <strong>Generator Logic:</strong> <ol> <li> The <code>@generated function dot_compiletime_unrolled</code> receives the <em>types</em> <code>NTuple{N, T}</code> as input. The <code>where {N, T&lt;:Number}</code> clause extracts the compile-time constant <code>N</code> (the length) and the element type <code>T</code>.</li> <li> The code inside the generator runs <strong>at compile time</strong>.</li> <li> It uses a standard Julia <code>for i in 2:N</code> loop (running <em>at compile time</em>) to programmatically build an <code>Expr</code> object (<code>ex</code>).</li> <li> In each iteration of this compile-time loop, it appends the next term (<code>+ a[$i] * b[$i]</code>) to the <code>Expr</code> tree.</li> <li> The final <code>Expr</code> returned by the generator is the fully unrolled sequence of additions and multiplications.</li> </ol> </li> <li> <strong>Zero-Cost Abstraction:</strong> Julia compiles this returned expression as the <em>entire body</em> of the function specifically for that <code>N</code>. When you call <code>dot_compiletime_unrolled(a_ntup, b_ntup)</code> at runtime, you execute the straight-line, unrolled code directly. The generic function definition with the compile-time loop has vanished, achieving a <strong>zero-cost abstraction</strong>.</li> </ul> <h2> Benchmarking Results </h2> <ul> <li>The benchmark comparison between <code>dot_runtime</code> (using <code>Vector</code>s and a runtime loop) and <code>dot_compiletime_unrolled</code> (using <code>NTuple</code>s and compile-time unrolling) should show the unrolled version is significantly faster for small <code>N</code>.</li> <li> <strong>Important:</strong> This specific <code>@generated</code> function only works for <code>NTuple</code>. <code>dot_runtime</code> is more general but potentially slower due to the loop overhead (and potential heap allocation if Vectors are large or escape). Using <code>StaticArrays.jl</code> provides similar performance benefits for fixed-size arrays with a more convenient interface than manual <code>@generated</code> functions.</li> </ul> <p>Loop unrolling via <code>@generated</code> functions is a powerful technique for optimizing performance-critical code operating on small, fixed-size data structures, commonly encountered in fields like graphics, physics simulations, and low-level signal processing.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "@generated Functions":</strong> Shows examples including generating specialized code based on type parameters.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>NTuple</code>:</strong> Describes the fixed-size tuple type where length is part of the type.</li> <li>(Loop unrolling is a standard compiler optimization technique).</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>BenchmarkTools.jl</code> installed)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0111_generated_loop_unroll.jl <span class="nt">---</span> Benchmarking <span class="nt">---</span> Benchmarking dot_runtime <span class="o">(</span>Vector input<span class="o">)</span>: 2.888 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> Benchmarking dot_compiletime_unrolled <span class="o">(</span>NTuple input<span class="o">)</span>: <span class="o">(</span>@generated running dot_unrolled <span class="k">for </span><span class="nv">N</span><span class="o">=</span>4, <span class="nv">T</span><span class="o">=</span>Float64<span class="o">)</span> Generated code <span class="k">for </span><span class="nv">N</span><span class="o">=</span>4: <span class="o">((</span>a[1] <span class="k">*</span> b[1] + a[2] <span class="k">*</span> b[2]<span class="o">)</span> + a[3] <span class="k">*</span> b[3]<span class="o">)</span> + a[4] <span class="k">*</span> b[4] 1.490 ns <span class="o">(</span>0 allocations: 0 bytes<span class="o">)</span> <span class="nt">---</span> Verification <span class="nt">---</span> Runtime result: 70.0 Unrolled result: 70.0 Results match: <span class="nb">true</span> </code></pre> </div> <h2> Eval Vs Compile </h2> <h3> <code>0112_eval_and_world_age.md</code> </h3> <p>While Julia <em>can</em> execute code represented as data structures (<code>Expr</code>) at runtime using the <code>eval()</code> function, this approach is fundamentally different from compile-time metaprogramming (macros, <code>@generated</code> functions) and generally unsuitable for high-performance code. Understanding <code>eval</code>'s limitations and the related "world age" concept solidifies <em>why</em> compile-time code generation is preferred.</p> <h2> Runtime Code Execution: <code>eval()</code> </h2> <ul> <li> <strong>What it does:</strong> <code>eval(expression::Expr)</code> takes an <code>Expr</code> object and executes it as code within the <strong>global scope</strong> of the module where <code>eval</code> is called. It effectively invokes the Julia compiler and execution engine <strong>at runtime</strong>.</li> <li> <strong>Example:</strong> <code>eval(:(x = 10 + 5))</code> compiles and runs <code>x = 15</code>, creating or modifying the global variable <code>x</code>.</li> </ul> <h2> Why <code>eval()</code> is Slow and Problematic for Performance </h2> <ol> <li> <strong>Runtime Compilation Overhead:</strong> Every time <code>eval</code> is called with a new expression (or one that hasn't been cached), it must invoke the Julia compiler (type inference, optimization, machine code generation). This is a significant overhead compared to executing already-compiled code.</li> <li> <strong>Global Scope:</strong> <code>eval</code> operates in the global scope. As established in Module 6, code relying heavily on <strong>non-constant global variables</strong> is inherently <strong>type-unstable</strong> and slow because the compiler cannot specialize code effectively. <code>eval</code> compounds this problem by both reading <em>and potentially defining</em> global variables dynamically.</li> <li> <strong>Type Instability:</strong> Because <code>eval</code> runs arbitrary code at runtime, the compiler usually cannot predict the type of the value returned by <code>eval</code>, leading to type instability in the code that uses the result.</li> </ol> <h2> The "World Age" Problem </h2> <p>This is a subtle but important concept related to Julia's JIT compilation and method dispatch, which particularly affects runtime <code>eval</code>.</p> <ul> <li> <strong>Compilation and World Age:</strong> Julia compiles functions <em>just-in-time</em>. When a function is compiled, it "knows about" all the methods and global variables that exist at that specific moment (its "world age"). Julia maintains a global counter for this "world age," incrementing it whenever a new method is defined or a relevant global changes.</li> <li> <strong>The Rule:</strong> A function running in an older "world" <strong>cannot call</strong> methods defined in a newer "world." This prevents inconsistencies during dynamic code updates.</li> <li> <strong><code>eval</code> Creates a New World:</strong> When <code>eval</code> defines a new function or method at runtime, it <strong>increments the world age counter</strong>.</li> <li> <strong>The Conflict:</strong> If you call <code>eval</code> <em>inside</em> a function <code>f</code> to define a new function <code>g</code>, and then immediately try to call <code>g()</code> from within that <em>same</em> execution of <code>f</code>, you will likely get a <code>MethodError</code>. Why? Because <code>f</code> was compiled in an older world age and doesn't "see" the <code>g</code> function that <code>eval</code> just created in the newer world.</li> <li> <p><strong>Example:</strong><br> </p> <pre class="highlight julia"><code><span class="k">function</span><span class="nf"> run_eval</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Current world: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">get_world_counter</span><span class="x">())</span> <span class="n">eval</span><span class="x">(</span><span class="o">:</span><span class="x">(</span><span class="k">function</span><span class="nf"> my_new_func</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Hello from new func!"</span><span class="x">)</span> <span class="k">end</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"World after eval: "</span><span class="x">,</span> <span class="n">Base</span><span class="o">.</span><span class="n">get_world_counter</span><span class="x">())</span> <span class="c"># Incremented!</span> <span class="k">try</span> <span class="n">my_new_func</span><span class="x">()</span> <span class="c"># Error! run_eval() lives in the older world.</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"Caught Error: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># run_eval() # This would error inside</span> </code></pre> </li> </ul> <h2> <code>Base.invokelatest()</code>: The Slow Workaround </h2> <ul> <li> <strong>Purpose:</strong> <code>Base.invokelatest(f, args...)</code> is designed specifically to overcome the world age problem for <strong>interactive use</strong> (like the REPL).</li> <li> <strong>How it Works:</strong> It explicitly tells Julia: "Look up the <em>absolute newest</em> definition of function <code>f</code> (in the latest world age) and call it with <code>args</code>, even if my current function doesn't know about it yet."</li> <li> <strong>Performance:</strong> <code>invokelatest</code> is <strong>extremely slow</strong> and <strong>type-unstable</strong> by design. It involves runtime method lookups and cannot be optimized by the compiler. It completely defeats the purpose of Julia's JIT specialization.</li> <li> <strong>Guideline:</strong> <code>invokelatest</code> is a tool for REPLs, debuggers, and interactive widgets. It should <strong>never</strong> appear in performance-critical code.</li> </ul> <h2> Conclusion: Compile-Time Metaprogramming is Key </h2> <ul> <li> <code>eval</code> and <code>invokelatest</code> are for <strong>runtime flexibility</strong>, primarily in interactive contexts. They come at a significant performance cost.</li> <li>High-performance code generation in Julia relies on <strong>compile-time metaprogramming</strong>: <ul> <li> <strong>Macros (<code>@macro</code>)</strong>: Transform <strong>syntax</strong> at parse time.</li> <li> <strong>Generated Functions (<code>@generated</code>)</strong>: Generate specialized code based on <strong>types</strong> at compile time.</li> </ul> </li> <li>These tools allow you to perform complex code generation and optimization <em>before</em> runtime, leveraging Julia's JIT compiler to produce efficient, specialized machine code, thus achieving true zero-cost abstractions. If you feel the need to use <code>eval</code> within a performance-sensitive function, it's almost always a sign that a macro or <code>@generated</code> function is the more appropriate (and faster) solution.</li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Metaprogramming", "Eval":</strong> Describes <code>eval</code> and its global scope behavior.</li> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code" / "Embedding Julia" / <code>devdocs</code>:</strong> Discussions of the "world age counter" often appear in advanced sections related to compilation and runtime interaction.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Base.invokelatest</code>:</strong> Explains its purpose for calling functions defined after the caller was compiled. Explicitly notes performance implications.</li> </ul> </li> </ul> <h1> Module 12: System Integration and Interoperability </h1> <h2> Calling C Code </h2> <h3> <code>0113_module_intro.md</code> </h3> <p>This module focuses on <strong>system integration and interoperability</strong>, bridging the gap between high-performance Julia code and the vast ecosystem of existing native libraries (C, C++, Fortran) and operating system interfaces. Mastering this is essential for building real-world, high-performance systems.</p> <h2> Beyond Pure Julia: Leveraging Native Code </h2> <p>While Julia itself is exceptionally fast, achieving performance often comparable to C, much of the world's highly optimized code for specific tasks (numerical libraries, hardware drivers, OS primitives) is written in C or C++. Julia was <strong>designed from the ground up</strong> for seamless interoperability with these languages. We don't call C because Julia is <em>slow</em>, but to leverage existing, battle-tested, and often hardware-specific native code for tasks like:</p> <ol> <li> <strong>Specialized Libraries:</strong> Utilizing highly optimized libraries like BLAS (Basic Linear Algebra Subprograms), LAPACK, Intel MKL, FFTW, or custom vendor libraries for hardware acceleration.</li> <li> <strong>Hardware Interaction:</strong> Interfacing directly with network card drivers, GPU APIs (beyond high-level packages), or other hardware through their native C interfaces.</li> <li> <strong>Operating System Primitives:</strong> Accessing low-level OS features not exposed directly in Julia's standard library (e.g., advanced process control, specific system calls, memory mapping options).</li> <li> <strong>Legacy Codebases:</strong> Integrating Julia components into larger systems predominantly written in C or C++.</li> </ol> <h2> Julia's Interoperability Strengths </h2> <p>Julia's design makes C interoperability remarkably clean and efficient:</p> <ul> <li> <strong><code>isbits</code> Layout:</strong> Immutable <code>struct</code>s composed of primitive types (<code>isbits</code>) have a memory layout identical to their C <code>struct</code> counterparts (Module 9), allowing them to be passed directly without conversion or serialization.</li> <li> <strong>Native Pointers (<code>Ptr{T}</code>):</strong> Julia has a first-class pointer type (<code>Ptr</code>) that maps directly to C pointers.</li> <li> <strong><code>ccall</code>:</strong> The built-in <code>ccall</code> function provides a direct, low-overhead mechanism to call functions within compiled shared libraries (<code>.so</code>, <code>.dll</code>).</li> <li> <strong>No GIL:</strong> Julia's multi-threading model allows C library calls from different threads to run truly in parallel without interference from a Global Interpreter Lock.</li> <li> <strong>GC Safety:</strong> The interaction between <code>ccall</code> and the Garbage Collector ensures that Julia objects passed by pointer to C are "pinned" (not moved or collected) during the C call.</li> </ul> <h2> The <code>ccall</code> Interface and Responsibility </h2> <p>The primary tool we will use is <code>ccall</code>. It allows calling C functions (and by extension, C++ functions exposed via <code>extern "C"</code>) as if they were native Julia functions. However, this power comes with significant responsibility:</p> <ul> <li> <strong>Type Correctness is Absolute:</strong> <code>ccall</code> bypasses Julia's dynamic type checking. You must provide the <strong>exact</strong> C function signature (return type and argument types) to <code>ccall</code>. Mismatches in type size, alignment, or calling convention will lead to <strong>undefined behavior</strong>, typically <strong>segmentation faults</strong> or silent memory corruption, not Julia <code>MethodError</code>s.</li> <li> <strong>Memory Management:</strong> You are responsible for understanding the memory ownership rules of the C library. Who allocates? Who frees? Does the C function return a pointer you now own, or a pointer to static memory you must not free? Mistakes here lead to memory leaks or double-free crashes.</li> <li> <strong>Calling Conventions:</strong> <code>ccall</code> handles the platform's default C calling convention, but awareness may be needed for non-standard conventions.</li> </ul> <p>This module will guide you through using <code>ccall</code> safely and effectively, starting with simple examples and progressing to passing complex data like arrays and structs, and even handling callbacks.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code":</strong> The primary guide for <code>ccall</code> and related interoperability features.</li> <li> <strong>C Language Standards / ABI Documentation:</strong> (External) Necessary for understanding the C side of the interface (type sizes, alignment, calling conventions).</li> </ul> </li> </ul> <h3> <code>0114_ccall_basics_simple.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0114_ccall_basics_simple.jl</span> <span class="c"># Demonstrates basic 'ccall' usage with simple C standard library functions,</span> <span class="c"># highlighting different ways to specify the library.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Clong</span><span class="x">,</span> <span class="kt">Cvoid</span><span class="x">,</span> <span class="nb">C_NULL</span> <span class="c"># Import C types explicitly</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Calling C Standard Library Functions via ccall ---"</span><span class="x">)</span> <span class="c"># 1. Basic ccall Syntax:</span> <span class="c"># result = ccall( Fspec, ReturnType, ArgTypes, ArgValues... )</span> <span class="c"># 2. Finding the C Standard Library:</span> <span class="c"># There are multiple ways to specify 'libc':</span> <span class="c"># a) "" or C_NULL: Search current process (reliable for common functions).</span> <span class="c"># b) Explicit Path: "/path/to/libc.so.6" (works if path is correct, not portable).</span> <span class="c"># c) :libc Symbol: Platform-independent alias (should work, but might fail</span> <span class="c"># in non-standard environments if Julia's search path is confused).</span> <span class="c"># --- Example 1: Calling C's time() using Explicit Path ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling time(NULL) [Using Explicit Path] ---"</span><span class="x">)</span> <span class="c"># C function prototype: time_t time(time_t *tloc);</span> <span class="c"># Returns time_t (Clong). We call time(NULL). Argument type is Ptr{Cvoid}.</span> <span class="c"># !! NOTE !! This path MUST be correct for your specific system.</span> <span class="c"># Found via `ldconfig -p | grep libc.so.6` or `find /usr/lib /lib -name libc.so.6`</span> <span class="c"># This makes the script NON-PORTABLE.</span> <span class="kd">const</span> <span class="n">ACTUAL_LIBC_PATH</span> <span class="o">=</span> <span class="s">"/usr/lib/x86_64-linux-gnu/libc.so.6"</span> <span class="n">println</span><span class="x">(</span><span class="s">"Using explicit libc path: "</span><span class="x">,</span> <span class="n">ACTUAL_LIBC_PATH</span><span class="x">)</span> <span class="n">current_time_t</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">time</span><span class="x">,</span> <span class="n">ACTUAL_LIBC_PATH</span><span class="x">),</span> <span class="c"># Use the explicit path string</span> <span class="kt">Clong</span><span class="x">,</span> <span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Cvoid</span><span class="x">},),</span> <span class="nb">C_NULL</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR calling time with explicit path '</span><span class="si">$</span><span class="s">ACTUAL_LIBC_PATH': "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="kt">Clong</span><span class="x">(</span><span class="o">-</span><span class="mi">1</span><span class="x">)</span> <span class="c"># Return dummy value on error</span> <span class="k">end</span> <span class="k">if</span> <span class="n">current_time_t</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of C's time(NULL): "</span><span class="x">,</span> <span class="n">current_time_t</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Type of result: "</span><span class="x">,</span> <span class="n">typeof</span><span class="x">(</span><span class="n">current_time_t</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia's time(): "</span><span class="x">,</span> <span class="n">time</span><span class="x">())</span> <span class="k">end</span> <span class="c"># --- Example 2: Calling C's clock() using "" (Search Current Process) ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling clock() [Using </span><span class="se">\"\"</span><span class="s"> Library Path] ---"</span><span class="x">)</span> <span class="c"># C function prototype: clock_t clock(void);</span> <span class="c"># Returns clock_t (Clong). Takes no arguments.</span> <span class="c"># Using "" tells ccall to look for 'clock' in the already loaded process space.</span> <span class="c"># This is generally reliable for standard functions.</span> <span class="kd">const</span> <span class="n">LIBC_LOOKUP_CURRENT</span> <span class="o">=</span> <span class="s">""</span> <span class="n">ticks</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">clock</span><span class="x">,</span> <span class="n">LIBC_LOOKUP_CURRENT</span><span class="x">),</span> <span class="c"># Look for 'clock' in current process</span> <span class="kt">Clong</span><span class="x">,</span> <span class="x">()</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR calling clock with </span><span class="se">\"\"</span><span class="s"> library path: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="kt">Clong</span><span class="x">(</span><span class="o">-</span><span class="mi">1</span><span class="x">)</span> <span class="c"># Return dummy value on error</span> <span class="k">end</span> <span class="k">if</span> <span class="n">ticks</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of C's clock(): "</span><span class="x">,</span> <span class="n">ticks</span><span class="x">,</span> <span class="s">" ticks"</span><span class="x">)</span> <span class="kd">const</span> <span class="n">CLOCKS_PER_SEC</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="c"># Assume standard value</span> <span class="n">time_in_seconds</span> <span class="o">=</span> <span class="n">ticks</span> <span class="o">/</span> <span class="n">CLOCKS_PER_SEC</span> <span class="n">println</span><span class="x">(</span><span class="s">"Time in seconds (approx): "</span><span class="x">,</span> <span class="n">time_in_seconds</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Example 3: Demonstrating Potential Failure with :libc ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling getpid() [Using :libc Symbol - Might Fail] ---"</span><span class="x">)</span> <span class="c"># C function prototype: pid_t getpid(void);</span> <span class="c"># Returns pid_t (usually Cint). Takes no arguments.</span> <span class="c"># We use ':libc', the platform-independent alias. This *should* work,</span> <span class="c"># but can fail if the library search path is misconfigured or points</span> <span class="c"># to an invalid file (like a linker script instead of the .so).</span> <span class="n">pid</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">getpid</span><span class="x">,</span> <span class="o">:</span><span class="n">libc</span><span class="x">),</span> <span class="c"># Use the standard :libc alias</span> <span class="kt">Cint</span><span class="x">,</span> <span class="x">()</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR calling getpid with :libc symbol: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" This demonstrates that ':libc' lookup can sometimes fail,"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" especially in non-standard environments. Using </span><span class="se">\"\"</span><span class="s"> might be more robust."</span><span class="x">)</span> <span class="kt">Cint</span><span class="x">(</span><span class="o">-</span><span class="mi">1</span><span class="x">)</span> <span class="c"># Return dummy value on error</span> <span class="k">end</span> <span class="k">if</span> <span class="n">pid</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result of C's getpid(): "</span><span class="x">,</span> <span class="n">pid</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia's getpid(): "</span><span class="x">,</span> <span class="n">getpid</span><span class="x">())</span> <span class="c"># Compare with Julia's wrapper</span> <span class="k">else</span> <span class="c"># Try again with "" if :libc failed, just to show it often works</span> <span class="n">println</span><span class="x">(</span><span class="s">"Trying getpid() again using </span><span class="se">\"\"</span><span class="s"> library path..."</span><span class="x">)</span> <span class="n">pid_fallback</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">((</span><span class="o">:</span><span class="n">getpid</span><span class="x">,</span> <span class="s">""</span><span class="x">),</span> <span class="kt">Cint</span><span class="x">,</span> <span class="x">())</span> <span class="k">catch</span> <span class="n">e_fallback</span> <span class="n">println</span><span class="x">(</span><span class="s">" ERROR calling getpid with </span><span class="se">\"\"</span><span class="s"> as well: "</span><span class="x">,</span> <span class="n">e_fallback</span><span class="x">)</span> <span class="kt">Cint</span><span class="x">(</span><span class="o">-</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="k">if</span> <span class="n">pid_fallback</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">println</span><span class="x">(</span><span class="s">" Result using </span><span class="se">\"\"</span><span class="s">: "</span><span class="x">,</span> <span class="n">pid_fallback</span><span class="x">,</span> <span class="s">" (Success)"</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the fundamental <code>ccall</code> function for calling C functions, demonstrating different ways to specify the C standard library (<code>libc</code>) and highlighting potential pitfalls.</p> <h2> Core Concept: <code>ccall</code> </h2> <p><code>ccall</code> provides a direct, low-overhead way to invoke native compiled code from shared libraries, handling platform ABI details.</p> <h2> <code>ccall</code> Syntax Breakdown </h2> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="n">result</span> <span class="o">=</span> <span class="n">ccall</span><span class="x">(</span> <span class="n">Fspec</span><span class="x">,</span> <span class="n">ReturnType</span><span class="x">,</span> <span class="n">ArgTypes</span><span class="x">,</span> <span class="n">ArgValues</span><span class="o">...</span> <span class="x">)</span> </code></pre> </div> <ol> <li> <strong><code>Fspec</code> (Function Specifier):</strong> <code>(:function_name, library_specifier)</code> <ul> <li> <code>function_name::Symbol</code>: Name of the C function (e.g., <code>:time</code>).</li> <li> <code>library_specifier</code>: Identifies the library. Crucial variations: <ul> <li> <strong><code>""</code> or <code>C_NULL</code>:</strong> Searches only within the <strong>current Julia process</strong> and libraries already loaded into it. Often the most reliable way for ubiquitous functions (like <code>time</code>, <code>clock</code>, <code>malloc</code>, <code>printf</code>) that are typically linked into the main executable.</li> <li> <strong>Explicit Path (<code>String</code>):</strong> e.g., <code>"/usr/lib/x86_64-linux-gnu/libc.so.6"</code>. Directly tells Julia which file to load. Works if the path is correct but makes the script <strong>non-portable</strong>.</li> <li> <strong>Symbolic Name (<code>Symbol</code> or <code>String</code>):</strong> e.g., <code>:libc</code>, <code>"libc"</code>, <code>"libm"</code>. Tells Julia to search standard system library paths and potentially use pre-configured aliases. <code>:libc</code> <em>should</em> be the platform-independent way, but as demonstrated, it can fail if the search mechanism finds an incorrect file (like a linker script instead of the actual <code>.so</code>) in non-standard environments.</li> </ul> </li> </ul> </li> <li> <strong><code>ReturnType</code>:</strong> Julia type matching C return type (e.g., <code>Clong</code>, <code>Cint</code>, <code>Float64</code>, <code>Ptr{T}</code>, <code>Cvoid</code>). <strong>Must be correct.</strong> </li> <li> <strong><code>ArgTypes</code>:</strong> <code>Tuple</code> of Julia types matching C argument types (e.g., <code>(Cint, Float64, Ptr{Cvoid})</code>). <code>()</code> for no arguments. <strong>Must be correct.</strong> </li> <li> <strong><code>ArgValues...</code>:</strong> Actual values passed to the C function.</li> </ol> <h2> Examples Explained </h2> <ul> <li> <strong><code>time(NULL)</code> [Explicit Path]:</strong> We use the exact path <code>/usr/lib/x86_64-linux-gnu/libc.so.6</code> (which must be correct for the specific system). This works reliably if the path is right but isn't portable.</li> <li> <strong><code>clock()</code> [<code>""</code> Path]:</strong> We use <code>""</code> for the library. <code>ccall</code> finds the <code>clock</code> symbol already loaded within the Julia process memory space. This is often robust for standard functions.</li> <li> <strong><code>getpid()</code> [<code>:libc</code> Symbol - Potential Failure]:</strong> We attempt to use the standard <code>:libc</code> alias. In correctly configured systems, this works. However, the <code>try...catch</code> block demonstrates that if Julia's search path logic incorrectly identifies the library file (as observed during debugging where it found an invalid ELF header), this call will fail. We then show that retrying with <code>""</code> often succeeds because <code>getpid</code> is likely already loaded.</li> </ul> <h2> Critical Notes </h2> <ul> <li> <strong>Type Accuracy:</strong> Correctly specifying <code>ReturnType</code> and <code>ArgTypes</code> is <strong>paramount</strong> to avoid crashes. Use Julia's C-compatible types (<code>Cint</code>, <code>Clong</code>, etc.).</li> <li> <strong>Library Path Choice:</strong> <ul> <li>For very common C standard library functions, <code>""</code> is often the most robust method.</li> <li> <code>:libc</code> or <code>:libm</code> <em>should</em> be preferred for platform independence when they work correctly in your environment.</li> <li>Explicit paths are non-portable but necessary if the library isn't in standard locations or if symbolic lookups fail.</li> <li>For your own or third-party libraries, use the library name (e.g., <code>"libmycoolstuff"</code>) or a relative/absolute path (<code>"./libmycoolstuff.so"</code>).</li> </ul> </li> </ul> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", <code>ccall</code>:</strong> Primary documentation, mentions using <code>C_NULL</code> or <code>""</code> for searching the current process.</li> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", "Mapping C Types to Julia":</strong> Lists type correspondences.</li> <li> <strong>C Standard Library Documentation (e.g., man pages for <code>time</code>, <code>clock</code>, <code>getpid</code>):</strong> Provides C function prototypes.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0114_ccall_basics_simple.jl <span class="nt">---</span> Calling C Standard Library Functions via ccall <span class="nt">---</span> <span class="nt">---</span> Calling <span class="nb">time</span><span class="o">(</span>NULL<span class="o">)</span> <span class="o">[</span>Using Explicit Path] <span class="nt">---</span> Using explicit libc path: /usr/lib/x86_64-linux-gnu/libc.so.6 Result of C<span class="s1">'s time(NULL): 1761130895 Type of result: Int64 Julia'</span>s <span class="nb">time</span><span class="o">()</span>: 1.761130896255223e9 <span class="nt">---</span> Calling clock<span class="o">()</span> <span class="o">[</span>Using <span class="s2">""</span> Library Path] <span class="nt">---</span> Result of C<span class="s1">'s clock(): 1717681 ticks Time in seconds (approx): 1.717681 --- Calling getpid() [Using :libc Symbol - Might Fail] --- ERROR calling getpid with :libc symbol: ErrorException("could not load library \"libc\"\n/lib/x86_64-linux-gnu/libc.so: invalid ELF header") This demonstrates that '</span>:libc<span class="s1">' lookup can sometimes fail, especially in non-standard environments. Using "" might be more robust. Trying getpid() again using "" library path... Result using "": 16986 (Success) </span></code></pre> </div> <p><em>(Exact timestamp, ticks, PID values, and whether the <code>:libc</code> call fails will vary.)</em></p> <h3> <code>0115_ccall_type_mapping.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0115_ccall_type_mapping.jl</span> <span class="c"># Demonstrates mapping common C types to Julia types for 'ccall'.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Cint</span><span class="x">,</span> <span class="kt">Clong</span><span class="x">,</span> <span class="kt">Csize_t</span><span class="x">,</span> <span class="kt">Cdouble</span><span class="x">,</span> <span class="kt">Cfloat</span><span class="x">,</span> <span class="kt">Cchar</span> <span class="c"># Import C-specific types</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Mapping C Types to Julia Types in ccall ---"</span><span class="x">)</span> <span class="c"># We will call C's standard math function 'atan2' from 'libm'.</span> <span class="c"># C prototype: double atan2(double y, double x);</span> <span class="c"># Input values for the function</span> <span class="n">y_jl</span><span class="o">::</span><span class="kt">Float64</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="n">x_jl</span><span class="o">::</span><span class="kt">Float64</span> <span class="o">=</span> <span class="o">-</span><span class="mf">1.0</span> <span class="c"># 1. The Core Type Mapping:</span> <span class="c"># C Type | Julia Type | Typical Size (64-bit Linux/macOS)</span> <span class="c"># ------------------------------------------------------------------</span> <span class="c"># int | Cint | 4 bytes (Int32)</span> <span class="c"># unsigned int | Cuint | 4 bytes (UInt32)</span> <span class="c"># long | Clong | 8 bytes (Int64)</span> <span class="c"># unsigned long | Culong | 8 bytes (UInt64)</span> <span class="c"># long long | Clonglong | 8 bytes (Int64)</span> <span class="c"># unsigned long long | Culonglong| 8 bytes (UInt64)</span> <span class="c"># short | Cshort | 2 bytes (Int16)</span> <span class="c"># unsigned short| Cushort | 2 bytes (UInt16)</span> <span class="c"># char | Cchar | 1 byte (Int8 or UInt8, platform dependent)</span> <span class="c"># signed char | Cchar | 1 byte (Int8) (Usually same as char)</span> <span class="c"># unsigned char | Cuchar | 1 byte (UInt8)</span> <span class="c"># float | Cfloat | 4 bytes (Float32)</span> <span class="c"># double | Cdouble | 8 bytes (Float64)</span> <span class="c"># size_t | Csize_t | 8 bytes (UInt64)</span> <span class="c"># ptrdiff_t | Cptrdiff_t | 8 bytes (Int64)</span> <span class="c"># void | Cvoid | (Used only for ReturnType)</span> <span class="c"># T* | Ptr{T} | 8 bytes (Pointer to Julia type T)</span> <span class="c"># void* | Ptr{Cvoid} | 8 bytes</span> <span class="c"># char* | Ptr{UInt8} or Ptr{Cchar} | 8 bytes (Often use unsafe_string)</span> <span class="c"># struct T | T (if isbits) | sizeof(T) (Pass via Ref{T} for T*)</span> <span class="c"># 2. Call atan2 using the mapping.</span> <span class="c"># Use ":libm" for the standard math library. Use "" if it might be linked in already.</span> <span class="n">libm_spec</span> <span class="o">=</span> <span class="s">""</span> <span class="c"># Or :libm if "" fails</span> <span class="n">result</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">atan2</span><span class="x">,</span> <span class="n">libm_spec</span><span class="x">),</span> <span class="c"># Function "atan2" in the math library (or current process)</span> <span class="kt">Cdouble</span><span class="x">,</span> <span class="c"># Return type is C double -&gt; Julia Cdouble (Float64)</span> <span class="x">(</span><span class="kt">Cdouble</span><span class="x">,</span> <span class="kt">Cdouble</span><span class="x">),</span> <span class="c"># Argument types are (C double, C double)</span> <span class="n">y_jl</span><span class="x">,</span> <span class="n">x_jl</span> <span class="c"># Pass the Julia Float64 values</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR calling atan2: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="nb">NaN</span> <span class="c"># Return dummy value</span> <span class="k">end</span> <span class="k">if</span> <span class="o">!</span><span class="n">isnan</span><span class="x">(</span><span class="n">result</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"C's atan2(</span><span class="si">$</span><span class="s">y_jl, </span><span class="si">$</span><span class="s">x_jl): "</span><span class="x">,</span> <span class="n">result</span><span class="x">)</span> <span class="c"># Compare with Julia's built-in version</span> <span class="n">julia_result</span> <span class="o">=</span> <span class="n">atan</span><span class="x">(</span><span class="n">y_jl</span><span class="x">,</span> <span class="n">x_jl</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia's atan(</span><span class="si">$</span><span class="s">y_jl, </span><span class="si">$</span><span class="s">x_jl): "</span><span class="x">,</span> <span class="n">julia_result</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Results are approx equal: "</span><span class="x">,</span> <span class="n">result</span> <span class="n">≈</span> <span class="n">julia_result</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 3. Verifying sizes of C-specific types on this platform.</span> <span class="c"># It's crucial these match the C compiler's sizes.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Verifying C Type Sizes on this Platform ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Cint): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Cint</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Clong): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Clong</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Clonglong): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Clonglong</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Csize_t): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Csize_t</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Cchar): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Cchar</span><span class="x">))</span> <span class="c"># Can be signed or unsigned by default</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Cfloat): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Cfloat</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"sizeof(Cdouble): "</span><span class="x">,</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Cdouble</span><span class="x">))</span> </code></pre> </div> <h3> Explanation </h3> <p>This script focuses on the crucial <strong>type mapping</strong> required when using <code>ccall</code>. Because <code>ccall</code> bypasses Julia's type system to call native code, you <em>must</em> explicitly tell Julia the exact C types expected by the function for both arguments and the return value, using the corresponding Julia types.</p> <h2> Core Concept: The <code>ccall</code> Type Contract </h2> <p>The <code>ReturnType</code> and <code>ArgTypes</code> tuple provided to <code>ccall</code> form a <strong>strict contract</strong> between your Julia code and the native C library. Julia uses this contract to:</p> <ol> <li> <strong>Convert Arguments:</strong> Convert the Julia values you provide (<code>ArgValues</code>) into the binary representation expected by the C function based on the <code>ArgTypes</code>.</li> <li> <strong>Generate Calling Code:</strong> Emit the correct machine instructions to pass these arguments according to the platform's C ABI (Application Binary Interface) – handling registers vs. stack appropriately.</li> <li> <strong>Interpret Return Value:</strong> Interpret the binary data returned by the C function as the specified <code>ReturnType</code> and convert it back into a Julia value.</li> </ol> <p><strong>If this contract (the type mapping) is wrong, <code>ccall</code> will generate incorrect code, leading to crashes (segmentation faults), garbage results, or silent memory corruption.</strong></p> <h2> The Julia-to-C Type Map </h2> <p>Julia provides a set of <strong>C-specific type aliases</strong> (like <code>Cint</code>, <code>Clong</code>, <code>Cdouble</code>) within the <code>Base.Libc</code> module. <strong>You should always use these specific types in <code>ccall</code> signatures</strong>, rather than generic Julia types like <code>Int</code> or <code>Float64</code> directly (even though <code>Cdouble</code> <em>is</em> often just an alias for <code>Float64</code>, and <code>Clong</code> for <code>Int64</code> on 64-bit systems), because:</p> <ul> <li> <strong>Platform Portability:</strong> The exact size of C types like <code>int</code> and <code>long</code> can vary between platforms (e.g., <code>long</code> is often 32 bits on 32-bit Windows but 64 bits on 64-bit Linux). Julia's <code>Cint</code>, <code>Clong</code>, etc., are defined correctly for the specific platform Julia was compiled for, ensuring your <code>ccall</code> signature remains correct when your code is run on different operating systems or architectures.</li> <li> <strong>Clarity:</strong> Using <code>Cint</code> explicitly signals that you are interfacing with a C function expecting an <code>int</code>.</li> </ul> <p>The table in the code provides the standard mapping. Key points include:</p> <ul> <li>Use <code>Cint</code>, <code>Clong</code>, <code>Csize_t</code>, etc., for C integer types.</li> <li>Use <code>Cfloat</code> (maps to <code>Float32</code>) for C <code>float</code>.</li> <li>Use <code>Cdouble</code> (maps to <code>Float64</code>) for C <code>double</code>.</li> <li>Use <code>Ptr{JuliaType}</code> for C <code>CType*</code>, where <code>JuliaType</code> corresponds to <code>CType</code>. Use <code>Ptr{Cvoid}</code> for <code>void*</code>.</li> <li>Use <code>Cvoid</code> as the <code>ReturnType</code> for C <code>void</code> functions.</li> <li>Pass <code>isbits struct</code>s <em>by pointer</em> (<code>T*</code>) using <code>Ref{T}</code> as the <code>ArgType</code> and <code>Ref(value)</code> as the <code>ArgValue</code>.</li> </ul> <h2> Example: <code>atan2</code> </h2> <ul> <li>The C prototype is <code>double atan2(double y, double x)</code>.</li> <li> <code>ReturnType</code> is <code>Cdouble</code> (maps to Julia's <code>Float64</code>).</li> <li> <code>ArgTypes</code> is <code>(Cdouble, Cdouble)</code>.</li> <li>We pass Julia <code>Float64</code> values (<code>y_jl</code>, <code>x_jl</code>). <code>ccall</code> ensures they are passed correctly as C doubles.</li> </ul> <h2> Verification </h2> <p>The script concludes by printing the <code>sizeof</code> Julia's C-aliased types on the current platform. This allows you to verify that Julia's understanding of C type sizes matches what your C compiler uses. Mismatches here would indicate a potential problem with the Julia build or environment configuration.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", "Mapping C Types to Julia":</strong> The definitive table and explanation of type correspondences.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Libc</code>:</strong> Lists the available C-compatible type aliases (<code>Cint</code>, <code>Clong</code>, etc.).</li> <li> <strong>C Language Standard / Platform ABI Documentation:</strong> (External) Defines the sizes and alignment of C types on specific platforms.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0115_ccall_type_mapping.jl <span class="nt">---</span> Mapping C Types to Julia Types <span class="k">in </span>ccall <span class="nt">---</span> C<span class="s1">'s atan2(1.0, -1.0): 2.356194490192345 Julia'</span>s atan<span class="o">(</span>1.0, <span class="nt">-1</span>.0<span class="o">)</span>: 2.356194490192345 Results are approx equal: <span class="nb">true</span> <span class="nt">---</span> Verifying C Type Sizes on this Platform <span class="nt">---</span> sizeof<span class="o">(</span>Cint<span class="o">)</span>: 4 sizeof<span class="o">(</span>Clong<span class="o">)</span>: 8 sizeof<span class="o">(</span>Clonglong<span class="o">)</span>: 8 sizeof<span class="o">(</span>Csize_t<span class="o">)</span>: 8 sizeof<span class="o">(</span>Cchar<span class="o">)</span>: 1 sizeof<span class="o">(</span>Cfloat<span class="o">)</span>: 4 sizeof<span class="o">(</span>Cdouble<span class="o">)</span>: 8 </code></pre> </div> <p><em>(The specific sizes reflect a typical 64-bit Linux/macOS environment. <code>Clong</code> might be 4 on 32-bit systems or 64-bit Windows.)</em></p> <h3> <code>0116_ccall_passing_vectors.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0116_ccall_passing_vectors.jl</span> <span class="c"># Demonstrates passing a Julia Vector to C using pointer and length.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Csize_t</span><span class="x">,</span> <span class="kt">Cdouble</span> <span class="k">import</span> <span class="n">Libdl</span> <span class="c"># For dlopen/dlsym if not compiling string</span> <span class="c"># --- C Function Simulation ---</span> <span class="c"># We simulate a C function that sums elements of a double array:</span> <span class="c"># // C prototype:</span> <span class="c"># // double sum_array(const double* arr, size_t len);</span> <span class="c">#</span> <span class="c"># For self-containment, we'll compile this C code from a string</span> <span class="c"># into a temporary shared library. In real use, you'd link against</span> <span class="c"># an existing library.</span> <span class="kd">const</span> <span class="n">c_code_sum</span> <span class="o">=</span> <span class="s">""" #include &lt;stddef.h&gt; // for size_t double sum_array(const double* arr, size_t len) { double sum = 0.0; for (size_t i = 0; i &lt; len; i++) { sum += arr[i]; } return sum; } """</span> <span class="c"># Compile the C code into a temporary shared library</span> <span class="k">function</span><span class="nf"> compile_c_code</span><span class="x">(</span><span class="n">c_code</span><span class="x">,</span> <span class="n">lib_name</span><span class="x">)</span> <span class="n">lib_filename</span> <span class="o">=</span> <span class="n">lib_name</span> <span class="o">*</span> <span class="s">"."</span> <span class="o">*</span> <span class="n">Libdl</span><span class="o">.</span><span class="n">dlext</span> <span class="c"># Platform-specific extension (.so, .dll, .dylib)</span> <span class="c"># Basic check if gcc exists</span> <span class="k">if</span> <span class="n">isnothing</span><span class="x">(</span><span class="n">Sys</span><span class="o">.</span><span class="n">which</span><span class="x">(</span><span class="s">"gcc"</span><span class="x">))</span> <span class="n">error</span><span class="x">(</span><span class="s">"gcc not found. Please install gcc to run this example."</span><span class="x">)</span> <span class="k">end</span> <span class="n">compile_cmd</span> <span class="o">=</span> <span class="sb">`gcc -fPIC -shared -x c -o $lib_filename -`</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compiling C code to </span><span class="si">$</span><span class="s">lib_filename..."</span><span class="x">)</span> <span class="k">try</span> <span class="n">open</span><span class="x">(</span><span class="n">compile_cmd</span><span class="x">,</span> <span class="s">"w"</span><span class="x">,</span> <span class="nb">stdout</span><span class="x">)</span> <span class="k">do</span> <span class="n">io</span> <span class="n">print</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="n">c_code</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compilation successful."</span><span class="x">)</span> <span class="k">return</span> <span class="n">abspath</span><span class="x">(</span><span class="n">lib_filename</span><span class="x">)</span> <span class="c"># Return full path</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR compiling C code: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="k">end</span> <span class="k">end</span> <span class="kd">const</span> <span class="n">temp_lib_path</span> <span class="o">=</span> <span class="n">compile_c_code</span><span class="x">(</span><span class="n">c_code_sum</span><span class="x">,</span> <span class="s">"libtempsum"</span><span class="x">)</span> <span class="k">if</span> <span class="n">temp_lib_path</span> <span class="o">===</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">"Exiting due to compilation failure."</span><span class="x">)</span> <span class="n">exit</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Julia Data and ccall ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling C function with Julia Vector ---"</span><span class="x">)</span> <span class="c"># 1. The Julia Vector we want to pass.</span> <span class="c"># It's crucial that its element type matches the C function's expectation.</span> <span class="n">julia_vector</span> <span class="o">=</span> <span class="kt">Float64</span><span class="x">[</span><span class="mf">1.1</span><span class="x">,</span> <span class="mf">2.2</span><span class="x">,</span> <span class="mf">3.3</span><span class="x">,</span> <span class="mf">4.4</span><span class="x">,</span> <span class="mf">5.5</span><span class="x">]</span> <span class="c"># 2. Prepare arguments for ccall:</span> <span class="c"># - C 'const double* arr': Use 'pointer(julia_vector)' which returns Ptr{Float64}.</span> <span class="c"># Float64 matches Cdouble. Ptr{Float64} matches Ptr{Cdouble}.</span> <span class="c"># - C 'size_t len': Use 'length(julia_vector)' which returns Int.</span> <span class="c"># ccall automatically converts Int to Csize_t.</span> <span class="n">ptr_to_data</span> <span class="o">=</span> <span class="n">pointer</span><span class="x">(</span><span class="n">julia_vector</span><span class="x">)</span> <span class="n">vector_length</span> <span class="o">=</span> <span class="n">length</span><span class="x">(</span><span class="n">julia_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia Vector: "</span><span class="x">,</span> <span class="n">julia_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pointer to data: "</span><span class="x">,</span> <span class="n">ptr_to_data</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Vector length: "</span><span class="x">,</span> <span class="n">vector_length</span><span class="x">)</span> <span class="c"># 3. Perform the ccall.</span> <span class="n">result</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">sum_array</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">),</span> <span class="c"># Function name and path to our temporary library</span> <span class="kt">Cdouble</span><span class="x">,</span> <span class="c"># Return type: double -&gt; Cdouble (Float64)</span> <span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Cdouble</span><span class="x">},</span> <span class="kt">Csize_t</span><span class="x">),</span> <span class="c"># Argument types: (double*, size_t)</span> <span class="n">ptr_to_data</span><span class="x">,</span> <span class="n">vector_length</span> <span class="c"># Argument values: pointer and length</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR during ccall: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="nb">NaN</span> <span class="k">end</span> <span class="c"># --- Verification and Cleanup ---</span> <span class="k">if</span> <span class="o">!</span><span class="n">isnan</span><span class="x">(</span><span class="n">result</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Result from C's sum_array: "</span><span class="x">,</span> <span class="n">result</span><span class="x">)</span> <span class="n">julia_sum</span> <span class="o">=</span> <span class="n">sum</span><span class="x">(</span><span class="n">julia_vector</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia's sum(): "</span><span class="x">,</span> <span class="n">julia_sum</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Results approximately equal: "</span><span class="x">,</span> <span class="n">result</span> <span class="n">≈</span> <span class="n">julia_sum</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Clean up the temporary library file</span> <span class="k">try</span> <span class="n">rm</span><span class="x">(</span><span class="n">temp_lib_path</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Removed temporary library: "</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Warning: Could not remove temporary library '</span><span class="si">$</span><span class="s">temp_lib_path': "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates the most common and crucial pattern for C interoperability: passing a Julia <code>Vector</code> (or <code>Array</code>) to a C function that expects a pointer to the data and the number of elements. This is achieved efficiently and safely using <code>pointer()</code> and <code>length()</code>.</p> <h2> Core Concept: Pointer + Length Idiom </h2> <p>Many C functions operating on arrays follow the pattern <code>return_type function_name(element_type* data_pointer, size_type number_of_elements)</code>. To call such a function from Julia with a <code>Vector</code> named <code>A</code>:</p> <ol> <li> <strong>Get Pointer to Data:</strong> Use <code>pointer(A)</code>. As covered in Module 9, this returns a <code>Ptr{T}</code> (where <code>T</code> is the element type of <code>A</code>) pointing directly to the <strong>first element</strong> (<code>A[1]</code>) in the vector's contiguous memory buffer.</li> <li> <strong>Get Number of Elements:</strong> Use <code>length(A)</code>. This returns the number of elements in the vector as a Julia <code>Int</code>.</li> <li> <strong><code>ccall</code> Signature:</strong> <ul> <li>The <code>ArgTypes</code> tuple must match the C function. C <code>T*</code> maps to Julia <code>Ptr{CorrespondingJuliaT}</code> (e.g., <code>double*</code> -&gt; <code>Ptr{Cdouble}</code>). C <code>size_t</code> maps to Julia <code>Csize_t</code>.</li> <li>Pass <code>pointer(A)</code> and <code>length(A)</code> as the corresponding <code>ArgValues</code>. <code>ccall</code> automatically handles converting the Julia <code>Int</code> from <code>length</code> to the required C integer type (<code>Csize_t</code> in this case).</li> </ul> </li> </ol> <h2> Zero-Copy Performance </h2> <ul> <li> <strong>No Data Copying:</strong> This is a <strong>zero-copy</strong> operation. <code>pointer(A)</code> simply gets the memory address where the vector's data <em>already resides</em>. The data itself is <strong>not copied</strong> before being passed to C. The C function operates directly on Julia's memory buffer.</li> <li> <strong>Efficiency:</strong> This makes calling C functions with large arrays extremely efficient, avoiding the potentially massive overhead of copying data between Julia and C.</li> </ul> <h2> GC Safety: Pinning </h2> <ul> <li> <strong>The Problem:</strong> Julia's garbage collector (GC) occasionally moves objects in memory to compact the heap. If the GC moved the data buffer of <code>julia_vector</code> <em>while</em> the C function <code>sum_array</code> was reading from <code>ptr_to_data</code>, the C function would suddenly be accessing invalid memory, leading to a crash.</li> <li> <strong><code>ccall</code>'s Solution:</strong> When <code>ccall</code> sees that one of its arguments (<code>ptr_to_data</code>) was derived from a Julia object (<code>julia_vector</code> via <code>pointer()</code>), it automatically <strong>"pins"</strong> the object (<code>julia_vector</code>). This tells the GC: "Do <strong>not</strong> move or garbage collect this object or its data buffer until this <code>ccall</code> completes."</li> <li> <strong>Guaranteed Safety:</strong> This pinning mechanism ensures that the pointer passed to C remains valid for the entire duration of the native function call, preventing GC-related memory corruption. You do not need to manually manage pinning when using <code>pointer()</code> with <code>ccall</code>.</li> </ul> <p>This <code>pointer(A), length(A)</code> pattern combined with <code>ccall</code>'s automatic GC pinning provides a safe, efficient, and idiomatic way to leverage C libraries that operate on arrays, forming the backbone of numerical and systems integration in Julia.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", "Passing Pointers for Modifying Inputs":</strong> Although discussing modification, it implicitly covers passing arrays via pointers.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>pointer</code>:</strong> "Get the native address..." Mentions safety for <code>ccall</code>.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>length</code>:</strong> Returns the number of elements.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires a C compiler like <code>gcc</code> to be installed and in the system's PATH for the C code compilation step.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0116_ccall_passing_vectors.jl Compiling C code to libtempsum.so... Compilation successful. <span class="nt">---</span> Calling C <span class="k">function </span>with Julia Vector <span class="nt">---</span> Julia Vector: <span class="o">[</span>1.1, 2.2, 3.3, 4.4, 5.5] Pointer to data: Ptr<span class="o">{</span>Float64<span class="o">}(</span>0x...<span class="o">)</span> Vector length: 5 Result from C<span class="s1">'s sum_array: 16.5 Julia'</span>s <span class="nb">sum</span><span class="o">()</span>: 16.5 Results approximately equal: <span class="nb">true </span>Removed temporary library: /path/to/libtempsum.so </code></pre> </div> <p><em>(Memory address and exact path will vary. The sums should match.)</em></p> <h3> <code>0117_ccall_passing_structs.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0117_ccall_passing_structs.jl</span> <span class="c"># Demonstrates passing an isbits struct by reference (pointer) to C.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Cdouble</span><span class="x">,</span> <span class="kt">Cvoid</span> <span class="k">import</span> <span class="n">Libdl</span> <span class="c"># --- Julia Struct Definition ---</span> <span class="c"># 1. Define an immutable 'isbits' struct in Julia.</span> <span class="c"># Its memory layout will be identical to the corresponding C struct.</span> <span class="k">struct</span><span class="nc"> Point</span> <span class="c"># isbits, 16 bytes</span> <span class="n">x</span><span class="o">::</span><span class="kt">Float64</span> <span class="c"># 8 bytes</span> <span class="n">y</span><span class="o">::</span><span class="kt">Float64</span> <span class="c"># 8 bytes</span> <span class="k">end</span> <span class="c"># --- C Code Simulation ---</span> <span class="c"># C struct equivalent:</span> <span class="c"># typedef struct {</span> <span class="c"># double x;</span> <span class="c"># double y;</span> <span class="c"># } Point;</span> <span class="c">#</span> <span class="c"># C function that modifies a Point via pointer:</span> <span class="c"># void move_point(Point* p, double dx, double dy) {</span> <span class="c"># p-&gt;x += dx;</span> <span class="c"># p-&gt;y += dy;</span> <span class="c"># }</span> <span class="c"># Compile the C code into a temporary shared library</span> <span class="kd">const</span> <span class="n">c_code_point</span> <span class="o">=</span> <span class="s">""" #include &lt;stddef.h&gt; typedef struct { double x; double y; } Point; void move_point(Point* p, double dx, double dy) { if (p != NULL) { // Basic null check p-&gt;x += dx; p-&gt;y += dy; } } """</span> <span class="k">function</span><span class="nf"> compile_c_code</span><span class="x">(</span><span class="n">c_code</span><span class="x">,</span> <span class="n">lib_name</span><span class="x">)</span> <span class="n">lib_filename</span> <span class="o">=</span> <span class="n">lib_name</span> <span class="o">*</span> <span class="s">"."</span> <span class="o">*</span> <span class="n">Libdl</span><span class="o">.</span><span class="n">dlext</span> <span class="k">if</span> <span class="n">isnothing</span><span class="x">(</span><span class="n">Sys</span><span class="o">.</span><span class="n">which</span><span class="x">(</span><span class="s">"gcc"</span><span class="x">))</span> <span class="n">error</span><span class="x">(</span><span class="s">"gcc not found. Please install gcc to run this example."</span><span class="x">)</span> <span class="k">end</span> <span class="n">compile_cmd</span> <span class="o">=</span> <span class="sb">`gcc -fPIC -shared -x c -o $lib_filename -`</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compiling C code to </span><span class="si">$</span><span class="s">lib_filename..."</span><span class="x">)</span> <span class="k">try</span> <span class="n">open</span><span class="x">(</span><span class="n">compile_cmd</span><span class="x">,</span> <span class="s">"w"</span><span class="x">,</span> <span class="nb">stdout</span><span class="x">)</span> <span class="k">do</span> <span class="n">io</span> <span class="n">print</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="n">c_code</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compilation successful."</span><span class="x">)</span> <span class="k">return</span> <span class="n">abspath</span><span class="x">(</span><span class="n">lib_filename</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR compiling C code: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="k">end</span> <span class="k">end</span> <span class="kd">const</span> <span class="n">temp_lib_path</span> <span class="o">=</span> <span class="n">compile_c_code</span><span class="x">(</span><span class="n">c_code_point</span><span class="x">,</span> <span class="s">"libtemppoint"</span><span class="x">)</span> <span class="k">if</span> <span class="n">temp_lib_path</span> <span class="o">===</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">"Exiting due to compilation failure."</span><span class="x">)</span> <span class="n">exit</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Julia Data and ccall ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling C function with Julia isbits struct ---"</span><span class="x">)</span> <span class="c"># 2. Create an instance of the Julia struct.</span> <span class="n">p</span> <span class="o">=</span> <span class="n">Point</span><span class="x">(</span><span class="mf">10.0</span><span class="x">,</span> <span class="mf">20.0</span><span class="x">)</span> <span class="c"># 3. Prepare argument for passing *by pointer* to C.</span> <span class="c"># The C function expects 'Point*'. We cannot pass 'p' directly,</span> <span class="c"># as that would pass the 16-byte value itself (pass-by-value).</span> <span class="c"># We need to pass its *address*.</span> <span class="c"># The safe way to do this for an isbits value is using 'Ref(value)'.</span> <span class="c"># 'Ref(p)' creates a GC-managed box holding 'p', allowing a stable pointer.</span> <span class="n">p_ref</span> <span class="o">=</span> <span class="kt">Ref</span><span class="x">(</span><span class="n">p</span><span class="x">)</span> <span class="c"># Type is Base.RefValue{Point}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Julia Point p: "</span><span class="x">,</span> <span class="n">p</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Boxed Ref(p): "</span><span class="x">,</span> <span class="n">p_ref</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value inside Ref before call: "</span><span class="x">,</span> <span class="n">p_ref</span><span class="x">[])</span> <span class="c"># Use [] to get value from Ref</span> <span class="c"># 4. Perform the ccall.</span> <span class="c"># Map C 'Point*' to Julia 'Ref{Point}' in the ArgTypes tuple.</span> <span class="c"># ccall automatically uses Base.unsafe_convert(Ptr{Point}, p_ref) internally.</span> <span class="n">result</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">move_point</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">),</span> <span class="c"># Function name and library path</span> <span class="kt">Cvoid</span><span class="x">,</span> <span class="c"># Return type: void</span> <span class="x">(</span><span class="kt">Ref</span><span class="x">{</span><span class="n">Point</span><span class="x">},</span> <span class="kt">Cdouble</span><span class="x">,</span> <span class="kt">Cdouble</span><span class="x">),</span> <span class="c"># Arg types: (Point*, double, double)</span> <span class="n">p_ref</span><span class="x">,</span> <span class="mf">5.0</span><span class="x">,</span> <span class="o">-</span><span class="mf">5.0</span> <span class="c"># Arg values: pass the Ref object</span> <span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">ccall executed successfully."</span><span class="x">)</span> <span class="nb">true</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">ERROR during ccall: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="nb">false</span> <span class="k">end</span> <span class="c"># --- Verification and Cleanup ---</span> <span class="k">if</span> <span class="n">result</span> <span class="c"># 5. Check the value *inside* the Ref object after the call.</span> <span class="c"># The C function modified the data held within the Ref.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value inside Ref after call: "</span><span class="x">,</span> <span class="n">p_ref</span><span class="x">[])</span> <span class="c"># The original immutable 'p' variable is *unchanged*.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Original variable 'p' (immutable) is unchanged: "</span><span class="x">,</span> <span class="n">p</span><span class="x">)</span> <span class="k">end</span> <span class="k">try</span> <span class="n">rm</span><span class="x">(</span><span class="n">temp_lib_path</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Removed temporary library: "</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Warning: Could not remove temporary library '</span><span class="si">$</span><span class="s">temp_lib_path': "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to pass a Julia <strong><code>isbits struct</code></strong> (like our immutable <code>Point</code>) <strong>by reference (as a pointer)</strong> to a C function that expects to receive and potentially modify a C <code>struct</code> via a pointer.</p> <h2> Core Concept: Identical Memory Layout &amp; Passing Pointers </h2> <ul> <li> <strong><code>isbits struct</code> Layout:</strong> As established in Module 9, an immutable Julia <code>struct</code> containing only <code>isbits</code> fields (like <code>Point</code> with its <code>Float64</code>s) has a <strong>memory layout identical</strong> to its corresponding C <code>struct</code>. This allows direct memory sharing.</li> <li> <strong>C Expects Pointers:</strong> C functions often modify structs passed to them by taking a <strong>pointer</strong> (<code>Point* p</code>) rather than receiving the struct by value (<code>Point p</code>). Passing by pointer allows the C function to modify the original struct data in the caller's memory.</li> <li> <strong>Julia <code>Ref{T}</code> for <code>T*</code>:</strong> When a C function expects a pointer <code>T*</code> where <code>T</code> is an <code>isbits</code> type (like <code>Point*</code>), the idiomatic and safe way to pass a Julia value <code>p</code> of type <code>T</code> is: <ol> <li> Wrap the Julia value in a <code>Ref</code>: <code>p_ref = Ref(p)</code>. This creates a small, GC-managed object on the heap that contains the <code>isbits</code> data (<code>p</code>).</li> <li> Specify <code>Ref{Point}</code> as the corresponding Julia type in the <code>ccall</code> <code>ArgTypes</code> tuple.</li> <li> Pass the <code>p_ref</code> object itself as the argument value to <code>ccall</code>.</li> </ol> </li> <li> <strong>Behind the Scenes:</strong> <code>ccall</code> recognizes the <code>Ref{Point}</code> argument type. It uses the internal function <code>Base.unsafe_convert(Ptr{Point}, p_ref)</code> (as seen in lesson 0091) to get a stable, GC-safe <code>Ptr{Point}</code> pointing to the data <em>inside</em> the <code>Ref</code> object. This raw pointer is then passed to the C function.</li> </ul> <h2> How Modification Works </h2> <ul> <li>The C function <code>move_point</code> receives the <code>Ptr{Point}</code>.</li> <li>It dereferences the pointer (<code>p-&gt;x</code>, <code>p-&gt;y</code>) and modifies the bytes <strong>at that memory address</strong>.</li> <li>This memory address belongs to the data stored <em>inside</em> the Julia <code>Ref</code> object (<code>p_ref</code>).</li> <li>After the <code>ccall</code> returns, the data within <code>p_ref</code> has been changed by the C code. We can observe this by accessing the value using <code>p_ref[]</code>.</li> <li> <strong>Immutability Note:</strong> The original immutable variable <code>p</code> remains unchanged. The <code>Ref(p)</code> constructor copied the <em>value</em> of <code>p</code> into the mutable <code>Ref</code> container. The C function modified the data <em>inside the container</em>, not the original immutable <code>p</code>.</li> </ul> <p>This <code>Ref{T}</code> mechanism provides a safe and standard way to bridge Julia's value types (<code>isbits struct</code>) with C's common pattern of passing structs by pointer for modification.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", "Passing Pointers for Modifying Inputs":</strong> Explains the use of <code>Ref{T}</code> for passing pointers to <code>isbits</code> types to C for modification.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>Ref</code>:</strong> "Used to pass references to objects..."</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>gcc</code> available.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0117_ccall_passing_structs.jl Compiling C code to libtemppoint.so... Compilation successful. <span class="nt">---</span> Calling C <span class="k">function </span>with Julia isbits struct <span class="nt">---</span> Julia Point p: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Boxed Ref<span class="o">(</span>p<span class="o">)</span>: Base.RefValue<span class="o">{</span>Point<span class="o">}(</span>Point<span class="o">(</span>10.0, 20.0<span class="o">))</span> Value inside Ref before call: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> ccall executed successfully. Value inside Ref after call: Point<span class="o">(</span>15.0, 15.0<span class="o">)</span> Original variable <span class="s1">'p'</span> <span class="o">(</span>immutable<span class="o">)</span> is unchanged: Point<span class="o">(</span>10.0, 20.0<span class="o">)</span> Removed temporary library: /path/to/libtemppoint.so </code></pre> </div> <p><em>(Path and memory addresses will vary. The key is that <code>p_ref[]</code> shows the modified values.)</em></p> <h3> <code>0118_ccall_callbacks.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0118_ccall_callbacks.jl</span> <span class="c"># Demonstrates passing a Julia function TO C as a callback pointer.</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Cint</span><span class="x">,</span> <span class="kt">Cvoid</span> <span class="k">import</span> <span class="n">Libdl</span> <span class="c"># --- C Code Simulation ---</span> <span class="c"># C code defining a function pointer type 'compare_func' and</span> <span class="c"># a function 'do_comparison' that accepts and calls such a pointer.</span> <span class="c">#</span> <span class="c"># // C typedef for a function pointer: takes two ints, returns int</span> <span class="c"># typedef int (*compare_func)(int a, int b);</span> <span class="c">#</span> <span class="c"># // C function that uses the callback</span> <span class="c"># int do_comparison(int a, int b, compare_func func_ptr) {</span> <span class="c"># if (func_ptr == NULL) return -999; // Basic error check</span> <span class="c"># return func_ptr(a, b); // Call the function pointer</span> <span class="c"># }</span> <span class="kd">const</span> <span class="n">c_code_callback</span> <span class="o">=</span> <span class="s">""" #include &lt;stddef.h&gt; // For NULL typedef int (*compare_func)(int a, int b); int do_comparison(int a, int b, compare_func func_ptr) { if (func_ptr == NULL) return -999; // Call the function provided by Julia return func_ptr(a, b); } """</span> <span class="c"># Compile the C code into a temporary shared library</span> <span class="k">function</span><span class="nf"> compile_c_code</span><span class="x">(</span><span class="n">c_code</span><span class="x">,</span> <span class="n">lib_name</span><span class="x">)</span> <span class="n">lib_filename</span> <span class="o">=</span> <span class="n">lib_name</span> <span class="o">*</span> <span class="s">"."</span> <span class="o">*</span> <span class="n">Libdl</span><span class="o">.</span><span class="n">dlext</span> <span class="k">if</span> <span class="n">isnothing</span><span class="x">(</span><span class="n">Sys</span><span class="o">.</span><span class="n">which</span><span class="x">(</span><span class="s">"gcc"</span><span class="x">))</span> <span class="n">error</span><span class="x">(</span><span class="s">"gcc not found. Please install gcc to run this example."</span><span class="x">)</span> <span class="k">end</span> <span class="n">compile_cmd</span> <span class="o">=</span> <span class="sb">`gcc -fPIC -shared -x c -o $lib_filename -`</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compiling C code to </span><span class="si">$</span><span class="s">lib_filename..."</span><span class="x">)</span> <span class="k">try</span> <span class="n">open</span><span class="x">(</span><span class="n">compile_cmd</span><span class="x">,</span> <span class="s">"w"</span><span class="x">,</span> <span class="nb">stdout</span><span class="x">)</span> <span class="k">do</span> <span class="n">io</span> <span class="n">print</span><span class="x">(</span><span class="n">io</span><span class="x">,</span> <span class="n">c_code</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Compilation successful."</span><span class="x">)</span> <span class="k">return</span> <span class="n">abspath</span><span class="x">(</span><span class="n">lib_filename</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR compiling C code: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">return</span> <span class="nb">nothing</span> <span class="k">end</span> <span class="k">end</span> <span class="kd">const</span> <span class="n">temp_lib_path</span> <span class="o">=</span> <span class="n">compile_c_code</span><span class="x">(</span><span class="n">c_code_callback</span><span class="x">,</span> <span class="s">"libtempcallback"</span><span class="x">)</span> <span class="k">if</span> <span class="n">temp_lib_path</span> <span class="o">===</span> <span class="nb">nothing</span> <span class="n">println</span><span class="x">(</span><span class="s">"Exiting due to compilation failure."</span><span class="x">)</span> <span class="n">exit</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="c"># --- Julia Callback and ccall ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Calling C function with Julia Callback ---"</span><span class="x">)</span> <span class="c"># 1. Define the Julia function to be used as a callback.</span> <span class="c"># CRITICAL: The argument types and return type MUST exactly match</span> <span class="c"># the C function pointer typedef, using Julia's C-compatible types.</span> <span class="c"># C 'int' maps to Julia 'Cint'.</span> <span class="k">function</span><span class="nf"> julia_comparator</span><span class="x">(</span><span class="n">a</span><span class="o">::</span><span class="kt">Cint</span><span class="x">,</span> <span class="n">b</span><span class="o">::</span><span class="kt">Cint</span><span class="x">)</span><span class="o">::</span><span class="kt">Cint</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Julia Callback 'julia_comparator' Executing ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">" Received: a=</span><span class="si">$</span><span class="s">a, b=</span><span class="si">$</span><span class="s">b"</span><span class="x">)</span> <span class="k">if</span> <span class="n">a</span> <span class="o">&gt;</span> <span class="n">b</span> <span class="k">return</span> <span class="kt">Cint</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">elseif</span> <span class="n">a</span> <span class="o">&lt;</span> <span class="n">b</span> <span class="k">return</span> <span class="kt">Cint</span><span class="x">(</span><span class="o">-</span><span class="mi">1</span><span class="x">)</span> <span class="k">else</span> <span class="k">return</span> <span class="kt">Cint</span><span class="x">(</span><span class="mi">0</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># 2. Create a C-callable function pointer using '@cfunction'.</span> <span class="c"># Syntax: @cfunction(julia_function_name, ReturnType, (ArgType1, ...))</span> <span class="c"># This generates a GC-safe pointer that C code can invoke.</span> <span class="n">c_func_ptr</span> <span class="o">=</span> <span class="nd">@cfunction</span><span class="x">(</span><span class="n">julia_comparator</span><span class="x">,</span> <span class="kt">Cint</span><span class="x">,</span> <span class="x">(</span><span class="kt">Cint</span><span class="x">,</span> <span class="kt">Cint</span><span class="x">))</span> <span class="n">println</span><span class="x">(</span><span class="s">"Generated C function pointer: "</span><span class="x">,</span> <span class="n">c_func_ptr</span><span class="x">)</span> <span class="c"># Prints the Ptr{Cvoid} address</span> <span class="c"># 3. Perform the ccall to the C function 'do_comparison'.</span> <span class="c"># - C function pointer 'compare_func' maps to 'Ptr{Cvoid}' in ArgTypes.</span> <span class="c"># - Pass the 'c_func_ptr' obtained from @cfunction as the argument value.</span> <span class="n">result</span> <span class="o">=</span> <span class="k">try</span> <span class="n">ccall</span><span class="x">(</span> <span class="x">(</span><span class="o">:</span><span class="n">do_comparison</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">),</span> <span class="c"># C function name and library</span> <span class="kt">Cint</span><span class="x">,</span> <span class="c"># Return type: int -&gt; Cint</span> <span class="x">(</span><span class="kt">Cint</span><span class="x">,</span> <span class="kt">Cint</span><span class="x">,</span> <span class="kt">Ptr</span><span class="x">{</span><span class="kt">Cvoid</span><span class="x">}),</span> <span class="c"># Arg types: (int, int, compare_func)</span> <span class="kt">Cint</span><span class="x">(</span><span class="mi">10</span><span class="x">),</span> <span class="kt">Cint</span><span class="x">(</span><span class="mi">5</span><span class="x">),</span> <span class="n">c_func_ptr</span> <span class="c"># Arg values: pass ints and the function pointer</span> <span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR during ccall: "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="kt">Cint</span><span class="x">(</span><span class="o">-</span><span class="mi">999</span><span class="x">)</span> <span class="c"># Error value</span> <span class="k">end</span> <span class="c"># --- Verification and Cleanup ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">ccall to 'do_comparison' finished."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Result returned from C (via Julia callback): "</span><span class="x">,</span> <span class="n">result</span><span class="x">)</span> <span class="c"># Should be 1</span> <span class="k">try</span> <span class="n">rm</span><span class="x">(</span><span class="n">temp_lib_path</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Removed temporary library: "</span><span class="x">,</span> <span class="n">temp_lib_path</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Warning: Could not remove temporary library '</span><span class="si">$</span><span class="s">temp_lib_path': "</span><span class="x">,</span> <span class="n">e</span><span class="x">)</span> <span class="k">end</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates a powerful feature of Julia's C interoperability: passing a <strong>Julia function</strong> to a C library that expects a <strong>function pointer</strong> (often called a <strong>callback</strong>). This allows C code to call back into your Julia code, enabling patterns like event handling or custom comparison functions.</p> <h2> Core Concept: C Function Pointers and Callbacks </h2> <ul> <li> <strong>C Function Pointers:</strong> In C, you can store the memory address of a function in a variable (a function pointer). This pointer can then be passed to other functions, which can invoke the original function via the pointer. <code>typedef int (*compare_func)(int a, int b);</code> defines <code>compare_func</code> as a type representing a pointer to a function that takes two <code>int</code>s and returns an <code>int</code>.</li> <li> <strong>Callbacks:</strong> This mechanism is frequently used for callbacks. A library function (like C's <code>qsort</code> or our <code>do_comparison</code>) takes a function pointer as an argument. The library function performs some generic operation but calls the user-provided function pointer at specific points to customize behavior (e.g., to compare elements during sorting or to handle an event).</li> </ul> <h2> Julia's Solution: <code>@cfunction</code> </h2> <ul> <li> <strong>The Bridge:</strong> Julia provides the <strong><code>@cfunction</code></strong> macro to bridge the gap between Julia functions and C function pointers.</li> <li> <strong>Syntax:</strong> <code>@cfunction(julia_function_name, ReturnType, (ArgType1, ...))</code> <ul> <li> <code>julia_function_name</code>: The name of the Julia function you want C to call.</li> <li> <code>ReturnType</code>: The Julia C-compatible type corresponding to the C function pointer's return type (e.g., <code>Cint</code>).</li> <li> <code>(ArgType1, ...)</code>: A <code>Tuple</code> of Julia C-compatible types corresponding to the C function pointer's argument types (e.g., <code>(Cint, Cint)</code>).</li> </ul> </li> <li> <strong>Return Value:</strong> <code>@cfunction</code> returns a <code>Ptr{Cvoid}</code> (equivalent to <code>void*</code>), which is the raw function pointer address that C code can understand and call.</li> <li> <strong>Type Safety:</strong> The <code>ReturnType</code> and <code>ArgTypes</code> provided to <code>@cfunction</code> <strong>must exactly match</strong> the signature expected by the C code (defined by the <code>typedef</code> or function prototype). Mismatches will lead to crashes. Your Julia function (<code>julia_comparator</code>) must also adhere to this signature.</li> <li> <strong>GC Safety:</strong> Pointers generated by <code>@cfunction</code> are <strong>safe with respect to Julia's Garbage Collector</strong>. Julia ensures that the underlying Julia function (<code>julia_comparator</code>) and the necessary runtime context will <strong>not</strong> be garbage collected as long as the C function pointer might still be used by C code. <code>@cfunction</code> handles the complex details of generating a "trampoline" or "thunk" that C calls, which then sets up the Julia environment correctly before calling your Julia code.</li> </ul> <h2> <code>ccall</code> with Function Pointers </h2> <ul> <li>When calling a C function (like <code>do_comparison</code>) that expects a function pointer argument (like <code>compare_func</code>), the corresponding Julia type in the <code>ccall</code> <code>ArgTypes</code> tuple is typically <strong><code>Ptr{Cvoid}</code></strong>.</li> <li>You pass the pointer generated by <code>@cfunction</code> (<code>c_func_ptr</code>) as the value for that argument.</li> </ul> <h2> Use Cases (HFT Context) </h2> <ul> <li> <strong>Asynchronous Event Handling:</strong> Network libraries or market data APIs often use callbacks. They might require you to register a function pointer (<code>on_order_update</code>, <code>on_market_data</code>) that the library will call when a specific event occurs. You implement the handler logic in Julia and use <code>@cfunction</code> to pass it to the C library.</li> <li> <strong>Custom Sorting/Comparison:</strong> C library functions like <code>qsort</code> require a comparison function pointer. You can provide a Julia function for custom sorting logic.</li> <li> <strong>Integrating with C Frameworks:</strong> Many C frameworks use function pointers for plugins or extensions.</li> </ul> <p><code>@cfunction</code> provides a safe and efficient way for Julia code to respond to events or customize behavior within native C libraries.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Calling C and Fortran Code", "Passing C-compatible Function Pointers":</strong> Explains <code>@cfunction</code> and its usage for callbacks.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>gcc</code> available.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0118_ccall_callbacks.jl Compiling C code to libtempcallback.so... Compilation successful. <span class="nt">---</span> Calling C <span class="k">function </span>with Julia Callback <span class="nt">---</span> Generated C <span class="k">function </span>pointer: Ptr<span class="o">{</span>Cvoid<span class="o">}(</span>0x...<span class="o">)</span> <span class="nt">---</span> Julia Callback <span class="s1">'julia_comparator'</span> Executing <span class="nt">---</span> Received: <span class="nv">a</span><span class="o">=</span>10, <span class="nv">b</span><span class="o">=</span>5 ccall to <span class="s1">'do_comparison'</span> finished. Result returned from C <span class="o">(</span>via Julia callback<span class="o">)</span>: 1 Removed temporary library: /path/to/libtempcallback.so </code></pre> </div> <p><em>(Memory address and path will vary. The output confirms that the C code successfully called the Julia function.)</em></p> <h2> Operating System Interaction </h2> <h3> <code>0119_libc_calls.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0119_libc_calls.jl</span> <span class="c"># Demonstrates using the Libc standard library for C functions.</span> <span class="c"># 1. Import the Libc module and specific names.</span> <span class="c"># Libc contains wrappers for many standard C library functions</span> <span class="c"># and C-compatible types (already imported in previous lessons).</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="n">malloc</span><span class="x">,</span> <span class="n">free</span><span class="x">,</span> <span class="n">time</span> <span class="c"># Import specific function wrappers</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Libc</span><span class="o">:</span> <span class="kt">Clong</span><span class="x">,</span> <span class="kt">Cvoid</span><span class="x">,</span> <span class="nb">C_NULL</span> <span class="c"># Import needed types</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Using Libc Wrappers ---"</span><span class="x">)</span> <span class="c"># 2. Calling simple wrapped functions.</span> <span class="c"># Instead of 'ccall(:time, ...)', we can call 'Libc.time()'.</span> <span class="c"># This wrapper handles the ccall internally.</span> <span class="n">current_time_t</span> <span class="o">=</span> <span class="n">Libc</span><span class="o">.</span><span class="n">time</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Libc.time(): "</span><span class="x">,</span> <span class="n">current_time_t</span><span class="x">)</span> <span class="c"># --- Manual Memory Management with Libc.malloc/free ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Manual Memory Management (Outside GC) ---"</span><span class="x">)</span> <span class="c"># 3. Allocate memory directly from the C heap using 'Libc.malloc'.</span> <span class="c"># This memory is *NOT* tracked by Julia's Garbage Collector.</span> <span class="n">bytes_to_alloc</span> <span class="o">=</span> <span class="mi">10</span> <span class="o">*</span> <span class="n">sizeof</span><span class="x">(</span><span class="kt">Float64</span><span class="x">)</span> <span class="c"># Request space for 10 doubles</span> <span class="n">println</span><span class="x">(</span><span class="s">"Allocating </span><span class="si">$</span><span class="s">bytes_to_alloc bytes using Libc.malloc..."</span><span class="x">)</span> <span class="c"># Libc.malloc returns Ptr{Cvoid} (like void*). Returns C_NULL on failure.</span> <span class="n">ptr_void</span> <span class="o">=</span> <span class="n">Libc</span><span class="o">.</span><span class="n">malloc</span><span class="x">(</span><span class="n">bytes_to_alloc</span><span class="x">)</span> <span class="k">if</span> <span class="n">ptr_void</span> <span class="o">==</span> <span class="nb">C_NULL</span> <span class="n">error</span><span class="x">(</span><span class="s">"Libc.malloc failed to allocate memory."</span><span class="x">)</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"Received raw pointer: "</span><span class="x">,</span> <span class="n">ptr_void</span><span class="x">)</span> <span class="c"># 4. Convert the raw pointer to a typed pointer.</span> <span class="n">ptr_float</span> <span class="o">=</span> <span class="n">convert</span><span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Float64</span><span class="x">},</span> <span class="n">ptr_void</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Typed pointer: "</span><span class="x">,</span> <span class="n">ptr_float</span><span class="x">)</span> <span class="c"># 5. Use the allocated memory (e.g., via unsafe_store!).</span> <span class="c"># We are responsible for ensuring we stay within the allocated bounds.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Writing values using unsafe_store!..."</span><span class="x">)</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">10</span> <span class="n">unsafe_store!</span><span class="x">(</span><span class="n">ptr_float</span><span class="x">,</span> <span class="kt">Float64</span><span class="x">(</span><span class="n">i</span> <span class="o">*</span> <span class="mf">1.1</span><span class="x">),</span> <span class="n">i</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 6. Read back values using unsafe_load.</span> <span class="n">val5</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">ptr_float</span><span class="x">,</span> <span class="mi">5</span><span class="x">)</span> <span class="n">val10</span> <span class="o">=</span> <span class="n">unsafe_load</span><span class="x">(</span><span class="n">ptr_float</span><span class="x">,</span> <span class="mi">10</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at index 5: "</span><span class="x">,</span> <span class="n">val5</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Value at index 10: "</span><span class="x">,</span> <span class="n">val10</span><span class="x">)</span> <span class="c"># 7. CRITICAL: Manually free the memory using 'Libc.free'.</span> <span class="c"># Failure to do this results in a memory leak, as the GC doesn't know</span> <span class="c"># about this memory.</span> <span class="n">println</span><span class="x">(</span><span class="s">"Freeing manually allocated memory using Libc.free..."</span><span class="x">)</span> <span class="n">Libc</span><span class="o">.</span><span class="n">free</span><span class="x">(</span><span class="n">ptr_void</span><span class="x">)</span> <span class="c"># Pass the original Ptr{Cvoid}</span> <span class="n">println</span><span class="x">(</span><span class="s">"Memory freed."</span><span class="x">)</span> <span class="c"># Attempting to access ptr_float now would be undefined behavior (use after free).</span> <span class="c"># val_after_free = unsafe_load(ptr_float, 1) # DO NOT DO THIS</span> <span class="c"># --- Alternative: Using unsafe_wrap with own=true ---</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Managing malloc'd Memory with unsafe_wrap(..., own=true) ---"</span><span class="x">)</span> <span class="c"># 8. Allocate again.</span> <span class="n">ptr_void_2</span> <span class="o">=</span> <span class="n">Libc</span><span class="o">.</span><span class="n">malloc</span><span class="x">(</span><span class="n">bytes_to_alloc</span><span class="x">)</span> <span class="k">if</span> <span class="n">ptr_void_2</span> <span class="o">==</span> <span class="nb">C_NULL</span><span class="x">;</span> <span class="n">error</span><span class="x">(</span><span class="s">"malloc failed"</span><span class="x">);</span> <span class="k">end</span> <span class="n">ptr_float_2</span> <span class="o">=</span> <span class="n">convert</span><span class="x">(</span><span class="kt">Ptr</span><span class="x">{</span><span class="kt">Float64</span><span class="x">},</span> <span class="n">ptr_void_2</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Allocated second block at: "</span><span class="x">,</span> <span class="n">ptr_float_2</span><span class="x">)</span> <span class="c"># 9. Use unsafe_wrap with 'own=true'.</span> <span class="c"># This creates a Julia Vector view and transfers ownership to the GC.</span> <span class="c"># The GC will call 'Libc.free(ptr_void_2)' when 'owned_array' is finalized.</span> <span class="n">owned_array</span> <span class="o">=</span> <span class="n">unsafe_wrap</span><span class="x">(</span><span class="kt">Array</span><span class="x">,</span> <span class="n">ptr_float_2</span><span class="x">,</span> <span class="mi">10</span><span class="x">;</span> <span class="n">own</span> <span class="o">=</span> <span class="nb">true</span><span class="x">)</span> <span class="c"># 10. Use the array normally.</span> <span class="n">owned_array</span> <span class="o">.=</span> <span class="x">[</span><span class="kt">Float64</span><span class="x">(</span><span class="n">i</span> <span class="o">*</span> <span class="mf">2.2</span><span class="x">)</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">10</span><span class="x">]</span> <span class="c"># Initialize using broadcasting</span> <span class="n">println</span><span class="x">(</span><span class="s">"Owned wrapped array: "</span><span class="x">,</span> <span class="n">owned_array</span><span class="x">)</span> <span class="c"># 11. DO NOT manually free ptr_void_2. The GC handles it via 'own=true'.</span> <span class="c"># Libc.free(ptr_void_2) # WRONG - would cause double-free later.</span> <span class="n">println</span><span class="x">(</span><span class="s">"GC will free the memory for 'owned_array' when it's no longer reachable."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces the <code>Libc</code> standard library module, which provides convenient Julia wrappers for many common C standard library functions, most notably memory management functions like <code>malloc</code> and <code>free</code>. It demonstrates how to allocate and manage memory <strong>outside</strong> of Julia's garbage collector control.</p> <h2> <code>Libc</code> Module: Convenience Wrappers </h2> <ul> <li> <strong>Purpose:</strong> Instead of writing <code>ccall((:time, :libc), Clong, ...)</code> repeatedly, the <code>Libc</code> module pre-defines wrappers like <code>Libc.time()</code>. These wrappers handle the correct <code>ccall</code> signature internally, providing a more Julian interface to standard C functions.</li> <li> <strong>Usage:</strong> <code>import Base.Libc</code> or import specific functions like <code>import Base.Libc: malloc, free</code>. You can then call them directly (e.g., <code>Libc.malloc(...)</code>).</li> </ul> <h2> Manual Memory Management: <code>Libc.malloc</code> and <code>Libc.free</code> </h2> <p>This is the most critical feature demonstrated here, relevant for specific low-level performance and interoperability scenarios.</p> <ol> <li> <strong><code>Libc.malloc(size::Integer)</code>:</strong> <ul> <li>Allocates a block of <code>size</code> bytes directly from the <strong>C heap</strong> (using the system's <code>malloc</code> implementation).</li> <li>Returns a <code>Ptr{Cvoid}</code> (like <code>void*</code>) pointing to the start of the block, or <code>C_NULL</code> if allocation fails.</li> <li> <strong>Crucially:</strong> This memory is <strong>NOT tracked by Julia's Garbage Collector (GC)</strong>.</li> </ul> </li> <li> <strong>Using the Memory:</strong> <ul> <li>You typically <code>convert</code> the <code>Ptr{Cvoid}</code> to a typed pointer (e.g., <code>Ptr{Float64}</code>).</li> <li>You can then read/write using <code>unsafe_load</code>/<code>unsafe_store!</code> (as shown) or create a view using <code>unsafe_wrap</code>.</li> <li>You are <strong>entirely responsible</strong> for managing the bounds of this memory block.</li> </ul> </li> <li> <strong><code>Libc.free(ptr::Ptr{Cvoid})</code>:</strong> <ul> <li> <strong>Explicitly releases</strong> the memory block pointed to by <code>ptr</code> (which <em>must</em> have been previously allocated by <code>Libc.malloc</code> or a compatible C allocator) back to the C heap.</li> <li> <strong>Mandatory:</strong> If you allocate with <code>Libc.malloc</code>, you <strong>must</strong> ensure <code>Libc.free</code> is called exactly once on that pointer when the memory is no longer needed. Failure to do so results in a <strong>memory leak</strong>. Calling <code>free</code> more than once (double-free) or on an invalid pointer leads to heap corruption and crashes.</li> </ul> </li> </ol> <h2> Managing <code>malloc</code>'d Memory with <code>unsafe_wrap(..., own=true)</code> </h2> <ul> <li>As seen in Module 9, <code>unsafe_wrap</code> provides a convenient way to manage <code>malloc</code>'d memory by transferring ownership to Julia's GC.</li> <li> <code>unsafe_wrap(Array, ptr, dims; own = true)</code> creates a Julia <code>Array</code> view onto the memory at <code>ptr</code>.</li> <li>The <code>own = true</code> flag tells the GC: "When this array object is finalized, call <code>Libc.free</code> on the original <code>ptr</code>."</li> <li>This automates the <code>free</code> call, reducing the risk of memory leaks or double-frees compared to purely manual management. <strong>This is generally the preferred way</strong> to work with <code>malloc</code>'d memory that you intend to use primarily through a Julia <code>Array</code> interface.</li> </ul> <h2> Why Use Manual Memory Management? (HFT Context) </h2> <p>While generally discouraged in favor of letting Julia's GC manage memory, direct <code>malloc</code>/<code>free</code> (often managed via <code>unsafe_wrap(..., own=true)</code>) is sometimes necessary in high-performance or systems-level code for:</p> <ol> <li> <strong>Interfacing with C libraries:</strong> C APIs might require you to pass pointers to memory allocated via <code>malloc</code>.</li> <li> <strong>Avoiding GC Pauses:</strong> For extremely latency-sensitive operations, you might allocate critical large buffers (e.g., for network packets or market data snapshots) using <code>malloc</code> to ensure the GC <em>never</em> scans, moves, or pauses due to those specific buffers. You would typically use <code>unsafe_wrap(..., own=false)</code> to create temporary views into these long-lived, manually managed buffers.</li> <li> <strong>Custom Allocators:</strong> Integrating with specialized memory allocators.</li> </ol> <p>Use manual memory management sparingly and carefully, with <code>unsafe_wrap(..., own=true)</code> being the safer option when feasible.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Libc</code>:</strong> Lists available C standard library functions and types.</li> <li> <strong>C Standard Library Documentation (e.g., man pages for <code>malloc</code>, <code>free</code>):</strong> Defines the behavior of the underlying C functions.</li> <li> <strong>Julia Official Documentation, Base Documentation, <code>unsafe_wrap</code>:</strong> Explains the <code>own</code> parameter for managing externally allocated memory.</li> </ul> </li> </ul> <p>To run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0119_libc_calls.jl <span class="nt">---</span> Using Libc Wrappers <span class="nt">---</span> Libc.time<span class="o">()</span>: 1.761134061489851e9 <span class="nt">---</span> Manual Memory Management <span class="o">(</span>Outside GC<span class="o">)</span> <span class="nt">---</span> Allocating 80 bytes using Libc.malloc... Received raw pointer: Ptr<span class="o">{</span>Nothing<span class="o">}(</span>0x000000003ace19a0<span class="o">)</span> Typed pointer: Ptr<span class="o">{</span>Float64<span class="o">}(</span>0x000000003ace19a0<span class="o">)</span> Writing values using unsafe_store!... Value at index 5: 5.5 Value at index 10: 11.0 Freeing manually allocated memory using Libc.free... Memory freed. <span class="nt">---</span> Managing malloc<span class="s1">'d Memory with unsafe_wrap(..., own=true) --- Allocated second block at: Ptr{Float64}(0x000000003ace19a0) Owned wrapped array: [2.2, 4.4, 6.6000000000000005, 8.8, 11.0, 13.200000000000001, 15.400000000000002, 17.6, 19.8, 22.0] GC will free the memory for '</span>owned_array<span class="s1">' when it'</span>s no longer reachable. </code></pre> </div> <p><em>(Memory addresses will vary.)</em></p> <h3> <code>0120_cpu_affinity.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0120_cpu_affinity.jl</span> <span class="c"># Demonstrates pinning Julia threads to specific CPU cores using ThreadPinning.jl.</span> <span class="c"># Requires the ThreadPinning.jl package and running Julia with multiple threads.</span> <span class="c"># 1. Import the package. See Explanation for installation.</span> <span class="k">try</span> <span class="k">import</span> <span class="n">ThreadPinning</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR: ThreadPinning.jl not found."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Please install it: Open Julia REPL, type ']', then 'add ThreadPinning'"</span><span class="x">)</span> <span class="n">exit</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="k">import</span> <span class="n">Base</span><span class="o">.</span><span class="n">Threads</span><span class="o">:</span> <span class="nd">@spawn</span><span class="x">,</span> <span class="n">threadid</span><span class="x">,</span> <span class="n">nthreads</span> <span class="c"># 2. Check if multi-threading is enabled.</span> <span class="k">if</span> <span class="n">nthreads</span><span class="x">()</span> <span class="o">&lt;</span> <span class="mi">2</span> <span class="n">println</span><span class="x">(</span><span class="s">"WARNING: Multi-threading is DISABLED (Threads.nthreads() == </span><span class="si">$</span><span class="s">(nthreads()))."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Restart Julia with '-t N' (N &gt;= 2) to run this demo."</span><span class="x">)</span> <span class="n">exit</span><span class="x">()</span> <span class="k">end</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- CPU Affinity Demo using ThreadPinning.jl ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Total Julia threads available: "</span><span class="x">,</span> <span class="n">nthreads</span><span class="x">())</span> <span class="c"># 3. Display initial system topology and thread placement (optional but informative).</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Initial State ---"</span><span class="x">)</span> <span class="c"># threadinfo() provides a visual overview of cores, sockets, NUMA nodes,</span> <span class="c"># and where Julia threads are currently allowed to run (or currently are).</span> <span class="c"># By default, threads usually aren't pinned and can run anywhere.</span> <span class="n">ThreadPinning</span><span class="o">.</span><span class="n">threadinfo</span><span class="x">()</span> <span class="c"># 4. Pin threads using a predefined strategy.</span> <span class="c"># ':cores' attempts to pin each Julia thread to a distinct physical core,</span> <span class="c"># avoiding hyperthreads if possible. Other options include :sockets, :numa,</span> <span class="c"># or explicit core IDs (e.g., 0:3).</span> <span class="n">pinning_strategy</span> <span class="o">=</span> <span class="o">:</span><span class="n">cores</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Pinning threads with strategy: </span><span class="si">$</span><span class="s">pinning_strategy ---"</span><span class="x">)</span> <span class="k">try</span> <span class="n">ThreadPinning</span><span class="o">.</span><span class="n">pinthreads</span><span class="x">(</span><span class="n">pinning_strategy</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Pinning successful (using pinthreads)."</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR during pinning: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Ensure you have appropriate permissions (may require admin/root on some systems)."</span><span class="x">)</span> <span class="c"># Continue without pinning if it fails</span> <span class="k">end</span> <span class="c"># 5. Display the state *after* pinning.</span> <span class="c"># threadinfo() should now show each Julia thread restricted to specific cores.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- State After Pinning ---"</span><span class="x">)</span> <span class="n">ThreadPinning</span><span class="o">.</span><span class="n">threadinfo</span><span class="x">()</span> <span class="c"># (Optional: Add work here using @spawn or @threads to see tasks running on pinned threads)</span> <span class="c"># 6. Unpin threads to restore default OS scheduling.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Unpinning threads ---"</span><span class="x">)</span> <span class="k">try</span> <span class="n">ThreadPinning</span><span class="o">.</span><span class="n">unpinthreads</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"Unpinning successful."</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR during unpinning: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 7. Display the state after unpinning.</span> <span class="c"># Should revert towards the initial state where threads can run on any core,</span> <span class="c"># though the OS might keep them somewhat localized initially.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- State After Unpinning ---"</span><span class="x">)</span> <span class="n">ThreadPinning</span><span class="o">.</span><span class="n">threadinfo</span><span class="x">()</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Affinity demo finished."</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates <strong>CPU core pinning</strong> (also known as setting thread affinity), a crucial technique in low-latency systems to ensure predictable performance by controlling which CPU core(s) a specific thread can run on. It uses the <strong><code>ThreadPinning.jl</code></strong> package.</p> <p><strong>Installation Note:</strong></p> <p><code>ThreadPinning.jl</code> is an external package. You need to add it to your project environment once.</p> <ol> <li> Start the Julia REPL: <code>julia</code> </li> <li> Enter Pkg mode: <code>]</code> </li> <li> Add the package: <code>add ThreadPinning</code> </li> <li> Exit Pkg mode: Press Backspace or <code>Ctrl+C</code>.</li> <li> You can now run this script (remembering to start Julia with multiple threads). Note that pinning functionality is primarily supported on <strong>Linux</strong>.</li> </ol> <h2> Core Concept: Thread Affinity and Performance Jitter </h2> <ul> <li> <strong>Default OS Scheduling:</strong> By default, the operating system's scheduler is free to <strong>migrate</strong> a running thread between different CPU cores.</li> <li> <strong>The Problem: Cache Invalidation &amp; Jitter:</strong> When a thread moves from Core A to Core B, data in Core A's L1/L2 caches becomes useless for that thread. The thread must repopulate Core B's caches, causing a significant, unpredictable <strong>performance stall</strong> or <strong>latency spike (jitter)</strong>.</li> <li> <strong>Low-Latency Impact:</strong> In HFT and other real-time systems, unpredictable jitter is unacceptable. Consistent, low latency is paramount.</li> </ul> <h2> The Solution: Core Pinning (<code>ThreadPinning.jl</code>) </h2> <ul> <li> <strong>CPU Affinity:</strong> This refers to the set of CPU cores on which a thread is <em>allowed</em> to run. Core pinning involves explicitly setting a thread's affinity, often to a single, specific core or a limited set.</li> <li> <strong><code>ThreadPinning.jl</code>:</strong> Provides functions to control thread affinity: <ul> <li> <strong><code>ThreadPinning.threadinfo(; kwargs...)</code>:</strong> Displays a detailed visualization of the system topology (sockets, cores, hyperthreads, NUMA domains) and shows where Julia threads are currently placed or allowed to run. Indispensable for verifying pinning.</li> <li> <strong><code>ThreadPinning.pinthreads(strategy; kwargs...)</code>:</strong> Pins Julia threads according to a specified <code>strategy</code>. Common strategies include: <ul> <li> <code>:cores</code>: Pin threads sequentially to physical cores, avoiding hyperthreads if possible.</li> <li> <code>:sockets</code>: Distribute threads round-robin across CPU sockets.</li> <li> <code>:numa</code>: Distribute threads round-robin across NUMA memory domains.</li> <li>Explicit Core IDs: Pass a vector or range of OS core IDs (e.g., <code>0:3</code> or <code>[0, 2, 4]</code>).</li> </ul> </li> <li> <strong><code>ThreadPinning.unpinthreads()</code>:</strong> Removes pinning restrictions for all Julia threads, restoring the default OS scheduling behavior.</li> </ul> </li> <li> <strong>Benefits of Pinning:</strong> <ol> <li> <strong>Eliminates Migration:</strong> Prevents OS scheduler-induced moves.</li> <li> <strong>Maximizes Cache Locality:</strong> Keeps thread data hot in specific L1/L2 caches.</li> <li> <strong>Reduces Jitter:</strong> Leads to more predictable, lower-latency execution.</li> <li> <strong>Reduces Interference:</strong> Isolates critical threads from other processes competing for the same core.</li> </ol> </li> </ul> <h2> Typical HFT Architecture </h2> <p>A common pattern is dedicating specific threads (pinned to specific cores) to distinct tasks (Network I/O, Strategy A, Strategy B, Order Management) to maximize cache efficiency and minimize interference.</p> <h2> Important Notes </h2> <ul> <li> <strong>Permissions:</strong> Setting thread affinity might require specific OS permissions.</li> <li> <strong>Platform:</strong> <code>ThreadPinning.jl</code>'s pinning functions work primarily on <strong>Linux</strong>. Querying functions like <code>threadinfo</code> may work elsewhere.</li> <li> <strong>Core Indexing:</strong> OS core/CPU IDs are typically <strong>0-indexed</strong>. Be mindful when providing explicit lists. <code>ThreadPinning.jl</code>'s documentation clarifies its indexing conventions. The <code>threadinfo</code> output mapping clarifies which Julia thread ID maps to which OS core ID.</li> </ul> <p>Core pinning is an advanced but essential technique for optimizing latency-sensitive applications by taking control of thread placement from the OS scheduler.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong><code>ThreadPinning.jl</code> Documentation:</strong> (<a href="https://github.com/carstenbauer/ThreadPinning.jl" rel="noopener noreferrer">https://github.com/carstenbauer/ThreadPinning.jl</a>). The primary source for usage and available strategies.</li> <li> <strong>Operating System Documentation (Linux <code>sched_setaffinity</code>):</strong> Describes the underlying OS system calls.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>ThreadPinning.jl</code> installed and Julia started with multiple threads, e.g., <code>julia -t 4 0120_cpu_affinity.jl</code>. Output indicates an Intel i9-13900HX with 24 CPU-threads.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia <span class="nt">-t</span> 4 0120_cpu_affinity.jl <span class="nt">---</span> CPU Affinity Demo using ThreadPinning.jl <span class="nt">---</span> Total Julia threads available: 4 <span class="nt">---</span> Initial State <span class="nt">---</span> Hostname: a8b1b1c0bbc3 CPU<span class="o">(</span>s<span class="o">)</span>: 1 x 13th Gen Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i9-13900HX CPU target: alderlake Cores: 24 <span class="o">(</span>24 CPU-threads<span class="o">)</span> Core kinds: 16 <span class="s2">"efficiency cores"</span>, 8 <span class="s2">"performance cores"</span><span class="nb">.</span> NUMA domains: 1 <span class="o">(</span>24 cores each<span class="o">)</span> Julia threads: 4 CPU socket 1 0,1,2,3,4,5,6,7,8,9 <span class="o">(</span>J1<span class="o">)</span>,10,11,12,13,14,15, 16,17 <span class="o">(</span>J2<span class="o">)</span>,18,19,20,21 <span class="o">(</span>J3<span class="o">)</span>,22 <span class="o">(</span>J4<span class="o">)</span>,23 <span class="c"># ... Legend ...</span> <span class="o">(</span>Mapping: 1 <span class="o">=&gt;</span> 9, 2 <span class="o">=&gt;</span> 17, 3 <span class="o">=&gt;</span> 21, 4 <span class="o">=&gt;</span> 22,<span class="o">)</span> <span class="c"># Initial OS placement</span> <span class="nt">---</span> Pinning threads with strategy: cores <span class="nt">---</span> Pinning successful <span class="o">(</span>using pinthreads<span class="o">)</span><span class="nb">.</span> <span class="nt">---</span> State After Pinning <span class="nt">---</span> Hostname: a8b1b1c0bbc3 CPU<span class="o">(</span>s<span class="o">)</span>: 1 x 13th Gen Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i9-13900HX CPU target: alderlake Cores: 24 <span class="o">(</span>24 CPU-threads<span class="o">)</span> Core kinds: 16 <span class="s2">"efficiency cores"</span>, 8 <span class="s2">"performance cores"</span><span class="nb">.</span> NUMA domains: 1 <span class="o">(</span>24 cores each<span class="o">)</span> Julia threads: 4 CPU socket 1 0 <span class="o">(</span>J1<span class="o">)</span>,1 <span class="o">(</span>J2<span class="o">)</span>,2 <span class="o">(</span>J3<span class="o">)</span>,3 <span class="o">(</span>J4<span class="o">)</span>,4,5,6,7,8,9,10,11,12,13,14,15, 16,17,18,19,20,21,22,23 <span class="c"># ... Legend ...</span> <span class="o">(</span>Mapping: 1 <span class="o">=&gt;</span> 0, 2 <span class="o">=&gt;</span> 1, 3 <span class="o">=&gt;</span> 2, 4 <span class="o">=&gt;</span> 3,<span class="o">)</span> <span class="c"># Pinned to first cores</span> <span class="nt">---</span> Unpinning threads <span class="nt">---</span> Unpinning successful. <span class="nt">---</span> State After Unpinning <span class="nt">---</span> Hostname: a8b1b1c0bbc3 CPU<span class="o">(</span>s<span class="o">)</span>: 1 x 13th Gen Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i9-13900HX CPU target: alderlake Cores: 24 <span class="o">(</span>24 CPU-threads<span class="o">)</span> Core kinds: 16 <span class="s2">"efficiency cores"</span>, 8 <span class="s2">"performance cores"</span><span class="nb">.</span> NUMA domains: 1 <span class="o">(</span>24 cores each<span class="o">)</span> Julia threads: 4 CPU socket 1 0 <span class="o">(</span>J2<span class="o">)</span>,1 <span class="o">(</span>J1<span class="o">)</span>,2,3 <span class="o">(</span>J3<span class="o">)</span>,4 <span class="o">(</span>J4<span class="o">)</span>,5,6,7,8,9,10,11,12,13,14,15, <span class="c"># Example OS placement</span> 16,17,18,19,20,21,22,23 <span class="c"># ... Legend ...</span> <span class="o">(</span>Mapping: 1 <span class="o">=&gt;</span> 1, 2 <span class="o">=&gt;</span> 0, 3 <span class="o">=&gt;</span> 3, 4 <span class="o">=&gt;</span> 4,<span class="o">)</span> <span class="c"># Example after unpinning</span> Affinity demo finished. </code></pre> </div> <h2> Profiling Performance </h2> <h3> <code>0121_profiler_basics.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0121_profiler_basics.jl</span> <span class="c"># Introduces the built-in Profile standard library.</span> <span class="c"># 1. Import the Profile module (part of Julia's standard library).</span> <span class="k">import</span> <span class="n">Profile</span> <span class="c"># 2. Define some functions with varying amounts of "work".</span> <span class="c"># (Using simple loops; real work would be more complex).</span> <span class="k">function</span><span class="nf"> work_level_1</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">s</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">n</span><span class="x">;</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">sin</span><span class="x">(</span><span class="n">sqrt</span><span class="x">(</span><span class="n">float</span><span class="x">(</span><span class="n">i</span><span class="x">)));</span> <span class="k">end</span> <span class="k">return</span> <span class="n">s</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> work_level_2</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="c"># Calls level 1 multiple times</span> <span class="n">s</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">for</span> <span class="n">_</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">5</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">work_level_1</span><span class="x">(</span><span class="n">n</span> <span class="o">÷</span> <span class="mi">5</span><span class="x">)</span> <span class="k">end</span> <span class="c"># Add some work at this level too</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="x">(</span><span class="n">n</span> <span class="o">÷</span> <span class="mi">10</span><span class="x">);</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">cos</span><span class="x">(</span><span class="n">float</span><span class="x">(</span><span class="n">i</span><span class="x">));</span> <span class="k">end</span> <span class="k">return</span> <span class="n">s</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> main_computation</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Starting main computation..."</span><span class="x">)</span> <span class="c"># Call the intermediate function</span> <span class="n">result</span> <span class="o">=</span> <span class="n">work_level_2</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main computation finished."</span><span class="x">)</span> <span class="k">return</span> <span class="n">result</span> <span class="k">end</span> <span class="c"># --- Profiling ---</span> <span class="c"># 3. Warmup Run (CRITICAL!)</span> <span class="c"># We MUST run the code once *before* profiling to ensure</span> <span class="c"># all functions are compiled by the JIT. Profiling the first</span> <span class="c"># run would incorrectly measure compilation time.</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Warming up (compiling) functions ---"</span><span class="x">)</span> <span class="n">warmup_n</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="n">_</span> <span class="o">=</span> <span class="n">main_computation</span><span class="x">(</span><span class="n">warmup_n</span><span class="x">)</span> <span class="c"># Discard result using '_'</span> <span class="n">println</span><span class="x">(</span><span class="s">"Warmup finished."</span><span class="x">)</span> <span class="c"># 4. Clear any previous profiling data.</span> <span class="n">Profile</span><span class="o">.</span><span class="n">clear</span><span class="x">()</span> <span class="c"># 5. Run the code under the profiler using 'Profile.@profile'.</span> <span class="c"># Need to qualify '@profile' since we used 'import Profile'.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Running computation under @profile ---"</span><span class="x">)</span> <span class="n">profile_n</span> <span class="o">=</span> <span class="mi">5_000_000</span> <span class="c"># Use a larger N for profiling</span> <span class="n">Profile</span><span class="o">.</span><span class="nd">@profile</span> <span class="n">main_computation</span><span class="x">(</span><span class="n">profile_n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Profiling finished."</span><span class="x">)</span> <span class="c"># 6. Print the profiling results to the console.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Displaying Profile Results (Text Format) ---"</span><span class="x">)</span> <span class="c"># 'Profile.print()' displays the collected stack traces.</span> <span class="c"># Options like 'format=:flat' or 'sortedby=:count' exist.</span> <span class="n">Profile</span><span class="o">.</span><span class="n">print</span><span class="x">(</span><span class="n">format</span><span class="o">=:</span><span class="n">tree</span><span class="x">,</span> <span class="n">sortedby</span><span class="o">=:</span><span class="n">count</span><span class="x">)</span> <span class="c"># Optional: Clear data after printing if you intend to profile something else later.</span> <span class="c"># Profile.clear()</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- End of Script ---"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script introduces Julia's built-in <strong>statistical profiler</strong>, available through the <code>Profile</code> standard library. Profiling is essential for identifying <strong>performance bottlenecks</strong> – the specific parts of your code where the most execution time is spent.</p> <h2> Core Concept: Statistical (Sampling) Profiling </h2> <ul> <li> <strong>How it Works:</strong> Julia's profiler is a <strong>sampling</strong> profiler. It periodically interrupts the program's execution and records the <strong>stack trace</strong> – the sequence of functions currently being executed.</li> <li> <strong>Statistical Inference:</strong> By collecting many such samples, it builds a statistical picture of where the program spends its time. Functions that appear frequently at the <em>top</em> of the recorded stack traces are likely the "hot spots" consuming the most CPU time.</li> <li> <strong>Low Overhead:</strong> Sampling profilers generally have low overhead, making them suitable for analyzing performance-critical code.</li> </ul> <h2> Using the Profiler </h2> <ol> <li> <strong><code>import Profile</code>:</strong> Load the standard library module.</li> <li> <strong>Warmup (Critical):</strong> Run your code at least once <em>before</em> profiling to ensure JIT compilation is complete. Profiling the first run measures compilation time, not execution performance.</li> <li> <strong><code>Profile.clear()</code>:</strong> Clear any pre-existing profiling data before starting a new measurement.</li> <li> <strong><code>Profile.@profile expression</code>:</strong> (Note the qualification <code>Profile.@profile</code> because we used <code>import Profile</code>). This macro enables sampling, executes the <code>expression</code>, and stops sampling. Data is stored internally.</li> <li> <strong><code>Profile.print(...)</code>:</strong> Analyzes collected samples and prints a formatted report. Key options include: <ul> <li> <code>format=:tree</code> (default): Hierarchical call stack view.</li> <li> <code>format=:flat</code>: Flat list sorted by time spent <em>in</em> the function itself.</li> <li> <code>sortedby=:count</code> (default): Sorts by sample frequency.</li> <li> <code>C=true</code>: Include calls into C libraries.</li> <li> <code>noisefloor=...</code>: Hide entries below a percentage threshold.</li> </ul> </li> </ol> <h2> Interpreting the Tree Output </h2> <p>The default tree format shows stack traces. Read from <strong>bottom to top</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Count File:Line Function # Example Line -------------------------------------------------------------- [100] ... main_computation # 100 samples total in this call stack [98] ... work_level_2 # 98 samples were within work_level_2 or its children [90] ... work_level_1 # 90 samples were further down inside work_level_1 (the hot spot) [8] ... work_level_2 # 8 samples were directly in work_level_2's own code </code></pre> </div> <ul> <li> <strong>Counts/Percentages:</strong> High counts/percentages, especially deep in the indentation (leaves of the tree), indicate functions consuming significant time.</li> <li> <strong>Identifying Bottlenecks:</strong> Look for the widest bars (highest counts) deepest in the call tree. In the example output provided previously, <code>work_level_1</code> and the math functions it calls (<code>sin</code>, <code>sqrt</code>, <code>float</code>) were clearly identified as the primary consumers of time.</li> </ul> <p>Profiling is iterative: profile, identify, optimize, profile again.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Manual, "Profiling":</strong> Main guide to using the <code>Profile</code> module.</li> <li> <strong>Julia Official Documentation, Standard Library, <code>Profile</code>:</strong> Documents <code>@profile</code>, <code>Profile.print</code>, <code>Profile.clear</code>.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Ensure you're running with Julia 1.0 or later)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0121_profiler_basics.jl <span class="nt">---</span> Warming up <span class="o">(</span>compiling<span class="o">)</span> functions <span class="nt">---</span> Starting main computation... Main computation finished. Warmup finished. <span class="nt">---</span> Running computation under @profile <span class="nt">---</span> Starting main computation... Main computation finished. Profiling finished. <span class="nt">---</span> Displaying Profile Results <span class="o">(</span>Text Format<span class="o">)</span> <span class="nt">---</span> Overhead ╎ <span class="o">[</span>+additional indent] Count File:Line Function <span class="o">=========================================================</span> ╎60 @Base/client.jl:550 _start<span class="o">()</span> ╎ 60 @Base/client.jl:317 exec_options<span class="o">(</span>opts::Base.JLOptions<span class="o">)</span> <span class="c"># ... (Rest of the detailed profile tree as shown in your output) ...</span> <span class="c"># ... showing significant time spent within work_level_1 and its calls ...</span> <span class="nt">---</span> End of Script <span class="nt">---</span> </code></pre> </div> <h3> <code>0122_profiler_flamegraphs.jl</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight julia"><code><span class="c"># 0122_profiler_flamegraphs.jl</span> <span class="c"># Visualizing Profile data by saving to a file for use with 'pprof'.</span> <span class="c"># 1. Import Profile module and PProf package. See Explanation for installation.</span> <span class="k">import</span> <span class="n">Profile</span> <span class="k">try</span> <span class="c"># PProf is needed for the pprof() function to save the data.</span> <span class="k">import</span> <span class="n">PProf</span> <span class="k">catch</span> <span class="n">e</span> <span class="n">println</span><span class="x">(</span><span class="s">"ERROR: PProf.jl not found."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Please install it: Open Julia REPL, type ']', then 'add PProf'"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Viewing the output file requires the external 'pprof' tool (Go)."</span><span class="x">)</span> <span class="n">exit</span><span class="x">(</span><span class="mi">1</span><span class="x">)</span> <span class="k">end</span> <span class="c"># 2. Reuse the functions from the previous lesson.</span> <span class="k">function</span><span class="nf"> work_level_1</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">s</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="n">n</span><span class="x">;</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">sin</span><span class="x">(</span><span class="n">sqrt</span><span class="x">(</span><span class="n">float</span><span class="x">(</span><span class="n">i</span><span class="x">)));</span> <span class="k">end</span> <span class="k">return</span> <span class="n">s</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> work_level_2</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">s</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">for</span> <span class="n">_</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="mi">5</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">work_level_1</span><span class="x">(</span><span class="n">n</span> <span class="o">÷</span> <span class="mi">5</span><span class="x">)</span> <span class="k">end</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">1</span><span class="o">:</span><span class="x">(</span><span class="n">n</span> <span class="o">÷</span> <span class="mi">10</span><span class="x">);</span> <span class="n">s</span> <span class="o">+=</span> <span class="n">cos</span><span class="x">(</span><span class="n">float</span><span class="x">(</span><span class="n">i</span><span class="x">));</span> <span class="k">end</span> <span class="k">return</span> <span class="n">s</span> <span class="k">end</span> <span class="k">function</span><span class="nf"> main_computation</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Starting main computation..."</span><span class="x">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">work_level_2</span><span class="x">(</span><span class="n">n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Main computation finished."</span><span class="x">)</span> <span class="k">return</span> <span class="n">result</span> <span class="k">end</span> <span class="c"># --- Profiling ---</span> <span class="c"># 3. Warmup Run (as before).</span> <span class="n">println</span><span class="x">(</span><span class="s">"--- Warming up (compiling) functions ---"</span><span class="x">)</span> <span class="n">warmup_n</span> <span class="o">=</span> <span class="mi">1_000_000</span> <span class="n">_</span> <span class="o">=</span> <span class="n">main_computation</span><span class="x">(</span><span class="n">warmup_n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Warmup finished."</span><span class="x">)</span> <span class="c"># 4. Clear existing profile data.</span> <span class="n">Profile</span><span class="o">.</span><span class="n">clear</span><span class="x">()</span> <span class="c"># 5. Run the code under the profiler.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Running computation under Profile.@profile ---"</span><span class="x">)</span> <span class="n">profile_n</span> <span class="o">=</span> <span class="mi">5_000_000</span> <span class="n">Profile</span><span class="o">.</span><span class="nd">@profile</span> <span class="n">main_computation</span><span class="x">(</span><span class="n">profile_n</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Profiling finished."</span><span class="x">)</span> <span class="c"># 6. Save the profile data to a file using PProf.jl.</span> <span class="n">output_filename</span> <span class="o">=</span> <span class="s">"profile.pb.gz"</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Saving profile data to '</span><span class="si">$</span><span class="s">output_filename' using PProf.jl ---"</span><span class="x">)</span> <span class="k">try</span> <span class="c"># PProf.pprof() reads data collected by 'Profile' and saves it</span> <span class="c"># to the specified file when 'out=' is used.</span> <span class="n">PProf</span><span class="o">.</span><span class="n">pprof</span><span class="x">(</span><span class="n">out</span> <span class="o">=</span> <span class="n">output_filename</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Profile data saved successfully."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- Viewing Instructions (Requires External Tools) ---"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"1. Install 'go' (golang.dev/doc/install)."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"2. Install 'pprof': go install github.com/google/pprof@latest"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"3. Install 'graphviz' (system package manager, e.g., apt, brew)."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"4. Ensure '</span><span class="si">$</span><span class="s">HOME/go/bin' is in your PATH."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"5. Run from terminal: pprof -http=:8080 </span><span class="si">$</span><span class="s">output_filename"</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"6. Open http://localhost:8080 in browser and select 'Flame Graph'."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"(Note: Author did not test the viewing steps.)"</span><span class="x">)</span> <span class="k">catch</span> <span class="n">e</span> <span class="c"># Catch potential errors during saving, including the "Unexpected 0" warning.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Error/Warning during profile data saving using PProf: </span><span class="si">$</span><span class="s">e"</span><span class="x">)</span> <span class="c"># Check if file was still created despite warning</span> <span class="k">if</span> <span class="n">isfile</span><span class="x">(</span><span class="n">output_filename</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"'</span><span class="si">$</span><span class="s">output_filename' was created, but may contain issues (see warning above)."</span><span class="x">)</span> <span class="n">println</span><span class="x">(</span><span class="s">"Viewing instructions still apply, but results might be affected."</span><span class="x">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c"># Note: For VS Code users, the Julia extension provides '@profview',</span> <span class="c"># which displays an interactive flame graph directly within the editor</span> <span class="c"># after running Profile.@profile, without needing PProf.jl or external tools.</span> <span class="n">println</span><span class="x">(</span><span class="s">"</span><span class="se">\n</span><span class="s">--- End of Script ---"</span><span class="x">)</span> </code></pre> </div> <h3> Explanation </h3> <p>This script demonstrates how to <strong>visualize</strong> the data collected by Julia's <code>Profile</code> module using <strong>flame graphs</strong> by saving the data to a file compatible with Google's <strong><code>pprof</code></strong> tool, using the <code>PProf.jl</code> package. Viewing requires installing external tools.</p> <p><strong>Installation Note (PProf.jl &amp; Viewer):</strong></p> <ol> <li> <strong>Install <code>PProf.jl</code>:</strong> Add via Julia's Pkg mode (<code>] add PProf</code>).</li> <li> <strong>Install Viewer (<code>pprof</code> + <code>graphviz</code>):</strong> To <em>view</em> the saved file later, you need external tools: <ul> <li>Install the Go language (<code>go</code>).</li> <li>Install <code>pprof</code> via <code>go install github.com/google/pprof@latest</code>.</li> <li>Install <code>graphviz</code> via your system package manager.</li> <li>Ensure the <code>go</code> binary path is in your system <code>PATH</code>.</li> </ul> </li> </ol> <h2> Why Visualize? Flame Graphs </h2> <ul> <li> <strong>Text Output Limitations:</strong> <code>Profile.print()</code> can be hard to interpret visually.</li> <li> <strong>Flame Graphs:</strong> Provide an intuitive visualization of sampled stack trace data. <ul> <li> <strong>Y-Axis:</strong> Call stack depth.</li> <li> <strong>X-Axis (Width):</strong> Proportion of samples where a function appeared. <strong>Wider bars = more time spent</strong>.</li> </ul> </li> <li> <strong>Identifying Bottlenecks:</strong> Look for <strong>wide plateaus</strong> at the top of the graph, indicating functions consuming significant CPU time directly.</li> </ul> <h2> Saving Profile Data (<code>PProf.pprof</code>) </h2> <ol> <li> <strong>Collect Data:</strong> Use <code>Profile.@profile expression</code> (after warmup and <code>Profile.clear()</code>) to collect sampling data internally.</li> <li> <strong>Save Data:</strong> <code>PProf.pprof(out=filename)</code> accesses the data collected by <code>Profile</code> and exports it into the compressed protobuf format (<code>.pb.gz</code>), saving it to <code>filename</code>. (Note: This function might print warnings like "Unexpected 0 in data" but often still saves a usable file).</li> </ol> <h2> Viewing Saved Data with <code>pprof</code> (External Tool) </h2> <ol> <li> <p><strong>Run <code>pprof</code>:</strong> After running the Julia script and generating <code>profile.pb.gz</code>, open your terminal <em>in the same directory</em> and run (assuming <code>pprof</code> is installed and in your <code>PATH</code>):<br> </p> <pre class="highlight shell"><code>pprof <span class="nt">-http</span><span class="o">=</span>:8080 profile.pb.gz </code></pre> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * `-http=:8080`: Starts a web server on port 8080. </code></pre> </div> <ol> <li> <strong>Open Browser:</strong> Navigate to <code>http://localhost:8080</code>.</li> <li> <strong>Explore:</strong> Use the "View" menu to select <strong>"Flame Graph"</strong>. Interact with the visualization.</li> <li> <strong>Shutdown:</strong> Press <code>Ctrl+C</code> in the terminal running <code>pprof</code> to stop its server. <em>(Disclaimer: The author did not perform these viewing steps.)</em> </li> </ol> <h2> Alternative: VS Code <code>@profview</code> </h2> <p>If using VS Code with the Julia extension:</p> <ol> <li> Add <code>using ProfileView</code> (might need <code>Pkg.add("ProfileView")</code>).</li> <li> Run <code>Profile.@profile main_computation(profile_n)</code> as before.</li> <li> Run <code>@profview()</code> <em>after</em> the <code>@profile</code> call.</li> <li> An interactive flame graph appears directly within a VS Code panel, no external tools needed.</li> </ol> <p>Saving profile data provides a standard way to analyze performance offline or share results, while integrated options offer convenience.</p> <ul> <li> <strong>References:</strong> <ul> <li> <strong>Julia Official Documentation, Standard Library, <code>Profile</code>:</strong> Documents <code>Profile.@profile</code>.</li> <li> <strong><code>PProf.jl</code> Documentation:</strong> (<a href="https://github.com/JuliaPerf/PProf.jl" rel="noopener noreferrer">https://github.com/JuliaPerf/PProf.jl</a>) Explains the <code>pprof()</code> function, including the <code>out</code> argument.</li> <li> <strong><code>pprof</code> Documentation (Google):</strong> (<a href="https://github.com/google/pprof" rel="noopener noreferrer">https://github.com/google/pprof</a>) Explains the command-line tool and web UI.</li> <li> <strong>Brendan Gregg's Flame Graphs Page:</strong> (<a href="https://www.brendangregg.com/flamegraphs.html" rel="noopener noreferrer">https://www.brendangregg.com/flamegraphs.html</a>) Definitive guide to flame graphs.</li> </ul> </li> </ul> <p>To run the script:</p> <p><em>(Requires <code>PProf.jl</code> installed. Run after warmup.)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>julia 0122_profiler_flamegraphs.jl <span class="nt">---</span> Warming up <span class="o">(</span>compiling<span class="o">)</span> functions <span class="nt">---</span> Starting main computation... Main computation finished. Warmup finished. <span class="nt">---</span> Running computation under Profile.@profile <span class="nt">---</span> Starting main computation... Main computation finished. Profiling finished. <span class="nt">---</span> Saving profile data to <span class="s1">'profile.pb.gz'</span> using PProf.jl <span class="nt">---</span> ┌ Error: Unexpected 0 <span class="k">in </span>data, please file an issue. <span class="c"># This warning might appear</span> │ idx <span class="o">=</span> XXXX └ @ PProf ... Profile data saved successfully. <span class="nt">---</span> Viewing Instructions <span class="o">(</span>Requires External Tools<span class="o">)</span> <span class="nt">---</span> 1. Install <span class="s1">'go'</span> <span class="o">(</span>golang.dev/doc/install<span class="o">)</span><span class="nb">.</span> 2. Install <span class="s1">'pprof'</span>: go <span class="nb">install </span>github.com/google/pprof@latest 3. Install <span class="s1">'graphviz'</span> <span class="o">(</span>system package manager, e.g., apt, brew<span class="o">)</span><span class="nb">.</span> 4. Ensure <span class="s1">'$HOME/go/bin'</span> is <span class="k">in </span>your PATH. 5. Run from terminal: pprof <span class="nt">-http</span><span class="o">=</span>:8080 profile.pb.gz 6. Open http://localhost:8080 <span class="k">in </span>browser and <span class="k">select</span> <span class="s1">'Flame Graph'</span><span class="nb">.</span> <span class="o">(</span>Note: Author did not <span class="nb">test </span>the viewing steps.<span class="o">)</span> <span class="nt">---</span> End of Script <span class="nt">---</span> </code></pre> </div> <p><em>(After running, you should find <code>profile.pb.gz</code>. Use the separate <code>pprof</code> command to view.)</em></p> <p>NOTE: I did not test pprof visualization. </p> julialang tutorial systems performance Warren Jitsing Sat, 20 Dec 2025 08:12:34 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-06-building-a-sovereign-software-factory-sonarqube-quality-gates-5499 https://dev.to/warren_jitsing_dd1c1d6fc6/part-06-building-a-sovereign-software-factory-sonarqube-quality-gates-5499 <p>GitHub: <a href="https://github.com/InfiniteConsult/0010_cicd_part06_sonarqube" rel="noopener noreferrer">https://github.com/InfiniteConsult/0010_cicd_part06_sonarqube</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Blind Spot" where our pipeline builds code without inspecting it. We deploy <strong>SonarQube</strong> as our <strong>"Inspector,"</strong> but first, we must navigate the <strong>"Abstraction Leak"</strong> of Elasticsearch by tuning the host kernel's <code>vm.max_map_count</code> via an architect script. We build a custom Docker image to inject our Root CA into the Java Truststore, bridging the "Trust Gap," and implement a strict <strong>Quality Gate</strong> that stops the factory line if our polyglot code (C++, Rust, Python) fails to meet security or coverage standards.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06: Building a Sovereign Software Factory: SonarQube Quality Gates</strong> (You are here)</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The Challenge - Quantity vs. Quality </h1> <h2> 1.1 The "Green Build" Fallacy </h2> <p>In our previous session, we completed the construction of the <strong>"Software Supply Chain."</strong> We successfully integrated <strong>GitLab</strong> (The Library), <strong>Jenkins</strong> (The Factory), and <strong>Artifactory</strong> (The Warehouse) into a seamless, automated conduit. When a developer pushes code, our city springs to life: webhooks fire, agents are provisioned, code is compiled, and immutable artifacts are delivered to secure storage.</p> <p>If you look at your Jenkins dashboard right now, you will likely see a column of green checks. The pipeline works. The artifacts are safe. The system is functioning exactly as designed.</p> <p>But this "Green Build" is a lie.</p> <p>We have built a system that prioritizes <strong>Quantity over Quality</strong>. Our factory is incredibly efficient at moving boxes, but it has absolutely no idea what is <em>inside</em> them. If a developer commits a C++ memory leak, a Python type error, or a Rust panic handler, our pipeline will happily compile it, package it, and ship it to the warehouse with a stamp of approval. We are effectively filling our secure bunker with "Time Bombs"—defective software that will only explode when it reaches production.</p> <p>This reveals a critical "Blind Spot" in our architecture. We have established <strong>Continuous Integration</strong> (merging code) and <strong>Continuous Delivery</strong> (shipping code), but we have completely neglected <strong>Continuous Inspection</strong>. We have no way to measure the <em>health</em> of our codebase. We don't know if our test coverage is improving or degrading. We don't know if our cyclomatic complexity is spiraling out of control. We are flying blind, trusting that "if it compiles, it works."</p> <p>In a high-assurance environment—like the one we are simulating—this is unacceptable. A build that compiles but introduces a critical security vulnerability is not a success; it is a containment breach. We need a mechanism to detect these flaws <em>before</em> the artifact is signed and sealed.</p> <h2> 1.2 The "Quality Gate" Concept </h2> <p>To solve this, we must introduce a new entity to our city: the <strong>"Inspector."</strong></p> <p>Architecturally, this Inspector sits between the Factory (Jenkins) and the Warehouse (Artifactory). Its role is not to build code, but to analyze it. It must disassemble the "box" our factory produced, x-ray the contents, measure the tolerances, and verify that the product meets our engineering standards.</p> <p>But inspection alone is passive. A report that says "Your code has 50 bugs" is useless if the pipeline has already shipped that code to the warehouse.</p> <p>We need to implement a <strong>Quality Gate</strong>. This is a binary decision point in our pipeline. It transforms our "Inspector" from a passive observer into an active gatekeeper. The Inspector must have the authority to <strong>"Stop the Line"</strong> (the famous Toyota "Andon Cord" principle).</p> <p>If the code coverage drops below 80%, the line stops. If a new security vulnerability is detected, the line stops. If the technical debt ratio exceeds 5%, the line stops.</p> <p>When the line stops, the build fails. The artifact is rejected. It never reaches the Warehouse. This ensures that every single artifact in Artifactory is not just "built," but "certified."</p> <h2> 1.3 The Solution: SonarQube Community Build </h2> <p>To fulfill this role, we will deploy <strong>SonarQube</strong>.</p> <p>SonarQube is the industry standard for static code analysis. It provides a centralized dashboard that tracks code health over time, visualizing metrics like duplication, complexity, and test coverage.</p> <p>However, we must navigate a specific constraint. We are deploying the <strong>SonarQube Community Build</strong> (specifically version 25.x). This free version is powerful, but it comes with architectural limitations that distinguish it from the paid Enterprise editions:</p> <ol> <li> <strong>No Native C or C++ Analysis:</strong> Out of the box, the Community Build ignores both C and C++ files entirely. Since our "Hero Project" is a true polyglot implementation—containing distinct, idiomatic C23 code <em>and</em> C++23 code—this is a major blocker. We will have to engineer a "First Principles" workaround using community plugins to "unlock" analysis for these compiled languages.</li> <li> <strong>Branch Analysis Limitations:</strong> It generally only analyzes the <code>main</code> branch, limiting our ability to decorate Pull Requests directly.</li> </ol> <p>Despite these constraints, it is the perfect tool for our "Inspector." Our goal is to deploy it into our secure <code>cicd-net</code>, force it to trust our internal PKI, and integrate it with Jenkins to enforce a strict Quality Gate on our C, C++, Rust, and Python code.</p> <h1> Chapter 2: Architecture - The Host &amp; The Kernel </h1> <h2> 2.1 The Hidden Dependency: Elasticsearch &amp; The Kernel </h2> <p>To understand why deploying SonarQube is fundamentally different from deploying Jenkins or GitLab, we must first deconstruct its internal architecture.</p> <p>When you launch a Jenkins container, you are essentially launching a standard Java Web Archive (WAR) inside a Jetty web server. It is a monolithic, CPU-bound application. If you give it enough RAM, it runs.</p> <p>SonarQube, however, is not a single application; it is a distributed system packaged into a single binary. When the container starts, a master Java process spawns three distinct child processes:</p> <ol> <li> <strong>The Web Server:</strong> Serves the UI and API.</li> <li> <strong>The Compute Engine:</strong> Processes the heavy analysis reports sent by scanners.</li> <li> <strong>The Search Engine (Elasticsearch):</strong> Indexes every line of code, every issue, and every metric for instant retrieval.</li> </ol> <p>It is this third component—<strong>Elasticsearch</strong>—that introduces a critical "Abstraction Leak" in our Docker environment.</p> <h3> The Mechanics of <code>mmapfs</code> </h3> <p>Elasticsearch is built on top of <strong>Apache Lucene</strong>, a high-performance search library. To achieve the incredible speed required to search through millions of lines of code in milliseconds, Lucene relies heavily on a file system feature called <strong>Memory Mapped Files (<code>mmap</code>)</strong>.</p> <p>In a standard file read, the operating system copies data from the disk into a kernel buffer, and then copies it again into the application's memory. This "double copy" is slow.</p> <p>With <code>mmap</code>, Lucene tells the Operating System to map the physical file on the disk directly into the process's virtual memory address space. The application can then read the file as if it were essentially a massive array in RAM. The OS handles the complexity of paging data in from the disk only when it is accessed. This eliminates the system call overhead and allows Elasticsearch to perform near-memory-speed searches on datasets that are larger than the available RAM.</p> <h3> The Abstraction Leak </h3> <p>This architecture relies on the Operating System allowing a process to create thousands upon thousands of these memory maps—one for every index segment.</p> <p>Here lies the conflict with Docker.</p> <p>While Docker provides excellent isolation for the <strong>Filesystem</strong> (via UnionFS) and <strong>Process Namespace</strong> (PID), it shares the <strong>Kernel</strong> with the host machine. Kernel-level tunables, such as memory management limits, are enforced globally by the host kernel.</p> <p>By default, most Linux distributions (including Debian 12) are tuned for desktop or standard server workloads. They conservatively limit the maximum number of memory map areas a process can have (<code>vm.max_map_count</code>) to approximately <strong>65,530</strong>.</p> <p>For a web server, this is plenty. For Elasticsearch, it is suffocating. SonarQube requires a minimum of <strong>262,144</strong> (and recommends <strong>524,288</strong> for larger instances) to function correctly.</p> <h3> The Failure Mode </h3> <p>If we attempt to run <code>sonarqube:community</code> on a standard Linux host without modification, we encounter a particularly frustrating failure mode:</p> <ol> <li> The container starts successfully (Docker sees no error).</li> <li> The SonarQube wrapper process launches.</li> <li> The Elasticsearch child process attempts to initialize its indices.</li> <li> The Host Kernel denies the <code>mmap</code> request because the limit (65,530) is exceeded.</li> <li> Elasticsearch crashes silently or throws a "bootstrap check failure."</li> <li> The SonarQube wrapper sees its child process die, shuts down the web server, and kills the container.</li> </ol> <p>To the user, the container simply enters a "Restart Loop" with no obvious error message unless you dig deep into the specific <code>es.log</code> file inside the container volume. To build a stable "Inspector," we must proactively reconfigure the Host Kernel to support this workload.</p> <h2> 2.2 The "Architect" Script (<code>01-setup-sonarqube.sh</code>) </h2> <p>To solve the "Abstraction Leak" described above, we cannot rely on Docker. We must intervene at the Host Operating System level.</p> <p>We will assign this responsibility to our <strong>"Architect"</strong> script. Unlike previous setup scripts that primarily focused on generating configuration files or SSL certificates, this script acts as a <strong>Host State Enforcer</strong>. It must inspect the physical machine it is running on, determine if it is capable of supporting our workload, and apply the necessary kernel modifications if it finds the host lacking.</p> <p>This requires a two-pronged strategy to ensure stability across time:</p> <ol> <li> <strong>The Runtime Fix (<code>sysctl -w</code>):</strong> This command writes directly to the kernel's parameters in memory (specifically <code>/proc/sys/vm/max_map_count</code>). This change takes effect instantly, allowing us to launch the container immediately without restarting the host machine. However, because it is in memory, it is volatile; it will vanish if the server reboots.</li> <li> <strong>The Persistence Fix (<code>/etc/sysctl.conf</code>):</strong> To survive a reboot, we must write the configuration to the system's control file. On boot, the OS reads this file and re-applies the settings.</li> </ol> <p>A naive script might simply append the configuration to the end of the file. However, in a "First Principles" architecture, we aim for <strong>idempotency</strong>. If we run the script ten times, it should not add ten identical lines to the configuration file. Our script must be intelligent enough to parse the existing configuration, detect if the limit is already sufficient, and update it <em>in place</em> using <code>sed</code> only if necessary.</p> <p>Create this file at <code>~/cicd_stack/sonarqube/01-setup-sonarqube.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-sonarqube.sh</span> <span class="c">#</span> <span class="c"># This is the "Architect" script for SonarQube.</span> <span class="c"># It prepares the host environment.</span> <span class="c">#</span> <span class="c"># WARNING: This script requires SUDO privileges to update</span> <span class="c"># kernel parameters (vm.max_map_count) in /etc/sysctl.conf</span> <span class="c">#</span> <span class="c"># 1. Kernel Check: Enforces vm.max_map_count &gt;= 524288</span> <span class="c"># (Strict requirement for the embedded Elasticsearch).</span> <span class="c"># 2. Secrets: Verifies Database passwords exist in cicd.env.</span> <span class="c"># 3. Env: Generates the scoped 'sonarqube.env' for Docker.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">SONAR_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/sonarqube"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_BASE</span><span class="s2">/sonarqube.env"</span> <span class="nb">echo</span> <span class="s2">"Starting SonarQube 'Architect' Setup..."</span> <span class="c"># --- 2. Kernel Prerequisites (Elasticsearch) ---</span> <span class="c"># SonarQube uses embedded Elasticsearch which requires high mmap counts.</span> <span class="c"># We must ensure the host allows this.</span> <span class="nv">REQUIRED_MAX_MAP</span><span class="o">=</span>524288 <span class="nv">SYSCTL_CONF</span><span class="o">=</span><span class="s2">"/etc/sysctl.conf"</span> <span class="nb">echo</span> <span class="s2">"--- Phase 1: Checking Kernel Parameters ---"</span> <span class="c"># A. Runtime Check (Immediate Fix)</span> <span class="c"># We read the current value from the kernel</span> <span class="nv">CURRENT_RUNTIME_MAP</span><span class="o">=</span><span class="si">$(</span>sysctl <span class="nt">-n</span> vm.max_map_count<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CURRENT_RUNTIME_MAP</span><span class="s2">"</span> <span class="nt">-lt</span> <span class="s2">"</span><span class="nv">$REQUIRED_MAX_MAP</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Limit too low (</span><span class="nv">$CURRENT_RUNTIME_MAP</span><span class="s2">). Updating immediately..."</span> <span class="c"># Apply the fix to the live kernel</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> vm.max_map_count<span class="o">=</span><span class="nv">$REQUIRED_MAX_MAP</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Runtime limit is sufficient (</span><span class="nv">$CURRENT_RUNTIME_MAP</span><span class="s2">)."</span> <span class="k">fi</span> <span class="c"># B. Persistence Check (sysctl.conf)</span> <span class="c"># We ensure the setting survives a reboot</span> <span class="nb">echo</span> <span class="s2">" Checking persistence in </span><span class="nv">$SYSCTL_CONF</span><span class="s2">..."</span> <span class="c"># Check if entry exists (handling optional leading whitespace)</span> <span class="k">if </span><span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^</span><span class="se">\s</span><span class="s2">*vm.max_map_count"</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Value exists, extract it (handling spaces around '=')</span> <span class="nv">STORED_VAL</span><span class="o">=</span><span class="si">$(</span><span class="nb">grep</span> <span class="s2">"^</span><span class="se">\s</span><span class="s2">*vm.max_map_count"</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="nt">-F</span><span class="o">=</span> <span class="s1">'{print $2}'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'[:space:]'</span><span class="si">)</span> <span class="c"># Ensure we captured a number</span> <span class="k">if</span> <span class="o">[[</span> <span class="o">!</span> <span class="s2">"</span><span class="nv">$STORED_VAL</span><span class="s2">"</span> <span class="o">=</span>~ ^[0-9]+<span class="nv">$ </span><span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Could not parse stored value. Appending correct config..."</span> <span class="nb">echo</span> <span class="s2">"vm.max_map_count=</span><span class="nv">$REQUIRED_MAX_MAP</span><span class="s2">"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null <span class="k">elif</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$STORED_VAL</span><span class="s2">"</span> <span class="nt">-lt</span> <span class="s2">"</span><span class="nv">$REQUIRED_MAX_MAP</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stored value (</span><span class="nv">$STORED_VAL</span><span class="s2">) is too low. Updating config..."</span> <span class="c"># Use regex to replace the line regardless of spacing</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s2">"s/^</span><span class="se">\s</span><span class="s2">*vm.max_map_count.*/vm.max_map_count=</span><span class="nv">$REQUIRED_MAX_MAP</span><span class="s2">/"</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Stored configuration is sufficient (</span><span class="nv">$STORED_VAL</span><span class="s2">)."</span> <span class="k">fi else</span> <span class="c"># Value missing, append it</span> <span class="nb">echo</span> <span class="s2">"Value missing. Appending to config..."</span> <span class="nb">echo</span> <span class="s2">"vm.max_map_count=</span><span class="nv">$REQUIRED_MAX_MAP</span><span class="s2">"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$SYSCTL_CONF</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null <span class="k">fi</span> <span class="c"># --- 3. Directory Setup ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 2: Directory Scaffolding ---"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$SONAR_BASE</span><span class="s2">"</span> <span class="c"># --- 4. Secrets Validation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Secrets Management ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load Master Secrets</span> <span class="nb">set</span> <span class="nt">-a</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">set</span> +a <span class="c"># Verify Database Password exists (Created in Article 9)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SONARQUBE_DB_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: SONARQUBE_DB_PASSWORD not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">" Please run the Database Setup (Article 9) first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 5. Generate Scoped Environment File ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 4: Generating 'sonarqube.env' ---"</span> <span class="c"># We map our master secrets to the specific env vars SonarQube expects.</span> <span class="c"># We also inject the IPv4 fix here to ensure stable internal Docker networking.</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$SCOPED_ENV_FILE</span><span class="sh">" # Scoped Environment for SonarQube Container # Auto-generated by 01-setup-sonarqube.sh # Database Connection # We use the internal Docker DNS name for Postgres SONAR_JDBC_URL=jdbc:postgresql://postgres.cicd.local:5432/sonarqube SONAR_JDBC_USERNAME=sonarqube SONAR_JDBC_PASSWORD=</span><span class="nv">$SONARQUBE_DB_PASSWORD</span><span class="sh"> # Network / JVM Fixes # Forces the JVM to use IPv4 to prevent connection issues within the container # (e.g. timeout connecting to localhost) SONAR_WEB_JAVAADDITIONALOPTS=-Djava.net.preferIPv4Stack=true </span><span class="no">EOF </span><span class="c"># Secure the file</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Setup complete."</span> <span class="nb">echo</span> <span class="s2">" Kernel configured."</span> <span class="nb">echo</span> <span class="s2">" Secrets injected into </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Ready to run 02-build-image.sh"</span> </code></pre> </div> <h3> Deconstructing the Architect </h3> <p><strong>1. The Host Surgery (Phase 1)</strong><br> This section breaks the "Container Isolation" rule out of necessity. We use <code>sudo</code> not to manage Docker, but to manage the Linux Kernel. The script is defensive: it checks <code>grep "^\s*vm.max_map_count"</code> with a regex that tolerates leading whitespace, ensuring that if a human administrator manually indented the config file, our script won't blindly append a duplicate entry.</p> <p><strong>2. The Dependency Guard (Phase 3)</strong><br> We explicitly check for <code>SONARQUBE_DB_PASSWORD</code>. This reinforces the dependency chain we built in <strong>Article 9</strong>. We are <em>not</em> creating a database here. We are assuming the centralized "Water Treatment Plant" (PostgreSQL) is operational. If the password isn't in the environment file, the script fails fast, preventing us from launching a container that would immediately crash on a connection error.</p> <p><strong>3. The IPv4 Mandate (Phase 4)</strong><br> In the generated environment file, we inject <code>SONAR_WEB_JAVAADDITIONALOPTS=-Djava.net.preferIPv4Stack=true</code>. This is a critical stability fix for Java applications running inside Docker. By default, the JVM may attempt to bind to IPv6 addresses (<code>::1</code>), while Docker's internal networking often routes exclusively via IPv4. This mismatch can cause inter-process communication (IPC) between the SonarQube Web Server and Compute Engine to time out, leading to a "zombie" state where the UI never loads. This flag forces the JVM to speak the language of the container network.</p> <h2> 2.3 Secrets &amp; The "Scoped Environment" </h2> <p>With the host operating system prepared, we turn our attention to the container's configuration. In previous articles, such as Jenkins and Artifactory, we relied heavily on bind-mounting configuration files (<code>jenkins.yaml</code> or <code>system.yaml</code>) from the host into the container.</p> <p>For SonarQube, we are changing tactics. We will adopt the <strong>Twelve-Factor App</strong> methodology, which mandates storing configuration in the <strong>Environment</strong>, not in files.</p> <p>While SonarQube <em>does</em> support a <code>sonar.properties</code> file, modifying it inside a Docker deployment is an anti-pattern. It requires either:</p> <ol> <li> <strong>Bind-mounting the file:</strong> This overrides the default configuration inside the image, forcing us to maintain a complex file on the host that might drift from the container's internal defaults during an upgrade.</li> <li> <strong>Building a custom image:</strong> copying a static file into the image creates a hard-coded secret risk.</li> </ol> <p>Instead, the official SonarQube Docker image is designed to read specific environment variables and inject them into its internal configuration at runtime. Our "Architect" script acts as a bridge, translating our master secrets into these specific variables.</p> <p>We generate a <strong>Scoped Environment File</strong> (<code>sonarqube.env</code>). This file serves a specific security purpose: <strong>Least Privilege</strong>. We do not pass our entire <code>cicd.env</code> (which contains GitLab tokens, Jenkins secrets, and Root CA passwords) to the SonarQube container. We generate a file containing <em>only</em> the three variables it needs to access the database:</p> <ul> <li> <strong><code>SONAR_JDBC_URL</code></strong>: We point this to <code>jdbc:postgresql://postgres.cicd.local:5432/sonarqube</code>. Note that we use the internal DNS name established in Article 5.</li> <li> <strong><code>SONAR_JDBC_USERNAME</code></strong>: <code>sonarqube</code>.</li> <li> <strong><code>SONAR_JDBC_PASSWORD</code></strong>: The high-entropy string we generated in Article 9.</li> </ul> <p>This approach keeps our container's environment clean and audit-friendly.</p> <h2> 2.4 The Dependency Chain </h2> <p>Finally, our architecture enforces a strict <strong>Dependency Chain</strong>.</p> <p>In a novice setup, a <code>docker-compose.yml</code> file might attempt to spin up a database and the application simultaneously. This often leads to race conditions where the application crashes because the database is not yet ready to accept connections.</p> <p>In our "City Planning" model, we treat the database as <strong>Public Utility Infrastructure</strong>. We established the PostgreSQL service in <strong>Article 9</strong>. It is a permanent fixture of our city, running independently of the applications that consume it.</p> <p>Our <code>01-setup-sonarqube.sh</code> script enforces this relationship. Before it writes a single configuration line, it checks for the existence of <code>SONARQUBE_DB_PASSWORD</code> in the master environment file.</p> <ul> <li> <strong>If the variable is missing:</strong> It means the database infrastructure has not been provisioned. The script fails fast with a clear error: <code>Please run the Database Setup (Article 9) first.</code> </li> <li> <strong>If the variable exists:</strong> It assumes the utility is online and proceeds to provision the application.</li> </ul> <p>This logic prevents "Orphaned Services"—applications deployed without a backend—and ensures that our infrastructure is built in the correct, layered order: <strong>Network $\rightarrow$ Storage $\rightarrow$ Database $\rightarrow$ Application.</strong></p> <h1> Chapter 3: The Trust Gap - A Familiar Foe </h1> <h2> 3.1 The Connectivity Paradox (and a Confession) </h2> <p>In our initial attempt to deploy this service, we fell into a trap. We launched the official <code>sonarqube:community</code> image, updated our host's <code>/etc/hosts</code> file to resolve <code>sonarqube.cicd.local</code> to <code>127.0.0.1</code>, and successfully accessed the UI on port 9000. The dashboard loaded, the database connected, and the logs were clean. We felt victorious.</p> <p>Then, we tried to configure the <strong>GitLab</strong> integration. We entered our GitLab URL (<code>https://gitlab.cicd.local:10300/api/v4</code>) and clicked "Save."</p> <p>The result was an immediate crash: <code>PKIX path building failed</code>.</p> <p>We must make a confession: even after ten articles of preaching "First Principles," we got lulled into a false sense of security by the <strong>Community Build's</strong> primary limitation. Because this version of SonarQube does not support <em>inbound</em> HTTPS (forcing us to run it as an HTTP service), we mentally categorized it as an "insecure" service.</p> <p>This was a mistake. While SonarQube listens on HTTP, it acts as a <strong>Client</strong> to other services in our city. To import projects, it must talk to GitLab. To authenticate users, it might need to talk to LDAP. To send webhooks, it must talk to Jenkins.</p> <p>All of these internal services are secured by our <strong>Local Root CA</strong>. The official SonarQube container, running a standard OpenJDK runtime, has no knowledge of this CA. It is an island. When it attempts to handshake with GitLab, it sees an unknown certificate issuer and terminates the connection to protect itself.</p> <p>We cannot simply "turn off SSL verification" in SonarQube without compromising the integrity of our entire architecture. We must fix the root of trust.</p> <h2> 3.2 The "Builder" Pattern (Revisited) </h2> <p>We faced this exact problem with the <strong>Jenkins Controller</strong> in Article 8. The solution remains the same.</p> <p>We reject the "quick fix" of bind-mounting the host's <code>/etc/ssl/certs/java/cacerts</code> file into the container. This is fragile; if the container's Java version (e.g., Java 17) differs from the host's Java version (e.g., Java 11), the binary keystore format may be incompatible, leading to cryptic startup failures.</p> <p>Instead, we will apply the <strong>Builder Pattern</strong>. We will create a <code>Dockerfile</code> that extends the official image, briefly switches to the <code>root</code> user, and uses the native Java <code>keytool</code> utility to "bake" our "Passport Office" license (<code>ca.pem</code>) directly into the container's immutable system trust store.</p> <p>This ensures that any container spawned from this image carries our trust relationships with it, making it a first-class citizen of our secure city.</p> <h2> 3.3 The Implementation (<code>02-build-image.sh</code>) </h2> <p>To execute this, we need two files: the <code>Dockerfile</code> blueprint and a builder script to orchestrate the context.</p> <p>There is a specific nuance here regarding <strong>User Context</strong>. SonarQube runs as a non-privileged user (<code>sonarqube</code>, UID 1000). However, modifying the system-wide Java keystore requires root privileges. Our Dockerfile must explicitly handle this privilege escalation and then de-escalate back to the correct user to ensure runtime permissions match our volume mounts.</p> <p>Create the <strong><code>Dockerfile</code></strong> in <code>~/cicd_stack/sonarqube/</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># 1. Start from the official Community Edition</span> <span class="k">FROM</span><span class="s"> sonarqube:community</span> <span class="c"># 2. Switch to root to perform system administration (Certificate Import)</span> <span class="k">USER</span><span class="s"> root</span> <span class="c"># 3. Copy the Local CA from the build context (Current Directory)</span> <span class="k">COPY</span><span class="s"> ca.pem /tmp/ca.pem</span> <span class="c"># 4. Import the CA into the JVM Truststore</span> <span class="c"># We use the $JAVA_HOME environment variable provided by the base image.</span> <span class="c"># The default password for the java truststore is 'changeit'.</span> <span class="k">RUN </span>keytool <span class="nt">-importcert</span> <span class="se">\ </span> <span class="nt">-file</span> /tmp/ca.pem <span class="se">\ </span> <span class="nt">-keystore</span> <span class="s2">"</span><span class="nv">$JAVA_HOME</span><span class="s2">/lib/security/cacerts"</span> <span class="se">\ </span> <span class="nt">-alias</span> <span class="s2">"CICD-Root-CA"</span> <span class="se">\ </span> <span class="nt">-storepass</span> changeit <span class="se">\ </span> <span class="nt">-noprompt</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> /tmp/ca.pem <span class="c"># 5. Switch back to the unprivileged sonarqube user</span> <span class="k">USER</span><span class="s"> sonarqube</span> </code></pre> </div> <p>Now, create the builder script, <strong><code>02-build-image.sh</code></strong>. This script handles the "Build Context" trap we encountered in previous articles by copying the CA certificate into the current directory before building.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-build-image.sh</span> <span class="c">#</span> <span class="c"># This is the "Builder" script for SonarQube.</span> <span class="c"># It creates a custom image that trusts our Local Root CA.</span> <span class="c">#</span> <span class="c"># 1. Staging: Copies ca.pem from the CA directory to CURRENT dir.</span> <span class="c"># 2. Build: Creates 'sonarqube-custom:latest' from context '.'.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">CA_SOURCE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/ca/pki/certs/ca.pem"</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting SonarQube Custom Build..."</span> <span class="c"># --- 2. Stage Assets ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CA_SOURCE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: CA certificate not found at </span><span class="nv">$CA_SOURCE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"Copying CA certificate to build context (current dir)..."</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_SOURCE</span><span class="s2">"</span> ./ca.pem <span class="c"># --- 3. Build Image ---</span> <span class="nb">echo</span> <span class="s2">"Building 'sonarqube-custom:latest'..."</span> <span class="c"># We build from the current directory where the Dockerfile resides</span> docker build <span class="nt">-t</span> sonarqube-custom:latest <span class="nb">.</span> <span class="c"># Cleanup staged file</span> <span class="nb">rm</span> ./ca.pem <span class="nb">echo</span> <span class="s2">"✅ Build complete."</span> <span class="nb">echo</span> <span class="s2">" Image: sonarqube-custom:latest"</span> <span class="nb">echo</span> <span class="s2">" Ready to run 03-deploy-sonarqube.sh"</span> </code></pre> </div> <h1> Chapter 4: Deployment - Launching the Inspector </h1> <h2> 4.1 The "Launcher" Script (<code>03-deploy-sonarqube.sh</code>) </h2> <p>With our host kernel tuned by the "Architect" and our trust store baked by the "Builder," we are finally ready to execute the deployment.</p> <p>We will use our standard <strong>"Launcher"</strong> pattern. This script is not just a wrapper for <code>docker run</code>; it is an enforcement mechanism for our infrastructure's state. It ensures that every deployment begins with a "Clean Slate," preventing the configuration drift that plagues manual server management.</p> <p>For SonarQube specifically, this script has an additional responsibility: <strong>Persistence Management</strong>. Unlike Jenkins, which can technically survive with a single volume, SonarQube requires a strict separation of concerns for its storage to survive upgrades and plugin installations. We must verify that three distinct "Storage Lockers" (Named Volumes) exist before the application starts.</p> <p>Create this file at <code>~/cicd_stack/sonarqube/03-deploy-sonarqube.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-deploy-sonarqube.sh</span> <span class="c">#</span> <span class="c"># This is the "Launcher" script for SonarQube.</span> <span class="c"># It performs a clean-slate deployment of the container.</span> <span class="c">#</span> <span class="c"># 1. Clean Slate: Stops/Removes existing container.</span> <span class="c"># 2. Volumes: Ensures data, extensions, and logs volumes exist.</span> <span class="c"># 3. Launch: Runs sonarqube-custom:latest with strict networking.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">SONAR_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/sonarqube"</span> <span class="c"># We use the scoped environment file generated by the Architect script</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SONAR_BASE</span><span class="s2">/sonarqube.env"</span> <span class="nb">echo</span> <span class="s2">"Starting SonarQube Deployment..."</span> <span class="c"># --- 2. Prerequisite Checks ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Scoped env file not found at </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-sonarqube.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Clean Slate Protocol ---</span> <span class="c"># We destroy the container to ensure configuration changes (env vars, mounts)</span> <span class="c"># are applied fresh. We never just 'restart' a stale container.</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>sonarqube<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'sonarqube' container..."</span> docker stop sonarqube <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>sonarqube<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'sonarqube' container..."</span> docker <span class="nb">rm </span>sonarqube <span class="k">fi</span> <span class="c"># --- 4. Volume Management ---</span> <span class="c"># We ensure all three required storage lockers exist.</span> <span class="c"># - data: The heavy Elasticsearch indices and embedded DB (if used)</span> <span class="c"># - extensions: Plugins (like sonar-cxx)</span> <span class="c"># - logs: Critical for debugging Elasticsearch startup failures</span> <span class="nb">echo</span> <span class="s2">"Verifying Docker volumes..."</span> docker volume create sonarqube-data <span class="o">&gt;</span> /dev/null docker volume create sonarqube-extensions <span class="o">&gt;</span> /dev/null docker volume create sonarqube-logs <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">"Volumes verified."</span> <span class="c"># --- 5. Deploy Container ---</span> <span class="nb">echo</span> <span class="s2">"Launching SonarQube (Custom Image)..."</span> <span class="c"># Notes on Configuration:</span> <span class="c"># - Image: We use 'sonarqube-custom:latest' (built in Step 02)</span> <span class="c"># to ensure the JVM trusts our Local CA.</span> <span class="c"># - Net: We connect to 'cicd-net' so we can reach Postgres/GitLab.</span> <span class="c"># - Port: We bind STRICTLY to 127.0.0.1 to prevent external access.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> sonarqube <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> sonarqube.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:9000:9000 <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> sonarqube-data:/opt/sonarqube/data <span class="se">\</span> <span class="nt">--volume</span> sonarqube-extensions:/opt/sonarqube/extensions <span class="se">\</span> <span class="nt">--volume</span> sonarqube-logs:/opt/sonarqube/logs <span class="se">\</span> sonarqube-custom:latest <span class="nb">echo</span> <span class="s2">"SonarQube container started."</span> <span class="nb">echo</span> <span class="s2">" It will take 2-3 minutes to initialize Elasticsearch."</span> <span class="nb">echo</span> <span class="s2">" Monitor logs with: docker logs -f sonarqube"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Wait for: 'SonarQube is operational'"</span> <span class="nb">echo</span> <span class="s2">" Then access: http://sonarqube.cicd.local:9000"</span> <span class="nb">echo</span> <span class="s2">" (Don't forget to add '127.0.0.1 sonarqube.cicd.local' to your /etc/hosts file)"</span> </code></pre> </div> <h3> Deconstructing the Launcher </h3> <p><strong>1. The Persistence Trinity (Volume Management)</strong><br> We explicitly provision three volumes. While <code>data</code> and <code>extensions</code> are standard, the <strong><code>sonarqube-logs</code></strong> volume is often overlooked in beginner tutorials. This is a mistake.<br> SonarQube's startup sequence is complex. If the Elasticsearch engine fails (due to memory limits or corruption), the container will die immediately. If you do not persist the logs, the error message vanishes with the container. By mounting <code>/opt/sonarqube/logs</code>, we ensure that we can perform forensics on a crashed container even after it has been removed.</p> <p><strong>2. The Configuration Injection (<code>--env-file</code>)</strong><br> We inject the <code>sonarqube.env</code> file we generated in Chapter 2. This keeps our <code>docker run</code> command clean and audit-safe. It ensures that the database credentials and the critical <code>SONAR_WEB_JAVAADDITIONALOPTS</code> flag are present in the runtime environment.</p> <p><strong>3. The Custom Image (<code>sonarqube-custom:latest</code>)</strong><br> Critically, we do <strong>not</strong> run <code>sonarqube:community</code>. We run the custom image we built in Chapter 3. This is the difference between a working system and a broken one. If we reverted to the official image here, our database connection would work, but our GitLab integration would silently fail with SSL handshake errors later. We strictly enforce the use of our "Trusted" image.</p> <h2> 4.2 Network Security &amp; The "Localhost Binding" </h2> <p>In our <code>docker run</code> command, you might have noticed a specific nuance in the port mapping flag: <code>--publish 127.0.0.1:9000:9000</code>.</p> <p>This is not a stylistic choice; it is a critical security control necessitated by the architecture of the <strong>SonarQube Community Build</strong>.</p> <p>Unlike GitLab (which bundles Nginx) or Jenkins (which runs on Jetty and supports native keystores), the Community Build of SonarQube has a hard architectural constraint: <strong>it does not support inbound HTTPS.</strong> The application server (Tomcat) is configured to speak only plain text HTTP.</p> <p>In a traditional "Happy Path" tutorial, you might see instructions to map ports like <code>-p 9000:9000</code>. This is dangerous. When you omit the IP address, Docker binds the port to <code>0.0.0.0</code>—all network interfaces. This means your unencrypted SonarQube instance, carrying sensitive code metrics and potentially authentication tokens, would be instantly accessible to anyone on your local Wi-Fi network or corporate LAN.</p> <p>We reject this exposure. By explicitly prepending <code>127.0.0.1</code>, we force Docker to bind the port <strong>only</strong> to the host's loopback interface.</p> <p>This creates a "Poor Man's Firewall."</p> <ol> <li> <strong>The Host:</strong> You can access the UI via <code>localhost:9000</code> (or <code>sonarqube.cicd.local</code> via your hosts file) because you are on the machine.</li> <li> <strong>The City:</strong> Jenkins and GitLab can access it because they share the private <code>cicd-net</code> bridge network.</li> <li> <strong>The World:</strong> Anyone else on your network sees a closed port.</li> </ol> <p>This mimics the "Air Gapped" architecture of high-security environments where internal tools are never exposed directly to the user network without an intervening Reverse Proxy or VPN.</p> <h2> 4.3 The "Zombie State" Smoke Test (<code>04-verify-sonarqube.py</code>) </h2> <p>Launching the container is not the same as starting the service. Because SonarQube is a distributed system (Web + Compute + Search), it has a complex startup sequence that can take several minutes.</p> <p>During this initialization phase, the Web Server port (9000) might accept TCP connections, but the application is not ready. It enters a "Zombie State" where it serves a "Maintenance Mode" page or simply hangs while waiting for Elasticsearch to index the database.</p> <p>If we try to script against it too early, our automation will fail. A simple <code>curl</code> or <code>nc -z</code> check is insufficient because it only checks the TCP layer, not the Application layer.</p> <p>We need a "Smoke Test" that verifies the <strong>System Status</strong>, ensuring that all three internal engines are green. We will write a Python script to poll the <code>api/system/status</code> endpoint from <em>inside</em> our control center.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0010_cicd_part06_sonarqube/04-verify-sonarqube.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">urllib.error</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">sys</span> <span class="c1"># --- Configuration --- # We verify from the perspective of the 'dev-container' # using the internal Docker DNS name. </span><span class="n">TARGET_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">http://sonarqube.cicd.local:9000/api/system/status</span><span class="sh">"</span> <span class="n">MAX_RETRIES</span> <span class="o">=</span> <span class="mi">20</span> <span class="n">WAIT_SECONDS</span> <span class="o">=</span> <span class="mi">5</span> <span class="k">def</span> <span class="nf">verify_sonarqube</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Starting SonarQube Verification ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Target: </span><span class="si">{</span><span class="n">TARGET_URL</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">MAX_RETRIES</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Attempt </span><span class="si">{</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">MAX_RETRIES</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># Make the request </span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">TARGET_URL</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">FAILED (HTTP </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="k">continue</span> <span class="c1"># Parse JSON </span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="n">status</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CONNECTED</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> System Status: </span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">status</span> <span class="o">==</span> <span class="sh">"</span><span class="s">UP</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ SUCCESS: SonarQube is fully operational.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">elif</span> <span class="n">status</span> <span class="o">==</span> <span class="sh">"</span><span class="s">STARTING</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⏳ WAITING: SonarQube is still initializing (Elasticsearch loading)...</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">status</span> <span class="o">==</span> <span class="sh">"</span><span class="s">DB_MIGRATION_NEEDED</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⚠️ WARNING: Database migration required.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Unknown Status: </span><span class="si">{</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">FAILED (</span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> (Check if </span><span class="sh">'</span><span class="s">sonarqube.cicd.local</span><span class="sh">'</span><span class="s"> resolves or if the container is running)</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ERROR: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">MAX_RETRIES</span> <span class="o">-</span> <span class="mi">1</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">WAIT_SECONDS</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ FAILURE: Could not verify SonarQube status after multiple attempts.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">verify_sonarqube</span><span class="p">():</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <h3> Deconstructing the Smoke Test </h3> <p><strong>1. The Target (<code>sonarqube.cicd.local</code>)</strong><br> We run this script from the <code>dev-container</code>. It uses the internal Docker DNS name. This validates that our <code>cicd-net</code> is functioning and that the container is reachable on its internal port 9000.</p> <p><strong>2. The Logic (<code>api/system/status</code>)</strong><br> We do not scrape HTML. We hit the official status API.</p> <ul> <li> <strong><code>STARTING</code></strong>: The web server is up, but Elasticsearch is still loading indices from disk. The script knows to wait and retry.</li> <li> <strong><code>UP</code></strong>: All child processes are healthy, and the database is connected. Only <em>now</em> is the system ready for login.</li> </ul> <p><strong>3. Zero Dependencies</strong><br> We intentionally use Python's built-in <code>urllib</code> instead of <code>requests</code>. This ensures the script runs immediately inside our <code>dev-container</code> (or any minimal Python environment) without requiring a <code>pip install</code> step.</p> <p>To run this verification:</p> <ol> <li> Enter your control center: <code>./dev-container.sh</code> </li> <li> Run the script: <code>python3 articles/0010_cicd_part06_sonarqube/04-verify-sonarqube.py</code> </li> </ol> <h2> 4.4 Verification: The "First Login" </h2> <p>Once the smoke test returns <code>✅ SUCCESS</code>, we know the application is physically running. However, we must now verify that it is accessible from our <strong>Host Machine</strong> in a way that respects our networking architecture.</p> <p>In <strong>Article 7</strong>, we established a pattern of using "Split-Horizon DNS" via the <code>/etc/hosts</code> file. We mapped <code>gitlab.cicd.local</code> to <code>127.0.0.1</code> so our browser would send the correct <code>Host</code> header, preventing CORS issues and redirection loops. We must apply the same rigor here.</p> <p>Although we <em>could</em> access the server via <code>http://localhost:9000</code>, doing so creates an inconsistency between how <em>we</em> see the server and how <em>Jenkins</em> sees the server (as <code>sonarqube.cicd.local</code>). To align these perspectives, we update our host's DNS resolution.</p> <p><strong>1. Update Hosts File (Host Machine):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/hosts <span class="c"># Add the following line (or append to existing):</span> 127.0.0.1 sonarqube.cicd.local </code></pre> </div> <p><strong>2. Access the UI:</strong><br> Open your web browser to <strong><code>http://sonarqube.cicd.local:9000</code></strong>.</p> <p>You should be greeted by the login screen. Because we are running the Community Build, you will notice the connection is <strong>Not Secure</strong> (HTTP). This is expected and acceptable <em>only</em> because we explicitly bound the port to <code>127.0.0.1</code> in our Launcher script. We are connecting over the loopback interface, which is considered a trusted path in our "Air Gapped" simulation.</p> <p><strong>3. The Credential Handshake:</strong><br> Log in with the factory default credentials:</p> <ul> <li> <strong>Login:</strong> <code>admin</code> </li> <li> <strong>Password:</strong> <code>admin</code> </li> </ul> <p>Upon the first successful authentication, SonarQube will force you to update the password. Choose a strong password.</p> <p><strong>Critical Step: Record the Secret</strong><br> Since we did not generate this password programmatically, it is not currently stored in our secrets file. To prevent locking yourself out of your own city, manually add this new password to your master environment file now.</p> <p>Edit <code>~/cicd_stack/cicd.env</code> and add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">SONARQUBE_ADMIN_PASSWORD</span><span class="o">=</span><span class="s2">"&lt;your_new_password&gt;"</span> </code></pre> </div> <p>If you see the empty "Projects" dashboard, the deployment is a success. We have a running Inspector, backed by a tuned kernel, secure persistence, and a trusted communication channel. Now, we must connect it to the rest of the city.</p> <h1> Chapter 5: The Bridge - Bidirectional Identity </h1> <h2> 5.1 The "Handshake" Protocol </h2> <p>We have a running Factory (Jenkins) and a running Inspector (SonarQube). They share the same network (<code>cicd-net</code>) and the same trust root (Local CA), but they are currently strangers. To establish a functioning Quality Gate, we must build a bridge between them.</p> <p>This bridge is not a simple, one-way road. It is a <strong>bidirectional handshake</strong> necessitated by the asynchronous architecture of static analysis.</p> <p>When a build runs, the interaction happens in two distinct phases:</p> <ol> <li><p><strong>The Outbound Push (Jenkins $\rightarrow$ SonarQube):</strong><br> The Jenkins Agent runs the <code>sonar-scanner</code>. This tool scans the code, packages the raw data, and uploads it to the SonarQube server. To do this securely, the "Factory" needs a key to the "Inspector's" office. We cannot use a username and password here; we need a revocable, scoped <strong>User Token</strong>.</p></li> <li><p><strong>The Asynchronous Gap:</strong><br> Once the scanner uploads the report, its job is done. It disconnects. However, the analysis is <em>not</em> complete. The SonarQube <strong>Compute Engine</strong> takes over, processing the report in the background. This can take anywhere from a few seconds to several minutes depending on the project size.<br> During this gap, Jenkins is blind. It doesn't know if the project passed or failed.</p></li> <li><p><strong>The Inbound Callback (SonarQube $\rightarrow$ Jenkins):</strong><br> When the Compute Engine finishes, it calculates the Quality Gate status (Green or Red). It must then pick up the "Red Phone" and call the Factory back to report the result. This requires a <strong>Webhook</strong>. SonarQube becomes the client, sending an HTTPS POST request to Jenkins to wake up the paused pipeline.</p></li> </ol> <p>We must configure both sides of this relationship. If we miss the Token, the scan fails. If we miss the Webhook, the pipeline hangs forever, waiting for a call that never comes.</p> <h2> 5.2 Identity Creation (UI &amp; Secrets) </h2> <p>We begin by creating the credentials for the <strong>Outbound</strong> connection. Jenkins needs a key to access the SonarQube API.</p> <p>In a fully mature "Configuration as Code" setup, we might provision this using a bootstrap script against the SonarQube API. However, because this is the "First Run" of our Inspector, we face a bootstrapping paradox: we need an admin token to use the API to create tokens. To resolve this, we will perform this specific setup manually in the UI, treating it as a one-time "City Key" generation event.</p> <p><strong>1. Generate the Jenkins Token (SonarQube UI):</strong><br> Log in to SonarQube as <code>admin</code>. Navigate to <strong>User Profile</strong> (top right) &gt; <strong>My Account</strong> &gt; <strong>Security</strong>.<br> Generate a new token with the following attributes:</p> <ul> <li> <strong>Name:</strong> <code>jenkins-admin-token</code> </li> <li> <strong>Type:</strong> <strong>User Token</strong>. We choose this over a "Project Analysis Token" because Jenkins acts as a global orchestrator. It needs permissions to create projects, trigger scans, and configure webhooks across the entire system.</li> <li> <strong>Expiration:</strong> For this lab, "No expiration." In a real enterprise environment, you would establish a rotation policy here.</li> </ul> <p><strong>2. Secure the Token (Host):</strong><br> Copy the token immediately. We must now persist this secret in our "Control Center" so our automation scripts can access it.<br> Open your master secrets file <code>~/cicd_stack/cicd.env</code> and add the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">SONAR_ADMIN_TOKEN</span><span class="o">=</span><span class="s2">"&lt;paste_your_token_here&gt;"</span> </code></pre> </div> <p><strong>3. Configure the Library Link (GitLab ALM):</strong><br> While we are in the UI, we must also introduce the Inspector to the Library. This allows SonarQube to decorate Pull Requests and import repositories.<br> Navigate to <strong>Administration</strong> &gt; <strong>Configuration</strong> &gt; <strong>General Settings</strong> &gt; <strong>DevOps Platform Integrations</strong> &gt; <strong>GitLab</strong>.</p> <ul> <li> <strong>Configuration Name:</strong> <code>gitlab-cicd</code> </li> <li> <strong>GitLab API URL:</strong> <code>https://gitlab.cicd.local:10300/api/v4</code> </li> <li> <strong>Personal Access Token:</strong> Use the <code>GITLAB_API_TOKEN</code> you generated in Article 7.</li> </ul> <p>Note the URL. We are using the internal <strong>HTTPS</strong> address. This connection will only succeed because we built our Custom Image in Chapter 3. If we were using the vanilla image, saving this configuration would trigger a certificate error.</p> <h2> 5.3 The "Configuration Helper" (<code>update_jcasc_sonar.py</code>) </h2> <p>With the credentials secured, we face the integration challenge on the Jenkins side. We need to configure the <strong>SonarQube Scanner</strong> plugin.</p> <p>In a manual setup, you would click through "Manage Jenkins" menus. In our "Configuration as Code" (JCasC) architecture, we must define this in <code>jenkins.yaml</code>.</p> <p>However, the JCasC schema for plugins is notoriously brittle. The documentation is often sparse, and incorrect indentation or nesting will cause Jenkins to crash on boot. To solve this safely, we use our <strong>Python Helper</strong> pattern. Instead of using <code>sed</code> or <code>cat</code> to hack text into the YAML file, we treat the configuration as a structured data object.</p> <p>We write a script that:</p> <ol> <li> <strong>Parses</strong> the existing <code>jenkins.yaml</code>.</li> <li> <strong>Injects</strong> the <code>sonar-admin-token</code> credential into the global credentials block.</li> <li> <strong>Injects</strong> the <code>sonarGlobalConfiguration</code> block under the <code>unclassified</code> root key.</li> <li> <strong>Writes</strong> the valid YAML back to disk.</li> </ol> <p>Create this file at <code>~/cicd_stack/jenkins/config/update_jcasc_sonar.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">yaml</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># Target the LIVE configuration in the cicd_stack </span><span class="n">JCAS_FILE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">expanduser</span><span class="p">(</span><span class="sh">"</span><span class="s">~/cicd_stack/jenkins/config/jenkins.yaml</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_jcasc</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[INFO] Reading JCasC file: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">jcasc</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileNotFoundError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] File not found: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Add SonarQube Admin Token Credential </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Injecting SonarQube Admin Token credential...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]}]}}</span> <span class="n">sonar_cred</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">string</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">sonar-admin-token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">GLOBAL</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">SonarQube Admin Token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">secret</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${SONAR_AUTH_TOKEN}</span><span class="sh">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Safe navigation to credentials list </span> <span class="k">if</span> <span class="sh">'</span><span class="s">system</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]}]}</span> <span class="n">domain_creds</span> <span class="o">=</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">domain_creds</span><span class="p">:</span> <span class="n">domain_creds</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]})</span> <span class="n">creds_list</span> <span class="o">=</span> <span class="n">domain_creds</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">creds_list</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">creds_list</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">domain_creds</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">creds_list</span> <span class="c1"># Idempotency Check </span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">cred</span> <span class="ow">in</span> <span class="n">creds_list</span><span class="p">:</span> <span class="k">if</span> <span class="sh">'</span><span class="s">string</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">cred</span> <span class="ow">and</span> <span class="n">cred</span><span class="p">[</span><span class="sh">'</span><span class="s">string</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="sh">'</span><span class="s">sonar-admin-token</span><span class="sh">'</span><span class="p">:</span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">exists</span><span class="p">:</span> <span class="n">creds_list</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">sonar_cred</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Credential </span><span class="sh">'</span><span class="s">sonar-admin-token</span><span class="sh">'</span><span class="s"> added.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Credential </span><span class="sh">'</span><span class="s">sonar-admin-token</span><span class="sh">'</span><span class="s"> already exists. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Add SonarQube Global Configuration </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Injecting SonarQube Server configuration...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># The 'sonarGlobalConfiguration' block configures the SonarScanner plugin </span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">sonarGlobalConfiguration</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">buildWrapperEnabled</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">installations</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">SonarQube</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">serverUrl</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">http://sonarqube.cicd.local:9000</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">credentialsId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">sonar-admin-token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">webhookSecretId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">''</span> <span class="c1"># Optional: We will configure webhooks later </span> <span class="p">}]</span> <span class="p">}</span> <span class="c1"># 3. Write back to file </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Writing updated JCasC file...</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">dump</span><span class="p">(</span><span class="n">jcasc</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">default_flow_style</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">sort_keys</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] JCasC update complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">update_jcasc</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Helper </h3> <ul> <li> <strong><code>credentialsId: 'sonar-admin-token'</code></strong>: This links the server configuration to the credential we just injected.</li> <li> <strong><code>serverUrl: 'http://sonarqube.cicd.local:9000'</code></strong>: We use the internal Docker DNS name. Note that we use <strong>HTTP</strong> here, because we deliberately bound SonarQube to port 9000 without an SSL proxy for simplicity. Jenkins communicates over the private bridge network, so this traffic is isolated from the physical LAN.</li> <li> <strong><code>${SONAR_AUTH_TOKEN}</code></strong>: We do not hardcode the token in the YAML. We use a variable placeholder, which Jenkins will resolve at runtime from its environment variables. This is the next step in our integration.</li> </ul> <h2> 5.4 The "Integrator" Script (<code>05-update-jenkins.sh</code>) </h2> <p>We now have the configuration helper logic defined, but we need a mechanism to execute it safely. We cannot simply run the Python script and hope for the best; we must ensure the environment variables it references (<code>${SONAR_AUTH_TOKEN}</code>) actually exist in the container's runtime.</p> <p>This requires an orchestration script that bridges the gap between our Host credentials and the Container's environment.</p> <p>Create this file at <code>~/cicd_stack/sonarqube/05-update-jenkins.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 05-update-jenkins.sh</span> <span class="c">#</span> <span class="c"># This script integrates Jenkins with SonarQube.</span> <span class="c">#</span> <span class="c"># 1. Secrets: Reads SONAR_ADMIN_TOKEN (host) -&gt; Injects SONAR_AUTH_TOKEN (jenkins.env).</span> <span class="c"># 2. JCasC: Runs local python helper to patch jenkins.yaml in cicd_stack.</span> <span class="c"># 3. Apply: Triggers Jenkins redeployment from the Jenkins article dir.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- Paths ---</span> <span class="nv">CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="c"># The module where the Jenkins deployment logic lives</span> <span class="nv">JENKINS_MODULE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins"</span> <span class="nv">JENKINS_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/jenkins.env"</span> <span class="nv">DEPLOY_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/03-deploy-controller.sh"</span> <span class="c"># Local python helper</span> <span class="nv">PY_HELPER</span><span class="o">=</span><span class="s2">"./update_jcasc_sonar.py"</span> <span class="nv">MASTER_ENV</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="nb">echo</span> <span class="s2">"Starting Jenkins &lt;-&gt; SonarQube Integration..."</span> <span class="c"># --- 1. Secret Injection ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master environment file not found: </span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load SONAR_ADMIN_TOKEN</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SONAR_ADMIN_TOKEN</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: SONAR_ADMIN_TOKEN not found in cicd.env."</span> <span class="nb">echo</span> <span class="s2">" Please generate a User Token in SonarQube (My Account &gt; Security)"</span> <span class="nb">echo</span> <span class="s2">" and save it to ~/cicd_stack/cicd.env"</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Jenkins env file not found at: </span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"Injecting SonarQube secrets into jenkins.env..."</span> <span class="c"># Idempotency check using grep to prevent duplicate entries</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"SONAR_AUTH_TOKEN"</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt;&gt; "</span><span class="nv">$JENKINS_ENV_FILE</span><span class="sh">" # --- SonarQube Integration --- SONAR_AUTH_TOKEN=</span><span class="nv">$SONAR_ADMIN_TOKEN</span><span class="sh"> </span><span class="no">EOF </span> <span class="nb">echo</span> <span class="s2">"Secrets injected."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Secrets already present."</span> <span class="k">fi</span> <span class="c"># --- 2. Update JCasC ---</span> <span class="nb">echo</span> <span class="s2">"Updating JCasC configuration..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Python helper script not found at </span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span>python3 <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="c"># --- 3. Re-Deploy Jenkins ---</span> <span class="nb">echo</span> <span class="s2">"Triggering Jenkins Re-deployment (Container Recreate)..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Deploy script not found or not executable: </span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Execute the deploy script from its own directory context</span> <span class="c"># This ensures it finds the Dockerfile and other assets correctly</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-controller.sh<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"Integration update complete."</span> <span class="nb">echo</span> <span class="s2">"Jenkins is restarting. Wait for initialization."</span> </code></pre> </div> <h3> Deconstructing the Integrator </h3> <p><strong>1. The Token Handshake (Step 1)</strong><br> This section solves the secret management problem. We read the <code>SONAR_ADMIN_TOKEN</code> from our master <code>cicd.env</code> file (where we manually saved it) and inject it into the specific <code>jenkins.env</code> file that the Jenkins container consumes. Note the variable renaming: we map <code>SONAR_ADMIN_TOKEN</code> (Host Name) to <code>SONAR_AUTH_TOKEN</code> (Container Name). This matches the <code>${SONAR_AUTH_TOKEN}</code> placeholder we wrote in our JCasC file.</p> <p><strong>2. The Directory Context Switch (Step 3)</strong><br> This is a subtle but critical piece of shell scripting. The Jenkins deployment script (<code>03-deploy-controller.sh</code>) expects to be run from its own directory (because it references relative paths like <code>Dockerfile</code>). We use a subshell <code>(cd ... &amp;&amp; ./...)</code> to temporarily switch contexts, execute the deployment logic we wrote in <strong>Article 8</strong>, and return. This allows us to trigger a rebuild of the "Factory" from the "Inspector's" directory, maintaining loose coupling between our modules.</p> <p><strong>3. The "Re-Deploy" Philosophy</strong><br> We do not use <code>docker restart</code>. Simply restarting a container does <em>not</em> reload environment variables from the host file. By triggering the full deployment script (which performs <code>docker stop</code> / <code>docker rm</code> / <code>docker run</code>), we force Docker to read the updated <code>jenkins.env</code> file and inject the new token into the fresh container instance.</p> <h2> 5.5 The Return Path (Webhook Setup) </h2> <p>We have successfully handed the "Foreman" (Jenkins) the keys to the "Inspector's" office. Jenkins can now authenticate with SonarQube and upload analysis reports.</p> <p>However, the conversation is currently one-sided. When SonarQube finishes analyzing a report—a process that can take minutes for a large codebase—it has no way to tell Jenkins the result. Without this return signal, our pipeline’s <code>waitForQualityGate</code> step will simply hang until it times out, failing the build regardless of the code quality.</p> <p>We must configure the <strong>Inbound</strong> connection: the <strong>Webhook</strong>.</p> <p>Because this is a configuration setting inside the SonarQube application (application logic), not the server infrastructure, we must configure it via the UI (or API). We cannot configure this using Jenkins JCasC.</p> <p><strong>Action: Configure the Webhook (SonarQube UI)</strong></p> <ol> <li> Log in to SonarQube (<code>http://sonarqube.cicd.local:9000</code>) as <code>admin</code>.</li> <li> Navigate to <strong>Administration</strong> &gt; <strong>Configuration</strong> &gt; <strong>Webhooks</strong>.</li> <li> Click the <strong>Create</strong> button.</li> <li> <strong>Name:</strong> Enter <code>jenkins-webhook</code>.</li> <li> <strong>URL:</strong> Enter <code>https://jenkins.cicd.local:10400/sonarqube-webhook/</code>.</li> </ol> <p><strong>Critical Architectural Details:</strong></p> <ul> <li> <strong>The Protocol (<code>https://</code>):</strong> We are strictly using HTTPS. Jenkins is configured to reject insecure HTTP connections on its primary port. This connection is only possible because we built our <strong>Custom SonarQube Image</strong> in Chapter 3. If we were using the vanilla image, SonarQube would reject Jenkins' SSL certificate, and the webhook would fail silently.</li> <li> <strong>The Address (<code>jenkins.cicd.local</code>):</strong> We are using the internal Docker DNS name. This traffic never leaves our <code>cicd-net</code> bridge network; it travels directly from container to container, completely isolated from the host network.</li> <li> <strong>The Endpoint (<code>/sonarqube-webhook/</code>):</strong> This specific endpoint is exposed by the <strong>SonarQube Scanner for Jenkins</strong> plugin we installed in Article 8. It listens specifically for the JSON payload that SonarQube sends when a background task completes.</li> </ul> <p>Click <strong>Create</strong>. The bridge is now complete. Traffic can flow from Factory to Inspector and back again. We are ready to test the flow.</p> <h1> Chapter 6: The Toolchain Crisis - When Versions Collide </h1> <h2> 6.1 The Incident (The "Green Build" Breaks) </h2> <p>With our connectivity established and our project created in SonarQube, we were ready to attempt our first full "Quality Gate" build. We needed to transform our pipeline from a simple builder into an analytical engine.</p> <p>To do this, we first had to adapt our coverage generation logic. Our existing <code>run-coverage.sh</code> was designed for humans, generating graphical HTML reports. SonarQube, however, is a machine; it requires structured data formats like <strong>LCOV</strong> (for C/C++ and Rust) and <strong>Cobertura XML</strong> (for Python).</p> <p>We created a dedicated CI script, <code>run-coverage-cicd.sh</code>, to generate these specific artifacts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># run-coverage-cicd.sh</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. C/C++ Coverage (LCOV) ---</span> <span class="nb">echo</span> <span class="s2">"--- Running C/C++ Tests &amp; Coverage ---"</span> <span class="o">(</span> <span class="nb">mkdir</span> <span class="nt">-p</span> build_debug <span class="nb">cd </span>build_debug <span class="o">||</span> <span class="nb">exit</span> <span class="c"># Ensure Debug build for coverage flags</span> cmake <span class="nt">-DCMAKE_BUILD_TYPE</span><span class="o">=</span>Debug .. cmake <span class="nt">--build</span> <span class="nb">.</span> <span class="nt">--</span> <span class="nt">-j</span><span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> <span class="c"># Reset counters</span> lcov <span class="nt">--directory</span> <span class="nb">.</span> <span class="nt">--zerocounters</span> <span class="c"># Run Tests</span> ctest <span class="nt">--output-on-failure</span> <span class="c"># Capture Coverage</span> lcov <span class="nt">--capture</span> <span class="se">\</span> <span class="nt">--directory</span> <span class="nb">.</span> <span class="se">\</span> <span class="nt">--output-file</span> coverage.info <span class="c"># Filter Artifacts</span> lcov <span class="nt">--remove</span> coverage.info <span class="se">\</span> <span class="s1">'/usr/*'</span> <span class="se">\</span> <span class="s1">'*/_deps/*'</span> <span class="se">\</span> <span class="s1">'*/tests/helpers.h'</span> <span class="se">\</span> <span class="s1">'*/benchmark/*'</span> <span class="se">\</span> <span class="s1">'*/apps/*'</span> <span class="se">\</span> <span class="s1">'*/docs/*'</span> <span class="se">\</span> <span class="s1">'*/cmake/*'</span> <span class="se">\</span> <span class="s1">'*/.cache/*'</span> <span class="se">\</span> <span class="nt">-o</span> coverage.filtered.info <span class="c"># Move to root for scanner pickup</span> <span class="nb">mv </span>coverage.filtered.info ../coverage.cxx.info <span class="o">)</span> <span class="c"># ... (Rust and Python sections omitted for brevity) ...</span> </code></pre> </div> <p>Next, we updated our <code>Jenkinsfile</code>. We replaced the old coverage script with our new CI-specific version and added the <strong>Code Analysis</strong> stage. Crucially, we wrapped the scanner in the <code>withSonarQubeEnv</code> block to inject our credentials and added the <code>waitForQualityGate</code> step to enforce the "Stop the Line" logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test &amp; Coverage'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Running Tests &amp; Generating Reports ---'</span> <span class="n">sh</span> <span class="s1">'chmod +x ./run-coverage-cicd.sh'</span> <span class="n">sh</span> <span class="s1">'./run-coverage-cicd.sh'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Code Analysis'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="c1">// Inject SONAR_HOST_URL and SONAR_AUTH_TOKEN</span> <span class="n">withSonarQubeEnv</span><span class="o">(</span><span class="s1">'SonarQube'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'sonar-scanner'</span> <span class="o">}</span> <span class="c1">// Pause pipeline and wait for the Quality Gate webhook</span> <span class="n">timeout</span><span class="o">(</span><span class="nl">time:</span> <span class="mi">5</span><span class="o">,</span> <span class="nl">unit:</span> <span class="s1">'MINUTES'</span><span class="o">)</span> <span class="o">{</span> <span class="n">waitForQualityGate</span> <span class="nl">abortPipeline:</span> <span class="kc">true</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We pushed this configuration to GitLab, expecting the pipeline to turn green and populate our SonarQube dashboard with rich metrics.</p> <p>Instead, the build crashed.</p> <h2> 6.2 Forensics: CMake vs. LCOV </h2> <p>The Jenkins console output painted a very clear, albeit cryptic, picture of the disaster. Hidden among the standard build noise was this fatal error message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lcov: ERROR: (version) Incompatible GCC/GCOV version found while processing ... Your test was built with 'B42*'. You are trying to capture with gcov tool '/usr/local/bin/gcov' which is version 'B52*'. </code></pre> </div> <p>To a systems programmer, this message is a "smoking gun." The GCOV data format is tightly coupled to the compiler version. The codes <strong><code>B42</code></strong> and <strong><code>B52</code></strong> are internal version identifiers for the GCOV format:</p> <ul> <li> <strong><code>B42</code> corresponds to GCC 12.</strong> This is the default system compiler shipped with Debian 12.</li> <li> <strong><code>B52</code> corresponds to GCC 15.</strong> This is the bleeding-edge compiler we manually compiled and installed in <strong>Article 8</strong>.</li> </ul> <p>This error revealed a critical <strong>"Split-Brain"</strong> condition in our Factory Worker.</p> <p>When the pipeline ran, two different tools made two different decisions about which compiler to use, resulting in a binary incompatibility:</p> <ol> <li> <strong>The Builder (CMake):</strong> When we ran <code>cmake ..</code>, it scanned the system for a C++ compiler. Because we had not explicitly told it otherwise, it looked for the standard <code>/usr/bin/c++</code> executable. On Debian, this is a symlink to the system's default <strong>GCC 12</strong>. It built our binaries using the old compiler.</li> <li> <strong>The Inspector (LCOV):</strong> When we ran <code>lcov</code>, it needed to use the <code>gcov</code> utility to read the coverage files. It searched the system <code>PATH</code>. Because we had added <code>/usr/local/bin</code> to the start of the <code>PATH</code> in our Dockerfile, it found our custom <strong>GCC 15</strong> <code>gcov</code> executable first.</li> </ol> <p>The result was a pipeline that built code with one version (v12) and tried to analyze it with another (v15). Since the binary format for coverage artifacts (<code>.gcno</code>) changes between major GCC versions, the analyzer crashed immediately.</p> <p>We had spent hours compiling a custom toolchain to avoid "it works on my machine" issues, yet our automated agent had silently drifted back to system defaults for compilation. To fix this, we had to understand <em>why</em> the agent behaved differently than our <code>dev-container</code>, where this setup worked perfectly.</p> <h2> 6.3 The "Drift": Interactive vs. Non-Interactive Shells </h2> <p>The key to this mystery lay in a subtle distinction between how we use Docker as humans versus how Jenkins uses it as a machine.</p> <p>When we, as developers, log into our <code>dev-container</code>, we typically start a <code>bash</code> shell. This is an <strong>Interactive Shell</strong>. When it starts, it reads configuration files like <code>~/.bashrc</code> to set up the user's environment. In <strong>Article 1</strong>, we added lines to <code>.bashrc</code> to export <code>CC=/usr/local/bin/gcc</code> and <code>CXX=/usr/local/bin/g++</code>. This ensured that whenever we typed <code>cmake</code>, our custom compiler was active.</p> <p>Jenkins, however, does not log in like a human. When the Jenkins Agent connects to the controller and executes a pipeline step (<code>sh './run-coverage-cicd.sh'</code>), it runs a <strong>Non-Interactive, Non-Login Shell</strong>.</p> <p>In this mode, <strong><code>.bashrc</code> is ignored</strong>.</p> <p>Because the environment variables were defined only in a user configuration file and not at the system level, the Jenkins agent reverted to the default behavior. It ignored our custom compiler settings, found the system default <code>/usr/bin/c++</code>, and built the project with GCC 12. Meanwhile, our <code>lcov</code> tool—installed globally in <code>/usr/local/bin</code>—remained at version 15.</p> <p>This "Environmental Drift" is a classic failure mode in CI/CD. It highlights why relying on user-level dotfiles (<code>.bashrc</code>, <code>.profile</code>) is dangerous for automation. To fix this, we must move our configuration from the "User Layer" to the "Image Layer."</p> <h2> 6.4 The Fix: Immutable Environment Variables </h2> <p>To solve this permanently, we must bake our toolchain selection directly into the Docker image metadata, ensuring it applies to <em>every</em> process, regardless of how it is spawned.</p> <p>We will return to <strong>Article 8</strong> and patch our <code>Dockerfile.agent</code>. We will use the <code>ENV</code> instruction to set the <code>CC</code>, <code>CXX</code>, and <code>LD_LIBRARY_PATH</code> variables. Unlike <code>RUN export ...</code>, which only affects the current build step, <code>ENV</code> variables persist in the final image.</p> <p>We will inject these instructions <em>after</em> our heavy compilation steps (GCC and Python) but <em>before</em> the final setup. This preserves our Docker build cache, saving us from recompiling GCC 15 (which takes ~30 minutes).</p> <p><strong>File Location:</strong> <code>~/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins/Dockerfile.agent</code></p> <p>Insert this block after the Python build loop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># ... (End of Step 8: Build Python) ...</span> <span class="c"># 8.5. Force CMake to use the custom GCC</span> <span class="c"># We update .bashrc for interactive shells and set ENV for CI pipelines.</span> <span class="k">RUN </span><span class="nb">echo</span> <span class="s2">"export CC=/usr/local/bin/gcc"</span> <span class="o">&gt;&gt;</span> /root/.bashrc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"export CXX=/usr/local/bin/g++"</span> <span class="o">&gt;&gt;</span> /root/.bashrc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"export CC=/usr/local/bin/gcc"</span> <span class="o">&gt;&gt;</span> /home/jenkins/.bashrc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"export CXX=/usr/local/bin/g++"</span> <span class="o">&gt;&gt;</span> /home/jenkins/.bashrc <span class="k">ENV</span><span class="s"> CC="/usr/local/bin/gcc"</span> <span class="k">ENV</span><span class="s"> CXX="/usr/local/bin/g++"</span> <span class="k">ENV</span><span class="s"> LD_LIBRARY_PATH="/usr/local/lib64:${LD_LIBRARY_PATH}"</span> <span class="c"># ... (Start of Step 9: Install SonarScanner) ...</span> </code></pre> </div> <h2> 6.5 Verification </h2> <p>With the patch applied, we must rebuild the agent image.</p> <ol> <li> <p><strong>Rebuild:</strong> Run the builder script from <strong>Article 8</strong>:<br> </p> <pre class="highlight shell"><code><span class="nb">cd</span> ~/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins ./02-build-images.sh </code></pre> <p>Because we inserted the new instructions <em>after</em> the heavy compilation steps, Docker will use cached layers for GCC and Python. The rebuild should take seconds, not minutes.</p> </li> <li><p><strong>Retest:</strong> Trigger the <code>0004_std_lib_http_client</code> job in Jenkins again.</p></li> </ol> <p><strong>The Result:</strong><br> The <code>Incompatible GCC/GCOV version</code> error vanishes. CMake now correctly picks up our <code>ENV CC</code> variable, uses GCC 15 for compilation, and produces binaries compatible with our GCOV 15 analyzer.</p> <p>However, solving one problem reveals another. The logs now show a new warning: <code>lcov: WARNING: (inconsistent) ...</code>. We have fixed the toolchain, but now we must tune the analyzer. This leads us to our next challenge.</p> <h1> Chapter 7: The "Missing Language" - C/C++ and the Community Plugin </h1> <h2> 7.1 The "Paywall" Limitation </h2> <p>With our toolchain crisis resolved, the pipeline successfully completed a full execution. The compiler built our C, C++, Rust, and Python binaries using the correct GCC 15 instruction set. The scanner uploaded the report, and the dashboard populated.</p> <p>But a quick audit of the SonarQube dashboard reveals a glaring omission. We see lines of code for <strong>Python</strong>. We see lines of code for <strong>Rust</strong>. But our <strong>C</strong> and <strong>C++</strong> implementations—which constitute the core performance logic of our "Hero Project"—are completely missing. They are not just reporting zero coverage; they are invisible.</p> <p>This is not a configuration error; it is a feature gate.</p> <p>The <strong>SonarQube Community Build</strong> explicitly excludes C and C++ analysis from its feature set. These languages are reserved for the paid <strong>Developer Edition</strong>. For a standard enterprise, paying for this feature is often the correct path. However, for our "First Principles" laboratory, we are operating under the constraint of using open-source infrastructure.</p> <p>We cannot accept a partial view of our codebase. Our project contains distinct, idiomatic implementations in C23 and C++23. If we cannot inspect them, we cannot guarantee their quality. To solve this without breaking our budget, we must turn to the open-source ecosystem: the <strong>Community C++ Plugin (<code>sonar-cxx</code>)</strong>.</p> <p>This plugin is a robust alternative to the official analyzer. It provides full support for C and C++ parsing, metric calculation, and—crucially for our next chapter—native ingestion of coverage reports. However, installing it into a containerized, immutable architecture presents a new logistical challenge.</p> <h2> 7.2 The "Hot-Patch" Strategy </h2> <p>In a standard Docker build, we would simply add a <code>ADD</code> or <code>COPY</code> instruction to our <code>Dockerfile</code> to bake the plugin into the image. However, our architecture prevents this.</p> <p>In <strong>Article 5</strong>, we made a deliberate architectural decision to persist the SonarQube extensions directory using a <strong>Named Volume</strong> (<code>sonarqube-extensions</code>). This ensures that if we upgrade the container image, we don't lose our installed plugins.</p> <p>However, this persistence creates a deployment constraint: <strong>Volume Masking</strong>.<br> When Docker mounts a volume at <code>/opt/sonarqube/extensions</code>, it overlays the volume's contents on top of the container's filesystem. If we baked the plugin into the image at that path, the empty volume would mask it at runtime, effectively making it disappear.</p> <p>Therefore, we cannot install this plugin at build time. We must perform a <strong>"Hot-Patch."</strong> We will download the plugin to our Host machine and inject it directly into the running container's volume stream.</p> <p><strong>The "Toolkit" Trap</strong><br> Before we script this, we must heed a specific warning from the plugin maintainers. The release artifacts for <code>sonar-cxx</code> include two JAR files:</p> <ol> <li> <code>sonar-cxx-plugin-x.y.z.jar</code>: The actual plugin.</li> <li> <code>cxx-sslr-toolkit-x.y.z.jar</code>: A standalone command-line debugging tool.</li> </ol> <p>It is a common mistake to copy <em>both</em> files into the plugins directory. <strong>Do not do this.</strong> The toolkit is not a SonarQube plugin; it lacks the required manifest metadata. If you place it in the plugins folder, SonarQube will attempt to load it, fail to find the plugin key, and crash the web server with a <code>java.lang.NullPointerException</code>. We must be surgical, installing only the plugin JAR.</p> <h2> 7.3 The Installer Script (<code>06-install-cxx-plugin.sh</code>) </h2> <p>To execute this "Hot-Patch" reliably, we will encapsulate the logic in a script. This script acts as a bridge between the external open-source ecosystem and our internal, immutable infrastructure.</p> <p>It performs a precise sequence of operations:</p> <ol> <li> <strong>Fetch:</strong> It downloads the specific, pinned version of the plugin (<code>2.2.1</code>) to the Host machine. This avoids relying on <code>wget</code> or <code>curl</code> being present inside the minimal SonarQube container image.</li> <li> <strong>Clean:</strong> It removes any existing versions of the plugin from the container's volume. This prevents version conflicts (e.g., having both v2.1 and v2.2 JARs loaded simultaneously), which causes startup crashes.</li> <li> <strong>Inject:</strong> It uses <code>docker cp</code> to surgically insert the JAR into the running container's file stream.</li> <li> <strong>Secure:</strong> It repairs the file permissions. Files copied from the host often arrive owned by <code>root</code>. SonarQube runs as <code>sonarqube</code> (UID 1000). If we don't fix this ownership, the application will crash with <code>Permission Denied</code> when it tries to load the class.</li> <li> <strong>Reload:</strong> It restarts the container to force the Java Classloader to pick up the new library.</li> </ol> <p>Create this file at <code>~/cicd_stack/sonarqube/06-install-cxx-plugin.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 06-install-cxx-plugin.sh</span> <span class="c">#</span> <span class="c"># Installs the Community C++ Plugin (sonar-cxx) into the</span> <span class="c"># running SonarQube container.</span> <span class="c">#</span> <span class="c"># We do this post-deployment because the 'extensions'</span> <span class="c"># directory is a mounted volume, which obscures any</span> <span class="c"># plugins we might try to bake into the Docker image.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- Configuration ---</span> <span class="c"># We pin the version to ensure reproducibility</span> <span class="nv">PLUGIN_VERSION</span><span class="o">=</span><span class="s2">"2.2.1.1248"</span> <span class="nv">PLUGIN_RELEASE</span><span class="o">=</span><span class="s2">"cxx-2.2.1"</span> <span class="nv">PLUGIN_JAR</span><span class="o">=</span><span class="s2">"sonar-cxx-plugin-</span><span class="k">${</span><span class="nv">PLUGIN_VERSION</span><span class="k">}</span><span class="s2">.jar"</span> <span class="nv">DOWNLOAD_URL</span><span class="o">=</span><span class="s2">"https://github.com/SonarOpenCommunity/sonar-cxx/releases/download/</span><span class="k">${</span><span class="nv">PLUGIN_RELEASE</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">PLUGIN_JAR</span><span class="k">}</span><span class="s2">"</span> <span class="nv">CONTAINER_NAME</span><span class="o">=</span><span class="s2">"sonarqube"</span> <span class="nv">CONTAINER_PLUGIN_DIR</span><span class="o">=</span><span class="s2">"/opt/sonarqube/extensions/plugins"</span> <span class="nb">echo</span> <span class="s2">"Starting C++ Plugin Installation..."</span> <span class="c"># --- 1. Download Plugin to Host ---</span> <span class="c"># We download to the host first to avoid dependency issues inside the container</span> <span class="nb">echo</span> <span class="s2">"Downloading </span><span class="nv">$PLUGIN_JAR</span><span class="s2">..."</span> wget <span class="nt">-q</span> <span class="nt">--show-progress</span> <span class="s2">"</span><span class="nv">$DOWNLOAD_URL</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$PLUGIN_JAR</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Download failed."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 2. Remove Old Versions ---</span> <span class="c"># We check if an older version exists in the container and remove it</span> <span class="c"># to prevent classpath conflicts (having two versions of the same plugin).</span> <span class="nb">echo</span> <span class="s2">"Checking for existing C++ plugins..."</span> docker <span class="nb">exec</span> <span class="s2">"</span><span class="nv">$CONTAINER_NAME</span><span class="s2">"</span> <span class="se">\</span> bash <span class="nt">-c</span> <span class="s2">"rm -f </span><span class="nv">$CONTAINER_PLUGIN_DIR</span><span class="s2">/sonar-cxx-plugin-*.jar"</span> <span class="c"># --- 3. Install New Plugin ---</span> <span class="nb">echo</span> <span class="s2">"Installing new plugin..."</span> docker <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$PLUGIN_JAR</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$CONTAINER_NAME</span><span class="s2">:</span><span class="nv">$CONTAINER_PLUGIN_DIR</span><span class="s2">/"</span> <span class="c"># --- 4. Fix Permissions ---</span> <span class="c"># The file copied from host arrives owned by root.</span> <span class="c"># SonarQube runs as UID 1000. We must fix this or the app crashes.</span> <span class="nb">echo</span> <span class="s2">"Fixing permissions..."</span> docker <span class="nb">exec</span> <span class="nt">-u</span> 0 <span class="s2">"</span><span class="nv">$CONTAINER_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nb">chown </span>1000:1000 <span class="s2">"</span><span class="nv">$CONTAINER_PLUGIN_DIR</span><span class="s2">/</span><span class="nv">$PLUGIN_JAR</span><span class="s2">"</span> <span class="c"># --- 5. Cleanup Host File ---</span> <span class="nb">rm</span> <span class="s2">"</span><span class="nv">$PLUGIN_JAR</span><span class="s2">"</span> <span class="c"># --- 6. Restart SonarQube ---</span> <span class="nb">echo</span> <span class="s2">"Restarting SonarQube to load plugin..."</span> docker restart <span class="s2">"</span><span class="nv">$CONTAINER_NAME</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Plugin installed. Please verify in Administration &gt; Marketplace &gt; Installed."</span> </code></pre> </div> <h3> Execution </h3> <p>Run this script from your host machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 06-install-cxx-plugin.sh ./06-install-cxx-plugin.sh </code></pre> </div> <p>Once the script completes and SonarQube restarts (which may take 2 minutes), log in to the UI and navigate to <strong>Administration &gt; Marketplace</strong>. You should see the <strong>CXX (Community)</strong> plugin listed in the "Installed" tab. The engine is now capable of understanding C++.</p> <h2> 7.4 Configuration: Enabling the Sensors </h2> <p>With the plugin physically present in the container's volume, we must now instruct the scanner to use it.</p> <p>If you were to run the build immediately after the restart, the dashboard would likely remain unchanged. This is because SonarQube scanners operate on a strictly <strong>Opt-In</strong> basis for file extensions. The default Java scanner claims <code>.java</code> files; the Python scanner claims <code>.py</code> files. Since the Community Build has no native C++ scanner, <code>.cpp</code> and <code>.h</code> files are currently "orphaned"—they belong to no one, so they are ignored during the indexing phase.</p> <p>We must explicitly assign these extensions to our new <code>cxx</code> plugin.</p> <p>We do this by updating our client-side configuration file, <code>sonar-project.properties</code>. While we will provide a comprehensive breakdown of this file's architecture—including Analysis Scopes and Test definitions—in <strong>Chapter 9</strong>, for now, we focus on the single property required to wake up the C++ sensors.</p> <p><strong>Action: Update <code>sonar-project.properties</code></strong></p> <p>Add the following line to your configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># --- LANGUAGE SPECIFICS --- # The sonar-cxx plugin uses these suffixes to claim ownership of files </span><span class="py">sonar.cxx.file.suffixes</span><span class="p">=</span><span class="s">.cxx,.cpp,.cc,.c,.h,.hpp</span> </code></pre> </div> <p><strong>Verification:</strong><br> Commit this change and trigger the <strong><code>0004_std_lib_http_client</code></strong> job in Jenkins.</p> <p>When the analysis completes, check the SonarQube dashboard. You will notice a significant change:</p> <ol> <li> <strong>Lines of Code:</strong> The total count will jump. You will see a new entry for <strong>C++</strong> (or "CFamily") in the language breakdown.</li> <li> <strong>Issues:</strong> You may start seeing "Code Smells" or style warnings generated by the plugin's internal rules.</li> <li> <strong>Coverage:</strong> This will likely still be <strong>0.0%</strong>.</li> </ol> <p>We have solved the <strong>Indexing</strong> problem (the files are visible), but we have not solved the <strong>Metrics</strong> problem. The plugin sees the code, but it cannot read the coverage report because the data format we are generating (LCOV) is clashing with the plugin's path resolution logic. This leads us to our next battle: The Data Format War.</p> <h1> Chapter 8: The Data Format War - LCOV vs. Cobertura </h1> <h2> 8.1 The "Tower of Babel" </h2> <p>We have successfully "jailbroken" our Community Build. By injecting the <code>sonar-cxx</code> plugin, we forced the scanner to acknowledge the existence of our C++ code. If you look at the dashboard now, you will see our <code>.cpp</code> files listed in the "Code" tab, and the "Lines of Code" metric finally reflects reality.</p> <p>However, a deeper look reveals a new failure. The <strong>Coverage</strong> column for C++ remains at <strong>0.0%</strong>, even though our Jenkins logs clearly show <code>lcov</code> successfully capturing data. We have the files, but we don't have the metrics.</p> <p>To understand why, we must look at the scanner logs from our last build. Hidden amongst the success messages is a flood of warnings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WARN Cannot sanitize file path './../src/c/httpc.c', ignoring coverage measures WARN Cannot sanitize file path './../src/cpp/httpcpp.cpp', ignoring coverage measures </code></pre> </div> <p>This is a classic "Tower of Babel" problem. Our builder and our inspector are speaking different languages regarding <strong>File Paths</strong>.</p> <ol> <li> <strong>The Builder's Perspective:</strong> We executed our tests and coverage capture inside the <code>build_debug</code> directory. From that vantage point, the source code lives one directory up (<code>../src</code>). <code>lcov</code> faithfully recorded these relative paths in the tracefile.</li> <li> <strong>The Inspector's Perspective:</strong> The SonarQube Scanner runs from the <strong>Project Root</strong>. It expects all paths to be relative to the root (e.g., <code>src/c/httpc.c</code>).</li> </ol> <p>When the plugin reads the LCOV file, it sees a record for <code>../src/c/httpc.c</code>. It tries to match this against the file index it built from the root. Since <code>../src</code> implies a path <em>outside</em> the project root, the sanitizer rejects it as a security risk or simply fails to map it. The data is discarded to prevent database corruption.</p> <p>To fix this, we must align our perspectives. We need a format that is robust enough to handle path translation, or we need to change our execution context so the paths match naturally.</p> <h2> 8.2 The Converter Strategy </h2> <p>We have two options to solve this.</p> <p>The "Hacker" approach would be to use <code>sed</code> to rewrite the text inside the LCOV file, stripping the <code>../</code> prefix before the scanner sees it. This is fragile. If we ever change our build directory depth (e.g., <code>build/debug/x86</code>), our pipeline breaks.</p> <p>The "First Principles" approach is to fix the <strong>Execution Context</strong>.</p> <p>The relative paths are being generated because we are running the <code>lcov --capture</code> command <em>inside</em> the <code>build_debug</code> directory. To <code>lcov</code>, the source files <em>are</em> literally one level up.</p> <p>If we move the execution of the capture command to the <strong>Project Root</strong>, the perspective changes. From the root, the source files are in <code>src/</code> and the object files are in <code>build_debug/</code>. If we tell <code>lcov</code> to capture from the root, it will generate paths starting with <code>src/</code>, which is exactly what SonarQube expects.</p> <p>Additionally, we will convert this data into <strong>Cobertura XML</strong>. While the <code>sonar-cxx</code> plugin supports LCOV, the Cobertura format is the "Lingua Franca" of CI/CD. It is more widely supported by other tools (like Jenkins' own coverage view) and tends to be more robust against path quirks than raw LCOV tracefiles.</p> <p>We will use a Python tool called <code>lcov_cobertura</code> to perform this translation on the fly. This fits perfectly into our polyglot agent, as we already have a Python environment available.</p> <h2> 8.3 The Patch (<code>run-coverage-cicd.sh</code>) </h2> <p>We need to rewrite the C++ section of our coverage script to change <em>where</em> the commands run.</p> <p><strong>The Changes:</strong></p> <ol> <li> <strong>Context Switch:</strong> We move the <code>lcov</code> capture logic <em>outside</em> the subshell that enters <code>build_debug</code>.</li> <li> <strong>Base Directory:</strong> We explicitly tell <code>lcov</code> that our base directory is the current folder (<code>.</code>), ensuring paths are calculated relative to the project root.</li> <li> <strong>The Converter:</strong> We install <code>lcov_cobertura</code> inside our existing Python virtual environment (to avoid PEP 668 system package errors) and use it to generate the final XML report.</li> </ol> <p>Update your <strong><code>run-coverage-cicd.sh</code></strong> with the following logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># ... (Header) ...</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. C/C++ Coverage (LCOV) ---</span> <span class="nb">echo</span> <span class="s2">"--- Running C/C++ Tests &amp; Coverage ---"</span> <span class="c"># A. Zero Counters (Run from Root, targeting build dir)</span> <span class="nb">mkdir</span> <span class="nt">-p</span> build_debug lcov <span class="nt">--directory</span> build_debug <span class="nt">--zerocounters</span> <span class="nt">--ignore-errors</span> inconsistent,unused,negative <span class="nt">-q</span> <span class="c"># B. Build &amp; Run Tests (Inside build dir)</span> <span class="o">(</span> <span class="nb">cd </span>build_debug <span class="o">||</span> <span class="nb">exit</span> <span class="c"># Ensure Debug build for coverage flags</span> cmake <span class="nt">-DCMAKE_BUILD_TYPE</span><span class="o">=</span>Debug .. cmake <span class="nt">--build</span> <span class="nb">.</span> <span class="nt">--</span> <span class="nt">-j</span><span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> ctest <span class="nt">--output-on-failure</span> <span class="o">)</span> <span class="c"># C. Capture &amp; Filter (Run from Root)</span> <span class="c"># We capture from the root so paths like 'src/c/httpc.c' are relative to here.</span> lcov <span class="nt">--capture</span> <span class="se">\</span> <span class="nt">--directory</span> build_debug <span class="se">\</span> <span class="nt">--output-file</span> coverage.cxx.info <span class="se">\</span> <span class="nt">--ignore-errors</span> inconsistent,unused,negative <span class="se">\</span> <span class="nt">--base-directory</span> <span class="nb">.</span> <span class="c"># Filter Artifacts</span> lcov <span class="nt">--remove</span> coverage.cxx.info <span class="se">\</span> <span class="s1">'/usr/*'</span> <span class="se">\</span> <span class="s1">'*/_deps/*'</span> <span class="se">\</span> <span class="s1">'*/tests/helpers.h'</span> <span class="se">\</span> <span class="s1">'*/benchmark/*'</span> <span class="se">\</span> <span class="s1">'*/apps/*'</span> <span class="se">\</span> <span class="s1">'*/docs/*'</span> <span class="se">\</span> <span class="s1">'*/cmake/*'</span> <span class="se">\</span> <span class="s1">'*/.cache/*'</span> <span class="se">\</span> <span class="nt">-o</span> coverage.cxx.filtered.info <span class="se">\</span> <span class="nt">--ignore-errors</span> inconsistent,unused,negative <span class="c"># Rename for final use</span> <span class="nb">mv </span>coverage.cxx.filtered.info coverage.cxx.info <span class="c"># ... (Rust Section Unchanged) ...</span> <span class="c"># --- 3. Python Coverage (XML) ---</span> <span class="nb">echo</span> <span class="s2">"--- Running Python Tests &amp; Installing Tools ---"</span> <span class="o">(</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-d</span> <span class="s2">".venv"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="nb">.</span> .venv/bin/activate <span class="k">fi </span><span class="nb">cd </span>src/python <span class="c"># Install lcov_cobertura here (inside the venv)</span> python3 <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">--editable</span> .[test] lcov_cobertura <span class="nt">--quiet</span> <span class="c"># Run Python Tests</span> pytest <span class="nt">-sv</span> <span class="nt">--cov</span><span class="o">=</span>httppy <span class="nt">--cov-report</span><span class="o">=</span>xml:../../coverage.python.xml tests <span class="o">)</span> <span class="nb">echo</span> <span class="s2">"✅ Python coverage generated: coverage.python.xml"</span> <span class="c"># --- 4. Convert C++ LCOV to Cobertura XML (From Root) ---</span> <span class="nb">echo</span> <span class="s2">"--- Converting C++ LCOV to Cobertura XML ---"</span> <span class="o">(</span> <span class="c"># Activate the venv (using relative path from Root) to get access to lcov_cobertura</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"src/python/.venv/bin/activate"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="nb">.</span> src/python/.venv/bin/activate <span class="k">elif</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">".venv/bin/activate"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="nb">.</span> .venv/bin/activate <span class="k">fi</span> <span class="c"># Run conversion from ROOT so paths remain 'src/c/...' (matching the LCOV input)</span> lcov_cobertura coverage.cxx.info <span class="nt">--output</span> coverage.cxx.xml <span class="o">)</span> <span class="nb">echo</span> <span class="s2">"✅ C/C++ Cobertura XML generated: coverage.cxx.xml"</span> </code></pre> </div> <h2> 8.4 Verification: Closing the Loop </h2> <p>We have successfully bridged the "Tower of Babel." Our coverage script now performs a sophisticated translation: it compiles in C++, captures in LCOV, translates to Cobertura XML, and aligns all file paths to the project root.</p> <p>Now, we must tell the "Inspector" where to find this translated map.</p> <p>We return to our <code>sonar-project.properties</code> file. Previously, we attempted to use <code>sonar.cxx.lcov.reportPath</code>. We must now replace this with the Cobertura-specific property supported by the community plugin.</p> <p><strong>Action: Update <code>sonar-project.properties</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># ... (Previous Python/Rust config) ... </span> <span class="c"># 3. C/C++ (Cobertura XML via sonar-cxx plugin) # We replaced the LCOV property with the Cobertura property # pointing to the file generated by our Python converter. </span><span class="py">sonar.cxx.cobertura.reportPaths</span><span class="p">=</span><span class="s">coverage.cxx.xml</span> </code></pre> </div> <p><strong>The Final Test</strong></p> <p>Commit this change and trigger the <strong><code>0004_std_lib_http_client</code></strong> job in Jenkins one last time.</p> <p>When the build completes, open the SonarQube dashboard. You will witness the final piece of the puzzle falling into place:</p> <ol> <li> <strong>Lines of Code:</strong> C++ is present.</li> <li> <strong>Issues:</strong> C++ code smells are present.</li> <li> <strong>Coverage:</strong> The "0.0%" is gone. You should see a valid coverage percentage (likely &gt;90% given our test suite) for your <code>.cpp</code> files.</li> </ol> <p>We have achieved what the official documentation implies is impossible for the Community Build: full, polyglot coverage analysis for C++, Rust, and Python in a single pipeline.</p> <h1> Chapter 9: Tuning the Signal - Scopes and Exclusions </h1> <h2> 9.1 The "Low Signal" Mystery </h2> <p>With our format wars resolved, we triggered another build. The results on the SonarQube dashboard were a mixed bag of triumph and confusion.</p> <p>On one hand, our <strong>C++</strong> coverage—previously a flat zero—had surged to over 90%, vindicating our efforts with the <code>sonar-cxx</code> plugin and the Cobertura converter. The scanner was successfully mapping the execution traces back to the source files.</p> <p>On the other hand, our <strong>Python</strong> coverage sat at a dismal <strong>24.8%</strong>. Even more alarming, our <strong>Rust</strong> code showed no coverage data at all, despite our logs confirming that <code>cargo-llvm-cov</code> had run successfully.</p> <p>We faced a new problem: <strong>Signal-to-Noise Ratio</strong>. We were piping data into the system, but the metrics were skewed. To understand why, we performed a forensic audit of the Python metrics.</p> <p>Drilling down into the <strong>Code</strong> tab for the Python module, we found the culprit immediately. Files like <code>src/python/tests/test_httppy.py</code> were marked with a red bar indicating <strong>0.0% Coverage</strong>.</p> <p>This revealed a fundamental misconfiguration in our <strong>Analysis Scope</strong>. By default, if you do not explicitly tell SonarQube otherwise, it assumes <em>every</em> file inside the <code>sonar.sources</code> directory is production code that must be tested.</p> <p>Our pipeline was calculating the coverage <strong>of</strong> our tests, rather than the coverage <strong>by</strong> our tests.</p> <p>Since test files generally do not test themselves, they report 0% coverage. In a project where the volume of test code roughly equals the volume of application code (a sign of a healthy project), this misconfiguration mathematically halts your coverage score at 50%. To fix this, we must teach the Inspector to distinguish between the <em>Target</em> (Source) and the <em>Evidence</em> (Tests).</p> <h2> 9.2 Defining the Scope (<code>sonar.sources</code> vs. <code>sonar.tests</code>) </h2> <p>To fix this, we must explicitly define our <strong>Analysis Scope</strong> in <code>sonar-project.properties</code>. We need to decouple what is <em>scanned</em> from what is <em>measured</em>.</p> <p>This requires a clear understanding of two properties that often confuse beginners:</p> <ol> <li> <strong><code>sonar.sources</code></strong>: This defines your <strong>Production Code</strong>. SonarQube will scan these files for bugs, code smells, and vulnerabilities. Crucially, these are the files that <em>must</em> be covered by tests. If a file is here, any uncovered line penalizes your score.</li> <li> <strong><code>sonar.tests</code></strong>: This defines your <strong>Test Code</strong>. SonarQube will scan these files for test-specific issues (e.g., "Assertion in a loop"), but it will <strong>exempt</strong> them from coverage calculations. It understands that these files exist to <em>provide</em> coverage, not to <em>consume</em> it.</li> </ol> <p>Our fix is to physically separate our directories into these two buckets.</p> <p><strong>Action: Update <code>sonar-project.properties</code></strong></p> <p>We will edit our properties file to explicitly list <code>src/python/tests</code> under <code>sonar.tests</code>, removing it from the default source scope.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># --- ANALYSIS SCOPE --- </span> <span class="c"># 1. Main Sources (Targets for Coverage) # We include 'src' (code) and 'include' (C++ headers) </span><span class="py">sonar.sources</span><span class="p">=</span><span class="s">src,include</span> <span class="c"># 2. Test Sources (Providers of Coverage) # We explicitly list the top-level 'tests' folder AND the python-specific tests </span><span class="py">sonar.tests</span><span class="p">=</span><span class="s">tests, src/python/tests</span> </code></pre> </div> <p>By making this distinction, we tell the Inspector: "Analyze <code>src/python/httppy</code> to see if it is tested. Analyze <code>src/python/tests</code> to see if the tests themselves are well-written, but do not demand that I write tests for my tests."</p> <p>This single change instantly corrects the math, removing thousands of lines of "uncovered" test code from the denominator of our coverage equation.</p> <h2> 9.3 Awakening Rust </h2> <p>While fixing Python, we also addressed the missing Rust data. Our investigation revealed a simple oversight: we were generating the report, but we never told SonarQube where to find it.</p> <p>Unlike C++, which required a plugin and a format converter, <strong>Rust</strong> support in the Community Build is robust. The documentation confirms that the native Rust sensor supports <strong>LCOV</strong> ingestion out of the box.</p> <p>We simply need to map the file we generated in our CI pipeline (<code>coverage.rust.info</code>) to the correct property key.</p> <p><strong>Action: Update <code>sonar-project.properties</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># --- COVERAGE REPORTING --- </span> <span class="c"># 2. Rust (LCOV) # Native support in Community Edition requires this specific property. # It tells the Rust sensor to read the LCOV file we generated with cargo-llvm-cov. </span><span class="py">sonar.rust.lcov.reportPaths</span><span class="p">=</span><span class="s">coverage.rust.info</span> </code></pre> </div> <p>This is a "First Principles" lesson in configuration: tools are useless if they are disconnected. We spent effort generating the data, but without this single line of glue code, that effort was invisible to the system.</p> <h2> 9.4 The Surgeon's Scalpel (Coverage Exclusions) </h2> <p>Finally, we apply a more granular tool: <strong>Coverage Exclusions</strong>.</p> <p>Sometimes, you have code that <em>is</em> production code (it belongs in <code>sonar.sources</code>), but it is structurally impossible or architecturally unnecessary to unit test.</p> <p>In our "Hero Project," our Rust implementation includes two binary entry points: <code>src/bin/httprust_client.rs</code> and <code>src/bin/reqwest_client.rs</code>. These files are thin wrappers—simple <code>main()</code> functions that parse arguments and call the library. Testing <code>main()</code> functions is notoriously difficult and often yields low value.</p> <p>However, because they are in <code>src/</code>, SonarQube treats them as production code and penalizes us for their 0% coverage.</p> <p>We do not want to use <code>sonar.exclusions</code>, because that would hide them completely. We <em>want</em> SonarQube to scan them for bugs (e.g., a memory leak in <code>main</code>). We just don't want them dragging down our coverage score.</p> <p>The solution is <strong><code>sonar.coverage.exclusions</code></strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># 3. Coverage Exclusions # The Surgeon's Scalpel: Analyzed for bugs, but ignored for coverage stats. # We exclude the Rust binaries (executables) </span><span class="py">sonar.coverage.exclusions</span><span class="p">=</span><span class="s">src/rust/src/bin/**</span> </code></pre> </div> <p>This is the difference between a "blunt instrument" (hiding the file) and a "precision tool" (tuning the metric).</p> <p><strong>The Payoff:</strong><br> With these three changes—splitting scopes, mapping Rust reports, and excluding entry points—we committed the configuration and ran the build.</p> <p>The result was definitive. Our coverage score, once a broken 0% or a noisy 24%, stabilized at a rock-solid <strong>94.1%</strong>. We now have a clean, accurate signal.</p> <h2> 9.5 The Blueprint: Deconstructing <code>sonar-project.properties</code> </h2> <p>We have modified our <code>sonar-project.properties</code> file iteratively throughout this process. Now, let us step back and analyze the complete, final "Blueprint" that drives our inspection.</p> <p>This file is the single source of truth for the scanner. It bridges the gap between our source code structure and SonarQube's expectations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># 1. Project Identification # This key is the unique ID of the project in SonarQube's database. # Since we imported this project from GitLab, we MUST use the key # generated by SonarQube (e.g., with the UUID suffix). # You can find this key in the SonarQube UI -&gt; Project Information. </span><span class="py">sonar.projectKey</span><span class="p">=</span><span class="s">articles_0004_std_lib_http_client_47ae4183-478d-4d13-bb80-86217c694444</span> <span class="c"># 2. Analysis Scope (The "What") # sonar.sources defines Production Code (analyzed for bugs + coverage required). # We include 'src' (application code) and 'include' (C++ headers). </span><span class="py">sonar.sources</span><span class="p">=</span><span class="s">src,include</span> <span class="c"># sonar.tests defines Test Code (analyzed for bugs + NO coverage required). # We explicitly move 'src/python/tests' here to fix our Python coverage ratio. </span><span class="py">sonar.tests</span><span class="p">=</span><span class="s">tests, src/python/tests</span> <span class="c"># sonar.exclusions removes files from analysis entirely (invisible to SonarQube). # We hide build artifacts (.o, .so) and temporary directories. </span><span class="py">sonar.exclusions</span><span class="p">=</span><span class="s">build_debug/**, build_release/**, **/*.o, **/*.so, **/*.a, **/*.zip, **/*.crate, **/*.whl</span> <span class="c"># sonar.coverage.exclusions keeps files visible but ignores them for coverage stats. # We use this for our Rust binary entry points, which are hard to unit test. </span><span class="py">sonar.coverage.exclusions</span><span class="p">=</span><span class="s">src/rust/src/bin/**</span> <span class="c"># 3. Language Specifics # We hint the scanner to use Python 3.12 parsing rules. </span><span class="py">sonar.python.version</span><span class="p">=</span><span class="s">3.12</span> <span class="c"># We explicitly tell the 'sonar-cxx' plugin which extensions it owns. </span><span class="py">sonar.cxx.file.suffixes</span><span class="p">=</span><span class="s">.cxx,.cpp,.cc,.c,.h,.hpp</span> <span class="c"># 4. Coverage Reporting (The "Evidence") # Python: Native Cobertura XML support. </span><span class="py">sonar.python.coverage.reportPaths</span><span class="p">=</span><span class="s">coverage.python.xml</span> <span class="c"># Rust: Native LCOV support (Community Build feature). </span><span class="py">sonar.rust.lcov.reportPaths</span><span class="p">=</span><span class="s">coverage.rust.info</span> <span class="c"># C/C++: Cobertura XML support via the 'sonar-cxx' community plugin. # Note that we point to the file generated by our lcov_cobertura converter. </span><span class="py">sonar.cxx.cobertura.reportPaths</span><span class="p">=</span><span class="s">coverage.cxx.xml</span> </code></pre> </div> <h3> Where to find the Values </h3> <ul> <li> <strong><code>sonar.projectKey</code></strong>: This is the most critical value. If you get this wrong, the scanner will create a <em>new</em> project instead of updating the existing one. You find this in the SonarQube UI: <ol> <li> Go to your Project Dashboard.</li> <li> Click <strong>Project Information</strong> (usually on the right sidebar).</li> <li> Copy the <strong>Project Key</strong>.</li> </ol> </li> <li> <strong><code>sonar.sources</code> / <code>sonar.tests</code></strong>: These are relative paths from your repository root. You determine these by looking at your project structure (<code>ls -R</code>).</li> <li> <strong><code>sonar.*.reportPaths</code></strong>: These must match the output filenames defined in your <code>run-coverage-cicd.sh</code> script. Consistency between the shell script (Builder) and this properties file (Inspector) is mandatory.</li> </ul> <h1> Chapter 10: The Gatekeeper - Enforcing MQR Standards </h1> <h2> 10.1 The Shift to MQR (Multi-Quality Rule) Mode </h2> <p>When you open your SonarQube dashboard for the first time after a successful analysis, you might notice that the terminology differs from older tutorials or legacy versions of the software.</p> <p>In previous versions of SonarQube, issues were categorized into three rigid types: <strong>Bugs</strong>, <strong>Vulnerabilities</strong>, and <strong>Code Smells</strong>. While functional, this taxonomy often led to ambiguity. Is a memory leak a "Bug" or a "Code Smell"? Is a hardcoded password a "Vulnerability" or a "Security Hotspot"?</p> <p>Modern SonarQube (specifically the v10.x and v25.x Community Builds we are using) has shifted to a new default paradigm called <strong>MQR (Multi-Quality Rule) Mode</strong>.</p> <p>This mode reorients the analysis around three fundamental <strong>Software Qualities</strong>:</p> <ol> <li> <strong>Reliability:</strong> Will the software crash? Issues here include logic errors, unhandled exceptions, and memory leaks.</li> <li> <strong>Security:</strong> Can the software be exploited? Issues here include injection flaws, weak cryptography, and hardcoded secrets.</li> <li> <strong>Maintainability:</strong> Can the software be updated? Issues here include high cognitive complexity, duplicated blocks, and spaghetti code.</li> </ol> <h3> The Severity Shift </h3> <p>Crucially, MQR Mode decouples the <em>Type</em> of issue from its <em>Severity</em>. An issue is no longer just "Critical" or "Minor." It is rated on a specific scale of impact for each quality dimension:</p> <ul> <li> <strong>Blocker:</strong> A high probability of high impact (e.g., a buffer overflow). Immediate fix required.</li> <li> <strong>High:</strong> High impact or high probability.</li> <li> <strong>Medium:</strong> Moderate impact.</li> <li> <strong>Low:</strong> Low impact.</li> <li> <strong>Info:</strong> Contextual information.</li> </ul> <h3> The "Sonar way" Gate </h3> <p>This shift directly impacts how our <strong>Quality Gate</strong> functions.</p> <p>The default "Sonar way" gate that is currently applied to our project does not simply say "No Bugs." It enforces specific MQR metrics on <strong>New Code</strong>:</p> <ul> <li> <strong>Reliability Rating:</strong> Must be <strong>A</strong> (No High/Blocker reliability issues).</li> <li> <strong>Security Rating:</strong> Must be <strong>A</strong> (No High/Blocker security issues).</li> <li> <strong>Maintainability Rating:</strong> Must be <strong>A</strong> (Technical Debt Ratio &lt; 5%).</li> <li> <strong>Coverage:</strong> Must be <strong>&gt;= 80.0%</strong>.</li> <li> <strong>Duplicated Lines:</strong> Must be <strong>&lt;= 3.0%</strong>.</li> </ul> <p>By understanding this taxonomy, we understand what is required to pass the gate. It is not enough to just "write tests" (Coverage); we must also write clean, secure code (MQR Ratings).</p> <h2> 10.2 The Logic of the Gate (<code>waitForQualityGate</code>) </h2> <p>Now that we understand the criteria, we must examine the mechanism that enforces them.</p> <p>In our <strong>Article 9</strong> pipeline, we simply uploaded artifacts. If the build produced a binary, we shipped it. In our updated <code>Jenkinsfile</code>, we introduced a critical new step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">timeout</span><span class="o">(</span><span class="nl">time:</span> <span class="mi">5</span><span class="o">,</span> <span class="nl">unit:</span> <span class="s1">'MINUTES'</span><span class="o">)</span> <span class="o">{</span> <span class="n">waitForQualityGate</span> <span class="nl">abortPipeline:</span> <span class="kc">true</span> <span class="o">}</span> </code></pre> </div> <p>This step is not a simple "sleep" command. It is a sophisticated, asynchronous state machine.</p> <ol> <li> <strong>The Handover:</strong> When the <code>sonar-scanner</code> finishes uploading the report, it leaves behind a metadata file (<code>report-task.txt</code>) in the workspace. This file contains a <strong>Compute Engine Task ID (<code>ceTaskId</code>)</strong>.</li> <li> <strong>The Pause:</strong> The <code>waitForQualityGate</code> step reads this ID. It then puts the Jenkins pipeline into a "Paused" state. The heavy executor is released (depending on the agent configuration), and the job enters a lightweight listening mode.</li> <li> <strong>The Processing:</strong> On the SonarQube server, the Compute Engine processes the report, calculates the metrics, and compares them against the Quality Gate conditions.</li> <li> <strong>The Callback:</strong> Once the status is determined (OK or ERROR), SonarQube uses the <strong>Webhook</strong> we configured in Chapter 5 to call back to Jenkins. It sends a JSON payload containing the status for that specific <code>ceTaskId</code>.</li> <li> <strong>The Decision:</strong> Jenkins receives the webhook. If the payload says <code>status: "OK"</code>, the pipeline resumes and proceeds to the <strong>Package</strong> stage. If it says <code>status: "ERROR"</code>, the <code>abortPipeline: true</code> flag triggers an immediate build failure, stopping the conveyor belt before a bad artifact can be created.</li> </ol> <h2> 10.3 The "Stop the Line" Verification </h2> <p>To prove that this system works, we must force a failure.</p> <p>However, triggering a failure naturally can be difficult in a new environment. The default "Sonar way" gate only checks <strong>New Code</strong>. Since our coverage is currently high (94.1%), and we haven't introduced new bugs, our build is passing.</p> <p>To simulate a "Bad Build," we will create a draconian Quality Gate that demands perfection—<strong>100% Coverage</strong>—and apply it to our project. Since we are at 94.1%, this is guaranteed to fail.</p> <h3> Action 1: Create the "Fail-Hard" Gate </h3> <ol> <li> Log in to SonarQube (<code>http://sonarqube.cicd.local:9000</code>).</li> <li> Navigate to <strong>Quality Gates</strong>.</li> <li> Click <strong>Create</strong>.</li> <li> <strong>Name:</strong> <code>fail-hard</code>.</li> <li> <strong>Add Condition:</strong> <ul> <li> <strong>Where:</strong> <strong>Overall Code</strong> (We want to fail immediately based on current state).</li> <li> <strong>Quality Gate fails when:</strong> Select <strong>Coverage</strong>.</li> <li> <strong>Operator:</strong> <strong>is less than</strong>.</li> <li> <strong>Value:</strong> <code>100.0</code>.</li> </ul> </li> <li> Click <strong>Add Condition</strong>.</li> </ol> <h3> Action 2: Enforce the Gate </h3> <p>We must now assign this strict gate to our specific project.</p> <ol> <li> Navigate to the <strong><code>articles_...</code></strong> Project Dashboard.</li> <li> Click <strong>Project Settings</strong> &gt; <strong>Quality Gate</strong>.</li> <li> Select <strong>Always use a specific Quality Gate</strong>.</li> <li> Choose <strong><code>fail-hard</code></strong> from the dropdown.</li> <li> Click <strong>Save</strong>.</li> </ol> <h3> Action 3: The Failed Build </h3> <p>Go to Jenkins and trigger the <strong><code>0004_std_lib_http_client</code></strong> job again.</p> <p><strong>The Observation:</strong></p> <ol> <li> The <strong>Test &amp; Coverage</strong> stage will pass (Green).</li> <li> The <strong>Code Analysis</strong> stage will start. The scanner will run.</li> <li> The pipeline will pause at <code>Checking status of SonarQube task...</code>.</li> <li> A few seconds later, the pipeline will turn <strong>Red</strong> and abort.</li> </ol> <p><strong>The Evidence:</strong><br> If you check the Console Output, you will see:<br> <code>SonarQube task '...' Quality gate is 'ERROR'</code><br> <code>Stage "Package" skipped due to earlier failure(s)</code><br> <code>Stage "Publish" skipped due to earlier failure(s)</code><br> <code>ERROR: Pipeline aborted due to quality gate failure: ERROR</code></p> <p>Crucially, if you check <strong>Artifactory</strong>, you will see that <strong>no new artifacts were uploaded</strong> for this build number. The system worked. The "Inspector" stopped the line, preventing a non-compliant product from reaching the warehouse.</p> <p>You can now revert the Quality Gate setting in SonarQube back to <strong>"Sonar way"</strong> to restore the passing state.</p> <h2> 10.4 Conclusion </h2> <p>We have reached a pivotal moment in our "City Planning."</p> <p>With the deployment of SonarQube and the enforcement of the Quality Gate, our infrastructure has evolved from a simple "build loop" into a sophisticated <strong>High-Assurance Software Supply Chain</strong>.</p> <p>Let's review the architectural state of our city:</p> <ol> <li> <strong>The Library (GitLab):</strong> Stores our blueprints securely.</li> <li> <strong>The Factory (Jenkins):</strong> Compiles our polyglot code using a precise, immutable toolchain (GCC 15/Python 3.12), resolving the binary incompatibility issues that plague manual builds.</li> <li> <strong>The Inspector (SonarQube):</strong> Analyzes the output using a custom-built image that trusts our internal PKI, ingesting data from three different languages (C++, Rust, Python) through a unified dashboard.</li> <li> <strong>The Warehouse (Artifactory):</strong> Receives <em>only</em> those artifacts that have passed the Inspector's rigorous MQR standards.</li> </ol> <p>We have solved the "Quantity over Quality" problem. We are no longer filling our warehouse with time bombs. If a developer commits code that leaks memory or fails tests, the factory line stops immediately. The artifact is rejected. The system protects itself.</p> <p>However, despite this sophistication, our city has one remaining flaw: <strong>It is silent.</strong></p> <p>When the Quality Gate slammed shut in our last test, the only way you knew was because you were staring at the Jenkins console. In a real team, developers push code and move on to the next task. They need to be notified <em>actively</em> when something breaks. They need the city to speak to them.</p> <p>In the next article, we will install the "Public Address System" of our city. We will deploy <strong>Mattermost</strong>, an open-source ChatOps platform. We will connect it to our Factory and our Inspector, ensuring that when the line stops, the entire engineering team gets the alert instantly.</p> cicd devops infrastructureascode sonarqube Warren Jitsing Fri, 19 Dec 2025 05:16:26 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-05-building-a-sovereign-software-factory-artifactory-the-strict-tls-trap-184a https://dev.to/warren_jitsing_dd1c1d6fc6/part-05-building-a-sovereign-software-factory-artifactory-the-strict-tls-trap-184a <p>GitHub: <a href="https://github.com/InfiniteConsult/0009_cicd_part05_artifactory" rel="noopener noreferrer">https://github.com/InfiniteConsult/0009_cicd_part05_artifactory</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Incinerator Problem" where ephemeral build agents destroy valuable artifacts upon completion. We construct the <strong>"Secure Warehouse"</strong> by deploying <strong>JFrog Artifactory</strong>, but first, we must navigate the <strong>"Strict TLS" Trap</strong>: a conflict between Artifactory's Go-based Router and standard OpenSSL certificates. We implement a custom "Strict Compliance" certificate generation process, enforce <strong>PostgreSQL 15+</strong> schema security, and upgrade our Jenkins pipeline to package raw binaries into versioned "Products" (SDKs, Crates, Wheels) before shipping them to long-term storage.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05: Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</strong> (You are here)</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The Challenge - The "Incinerator" Problem </h1> <h2> 1.1 The Current State: A Factory Without a Warehouse </h2> <p>In the previous articles, we successfully established the two most visible pillars of our CI/CD city. We built the "Central Library" (GitLab) to store our blueprints, and we constructed the "Factory" (Jenkins) to execute our work.</p> <p>Our architecture is sound. We have a secure, "Control Center" (our <code>dev-container</code>) that orchestrates everything. We have a private road network (<code>cicd-net</code>) that allows our services to communicate securely over HTTPS using our own internal Certificate Authority. Most importantly, we have a working pipeline. When a developer pushes code to GitLab, a webhook fires, the Jenkins "Foreman" hires a "General Purpose Worker" (our custom Docker agent), and that worker successfully compiles our complex, polyglot "Hero Project."</p> <p>If you look at the Jenkins dashboard from our last session, you will see a green status. The tests passed. The C++ library (<code>libhttpc.so</code>), the Rust binary (<code>httprust</code>), and the Python wheel (<code>.whl</code>) were all successfully created.</p> <p>However, despite this success, our system has a critical architectural flaw. We have built a factory that incinerates its products immediately after manufacturing them.</p> <p>Because our Jenkins agents are ephemeral containers designed to provide a clean slate for every build, they are destroyed the moment the pipeline finishes. When the container is removed, every artifact inside it—the very software we aim to deliver—is deleted along with it. We are verifying the <em>process</em>, but we are failing to capture the <em>product</em>. We have a factory, but we have no warehouse.</p> <h2> 1.2 The "Incinerator" Pain Point (Compute vs. Storage) </h2> <p>To understand why this happens, we must distinguish between the <strong>Compute Plane</strong> and the <strong>Storage Plane</strong> of our infrastructure.</p> <p>Jenkins is a Compute engine. Its agents are designed to be ephemeral "cattle," not persistent "pets." This is a deliberate architectural choice. We want every build to start with a blank slate—a fresh filesystem, no leftover temporary files, and no side effects from previous runs—to guarantee reproducibility. If a build works on Monday, it must work on Tuesday, regardless of what happened in between.</p> <p>To achieve this, the Docker Plugin destroys the agent container the instant the job completes. This is excellent for hygiene but catastrophic for delivery. By destroying the container, we are effectively incinerating the finished goods.</p> <p>We are currently stuck in a loop of "verification without retention." We spend compute cycles to compile C++ code, link Rust binaries, and package Python wheels, only to verify that they <em>can</em> be built before throwing them away. We cannot deploy these binaries to a staging environment because they no longer exist. We cannot debug a production crash by inspecting the exact version that failed because that file is gone.</p> <p>We need a dedicated <strong>Storage Plane</strong>. We need a system designed to persist, organize, and secure these binary assets long after the compute resources that created them have vanished.</p> <h2> 1.3 The "Storage Plane": Why not just commit to Git? </h2> <p>The most common reaction to this problem is to ask: "Why do we need another server? We already have GitLab. Why not just commit the compiled binaries to the repository?"</p> <p>This is a seductive anti-pattern. It seems efficient to keep the source and the build output together, but it fundamentally misunderstands the mechanics of version control. We must distinguish between the "Filing Cabinet" (Git) and the "Warehouse" (Artifactory).</p> <p>Git is a "Time Machine" optimized for text. When you change a line of code, Git calculates the difference (the delta) and stores only that tiny change. It is incredibly efficient at tracking the evolution of text files over time.</p> <p>Binaries, however, are opaque blobs. If you recompile a 50MB executable, almost every bit in that file changes. Git cannot calculate a meaningful delta, so it must store a fresh, full copy of that 50MB file every single time you commit. If you build ten times a day, your repository grows by 500MB a day. Within a month, your agile "Filing Cabinet" is stuffed with heavy machinery. <code>git clone</code> operations that used to take seconds will start taking hours, choking the network and slowing down every developer on the team.</p> <p>We need a system designed for heavy lifting. We need a "Warehouse" optimized for storing large, immutable, checksum-based artifacts, not line-by-line text diffs.</p> <h2> 1.4 The Architectural Decision: Why Not Use GitLab's Registry? </h2> <p>Before we break ground on a new building, we must address the elephant in the room. Our GitLab container actually comes with a built-in "Package Registry." Why are we incurring the architectural cost of deploying <strong>JFrog Artifactory</strong>, a completely separate, resource-intensive application?</p> <p>We are choosing a dedicated component for four specific architectural reasons that align with our "City Planning" philosophy.</p> <p><strong>1. The "Universal Bucket" (Simplicity &amp; Licensing)</strong><br> Our "Hero Project" is polyglot. It produces C/C++ libraries, Rust binaries, and Python wheels. To store these in GitLab's registry, we would need to configure three separate, complex interactions: a PyPI upload for Python, a Cargo registry configuration for Rust, and a Generic upload for C++.</p> <p>However, there is a pragmatic constraint. We are using the free <strong>Artifactory OSS</strong> version. This version is strictly limited in the package types it supports (primarily Maven, Gradle, and Ivy). It <strong>does not</strong> natively support PyPI, Cargo, or Conan repositories.</p> <p>Therefore, using Artifactory's <strong>Generic Repository</strong> is not just a simplification; it is a necessity. It allows us to treat all our polyglot artifacts—tarballs, crates, and wheels—as simple files in a folder structure. It is a "Simple Bucket" that lets us focus on the pipeline flow first without needing the paid Enterprise features for specific language protocols.</p> <p><strong>2. Decoupling (Resilience)</strong><br> We are building a modular city. Ideally, the buildings should be independent. If we decide to demolish our Library (switch from GitLab to GitHub) in the future, our Warehouse should remain standing. By bundling our artifacts inside our SCM, we create vendor lock-in. Separating them ensures that our asset storage is independent of our source control choice.</p> <p><strong>3. The "Bunker" Foundation (Virtual Repositories)</strong><br> We are simulating a high-security "Air Gapped" environment. While we aren't configuring remote proxies today, deploying Artifactory lays the foundation for its superpower: <strong>Virtual Repositories</strong>. This allows a single URL to transparently aggregate local internal artifacts <em>and</em> proxied remote content (like Maven Central). This is the industry standard for secure supply chains, and we are pouring the foundation for it now.</p> <p><strong>4. The "Chain of Custody" (Build Info)</strong><br> GitLab Releases are designed for humans; they provide download links. Artifactory <strong>Build Info</strong> is designed for machines; it provides forensic audit trails.</p> <p>We need to capture more than just the file. We need to capture the <strong>context</strong>. The Build Info object links the specific SHA256 checksum of a binary back to the Git Commit hash, the Jenkins Build ID, the environment variables, and the dependencies used to create it. This creates a "Chain of Custody" that turns a random file into a trusted supply chain asset.</p> <h1> Chapter 2: The Architecture - Designing the Warehouse </h1> <h2> 2.1 The Database Pivot: "City Infrastructure" vs. "Private Utilities" </h2> <p>Before we can deploy the Artifactory container, we must make a fundamental architectural decision regarding its data storage. Unlike Jenkins, which stores its configuration and job history as flat XML files on the filesystem, Artifactory relies heavily on a transactional database to manage metadata, security tokens, and package indexing.</p> <p>By default, Artifactory ships with an embedded Apache Derby database. This is designed for "zero-config" trials: you run the container, the database spins up inside the same JVM process, and the application starts. While convenient for a five-minute test, this "Private Utility" model is architecturally unsound for a persistent, professional environment.</p> <p>The embedded database introduces significant risks. It runs within the application container, meaning if the container crashes or is killed abruptly (a common occurrence in Docker development), the database often fails to close its lock files or flush its transaction logs, leading to corruption. Furthermore, in the specific context of Artifactory 7.x running in Docker, the embedded database has known stability issues that can cause boot loops or data loss during upgrades.</p> <p>We will reject this default. Instead of allowing every new building in our city to drill its own private well, we will build a centralized water treatment plant. We will deploy <strong>PostgreSQL 17</strong> as a first-class piece of "City Infrastructure."</p> <p>This decision pays dividends beyond just Artifactory. By establishing a robust, SSL-secured, shared database service now, we are laying the foundation for the rest of our stack. When we deploy <strong>SonarQube</strong> (for code quality), <strong>Mattermost</strong> (for ChatOps), and <strong>Grafana</strong> (for monitoring) in future articles, they will not need their own private databases. They will simply plug into this existing, high-performance infrastructure. This reduces our resource footprint and centralizes our backup and security strategy to a single, manageable point.</p> <h2> 2.2 The Security Shift: Navigating PostgreSQL 15+ </h2> <p>Choosing to deploy a modern database comes with modern responsibilities. We are deploying <strong>PostgreSQL 17</strong>, the latest stable version supported by Artifactory and SonarQube. This forces us to confront a significant "breaking change" introduced in version 15 that alters the default security posture of the database.</p> <p>For decades, PostgreSQL had a permissive default: any user connected to a database had implicit permission to create tables in the default <code>public</code> schema. This was convenient for developers but presented a security risk—a compromised low-privilege account could fill the database with garbage data or malicious tables.</p> <p>In PostgreSQL 15, this default was revoked. The <code>public</code> schema is now owned strictly by the database owner, and the <code>PUBLIC</code> role (representing all users) no longer has <code>CREATE</code> privileges.</p> <p>This shift breaks the "lazy" setup scripts found in many older tutorials. If we simply create an <code>artifactory</code> user and a database, the application will crash on startup with "Permission Denied" errors when it attempts to initialize its schema.</p> <p>To navigate this, we must adopt a <strong>"Zero Trust"</strong> mindset in our initialization architecture. We cannot rely on implicit permissions. Our setup scripts must now be explicit, executing specific <code>GRANT CREATE, USAGE ON SCHEMA public</code> commands for each service user. This ensures that our database environment remains secure by default, with every privilege intentionally defined rather than accidentally inherited.</p> <h2> 2.3 The "Microservice Explosion" (Artifactory 7 vs. 6) </h2> <p>If you have used older versions of Artifactory (v6 and below), you might remember it as a standard Java web application running inside Apache Tomcat. You deployed a <code>.war</code> file, mapped port 8081, and you were done.</p> <p>Artifactory 7 abandoned this monolithic architecture in favor of a scalable, cloud-native design. It is no longer a single application; it is a <strong>cluster of microservices</strong> running inside a single container.</p> <p>When we launch our container, we aren't just starting a web app; we are spinning up an entire internal service mesh:</p> <ol> <li> <strong>Artifactory (Service):</strong> The core artifact management engine (Java).</li> <li> <strong>Access:</strong> A dedicated security service that handles authentication, tokens, and permissions (Java).</li> <li> <strong>Metadata:</strong> A service for indexing and calculating metadata for packages (Java).</li> <li> <strong>Frontend:</strong> The web UI service.</li> <li> <strong>Router:</strong> The API Gateway and service registry (written in Go, based on Traefik).</li> </ol> <p>This architectural shift creates new complexity for our "City Planning." We can no longer simply talk to the Tomcat backend on port 8081. Instead, all traffic must flow through the <strong>Router</strong> on <strong>port 8082</strong>.</p> <p>The Router is the traffic cop. It acts as the entry point for the "City," terminating SSL and directing requests to the correct internal microservice. This creates a complex internal environment where these services must communicate with each other securely over <code>localhost</code>. If this internal network is misconfigured, the Router will fail to connect to the Access service, and the entire container will enter a boot loop.</p> <h2> 2.4 The TLS Trap: "Strict Compliance" (Go vs. OpenSSL) </h2> <p>The introduction of the Go-based Router brings a subtle but critical compatibility challenge regarding our Public Key Infrastructure (PKI). In Article 2, we built a standard "Passport Printer" script using OpenSSL. We used this to generate certificates for GitLab (Nginx) and Jenkins (Jetty), and both accepted them without complaint.</p> <p>However, the Artifactory Router is different. It is built on the Go programming language's standard library (<code>crypto/x509</code>), which is notorious in the DevOps community for its strict, unforgiving adherence to RFC 5280 standards. While C-based libraries like OpenSSL are often permissive—ignoring minor spec violations—Go will reject a certificate that is technically imperfect.</p> <p>This creates a "TLS Trap." If we try to reuse our standard certificate generation script for Artifactory, the Router will fail to start, often with cryptic "handshake failure" or "unhandled critical extension" errors.</p> <p>The issue lies in the <strong>Key Usage</strong> extensions.</p> <ol> <li> <strong>Criticality:</strong> The RFC suggests that if a certificate defines specific Key Usages (like Digital Signature), that extension should be marked <strong>CRITICAL</strong>. Go enforces this; many others do not.</li> <li> <strong>Dual Role (mTLS):</strong> Because the Router acts as a <strong>Server</strong> (accepting traffic from your browser) <em>and</em> a <strong>Client</strong> (sending traffic to internal microservices like Access), it requires a certificate that explicitly permits <em>both</em> roles. It needs <code>ExtendedKeyUsage</code> values for <code>serverAuth</code> and <code>clientAuth</code>.</li> </ol> <p>To solve this, we cannot use our existing tools. We must engineer a bespoke "Strict Compliance" certificate generation process specifically for Artifactory, ensuring every flag is set exactly as the Go library expects.</p> <h2> 2.5 The "Hybrid Persistence" Pattern </h2> <p>Finally, we must address how we store the data. Artifactory creates massive amounts of binary data. Storing this in a standard Docker volume is best practice for performance and safety (preventing accidental deletion). However, Artifactory also relies on complex configuration files (like <code>system.yaml</code>) that we need to edit frequently from our host machine.</p> <p>If we mount a Docker volume to the data directory, the configuration files are buried inside the volume, inaccessible to our host's text editors. If we bind-mount a host directory, we expose the database files to potential permission corruption by the host OS.</p> <p>To resolve this, we will use a <strong>Hybrid Persistence</strong> pattern using layered mounts.</p> <ol> <li> <strong>The Foundation (Volume):</strong> We will mount a Docker-managed volume (<code>artifactory-data</code>) to the root application directory <code>/var/opt/jfrog/artifactory</code>. This handles the heavy, opaque data storage safely.</li> <li> <strong>The Overlays (Bind Mounts):</strong> We will then bind-mount specific subdirectories from our host (<code>~/cicd_stack/artifactory/var/etc</code>) <em>over</em> the corresponding directories inside the container.</li> </ol> <p>This strategy gives us the best of both worlds: the robustness of a managed volume for the "blob" storage, and the convenience of host-side editing for our configuration files.</p> <h1> Chapter 3: Action Plan (Part 1) - The Shared Data Layer </h1> <h2> 3.1 The Architect (<code>01-setup-database.sh</code>) </h2> <p>We begin by establishing our shared data infrastructure. This script acts as the "Architect" for our database service. It runs entirely on the host machine and is responsible for preparing the filesystem, generating cryptographic secrets, and defining the security policies that the database container will enforce upon startup.</p> <p>This script creates a directory structure at <code>~/cicd_stack/postgres</code>, populating it with SSL certificates, configuration files, and initialization scripts. It solves the "Bootstrap Paradox" by ensuring that all passwords and permissions exist <em>before</em> the database process is ever spawned.</p> <p>Create this file at <code>~/cicd_stack/postgres/01-setup-database.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-database.sh</span> <span class="c">#</span> <span class="c"># This is the "Architect" script for the Shared Database.</span> <span class="c"># It prepares the host environment for PostgreSQL 17.</span> <span class="c">#</span> <span class="c"># 1. Secrets: Generates/Persists passwords for all 4 services.</span> <span class="c"># 2. Certs: Issues SSL certs and fixes permissions (UID 999).</span> <span class="c"># 3. Security: Generates pg_hba.conf enforcing SSL for cicd-net.</span> <span class="c"># 4. Init: Creates the SQL script to initialize databases with</span> <span class="c"># PostgreSQL 17 compatible permissions.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">POSTGRES_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/postgres"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># Directories to be mounted</span> <span class="nv">DIR_CERTS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/certs"</span> <span class="nv">DIR_CONFIG</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/config"</span> <span class="nv">DIR_INIT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/init"</span> <span class="c"># Certificate Authority Paths</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="s2">"postgres.cicd.local"</span> <span class="nv">CA_SERVICE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/services/</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="nv">SRC_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/</span><span class="nv">$SERVICE_NAME</span><span class="s2">.crt.pem"</span> <span class="nv">SRC_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_SERVICE_DIR</span><span class="s2">/</span><span class="nv">$SERVICE_NAME</span><span class="s2">.key.pem"</span> <span class="nv">SRC_ROOT_CA</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="nb">echo</span> <span class="s2">"Starting PostgreSQL 'Architect' Setup..."</span> <span class="c"># --- 2. Secrets Management ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 1: Secrets Management ---"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="c"># Helper function to check and generate secret</span> check_and_generate_secret<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">var_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">var_value</span><span class="o">=</span><span class="k">${</span><span class="p">!var_name</span><span class="k">}</span> <span class="nb">local </span><span class="nv">description</span><span class="o">=</span><span class="nv">$2</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$var_value</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating new </span><span class="nv">$description</span><span class="s2"> (</span><span class="nv">$var_name</span><span class="s2">)..."</span> <span class="c"># 32 bytes of entropy = 64 hex characters</span> <span class="nb">local </span><span class="nv">new_secret</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# </span><span class="nv">$description</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$var_name</span><span class="s2">=</span><span class="se">\"</span><span class="nv">$new_secret</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="c"># Export for current session</span> <span class="nb">export</span> <span class="nv">$var_name</span><span class="o">=</span><span class="s2">"</span><span class="nv">$new_secret</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Found existing </span><span class="nv">$var_name</span><span class="s2">."</span> <span class="k">fi</span> <span class="o">}</span> check_and_generate_secret <span class="s2">"POSTGRES_ROOT_PASSWORD"</span> <span class="s2">"PostgreSQL Root Password"</span> check_and_generate_secret <span class="s2">"ARTIFACTORY_DB_PASSWORD"</span> <span class="s2">"Artifactory DB Password"</span> check_and_generate_secret <span class="s2">"SONARQUBE_DB_PASSWORD"</span> <span class="s2">"SonarQube DB Password"</span> check_and_generate_secret <span class="s2">"MATTERMOST_DB_PASSWORD"</span> <span class="s2">"Mattermost DB Password"</span> check_and_generate_secret <span class="s2">"GRAFANA_DB_PASSWORD"</span> <span class="s2">"Grafana DB Password"</span> <span class="c"># --- 3. Certificate Preparation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 2: TLS Certificate Preparation ---"</span> <span class="c"># Ensure local directories exist</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$DIR_CONFIG</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$DIR_INIT</span><span class="s2">"</span> <span class="c"># Check if cert already exists in the CA structure</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SRC_CRT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Certificate for </span><span class="nv">$SERVICE_NAME</span><span class="s2"> not found in CA. Issuing new certificate..."</span> <span class="c"># Use a subshell to change directory without affecting the script</span> <span class="o">(</span> <span class="nb">cd</span> ../0006_cicd_part02_certificate_authority <span class="o">||</span> <span class="nb">exit </span>1 <span class="c"># Check if the script exists</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-x</span> <span class="s2">"./02-issue-service-cert.sh"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Cert issuance script not found or not executable."</span> <span class="nb">exit </span>1 <span class="k">fi</span> ./02-issue-service-cert.sh <span class="s2">"</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="o">)</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Certificate for </span><span class="nv">$SERVICE_NAME</span><span class="s2"> already exists. Skipping issuance."</span> <span class="k">fi</span> <span class="c"># Copy certificates to the Postgres mount directory</span> <span class="nb">echo</span> <span class="s2">"Copying certificates to </span><span class="nv">$DIR_CERTS</span><span class="s2">..."</span> <span class="c"># We rename them to standard postgres names for simplicity in the run command</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$SRC_CRT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/server.crt"</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$SRC_KEY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/server.key"</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$SRC_ROOT_CA</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/root.crt"</span> <span class="c"># CRITICAL: Permission Fix for Container UID 999</span> <span class="c"># PostgreSQL refuses to start if the key file is readable by anyone else.</span> <span class="c"># The container user 'postgres' usually has UID 999.</span> <span class="nb">echo</span> <span class="s2">"Applying strict permissions to SSL keys (requires sudo)..."</span> <span class="nb">echo</span> <span class="s2">"Setting ownership to UID 999 and mode 0600."</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 999:999 <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">"</span> <span class="nb">sudo chmod </span>600 <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/server.key"</span> <span class="c"># Public certs can be readable</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/server.crt"</span> <span class="nb">sudo chmod </span>644 <span class="s2">"</span><span class="nv">$DIR_CERTS</span><span class="s2">/root.crt"</span> <span class="c"># --- 4. Security Policy (pg_hba.conf) ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Generating pg_hba.conf ---"</span> <span class="nv">HBA_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$DIR_CONFIG</span><span class="s2">/pg_hba.conf"</span> <span class="c"># We explicitly restrict access to the docker subnet (172.30.0.0/24)</span> <span class="c"># and enforce SSL (hostssl).</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$HBA_FILE</span><span class="sh">" # TYPE DATABASE USER ADDRESS METHOD # 1. Localhost (Loopback) - Allow for local debugging/healthchecks local all all trust hostssl all all 127.0.0.1/32 scram-sha-256 # 2. CICD Network - Reject unencrypted connections hostnossl all all 172.30.0.0/24 reject # 3. CICD Network - Allow SSL connections with password hostssl all all 172.30.0.0/24 scram-sha-256 # 4. Reject everything else (Implicit, but good for documentation) # host all all 0.0.0.0/0 reject </span><span class="no">EOF </span><span class="nb">echo</span> <span class="s2">"Policy written to </span><span class="nv">$HBA_FILE</span><span class="s2">"</span> <span class="c"># --- 5. Init Script Generation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 4: Generating Initialization SQL ---"</span> <span class="nv">INIT_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$DIR_INIT</span><span class="s2">/01-init.sh"</span> <span class="c"># We use a shell script that calls psql. This allows us to use variables.</span> <span class="c"># Note: We use 'cat &lt;&lt; "EOF"' (quoted EOF) to prevent variable expansion</span> <span class="c"># by the host shell during generation. The variables ($POSTGRES_USER, etc.)</span> <span class="c"># will be expanded by the CONTAINER shell at runtime.</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="sh">"</span><span class="no">EOF</span><span class="sh">" &gt; "</span><span class="nv">$INIT_SCRIPT</span><span class="sh">" #!/bin/bash set -e echo "--- Initializing Multi-Tenant Databases ---" # Define constants for PG17 Compatibility # We use 'C' collation to satisfy SonarQube's strict case-sensitivity requirement # while maintaining compatibility with Artifactory, Mattermost, and Grafana. DB_ENCODING='UTF8' DB_COLLATE='C' DB_CTYPE='C' # Execute SQL block psql -v ON_ERROR_STOP=1 --username "</span><span class="nv">$POSTGRES_USER</span><span class="sh">" --dbname "</span><span class="nv">$POSTGRES_DB</span><span class="sh">" &lt;&lt;-EOSQL -- =================================================== -- 1. ARTIFACTORY -- =================================================== CREATE USER artifactory WITH PASSWORD '</span><span class="nv">$ARTIFACTORY_DB_PASSWORD</span><span class="sh">'; CREATE DATABASE artifactory WITH OWNER artifactory ENCODING='</span><span class="nv">$DB_ENCODING</span><span class="sh">' LC_COLLATE='</span><span class="nv">$DB_COLLATE</span><span class="sh">' LC_CTYPE='</span><span class="nv">$DB_CTYPE</span><span class="sh">' TEMPLATE=template0; GRANT ALL PRIVILEGES ON DATABASE artifactory TO artifactory; -- PG17 Fix: Explicitly grant creation on public schema GRANT CREATE, USAGE ON SCHEMA public TO artifactory; -- =================================================== -- 2. SONARQUBE -- =================================================== CREATE USER sonarqube WITH PASSWORD '</span><span class="nv">$SONARQUBE_DB_PASSWORD</span><span class="sh">'; CREATE DATABASE sonarqube WITH OWNER sonarqube ENCODING='</span><span class="nv">$DB_ENCODING</span><span class="sh">' LC_COLLATE='</span><span class="nv">$DB_COLLATE</span><span class="sh">' LC_CTYPE='</span><span class="nv">$DB_CTYPE</span><span class="sh">' TEMPLATE=template0; GRANT ALL PRIVILEGES ON DATABASE sonarqube TO sonarqube; -- PG17 Fix: Explicitly grant creation on public schema GRANT CREATE, USAGE ON SCHEMA public TO sonarqube; -- =================================================== -- 3. MATTERMOST -- =================================================== CREATE USER mattermost WITH PASSWORD '</span><span class="nv">$MATTERMOST_DB_PASSWORD</span><span class="sh">'; CREATE DATABASE mattermost WITH OWNER mattermost ENCODING='</span><span class="nv">$DB_ENCODING</span><span class="sh">' LC_COLLATE='</span><span class="nv">$DB_COLLATE</span><span class="sh">' LC_CTYPE='</span><span class="nv">$DB_CTYPE</span><span class="sh">' TEMPLATE=template0; GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost; -- PG17 Fix: Explicitly grant creation on public schema GRANT CREATE, USAGE ON SCHEMA public TO mattermost; -- =================================================== -- 4. GRAFANA -- =================================================== CREATE USER grafana WITH PASSWORD '</span><span class="nv">$GRAFANA_DB_PASSWORD</span><span class="sh">'; CREATE DATABASE grafana WITH OWNER grafana ENCODING='</span><span class="nv">$DB_ENCODING</span><span class="sh">' LC_COLLATE='</span><span class="nv">$DB_COLLATE</span><span class="sh">' LC_CTYPE='</span><span class="nv">$DB_CTYPE</span><span class="sh">' TEMPLATE=template0; GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; -- PG17 Fix: Explicitly grant creation on public schema GRANT CREATE, USAGE ON SCHEMA public TO grafana; EOSQL echo "--- Database Initialization Complete ---" </span><span class="no">EOF </span><span class="c"># Make the init script executable</span> <span class="nb">chmod</span> +x <span class="s2">"</span><span class="nv">$INIT_SCRIPT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Init script written to </span><span class="nv">$INIT_SCRIPT</span><span class="s2">"</span> <span class="c"># --- 6. Create Scoped Environment File ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 5: Creating Scoped postgres.env ---"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/postgres.env"</span> <span class="c"># We map the variables from our Master Env (Host) to the specific</span> <span class="c"># variable names expected by the Postgres Image and our Init Script.</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$SCOPED_ENV_FILE</span><span class="sh">" # Scoped Environment for PostgreSQL Container # Auto-generated by 01-setup-database.sh # 1. Standard PostgreSQL Image Variables # Note: We map our POSTGRES_ROOT_PASSWORD to POSTGRES_PASSWORD POSTGRES_PASSWORD=</span><span class="nv">$POSTGRES_ROOT_PASSWORD</span><span class="sh"> POSTGRES_USER=postgres POSTGRES_DB=postgres # 2. Application Passwords # These are required by /docker-entrypoint-initdb.d/01-init.sh ARTIFACTORY_DB_PASSWORD=</span><span class="nv">$ARTIFACTORY_DB_PASSWORD</span><span class="sh"> SONARQUBE_DB_PASSWORD=</span><span class="nv">$SONARQUBE_DB_PASSWORD</span><span class="sh"> MATTERMOST_DB_PASSWORD=</span><span class="nv">$MATTERMOST_DB_PASSWORD</span><span class="sh"> GRAFANA_DB_PASSWORD=</span><span class="nv">$GRAFANA_DB_PASSWORD</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># Secure the file (contains cleartext passwords)</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Scoped env file written to </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"--- Setup Complete ---"</span> <span class="nb">echo</span> <span class="s2">"Secrets persisted in cicd.env"</span> <span class="nb">echo</span> <span class="s2">"Scoped secrets created in </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Certificates prepared in </span><span class="nv">$DIR_CERTS</span><span class="s2"> (UID 999)"</span> <span class="nb">echo</span> <span class="s2">"Config generated in </span><span class="nv">$DIR_CONFIG</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Ready to run 02-deploy-database.sh"</span> </code></pre> </div> <h3> Deconstructing the Architect </h3> <p>This script performs five critical functions that transform a generic PostgreSQL image into a production-grade service.</p> <p><strong>1. The "Pre-Computation" Strategy (Phase 1)</strong><br> The <code>check_and_generate_secret</code> function generates high-entropy passwords using <code>openssl rand</code> and saves them to our master <code>cicd.env</code> file <em>before</em> the container ever starts. This prevents the "First Run" race condition where an application might try to connect before a password is fully established. Note that we generate passwords for Artifactory, SonarQube, Mattermost, and Grafana all at once. We are provisioning the city's infrastructure in one go.</p> <p><strong>2. The "Leaky Container" Fix (UID 999) (Phase 2)</strong><br> This is one of the most common "gotchas" in Docker database deployments. The official PostgreSQL container runs as user <code>postgres</code> with a fixed <strong>UID 999</strong>. When we bind-mount our host's certificate directory (<code>certs/</code>) into the container, the permissions bleed through. If the private key is owned by our host user (e.g., UID 1000), the database process inside the container (UID 999) cannot read it and will crash immediately.<br> We solve this with "Host-Side Surgery": <code>sudo chown -R 999:999</code>. We explicitly set the ownership on the host so it matches the guest's expectation.</p> <p><strong>3. The "Bouncer" (Phase 3)</strong><br> We generate a strict <code>pg_hba.conf</code> file. This acts as the firewall for the database application layer.</p> <ul> <li> <strong><code>hostnossl ... reject</code></strong>: This is the "No Shirt, No Service" policy. We explicitly reject any connection attempt from the network that does not use SSL.</li> <li> <strong><code>scram-sha-256</code></strong>: We enforce the modern SCRAM authentication method, replacing the vulnerable <code>md5</code> default. This adds cryptographic salt and channel binding, preventing "Pass-the-Hash" attacks.</li> </ul> <p><strong>4. The "Concrete Foundation" and "Zero Trust" (Phase 4)</strong><br> The <code>init.sh</code> script is where we handle the deep architectural requirements.</p> <ul> <li> <strong><code>DB_COLLATE='C'</code></strong>: We hardcode the collation to <code>C</code>. This forces the database to use raw byte-value sorting rather than complex, culturally-aware sorting logic. This is a hard requirement for <strong>SonarQube</strong> (our next article), which requires strict case sensitivity. Changing collation later is impossible without wiping the database, so we must pour this concrete correctly now.</li> <li> <strong><code>GRANT CREATE, USAGE ON SCHEMA public</code></strong>: This handles the PostgreSQL 15 security shift. By default, new users can no longer create tables in the public schema. We explicitly <code>GRANT</code> these permissions to our service users, adhering to a "Zero Trust" model where access is explicitly defined, not implicitly assumed.</li> </ul> <h2> 3.2 The Launcher (<code>02-deploy-database.sh</code>) </h2> <p>With our configuration assets generated and permissions fixed, we can now launch the database container. This script acts as the "Construction Crew," taking the blueprints provided by the Architect and assembling the running service.</p> <p>It performs a "Clean Slate" protocol—stopping and removing any existing instance—to ensure that configuration changes (like our new <code>pg_hba.conf</code>) are always applied fresh.</p> <p>Create this file at <code>~/cicd_stack/postgres/02-deploy-database.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-deploy-database.sh</span> <span class="c">#</span> <span class="c"># This is the "Launcher" script for the Shared Database.</span> <span class="c"># It runs the PostgreSQL 17 container using the assets</span> <span class="c"># prepared by 01-setup-database.sh.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">POSTGRES_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/postgres"</span> <span class="c"># Prerequisite files</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/postgres.env"</span> <span class="nv">SSL_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/certs/server.key"</span> <span class="nv">HBA_CONF</span><span class="o">=</span><span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/config/pg_hba.conf"</span> <span class="nb">echo</span> <span class="s2">"Starting PostgreSQL Deployment..."</span> <span class="c"># --- 2. Prerequisite Checks ---</span> <span class="c"># We fail fast if the architect script has not been run.</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Scoped env file not found at </span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-database.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SSL_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: SSL Key not found at </span><span class="nv">$SSL_KEY</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-database.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$HBA_CONF</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: pg_hba.conf not found at </span><span class="nv">$HBA_CONF</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-database.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Clean Slate Protocol ---</span> <span class="c"># Stop and remove any existing container to ensure a clean start</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>postgres<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'postgres' container..."</span> docker stop postgres <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>postgres<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'postgres' container..."</span> docker <span class="nb">rm </span>postgres <span class="k">fi</span> <span class="c"># --- 4. Volume Management ---</span> <span class="c"># Create the persistent data volume if it doesn't exist</span> docker volume create postgres-data <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">"Verified 'postgres-data' volume."</span> <span class="c"># --- 5. Deploy Container ---</span> <span class="nb">echo</span> <span class="s2">"Launching PostgreSQL 17 container..."</span> <span class="c"># Notes on Mounts:</span> <span class="c"># 1. postgres-data: Persists the DB files.</span> <span class="c"># 2. certs: Provides the SSL keys (Must be owned by UID 999 - fixed in 01).</span> <span class="c"># 3. config: Provides the strict pg_hba.conf.</span> <span class="c"># 4. init: Provides the SQL script to create Artifactory/Sonar/etc users.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> postgres <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> postgres.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:5432:5432 <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--volume</span> postgres-data:/var/lib/postgresql/data <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/certs"</span>:/etc/postgresql/ssl <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/config/pg_hba.conf"</span>:/etc/postgresql/pg_hba.conf <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$POSTGRES_BASE</span><span class="s2">/init"</span>:/docker-entrypoint-initdb.d <span class="se">\</span> postgres:17 <span class="se">\</span> <span class="nt">-c</span> <span class="nv">ssl</span><span class="o">=</span>on <span class="se">\</span> <span class="nt">-c</span> <span class="nv">ssl_cert_file</span><span class="o">=</span>/etc/postgresql/ssl/server.crt <span class="se">\</span> <span class="nt">-c</span> <span class="nv">ssl_key_file</span><span class="o">=</span>/etc/postgresql/ssl/server.key <span class="se">\</span> <span class="nt">-c</span> <span class="nv">hba_file</span><span class="o">=</span>/etc/postgresql/pg_hba.conf <span class="nb">echo</span> <span class="s2">"PostgreSQL container started."</span> <span class="nb">echo</span> <span class="s2">"Monitor initialization logs with: docker logs -f postgres"</span> <span class="nb">echo</span> <span class="s2">"Wait for 'database system is ready to accept connections' before proceeding."</span> </code></pre> </div> <h3> Deconstructing the Launcher </h3> <p>This script connects the dots between our physical assets and the running container.</p> <p><strong>1. The Identity Assertion (<code>--hostname</code>)</strong><br> We explicitly set <code>--hostname postgres.cicd.local</code>. This is not cosmetic. This hostname matches the Common Name (CN) of the SSL certificate we generated in the Architect script. This match is what allows clients to use <code>sslmode=verify-full</code>. If the container's hostname did not match the certificate, clients would reject the connection as a potential Man-in-the-Middle attack.</p> <p><strong>2. The Mount Strategy</strong><br> We map four distinct volumes, each serving a specific architectural purpose:</p> <ul> <li> <code>postgres-data</code>: The <strong>Docker Volume</strong> for the actual database files (opaque, high-performance IO).</li> <li> <code>certs</code>: The <strong>Bind Mount</strong> containing our keys (permission-fixed to UID 999).</li> <li> <code>config</code>: The <strong>Bind Mount</strong> injecting our strict <code>pg_hba.conf</code> "Bouncer."</li> <li> <code>init</code>: The <strong>Bind Mount</strong> injecting our SQL script. PostgreSQL automatically executes any <code>.sh</code> or <code>.sql</code> file found in <code>/docker-entrypoint-initdb.d</code> during the very first startup.</li> </ul> <p><strong>3. The Runtime Flags (<code>-c</code>)</strong><br> We override the default PostgreSQL configuration directly in the command line.</p> <ul> <li> <code>-c ssl=on</code>: Forces the server to enable the SSL subsystem.</li> <li> <code>-c hba_file=...</code>: Tells PostgreSQL to ignore its default access rules and use our strict <code>pg_hba.conf</code> instead.</li> </ul> <h2> 3.3 The Audit (<code>03-verify-database.sh</code>) </h2> <p>Deploying the database is not enough. We must verify that our security controls are actually working <em>before</em> we try to connect complex applications like Artifactory. If we skip this step, we might spend hours debugging Artifactory connection errors, not knowing if the issue is the network, the password, or the SSL handshake.</p> <p>We will perform a formal audit using a "Negative Testing" methodology. We want to prove that the database <strong>rejects</strong> insecure connections.</p> <p>Create this file in your <strong>article source directory</strong> (on your host) at <code>~/Documents/FromFirstPrinciples/articles/0009_cicd_part05_artifactory/03-verify-database.sh</code>. This ensures it is mounted into our <code>dev-container</code>, where we will run the test.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-verify-database.sh</span> <span class="c">#</span> <span class="c"># This script audits the PostgreSQL 17 deployment.</span> <span class="c">#</span> <span class="c"># USAGE INSTRUCTIONS:</span> <span class="c"># 1. This script must be run INSIDE the 'dev-container'.</span> <span class="c"># 2. You must stage the secrets file on the HOST first:</span> <span class="c"># cp ~/cicd_stack/postgres/postgres.env ~/Documents/FromFirstPrinciples/data/</span> <span class="c">#</span> <span class="c"># What this script checks:</span> <span class="c"># 1. Network connectivity to postgres.cicd.local.</span> <span class="c"># 2. Strict SSL enforcement (PGSSLMODE=verify-full).</span> <span class="c"># 3. Negative Test: Ensures non-SSL connections are REJECTED.</span> <span class="c"># 4. Authentication for all 4 service users.</span> <span class="c"># 5. Authorization (Can they create tables in 'public'?).</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># Fix for Perl locale warnings in some containers</span> <span class="nb">export </span><span class="nv">LC_ALL</span><span class="o">=</span>C <span class="nb">echo</span> <span class="s2">"Starting Database Verification Audit..."</span> <span class="c"># --- 1. Dependency Check ---</span> <span class="c"># The dev-container might not have the psql client installed.</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">command</span> <span class="nt">-v</span> psql &amp;&gt; /dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"psql not found. Installing PostgreSQL 17 client..."</span> <span class="c"># We assume sudo is available or we are root in dev-container</span> <span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> postgresql-common <span class="c"># Install the official PG repo to get version 17</span> <span class="nb">yes</span> | <span class="nb">sudo</span> /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh <span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> postgresql-client-17 <span class="k">fi</span> <span class="c"># --- 2. Load Environment Secrets ---</span> <span class="c"># We expect the file to be in ~/data (mapped from Host ~/Documents/FromFirstPrinciples/data)</span> <span class="nv">ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/data/postgres.env"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"CRITICAL ERROR: Secrets file not found at </span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Please run this command on your HOST machine first:"</span> <span class="nb">echo</span> <span class="s2">" cp ~/cicd_stack/postgres/postgres.env ~/Documents/FromFirstPrinciples/data/"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"Loading secrets from </span><span class="nv">$ENV_FILE</span><span class="s2">..."</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="c"># --- 3. Negative Test: SSL Rejection ---</span> verify_ssl_rejection<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"Security Audit: Verifying Non-SSL Rejection"</span> <span class="c"># Use Artifactory creds for the test (User doesn't matter, connection type does)</span> <span class="nb">export </span><span class="nv">PGPASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ARTIFACTORY_DB_PASSWORD</span><span class="s2">"</span> <span class="c"># CRITICAL FIX: Use ENV variable, not --set</span> <span class="c"># We attempt to force a non-SSL connection.</span> <span class="nb">export </span><span class="nv">PGSSLMODE</span><span class="o">=</span><span class="s2">"disable"</span> <span class="c"># We explicitly want this command to FAIL.</span> <span class="k">if </span>psql <span class="se">\</span> <span class="nt">--host</span> <span class="s2">"postgres.cicd.local"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"artifactory"</span> <span class="se">\</span> <span class="nt">--dbname</span> <span class="s2">"artifactory"</span> <span class="se">\</span> <span class="nt">--no-password</span> <span class="se">\</span> <span class="nt">--command</span> <span class="s2">"SELECT 1;"</span> &amp;&gt; /dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" [FAIL] SECURITY BREACH! The database accepted a non-SSL connection."</span> <span class="nb">echo</span> <span class="s2">" Check your pg_hba.conf file for 'hostnossl ... reject'."</span> <span class="nb">exit </span>1 <span class="k">else </span><span class="nb">echo</span> <span class="s2">" [PASS] Connection rejected (Expected). The database correctly blocked non-SSL traffic."</span> <span class="k">fi</span> <span class="c"># Unset the variable so it doesn't pollute later tests</span> <span class="nb">unset </span>PGSSLMODE <span class="o">}</span> <span class="c"># --- 4. Positive Test: Functional Verification ---</span> verify_service_db<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">user</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">pass</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">local </span><span class="nv">db</span><span class="o">=</span><span class="nv">$3</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"Auditing Service: </span><span class="nv">$user</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$pass</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" [FAIL] Password variable is empty."</span> <span class="k">return </span>1 <span class="k">fi </span><span class="nb">export </span><span class="nv">PGPASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$pass</span><span class="s2">"</span> <span class="c"># CRITICAL FIXES:</span> <span class="c"># 1. Force strict verification</span> <span class="nb">export </span><span class="nv">PGSSLMODE</span><span class="o">=</span><span class="s2">"verify-full"</span> <span class="c"># 2. Tell libpq to look at the System Certificate Bundle (where your CA is)</span> <span class="c"># Instead of looking in ~/.postgresql/root.crt</span> <span class="nb">export </span><span class="nv">PGSSLROOTCERT</span><span class="o">=</span><span class="s2">"/etc/ssl/certs/ca-certificates.crt"</span> psql <span class="se">\</span> <span class="nt">--host</span> <span class="s2">"postgres.cicd.local"</span> <span class="se">\</span> <span class="nt">--username</span> <span class="s2">"</span><span class="nv">$user</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--dbname</span> <span class="s2">"</span><span class="nv">$db</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--no-password</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">ON_ERROR_STOP</span><span class="o">=</span>1 <span class="se">\</span> <span class="o">&lt;&lt;-</span><span class="no">EOSQL</span><span class="sh"> -- 1. Check SSL Status (Using pg_stat_ssl view) SELECT CASE WHEN ssl THEN 'SSL: ACTIVE' ELSE 'SSL: INACTIVE' END AS security_status FROM pg_stat_ssl WHERE pid = pg_backend_pid(); -- 2. Check PG17 Permissions (Create Table in Public) CREATE TABLE public.verification_test (id int); -- 3. Cleanup DROP TABLE public.verification_test; </span><span class="no"> EOSQL </span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" [PASS] Authentication successful."</span> <span class="nb">echo</span> <span class="s2">" [PASS] SSL encryption verified."</span> <span class="nb">echo</span> <span class="s2">" [PASS] PG17 Schema permissions verified (CRUD OK)."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" [FAIL] Verification failed for user: </span><span class="nv">$user</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="o">}</span> <span class="c"># --- 5. Execution Loop ---</span> <span class="c"># 1. First, verify the security controls</span> verify_ssl_rejection <span class="c"># 2. Then verify functionality for all tenants</span> verify_service_db <span class="s2">"artifactory"</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_DB_PASSWORD</span><span class="s2">"</span> <span class="s2">"artifactory"</span> verify_service_db <span class="s2">"sonarqube"</span> <span class="s2">"</span><span class="nv">$SONARQUBE_DB_PASSWORD</span><span class="s2">"</span> <span class="s2">"sonarqube"</span> verify_service_db <span class="s2">"mattermost"</span> <span class="s2">"</span><span class="nv">$MATTERMOST_DB_PASSWORD</span><span class="s2">"</span> <span class="s2">"mattermost"</span> verify_service_db <span class="s2">"grafana"</span> <span class="s2">"</span><span class="nv">$GRAFANA_DB_PASSWORD</span><span class="s2">"</span> <span class="s2">"grafana"</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"AUDIT COMPLETE: All database services are healthy and secure."</span> </code></pre> </div> <h3> Deconstructing the Audit </h3> <p><strong>1. The "Negative Testing" Philosophy</strong><br> Most tutorials only show you how to connect successfully. We prioritize verifying that we <em>cannot</em> connect insecurely.</p> <ul> <li> <strong><code>PGSSLMODE="disable"</code></strong>: We deliberately attempt to break our own rules by forcing a clear-text connection.</li> <li> <strong>The Payoff:</strong> The script considers it a <strong><code>[PASS]</code></strong> only if the connection fails. This proves that our <code>pg_hba.conf</code> "Bouncer" is physically rejecting unencrypted traffic.</li> </ul> <p><strong>2. The "Identity" Check (<code>verify-full</code>)</strong><br> In the positive tests, we set <code>PGSSLMODE="verify-full"</code>.</p> <ul> <li> <strong><code>verify-ca</code></strong> only checks the signature (Is this a valid passport?).</li> <li> <strong><code>verify-full</code></strong> checks the hostname (Is this <em>your</em> passport?). By enforcing this, we validate that the certificate we generated (<code>postgres.cicd.local</code>) correctly matches the hostname resolved by our internal DNS. This prevents Man-in-the-Middle attacks within our own network.</li> </ul> <h3> Executing the Audit </h3> <p>This script requires a small "data bridging" step because the <code>dev-container</code> cannot see the <code>cicd_stack</code> deployment directory on the host (for security reasons).</p> <ol> <li> <p><strong>On your Host:</strong> Stage the secrets file where the dev container can see it.<br> </p> <pre class="highlight shell"><code><span class="nb">cp</span> ~/cicd_stack/postgres/postgres.env ~/Documents/FromFirstPrinciples/data/ </code></pre> </li> <li> <p><strong>Enter the Dev Container:</strong><br> </p> <pre class="highlight shell"><code>./dev-container.sh </code></pre> <p>OR, if already started<br> </p> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> ~/.ssh/id_rsa <span class="nt">-p</span> 10200 &lt;your_username&gt;@127.0.0.1 </code></pre> <p>OR<br> </p> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> dev-container bash </code></pre> </li> <li> <p><strong>Run the Audit:</strong><br> </p> <pre class="highlight shell"><code><span class="c"># Inside dev-container</span> <span class="nb">cd </span>articles/0009_cicd_part05_artifactory <span class="nb">chmod</span> +x 03-verify-database.sh ./03-verify-database.sh </code></pre> </li> </ol> <p><strong>The Result:</strong><br> You will see <code>[PASS] Connection rejected</code> when the script attempts an insecure connection. You will then see <code>[PASS] SSL encryption verified</code> for every service user, confirming that your <code>init.sh</code> script successfully provisioned the multi-tenant architecture with the correct PostgreSQL 17 permissions.</p> <h1> Chapter 4: Action Plan (Part 2) - The Secure Warehouse </h1> <h2> 4.1 The Architecture: A Cluster in a Container </h2> <p>With our shared database layer operational, we turn our attention to the application itself. Deploying Artifactory 7.x is fundamentally different from deploying a standard web application like Jenkins. While Jenkins is a single process, Artifactory is a distributed system packaged into a single container. It consists of several distinct microservices—<strong>Artifactory</strong> (the core), <strong>Access</strong> (security), <strong>Metadata</strong>, <strong>Router</strong>, and <strong>Frontend</strong>—that must coordinate with one another to function.</p> <p>This microservice architecture necessitates a sophisticated internal trust model. We are not just managing a username and password; we are managing the cryptographic trust root for a cluster.</p> <p>To secure this "Cluster in a Container," we must explicitly manage two critical cryptographic assets:</p> <ol> <li> <strong>The Master Key:</strong> This is an AES-256 key used for <strong>Data at Rest</strong> encryption. Artifactory uses this to encrypt sensitive data within the configuration files (like the database password we just generated) and inside the database itself. If you lose this key, the data is cryptographically locked forever.</li> <li> <strong>The Join Key:</strong> This is a shared secret used for <strong>Data in Motion</strong> trust. When the internal microservices (like Metadata or Access) start up, they use this key to "handshake" with one another and establish a circle of trust. Once trusted, they exchange short-lived tokens for API access.</li> </ol> <p>In a default installation, Artifactory generates these keys automatically on the first run. However, relying on auto-generation creates a "Black Box" deployment where we do not possess the recovery keys for our own infrastructure. It also introduces potential race conditions during the initial boot where services might time out waiting for key generation.</p> <p>We will define these keys manually on the host <em>before</em> the container starts. By generating high-entropy keys ourselves, we ensure we own the "Root of Trust" for our warehouse from the very first second.</p> <h2> 4.2 The Architect (<code>04-setup-artifactory.sh</code>) </h2> <p>To orchestrate this complex internal environment, we need a robust Architect script. This script is responsible for generating the Master and Join keys, creating the specific directory structure required for the bootstrap process, and—most critically—generating the "Strict Compliance" TLS certificates required by the Artifactory Router.</p> <p>Create this file at <code>~/cicd_stack/artifactory/04-setup-artifactory.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 04-setup-artifactory.sh</span> <span class="c">#</span> <span class="c"># This is the "Architect" script for Artifactory.</span> <span class="c">#</span> <span class="c"># UPDATED: "Docs Compliance Mode"</span> <span class="c"># 1. Generates Certificate with clientAuth + Critical KeyUsage.</span> <span class="c"># 2. Sets shared.node.ip to match Certificate CN.</span> <span class="c"># 3. Uses Bootstrap mechanism for SSL ingest.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ARTIFACTORY_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/artifactory"</span> <span class="nv">VAR_ETC</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ARTIFACTORY_BASE</span><span class="s2">/var/etc"</span> <span class="nv">VAR_BOOTSTRAP</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ARTIFACTORY_BASE</span><span class="s2">/var/bootstrap"</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="c"># CA Paths</span> <span class="nv">CA_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/ca"</span> <span class="nv">CA_CERT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/certs/ca.pem"</span> <span class="nv">CA_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CA_DIR</span><span class="s2">/pki/private/ca.key"</span> <span class="nv">CA_PASSWORD</span><span class="o">=</span><span class="s2">"your_secure_password"</span> <span class="nb">echo</span> <span class="s2">"Starting Artifactory 'Architect' Setup..."</span> <span class="c"># --- 2. Secrets Management ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_DB_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: ARTIFACTORY_DB_PASSWORD not found in cicd.env"</span> <span class="nb">echo</span> <span class="s2">"Please run 01-setup-database.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi </span>check_and_generate_secret<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">var_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">var_value</span><span class="o">=</span><span class="k">${</span><span class="p">!var_name</span><span class="k">}</span> <span class="nb">local </span><span class="nv">description</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">local </span><span class="nv">length</span><span class="o">=</span><span class="nv">$3</span> <span class="c"># bytes</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$var_value</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Generating new </span><span class="nv">$description</span><span class="s2"> (</span><span class="nv">$var_name</span><span class="s2">)..."</span> <span class="nb">local </span><span class="nv">new_secret</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> <span class="nv">$length</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"# </span><span class="nv">$description</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$var_name</span><span class="s2">=</span><span class="se">\"</span><span class="nv">$new_secret</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">export</span> <span class="nv">$var_name</span><span class="o">=</span><span class="s2">"</span><span class="nv">$new_secret</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Found existing </span><span class="nv">$var_name</span><span class="s2">."</span> <span class="k">fi</span> <span class="o">}</span> check_and_generate_secret <span class="s2">"ARTIFACTORY_MASTER_KEY"</span> <span class="s2">"Artifactory Master Key"</span> 32 check_and_generate_secret <span class="s2">"ARTIFACTORY_JOIN_KEY"</span> <span class="s2">"Artifactory Join Key"</span> 16 check_and_generate_secret <span class="s2">"ARTIFACTORY_ADMIN_PASSWORD"</span> <span class="s2">"Artifactory Initial Admin Password"</span> 16 <span class="c"># --- 3. Directory Preparation ---</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/keys/trusted"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/access"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/artifactory"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$VAR_BOOTSTRAP</span><span class="s2">/router/keys"</span> <span class="c"># --- 4. Strict Certificate Generation ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 3: Generating Strict Compliance Certificate ---"</span> <span class="nv">ROUTER_CERT_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_BOOTSTRAP</span><span class="s2">/router/keys"</span> <span class="nv">ROUTER_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROUTER_CERT_DIR</span><span class="s2">/custom-server.key"</span> <span class="nv">ROUTER_CSR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROUTER_CERT_DIR</span><span class="s2">/custom-server.csr"</span> <span class="nv">ROUTER_CRT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROUTER_CERT_DIR</span><span class="s2">/custom-server.crt"</span> <span class="nv">ROUTER_CNF</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROUTER_CERT_DIR</span><span class="s2">/router.cnf"</span> <span class="c"># 1. Generate Private Key</span> openssl genrsa <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$ROUTER_KEY</span><span class="s2">"</span> 4096 <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$ROUTER_KEY</span><span class="s2">"</span> <span class="c"># 2. Create OpenSSL Config (The Requirements from Docs)</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$ROUTER_CNF</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> [req] default_bits = 4096 prompt = no default_md = sha256 distinguished_name = dn req_extensions = v3_req [dn] C=ZA ST=Gauteng L=Johannesburg O=Local CICD Stack CN=artifactory.cicd.local [v3_req] # REQ 1: Key usage extension must be marked CRITICAL # REQ 2: digitalSignature + keyEncipherment must be enabled keyUsage = critical, digitalSignature, keyEncipherment # REQ 3: Extended key usage tlsWebServerAuthentication + tlsWebClientAuthentication extendedKeyUsage = serverAuth, clientAuth basicConstraints = critical, CA:FALSE subjectAltName = @alt_names [alt_names] # REQ 4: SANs must include the subject (CN) DNS.1 = artifactory.cicd.local DNS.2 = localhost IP.1 = 127.0.0.1 </span><span class="no">EOF </span><span class="c"># 3. Generate CSR</span> openssl req <span class="nt">-new</span> <span class="nt">-key</span> <span class="s2">"</span><span class="nv">$ROUTER_KEY</span><span class="s2">"</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$ROUTER_CSR</span><span class="s2">"</span> <span class="nt">-config</span> <span class="s2">"</span><span class="nv">$ROUTER_CNF</span><span class="s2">"</span> <span class="c"># 4. Sign with Root CA</span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$ROUTER_CSR</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-CA</span> <span class="s2">"</span><span class="nv">$CA_CERT</span><span class="s2">"</span> <span class="nt">-CAkey</span> <span class="s2">"</span><span class="nv">$CA_KEY</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$ROUTER_CRT</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-days</span> 365 <span class="se">\</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-extensions</span> v3_req <span class="nt">-extfile</span> <span class="s2">"</span><span class="nv">$ROUTER_CNF</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-passin</span> pass:<span class="nv">$CA_PASSWORD</span> <span class="c"># Cleanup</span> <span class="nb">rm</span> <span class="s2">"</span><span class="nv">$ROUTER_CSR</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$ROUTER_CNF</span><span class="s2">"</span> <span class="nb">chmod </span>644 <span class="s2">"</span><span class="nv">$ROUTER_CRT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Compliant Certificate generated."</span> <span class="c"># --- 5. Trust Staging ---</span> <span class="c"># Docs: "Copy the CA of the custom TLS certificate in etc/security/keys/trusted/"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_CERT</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/keys/trusted/ca.pem"</span> <span class="nb">echo</span> <span class="s2">"Root CA staged."</span> <span class="c"># --- 6. Secret File Generation ---</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_MASTER_KEY</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/master.key"</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/master.key"</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_JOIN_KEY</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/join.key"</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/join.key"</span> <span class="nb">echo</span> <span class="s2">"admin@*=</span><span class="nv">$ARTIFACTORY_ADMIN_PASSWORD</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/access/bootstrap.creds"</span> <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/access/bootstrap.creds"</span> <span class="nb">echo</span> <span class="s2">"Secret files created."</span> <span class="c"># --- 7. Configuration Imports ---</span> <span class="c"># A. Access Config (Enable TLS)</span> <span class="nv">ACCESS_IMPORT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/access/access.config.import.yml"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ACCESS_IMPORT</span><span class="sh">" security: tls: true </span><span class="no">EOF </span><span class="c"># B. Artifactory Config (Base URL)</span> <span class="nv">ART_IMPORT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/artifactory/artifactory.config.import.yml"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$ART_IMPORT</span><span class="sh">" version: 1 GeneralConfiguration: # We point to the HTTPS port 8443 baseUrl: "https://artifactory.cicd.local:8443" OnboardingConfiguration: repoTypes: - maven - gradle - docker - pypi - npm </span><span class="no">EOF </span><span class="c"># --- 8. System Configuration (system.yaml) ---</span> <span class="nb">echo</span> <span class="s2">"--- Phase 5: Generating system.yaml ---"</span> <span class="nv">SYSTEM_YAML</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/system.yaml"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$SYSTEM_YAML</span><span class="sh">" configVersion: 1 shared: # REQ 5: The certificate's subject must match the property shared.node.ip node: ip: artifactory.cicd.local # IPv4 Fix (Still required for Docker stability) extraJavaOpts: "-Djava.net.preferIPv4Stack=true" database: type: postgresql driver: org.postgresql.Driver url: "jdbc:postgresql://postgres.cicd.local:5432/artifactory?sslmode=verify-full&amp;sslrootcert=/var/opt/jfrog/artifactory/etc/security/keys/trusted/ca.pem" username: "artifactory" password: "</span><span class="k">${</span><span class="nv">ARTIFACTORY_DB_PASSWORD</span><span class="k">}</span><span class="sh">" artifactory: tomcat: httpsConnector: enabled: true port: 8443 # We do not specify file paths. We rely on Bootstrap to import them # into the internal keystore. </span><span class="no">EOF </span><span class="nb">echo</span> <span class="s2">"system.yaml generated."</span> <span class="c"># --- 9. Final Permissions ---</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 1030:1030 <span class="s2">"</span><span class="nv">$ARTIFACTORY_BASE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"--- Setup Complete ---"</span> </code></pre> </div> <h3> Deconstructing the Architect </h3> <p><strong>1. The "Strict Compliance" Certificate</strong><br> This section is the solution to the "Go vs. OpenSSL" conflict we identified in the architectural phase.</p> <ul> <li> <strong>The Config:</strong> We create a temporary <code>router.cnf</code> file.</li> <li> <strong><code>keyUsage = critical</code></strong>: This line is non-negotiable. It satisfies the strict RFC 5280 requirement of the Go crypto library.</li> <li> <strong><code>extendedKeyUsage = serverAuth, clientAuth</code></strong>: This handles the dual role of the Router. It serves the browser (<code>serverAuth</code>) and connects to internal services (<code>clientAuth</code>). Without this dual designation, the internal mTLS handshake would fail, and the Router would crash.</li> </ul> <p><strong>2. Fixing "Split Brain" Networking (<code>extraJavaOpts</code>)</strong><br> In the <code>system.yaml</code> generation block, we inject <code>extraJavaOpts: "-Djava.net.preferIPv4Stack=true"</code>.<br> This prevents a common Docker networking issue. The JVM (Tomcat) often attempts to bind to IPv6 (<code>::1</code>) by default, while the Go Router attempts to connect via IPv4 (<code>127.0.0.1</code>). This mismatch causes "Connection Refused" errors on <code>localhost</code>. By forcing the JVM to use the IPv4 stack, we align the internal protocols.</p> <p><strong>3. The "Bootstrap" Pattern (<code>config.import.yml</code>)</strong><br> We use a powerful Artifactory feature called "Configuration Import."<br> Instead of clicking through the "Welcome Wizard" manually, we write our desired state to <code>artifactory.config.import.yml</code> and <code>access.config.import.yml</code>. Artifactory detects these files on boot, ingests the configuration (setting the Base URL to <code>https://artifactory.cicd.local:8443</code>), enables TLS for the Access service, and then deletes the files. This turns the interactive setup process into immutable Infrastructure-as-Code.</p> <p><strong>4. Permission Management (<code>chown 1030</code>)</strong><br> Just as we handled UID 999 for Postgres, we handle <strong>UID 1030</strong> for Artifactory. The container runs as a non-root user. We must ensure that the configuration directories we just created on the host are readable and writable by this specific internal user ID, or the container will crash with a <code>Permission Denied</code> error.</p> <h2> 4.3 The Launcher (<code>05-deploy-artifactory.sh</code>) </h2> <p>With our filesystem prepared and our certificates minted, we are ready to launch the container. This script is the "Construction Crew." It takes the assets prepared by the Architect and brings the application to life.</p> <p>This script also addresses two specific runtime environment challenges: <strong>Version Stability</strong> and the <strong>Proxy Trap</strong>.</p> <p>Create this file at <code>~/cicd_stack/artifactory/05-deploy-artifactory.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 05-deploy-artifactory.sh</span> <span class="c">#</span> <span class="c"># This is the "Construction Crew" script.</span> <span class="c"># It launches the Artifactory container.</span> <span class="c">#</span> <span class="c"># UPDATED:</span> <span class="c"># 1. Version 7.90.15.</span> <span class="c"># 2. Ports 8443 (HTTPS) / 8082 (Router).</span> <span class="c"># 3. Bootstrap Mount Enabled.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">HOST_CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ARTIFACTORY_BASE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOST_CICD_ROOT</span><span class="s2">/artifactory"</span> <span class="nv">VAR_ETC</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ARTIFACTORY_BASE</span><span class="s2">/var/etc"</span> <span class="nv">VAR_BOOTSTRAP</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ARTIFACTORY_BASE</span><span class="s2">/var/bootstrap"</span> <span class="nv">SYSTEM_YAML</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/system.yaml"</span> <span class="nv">MASTER_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/master.key"</span> <span class="nv">JOIN_KEY</span><span class="o">=</span><span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">/security/join.key"</span> <span class="nb">echo</span> <span class="s2">"Starting Artifactory Deployment..."</span> <span class="c"># --- 2. Prerequisite Checks ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SYSTEM_YAML</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: system.yaml not found. Run 04-setup-artifactory.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: master.key not found. Run 04-setup-artifactory.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$JOIN_KEY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: join.key not found. Run 04-setup-artifactory.sh first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 3. Clean Slate Protocol ---</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>artifactory<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'artifactory' container..."</span> docker stop artifactory <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>artifactory<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'artifactory' container..."</span> docker <span class="nb">rm </span>artifactory <span class="k">fi</span> <span class="c"># --- 4. Launch Container ---</span> <span class="nb">echo</span> <span class="s2">"Launching Artifactory OSS container (v7.90.15)..."</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> artifactory <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--hostname</span> artifactory.cicd.local <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:8443:8443 <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:8082:8082 <span class="se">\</span> <span class="nt">--env</span> <span class="nv">no_proxy</span><span class="o">=</span><span class="s2">"localhost,127.0.0.1,postgres.cicd.local,artifactory.cicd.local"</span> <span class="se">\</span> <span class="nt">--env</span> <span class="nv">NO_PROXY</span><span class="o">=</span><span class="s2">"localhost,127.0.0.1,postgres.cicd.local,artifactory.cicd.local"</span> <span class="se">\</span> <span class="nt">--volume</span> artifactory-data:/var/opt/jfrog/artifactory <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$VAR_ETC</span><span class="s2">"</span>:/var/opt/jfrog/artifactory/etc <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$VAR_BOOTSTRAP</span><span class="s2">"</span>:/var/opt/jfrog/artifactory/bootstrap <span class="se">\</span> releases-docker.jfrog.io/jfrog/artifactory-oss:7.90.15 <span class="nb">echo</span> <span class="s2">"Artifactory container started."</span> <span class="nb">echo</span> <span class="s2">" This is a heavy Java application."</span> <span class="nb">echo</span> <span class="s2">" It will take 1-2 minutes to initialize."</span> <span class="nb">echo</span> <span class="s2">" Monitor logs with: docker logs -f artifactory"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Wait for: 'Router (jfrou) ... Listening on port: 8082'"</span> <span class="nb">echo</span> <span class="s2">" Then access: https://artifactory.cicd.local:8443"</span> </code></pre> </div> <h3> Deconstructing the Launcher </h3> <p><strong>1. Version Pinning (<code>7.90.15</code>)</strong><br> We are explicitly pinning the image to version <code>7.90.15</code>. In the world of Enterprise Java applications, "latest" is a dangerous tag. We discovered during development that newer versions (v7.90.20+) introduced a race condition where the Frontend (<code>jffe</code>) service would crash before the Router was fully initialized, sending the container into a boot loop. By pinning to a known-good version, we ensure stability.</p> <p><strong>2. The "Proxy Trap" (<code>no_proxy</code>)</strong><br> This is a critical fix for corporate or complex network environments.<br> If your host machine defines <code>HTTP_PROXY</code> variables (common in office environments), Docker containers inherit them by default. This creates a routing disaster: when the internal Router tries to talk to the internal Metadata service on <code>localhost:8081</code>, the Go HTTP client sees the proxy variable and attempts to route that request <em>out</em> to the corporate proxy server. The proxy server, having no idea what "localhost" inside your container refers to, rejects the connection.<br> By injecting <code>no_proxy="localhost,127.0.0.1,..."</code>, we explicitly tell the internal services to bypass the proxy and communicate directly for local addresses.</p> <p><strong>3. The Hybrid Mounts</strong><br> We mount our three persistence layers:</p> <ul> <li> <code>artifactory-data</code>: The Docker volume for the massive binary blobs.</li> <li> <code>etc</code>: The host directory containing our keys and <code>system.yaml</code>.</li> <li> <code>bootstrap</code>: The host directory containing our certificates and config import files. This structure allows us to "seed" the configuration from the host while keeping the heavy data storage managed by Docker.</li> </ul> <h2> 4.4 Verification (<code>06-verify-artifactory.py</code>) </h2> <p>With the container running, we need to verify that the internal "City" is actually functioning. Because Artifactory is a mesh of microservices, a simple "container running" status is insufficient. The container might be up, but the Router could be failing to talk to the Metadata service, or the Database connection might be hanging.</p> <p>We will use a Python script to perform a "pulse check" on the system. This script hits specific health endpoints that aggregate the status of the internal components. It also attempts to verify our administrative access, though we expect that part to skip until we perform our manual UI setup in the next chapter.</p> <p>Create this file at <code>~/Documents/FromFirstPrinciples/articles/0009_cicd_part05_artifactory/06-verify-artifactory.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">urllib.error</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">ENV_FILE_PATH</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">BASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://artifactory.cicd.local:8082</span><span class="sh">"</span> <span class="c1"># Endpoints </span><span class="n">HEALTH_ENDPOINT</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/router/api/v1/system/health</span><span class="sh">"</span> <span class="n">PING_ENDPOINT</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/artifactory/api/system/ping</span><span class="sh">"</span> <span class="c1"># We use the endpoint you confirmed works with your token </span><span class="n">TOKEN_LIST_ENDPOINT</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/access/api/v1/tokens</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">env_path</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">env_path</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] Configuration error: </span><span class="si">{</span><span class="n">env_path</span><span class="si">}</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">env_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()]</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">get_ssl_context</span><span class="p">():</span> <span class="c1"># Trusts the system CA store (where our Root CA lives) </span> <span class="k">return</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">()</span> <span class="k">def</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">response</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Helper to print the full error body for debugging</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> [SERVER RESPONSE]: </span><span class="si">{</span><span class="n">body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> [SERVER RESPONSE]: (Could not decode body)</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">check_health</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- Test 1: Router Health (Unauthenticated) ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">GET </span><span class="si">{</span><span class="n">HEALTH_ENDPOINT</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">get_ssl_context</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">HEALTH_ENDPOINT</span><span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">ctx</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="n">state</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">router</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">UNKNOWN</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[PASS] Status: 200 OK</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Router State: </span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] Status: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] HTTP </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">check_ping</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- Test 2: System Ping (Unauthenticated) ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">GET </span><span class="si">{</span><span class="n">PING_ENDPOINT</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">get_ssl_context</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">PING_ENDPOINT</span><span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">ctx</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span> <span class="ow">and</span> <span class="n">body</span> <span class="o">==</span> <span class="sh">"</span><span class="s">OK</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[PASS] Status: 200 OK</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Response: </span><span class="si">{</span><span class="n">body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] Unexpected response: </span><span class="si">{</span><span class="n">body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] HTTP </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">check_admin_token</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- Test 3: Admin Token Verification ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">GET </span><span class="si">{</span><span class="n">TOKEN_LIST_ENDPOINT</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">ARTIFACTORY_ADMIN_TOKEN</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[SKIP] ARTIFACTORY_ADMIN_TOKEN not found in cicd.env</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="c1"># We use the Bearer header as confirmed by the search AI </span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">get_ssl_context</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">TOKEN_LIST_ENDPOINT</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">ctx</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="n">tokens</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">tokens</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[PASS] Status: 200 OK</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Admin Access Confirmed.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Visible Tokens: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">tokens</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">tokens</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> First Token ID: </span><span class="si">{</span><span class="n">tokens</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">token_id</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] Status: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] HTTP </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">code</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print_response_error</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">code</span> <span class="o">==</span> <span class="mi">403</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> (Token is valid but lacks permission to list tokens)</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">code</span> <span class="o">==</span> <span class="mi">401</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> (Token is invalid or expired)</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">ENV_FILE_PATH</span><span class="p">):</span> <span class="nf">check_health</span><span class="p">()</span> <span class="nf">check_ping</span><span class="p">()</span> <span class="nf">check_admin_token</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- Verification Complete ---</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Running the Verification </h3> <p>Unlike the database audit, we can run this script directly from the <strong>Host</strong>, provided you have Python 3 installed. We want to prove that our host machine—which will act as the developer workstation—can trust the Artifactory SSL certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the Host Machine</span> <span class="nb">cd</span> ~/Documents/FromFirstPrinciples/articles/0009_cicd_part05_artifactory <span class="nb">chmod</span> +x 06-verify-artifactory.py ./06-verify-artifactory.py </code></pre> </div> <p>You should see <code>[PASS]</code> for the Router Health and System Ping. The Admin Token verification will currently <code>[SKIP]</code>. This is expected; we have the infrastructure running, but we haven't yet logged in to generate the keys for the castle. We will handle that next.</p> <h1> Chapter 5: UI Configuration - Opening the Warehouse </h1> <h2> 5.1 First Login &amp; The "Wizard Bypass" </h2> <p>The infrastructure is live. We have a running database, a secure microservice mesh, and a listening web server. Now, we verify the user experience.</p> <p>Open your browser on your host machine and navigate to:</p> <p><strong><code>https://artifactory.cicd.local:8443</code></strong></p> <p>Because we meticulously established our Public Key Infrastructure in Article 2 and imported the Root CA into our host's trust store, the page should load immediately with a secure lock icon. There are no "Your connection is not private" warnings to click through.</p> <p>You will be greeted by the JFrog login screen. To log in, use the credentials we generated in our <code>01-setup-database.sh</code> script.</p> <ul> <li> <strong>Username:</strong> <code>admin</code> </li> <li> <strong>Password:</strong> Open your <code>~/cicd_stack/cicd.env</code> file and copy the value of <code>ARTIFACTORY_ADMIN_PASSWORD</code>.</li> </ul> <h3> The "Wizard Bypass" </h3> <p>Upon logging in, you might expect to see a "Welcome Wizard" asking you to accept terms, set a Base URL, and create default repositories.</p> <p>You will not see this. You will be taken directly to the main dashboard.</p> <p>This is the payoff for the <code>artifactory.config.import.yml</code> file we injected during the setup phase. By defining our desired state (Base URL and Repository Types) in code and bootstrapping it into the container, we have effectively "skipped" the manual onboarding process. This is a critical pattern for "Infrastructure as Code"—we treat the application configuration just like the server configuration.</p> <p>To verify this, navigate to <strong>Administration</strong> (on the top menu) -&gt; <strong>General Management</strong> -&gt; <strong>Settings</strong>. You will see that the <strong>Custom Base URL</strong> is already correctly set to <code>https://artifactory.cicd.local:8443</code>.</p> <h2> 5.2 Creating the Admin Token (The Integration Key) </h2> <p>Now that we are logged in, we need to generate the credentials that Jenkins will use. We cannot simply give Jenkins our admin password. Modern CI/CD best practices dictate the use of <strong>Access Tokens</strong>, which provide better auditability and can be revoked without changing the root password.</p> <p>Specifically, we need a <strong>Global Admin Token</strong>. As we discovered in our research, Artifactory 7.x distinguishes between "Project Admin" tokens (which are sandboxed to specific projects) and "Global" tokens. Since Jenkins acts as the orchestrator for our entire city—publishing global Build Info metadata and interacting with the system APIs—it requires an Admin-scoped token.</p> <p>Here is the procedure to generate the correct token:</p> <ol> <li> Navigate to <strong>Administration</strong> (top menu) -&gt; <strong>User Management</strong> -&gt; <strong>Access Tokens</strong>.</li> <li> Click the <strong>"Generate Token"</strong> button.</li> <li> <strong>Token Type:</strong> Select <strong>"Scoped Token"</strong>.</li> <li> <strong>Token Scope:</strong> Select <strong>"Admin"</strong>. This ensures the token inherits the full administrative power required for global operations.</li> <li> <strong>User Name:</strong> Enter <code>admin</code>.</li> <li> <strong>Service:</strong> Click the <strong>"All"</strong> checkbox. (Note: In the OSS version, "Artifactory" is likely the only service listed, but checking "All" ensures forward compatibility).</li> <li> <strong>Expiration Time:</strong> Set to <strong>"Never"</strong> for the purpose of this lab. In a production environment, you would set a rotation policy here.</li> <li> Click <strong>"Generate"</strong>.</li> </ol> <p>You will be presented with a <code>Reference Token</code> (a short string) and an <code>Access Token</code> (a very long JWT string). <strong>Copy the long Access Token immediately.</strong> You will not be able to see it again once you close this window.</p> <h3> Updating the Secrets File </h3> <p>We must now save this token to our master secrets file so our automation scripts can use it.</p> <p>On your host machine, open <code>~/cicd_stack/cicd.env</code> and add the following line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ARTIFACTORY_ADMIN_TOKEN</span><span class="o">=</span><span class="s2">"&lt;paste_your_long_token_here&gt;"</span> </code></pre> </div> <p>This token is the "Key to the Warehouse." It will allow our <code>07-update-jenkins.sh</code> script to securely inject credentials into the Jenkins container in the next chapter.</p> <h2> 5.3 Creating the Repository (<code>generic-local</code>) </h2> <p>With our admin token secured, we need to prepare the "Landing Zone" for our artifacts.</p> <p>Recall that in our <code>artifactory.config.import.yml</code> bootstrap file, we defined several default repository types (<code>maven</code>, <code>gradle</code>, <code>docker</code>, <code>npm</code>). However, we intentionally omitted the <strong>Generic</strong> type. This highlights a key architectural distinction: while package-specific repositories (like Maven) come with complex indexing and metadata rules, a Generic repository is essentially a smart file system.</p> <p>Because we didn't bootstrap it, we must create it manually. This will be the destination for our C++ SDKs, Rust Crates, and Python Wheels.</p> <ol> <li> Navigate to <strong>Administration</strong> -&gt; <strong>Repositories</strong>.</li> <li> Click the <strong>"Create Repository"</strong> button in the top right.</li> <li> Select <strong>"Local"</strong>. We want a repository that stores files on our own disk (in the PostgreSQL metadata / Docker Volume blob store), not a proxy to a remote URL.</li> <li> Select <strong>"Generic"</strong> as the package type.</li> <li> <strong>Repository Key:</strong> Enter <code>generic-local</code>.</li> <li> Click <strong>"Create Local Repository"</strong>.</li> </ol> <p>We now have an empty storage bucket. Unlike the "Filing Cabinet" (Git), this "Warehouse" doesn't care about diffs or merge conflicts. It simply accepts binary blobs and stores them forever.</p> <h3> A Note on Layouts </h3> <p>By default, a Generic repository treats paths literally. When we configure our pipeline later to upload to <code>http-client/16/</code>, Artifactory will simply create a folder named <code>http-client</code> and a subfolder named <code>16</code>.</p> <p>It is important to understand that Artifactory does not automatically know that "16" is a version number. In a more advanced setup, we would apply a <strong>Custom Repository Layout</strong> (using Regex) to teach Artifactory how to parse our folder structure (e.g., <code>[org]/[module]/[baseRev]</code>). For our current needs, the physical folder structure is sufficient organization.</p> <h2> 5.4 The "Set Me Up" Experience (Developer Productivity) </h2> <p>Before we leave the UI, we should verify that our repository is accessible to developers. One of the primary benefits of using an Artifact Manager over a simple file server is the <strong>Developer Experience (DX)</strong>.</p> <p>In the <strong>Application</strong> module (top menu), navigate to <strong>Artifactory</strong> -&gt; <strong>Artifacts</strong>. Select your new <code>generic-local</code> repository in the tree view.</p> <p>Click the <strong>"Set Me Up"</strong> button in the top right corner.</p> <p>Artifactory will dynamically generate the exact commands a developer needs to interact with this repository. Because we correctly configured our Base URL (<code>https://artifactory.cicd.local:8443</code>) and our SSL certificates, the command provided will be production-ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-uadmin</span>:&lt;TOKEN&gt; <span class="nt">-T</span> &lt;PATH_TO_FILE&gt; <span class="s2">"https://artifactory.cicd.local:8443/artifactory/generic-local/&lt;TARGET_FILE_PATH&gt;"</span> </code></pre> </div> <p>This validates our entire networking stack. It confirms that:</p> <ol> <li> The system knows its own external DNS name (<code>artifactory.cicd.local</code>).</li> <li> It knows it is serving HTTPS on port 8443.</li> <li> It is ready to accept uploads.</li> </ol> <p>This is the "Warehouse" equivalent of a loading dock with clear signage. We don't force developers to guess the URL structure; we provide it.</p> <h1> Chapter 6: Action Plan (Part 3) - The Integrator </h1> <p>We have a fully functional Factory (Jenkins) and a fully functional Warehouse (Artifactory). Currently, however, they are completely unaware of each other. To complete our supply chain, we need to introduce them.</p> <p>This integration requires two distinct operations:</p> <ol> <li> <strong>Authentication:</strong> Jenkins needs the "Keys to the Warehouse" (the Admin Token we just generated).</li> <li> <strong>Configuration:</strong> Jenkins needs to know the address of the Warehouse (<code>artifactory.cicd.local</code>) and be configured to use the Artifactory Plugin.</li> </ol> <p>We will automate this process using a new script, <code>07-update-jenkins.sh</code>. However, before we write the code, we must navigate a specific Docker behavior that trips up many DevOps engineers during day-two operations.</p> <h2> 6.1 The "Stale Env" Trap </h2> <p>Our first task is to get the <code>ARTIFACTORY_ADMIN_TOKEN</code> from our host's master secrets file (<code>cicd.env</code>) into the Jenkins container.</p> <p>In Article 4, we established a "Scoped Environment" pattern. We created a specific file, <code>jenkins.env</code>, which is passed to the container using the <code>--env-file</code> flag. The logical assumption is that if we append a new variable to <code>jenkins.env</code> and restart the container, Jenkins will see it.</p> <p>This assumption is false.</p> <p>Docker containers are immutable snapshots. When you run <code>docker run</code>, the Docker daemon reads the <code>--env-file</code>, resolves the variables, and <strong>bakes them into the container's configuration</strong>. The link to the file on the host is severed immediately after creation.</p> <p>If you run <code>docker stop jenkins-controller</code> and then <code>docker start jenkins-controller</code>, Docker simply reloads the <em>original</em> configuration snapshot. It does <strong>not</strong> re-read the file on the host. The container will come back up, but it will still have the "Stale Environment" from when it was first built, effectively ignoring our new token.</p> <p>To solve this, we cannot use a simple restart. We must destroy the container (<code>docker rm</code>) and recreate it (<code>docker run</code>). This forces the daemon to read the modified <code>jenkins.env</code> file and generate a new configuration snapshot. Our integration script will handle this by triggering the <code>03-deploy-controller.sh</code> script we wrote in the previous article, ensuring a clean environment reload.</p> <h2> 6.2 The "JCasC Schema" Nightmare </h2> <p>With the credentials ready to be injected, we face our second integration hurdle: configuring the Jenkins plugin itself.</p> <p>In a standard "Configuration as Code" setup, you would typically find the plugin's YAML schema by looking at the documentation or exporting the current configuration. If you search online for "Jenkins Artifactory JCasC example," 99% of the results—including official JFrog examples from just a year ago—will tell you to use a block named <code>artifactoryServers</code>.</p> <p>If you try to use that block with the modern plugin (version 4.x+), Jenkins will crash on startup.</p> <p>This is due to a massive, undocumented architectural shift. The newer Jenkins Artifactory Plugin is no longer a standalone integration; it has been re-architected as a wrapper around the JFrog CLI. This change silently broke the JCasC schema. The configuration key <code>artifactoryServers</code> was removed and replaced with <code>jfrogInstances</code>.</p> <p>To make matters worse, the internal structure changed as well. Simple fields like <code>credentialsId</code> were moved inside nested objects like <code>deployerCredentialsConfig</code> and <code>resolverCredentialsConfig</code>.</p> <p>We discovered this only by reverse-engineering the error logs during our build process. The plugin threw an <code>UnknownAttributesException</code>, listing <code>jfrogInstances</code> as a valid attribute. This validates a core DevOps principle: <strong>Never trust the documentation blindly; trust the error logs.</strong> We must construct our configuration to match this new, strict schema, or the "Foreman" will never be able to talk to the "Warehouse."</p> <h2> 6.3 Structured Data vs. Text Hacking (The Python Helper) </h2> <p>To inject this complex <code>jfrogInstances</code> configuration block into our existing <code>jenkins.yaml</code>, we have a choice of tools.</p> <p>The "quick and dirty" approach would be to use <code>sed</code> or <code>cat</code> to append text to the end of the file. This is <strong>Text Hacking</strong>. It is fragile, dangerous, and unprofessional. YAML relies on strict indentation. A single misplaced space in a <code>sed</code> command can break the entire Jenkins configuration, causing the controller to fail on boot. Furthermore, <code>sed</code> has no concept of structure; it cannot check if the configuration already exists, leading to duplicate entries if the script runs twice.</p> <p>The "First Principles" approach is <strong>Structured Data Manipulation</strong>. We treat the YAML file as a data object, not a text stream.</p> <p>We will write a Python helper script, <code>update_jcasc.py</code>. This script uses the <code>PyYAML</code> library to:</p> <ol> <li> <strong>Parse</strong> the existing <code>jenkins.yaml</code> into a Python dictionary.</li> <li> <strong>Check</strong> if the Artifactory configuration already exists (Idempotency).</li> <li> <strong>Inject</strong> the new <code>jfrogInstances</code> block with the correct indentation and structure.</li> <li> <strong>Dump</strong> the valid YAML back to disk.</li> </ol> <p>Create this file at <code>~/cicd_stack/jenkins/config/update_jcasc.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">yaml</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># Path to the JCasC file </span><span class="n">JCAS_FILE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">expanduser</span><span class="p">(</span><span class="sh">"</span><span class="s">~/cicd_stack/jenkins/config/jenkins.yaml</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_jcasc</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[INFO] Reading JCasC file: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">jcasc</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileNotFoundError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] File not found: </span><span class="si">{</span><span class="n">JCAS_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 1. Add Artifactory Credentials </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Injecting Artifactory credentials block...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]}]}}</span> <span class="n">artifactory_cred</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">usernamePassword</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">GLOBAL</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Artifactory Admin Token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${JENKINS_ARTIFACTORY_USERNAME}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${JENKINS_ARTIFACTORY_PASSWORD}</span><span class="sh">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Navigate to credentials list safely </span> <span class="k">if</span> <span class="sh">'</span><span class="s">system</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]}]}</span> <span class="n">domain_creds</span> <span class="o">=</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">system</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">domainCredentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">domain_creds</span><span class="p">:</span> <span class="n">domain_creds</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">:</span> <span class="p">[]})</span> <span class="n">creds_list</span> <span class="o">=</span> <span class="n">domain_creds</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">creds_list</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">creds_list</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">domain_creds</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">creds_list</span> <span class="c1"># Check existence (Idempotency) </span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">cred</span> <span class="ow">in</span> <span class="n">creds_list</span><span class="p">:</span> <span class="k">if</span> <span class="sh">'</span><span class="s">usernamePassword</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">cred</span> <span class="ow">and</span> <span class="n">cred</span><span class="p">[</span><span class="sh">'</span><span class="s">usernamePassword</span><span class="sh">'</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span><span class="p">:</span> <span class="n">exists</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">exists</span><span class="p">:</span> <span class="n">creds_list</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">artifactory_cred</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Credential </span><span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span><span class="s"> added.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Credential </span><span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span><span class="s"> already exists. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Add Artifactory Server Configuration (Updated Schema) </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Injecting Artifactory Server configuration (v4+ Schema)...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">jcasc</span><span class="p">:</span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># The v4+ Schema: 'jfrogInstances' instead of 'artifactoryServers' </span> <span class="n">jcasc</span><span class="p">[</span><span class="sh">'</span><span class="s">unclassified</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">artifactoryBuilder</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">useCredentialsPlugin</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">jfrogInstances</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span> <span class="sh">'</span><span class="s">instanceId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">artifactory</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">url</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${JENKINS_ARTIFACTORY_URL}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">artifactoryUrl</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">${JENKINS_ARTIFACTORY_URL}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">deployerCredentialsConfig</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">credentialsId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span> <span class="p">},</span> <span class="sh">'</span><span class="s">resolverCredentialsConfig</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">credentialsId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">artifactory-creds</span><span class="sh">'</span> <span class="p">},</span> <span class="sh">'</span><span class="s">bypassProxy</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">connectionRetry</span><span class="sh">'</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="sh">'</span><span class="s">timeout</span><span class="sh">'</span><span class="p">:</span> <span class="mi">300</span> <span class="p">}]</span> <span class="p">}</span> <span class="c1"># 3. Write back to file </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Writing updated JCasC file...</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">JCAS_FILE</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">dump</span><span class="p">(</span><span class="n">jcasc</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">default_flow_style</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">sort_keys</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] JCasC update complete.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">update_jcasc</span><span class="p">()</span> </code></pre> </div> <h3> Deconstructing the Helper </h3> <ul> <li> <strong>The Schema Logic:</strong> Notice the structure under <code>artifactoryBuilder</code>. We define <code>jfrogInstances</code> (plural) as a list containing our single server. We use <code>${JENKINS_ARTIFACTORY_URL}</code> as a placeholder, which Jenkins will resolve at runtime from the environment variables we are about to inject.</li> <li> <strong><code>bypassProxy: True</code>:</strong> This is a critical networking setting for our architecture. If your host machine uses a corporate proxy, Jenkins might try to route requests for <code>artifactory.cicd.local</code> through that external proxy, causing a connection failure. This flag forces Jenkins to treat Artifactory as an internal, direct-access service.</li> <li> <strong>Idempotency:</strong> The script checks <code>if not exists</code> before appending the credential. This allows us to run the integration script multiple times without corrupting the file with duplicate entries.</li> </ul> <h2> 6.4 The Integrator Script (<code>07-update-jenkins.sh</code>) </h2> <p>We now have all the components required for integration: the Admin Token in <code>cicd.env</code>, the Python helper to patch the YAML, and the understanding that we must recreate the container to apply these changes.</p> <p>This script is the conductor. It orchestrates the entire update process in a specific order to ensure a clean state transition.</p> <p>Create this file at <code>~/cicd_stack/artifactory/07-update-jenkins.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 07-update-jenkins.sh</span> <span class="c">#</span> <span class="c"># This script integrates Jenkins with Artifactory.</span> <span class="c">#</span> <span class="c"># 1. Prereqs: Installs python3-yaml on host.</span> <span class="c"># 2. Secrets: Injects Artifactory secrets into jenkins.env.</span> <span class="c"># 3. JCasC: Updates jenkins.yaml with Artifactory config.</span> <span class="c"># 4. Apply: Re-deploys Jenkins (Recreate Container).</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># --- Paths ---</span> <span class="nv">CICD_ROOT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="c"># The module where we defined the Jenkins deployment scripts</span> <span class="nv">JENKINS_MODULE_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/Documents/FromFirstPrinciples/articles/0008_cicd_part04_jenkins"</span> <span class="nv">JENKINS_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/jenkins.env"</span> <span class="nv">DEPLOY_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">/03-deploy-controller.sh"</span> <span class="c"># Path to the Python helper</span> <span class="nv">PY_HELPER</span><span class="o">=</span><span class="s2">"update_jcasc.py"</span> <span class="c"># Path to master secrets</span> <span class="nv">MASTER_ENV</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_ROOT</span><span class="s2">/cicd.env"</span> <span class="nb">echo</span> <span class="s2">"[INFO] Starting Jenkins &lt;-&gt; Artifactory Integration..."</span> <span class="c"># --- 1. Prerequisites ---</span> <span class="nb">echo</span> <span class="s2">"[INFO] Checking for Python YAML library..."</span> <span class="k">if</span> <span class="o">!</span> python3 <span class="nt">-c</span> <span class="s2">"import yaml"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[WARN] python3-yaml not found. Installing..."</span> <span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> python3-yaml python3-dotenv <span class="k">else </span><span class="nb">echo</span> <span class="s2">"[INFO] python3-yaml is already installed."</span> <span class="k">fi</span> <span class="c"># --- 2. Secret Injection ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Master environment file not found: </span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Load ARTIFACTORY_ADMIN_TOKEN</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$ARTIFACTORY_ADMIN_TOKEN</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] ARTIFACTORY_ADMIN_TOKEN not found in cicd.env."</span> <span class="nb">echo</span> <span class="s2">" Please ensure you have completed Module 05 setup."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Jenkins env file not found at: </span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"[INFO] Injecting Artifactory secrets into jenkins.env..."</span> <span class="c"># Append secrets only if they don't exist</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"JENKINS_ARTIFACTORY_URL"</span> <span class="s2">"</span><span class="nv">$JENKINS_ENV_FILE</span><span class="s2">"</span> <span class="o">||</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt;&gt; "</span><span class="nv">$JENKINS_ENV_FILE</span><span class="sh">" # --- Artifactory Integration --- JENKINS_ARTIFACTORY_URL=https://artifactory.cicd.local:8082/artifactory JENKINS_ARTIFACTORY_USERNAME=admin JENKINS_ARTIFACTORY_PASSWORD=</span><span class="nv">$ARTIFACTORY_ADMIN_TOKEN</span><span class="sh"> </span><span class="no">EOF </span><span class="nb">echo</span> <span class="s2">"[INFO] Secrets injected."</span> <span class="c"># --- 3. Update JCasC ---</span> <span class="nb">echo</span> <span class="s2">"[INFO] Updating JCasC configuration..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Python helper script not found at </span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Please create the update_jcasc.py script first."</span> <span class="nb">exit </span>1 <span class="k">fi </span>python3 <span class="s2">"</span><span class="nv">$PY_HELPER</span><span class="s2">"</span> <span class="c"># --- 4. Re-Deploy Jenkins ---</span> <span class="nb">echo</span> <span class="s2">"[INFO] Triggering Jenkins Re-deployment (Container Recreate)..."</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[ERROR] Deploy script not found or not executable: </span><span class="nv">$DEPLOY_SCRIPT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Execute the deploy script from its own directory context</span> <span class="o">(</span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$JENKINS_MODULE_DIR</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> ./03-deploy-controller.sh<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"[SUCCESS] Integration update complete."</span> <span class="nb">echo</span> <span class="s2">"[INFO] Jenkins is restarting. Wait for initialization."</span> </code></pre> </div> <h3> Deconstructing the Integrator </h3> <p><strong>1. Prerequisites (The "Python Capability"):</strong><br> We cannot assume the host machine has the necessary libraries to run our helper script. The script checks for <code>python3-yaml</code> and installs it via <code>apt</code> if missing. This ensures our automation doesn't crash due to missing dependencies.</p> <p><strong>2. Secret Injection (Bridging the Gap):</strong><br> This block acts as the bridge between the two articles. It reads the <code>ARTIFACTORY_ADMIN_TOKEN</code> from the central <code>cicd.env</code> (created in this article) and appends it to the <code>jenkins.env</code> (created in the previous article).<br> Notice the variable mapping:</p> <ul> <li> <code>JENKINS_ARTIFACTORY_PASSWORD</code> is populated with the value of <code>ARTIFACTORY_ADMIN_TOKEN</code>. This cleanly injects the secret into the Jenkins container's scope without exposing it in the Docker command history.</li> </ul> <p><strong>3. The "Re-Deploy" (Solving the Stale Env):</strong><br> This is the critical fix for the "Stale Env" trap. Instead of running <code>docker restart</code>, the script changes directory (<code>cd</code>) to the Jenkins module and executes <code>./03-deploy-controller.sh</code>. This effectively stops, removes, and recreates the container using the <em>newly modified</em> <code>jenkins.env</code> file, ensuring the new token is actually loaded into the environment.</p> <h2> 6.5 Verification </h2> <p>Run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x 07-update-jenkins.sh ./07-update-jenkins.sh </code></pre> </div> <p>Watch the logs. The Jenkins controller will restart. Once it is back online (approx. 2 minutes), perform the final verification:</p> <ol> <li> Log in to Jenkins at <code>https://jenkins.cicd.local:10400</code>.</li> <li> Navigate to <strong>Manage Jenkins</strong> -&gt; <strong>System</strong>.</li> <li> Scroll down to the <strong>JFrog</strong> (or Artifactory) section.</li> <li> You will see the "artifactory" server configuration pre-filled.</li> <li> Click <strong>Test Connection</strong>.</li> </ol> <p>You should see the message: <strong>"Found JFrog Artifactory 7.90.15 at <a href="https://www.google.com/search?q=https://artifactory.cicd.local:8082/artifactory" rel="noopener noreferrer">https://artifactory.cicd.local:8082/artifactory</a>"</strong>.</p> <p>This single green message confirms everything:</p> <ul> <li> <strong>DNS Resolution:</strong> Jenkins found <code>artifactory.cicd.local</code>.</li> <li> <strong>SSL Trust:</strong> The JVM trusted the certificate.</li> <li> <strong>Authentication:</strong> The injected Admin Token worked.</li> <li> <strong>Plugin Logic:</strong> The <code>jfrogInstances</code> JCasC schema was parsed correctly.</li> </ul> <p>The "Factory" and the "Warehouse" are now connected.</p> <h1> Chapter 7: Packaging Theory - From "Binaries" to "Products" </h1> <h2> 7.1 The Concept: A Binary is Not a Product </h2> <p>We have connected our Factory to our Warehouse. We have a secure pipe ready to transport goods. But before we turn on the conveyor belt, we must ask a fundamental question: <em>what exactly are we shipping?</em></p> <p>In our current V1 pipeline, our build script produces <strong>Raw Binaries</strong>: <code>libhttpc.so</code> and <code>libhttpcpp.so</code>.</p> <p>This leads to the <strong>"Raw Binary" Trap</strong>. A shared library file is useless on its own. If a developer downloads <code>libhttpc.so</code> from Artifactory, they cannot use it. They are missing the "Contract"—the C header files (<code>.h</code>) that define the API. Without the headers, the binary is a black box. Furthermore, they don't know if it was built for Debug or Release, or what dependencies it requires.</p> <p>To run a professional software supply chain, we must stop thinking in terms of <em>compiling binaries</em> and start thinking in terms of <strong>packaging products</strong>.</p> <p>We are building <strong>Software Development Kits (SDKs)</strong> and <strong>Packages</strong>. A "Product" is a self-contained, versioned, and consumable archive that a downstream developer can ingest without knowing or caring about how it was built.</p> <p>For our polyglot Hero Project, this means we need to produce three distinct, standardized formats:</p> <ol> <li> <strong>C &amp; C++:</strong> An <strong>SDK Archive</strong> (<code>.tar.gz</code>) containing both the "Implementation" (<code>lib/</code>) and the "Interface" (<code>include/</code>).</li> <li> <strong>Rust:</strong> A <strong>Standard Crate</strong> (<code>.crate</code>) containing source code and metadata, ready for the Rust ecosystem.</li> <li> <strong>Python:</strong> A <strong>Binary Wheel</strong> (<code>.whl</code>) containing pre-compiled bindings and metadata, ready for <code>pip</code>.</li> </ol> <p>We will now update our build systems to generate these packages natively.</p> <h2> 7.2 The C/C++ Strategy: The "SDK" Archive </h2> <p>For our C and C++ artifacts, we will use <strong>CPack</strong>. CPack is bundled with CMake and is the industry standard for creating distribution packages.</p> <p>Instead of writing a fragile shell script in Jenkins to <code>cp</code> files into a temporary directory and <code>tar</code> them up, we define "Install Rules" directly in our <code>CMakeLists.txt</code>. This pushes the packaging logic down into the build system where it belongs, making it portable and reproducible on any machine (developer workstation or CI agent).</p> <p>We need to modify <code>0004_std_lib_http_client/CMakeLists.txt</code> in two places.</p> <p><strong>1. The GoogleTest Fix (The "Pollution" Trap)</strong><br> During our initial packaging tests, we discovered that CPack was bundling <code>libgtest.a</code> and <code>libgmock.a</code> into our SDK. This is because GoogleTest defines its own install rules, and CPack grabs <em>everything</em>. We must explicitly disable this to keep our SDK clean.</p> <p>Locate the <code>FetchContent</code> block for GoogleTest and inject the <code>INSTALL_GTEST OFF</code> setting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cmake"><code><span class="nf">FetchContent_Declare</span><span class="p">(</span> googletest GIT_REPOSITORY https://github.com/google/googletest.git GIT_TAG v1.17.0 <span class="p">)</span> <span class="c1"># --- FIX: Disable GTest Installation ---</span> <span class="c1"># Prevents test libraries from polluting our SDK package</span> <span class="nb">set</span><span class="p">(</span>INSTALL_GTEST OFF CACHE BOOL <span class="s2">""</span> FORCE<span class="p">)</span> <span class="nb">set</span><span class="p">(</span>gtest_force_shared_crt ON CACHE BOOL <span class="s2">""</span> FORCE<span class="p">)</span> <span class="nf">FetchContent_MakeAvailable</span><span class="p">(</span>googletest<span class="p">)</span> </code></pre> </div> <p><strong>2. The Packaging Logic</strong><br> Append the following block to the very end of your <code>CMakeLists.txt</code>. This defines the layout of our SDK: headers go to <code>include/</code>, and binaries go to <code>lib/</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cmake"><code><span class="c1"># --- Packaging Configuration (CPack) ---</span> <span class="c1"># 1. Define Install Rules</span> <span class="c1"># These tell CMake what files belong in the final package.</span> <span class="c1"># Install the compiled Shared Libraries (.so) into a 'lib/' folder</span> <span class="nb">install</span><span class="p">(</span>TARGETS httpc_lib httpcpp_lib LIBRARY DESTINATION lib ARCHIVE DESTINATION lib RUNTIME DESTINATION bin <span class="p">)</span> <span class="c1"># Install the Public Headers into an 'include/' folder</span> <span class="nb">install</span><span class="p">(</span>DIRECTORY include/ DESTINATION include<span class="p">)</span> <span class="c1"># 2. Configure the Package Metadata</span> <span class="nb">set</span><span class="p">(</span>CPACK_PACKAGE_NAME <span class="s2">"http-client-cpp-sdk"</span><span class="p">)</span> <span class="nb">set</span><span class="p">(</span>CPACK_PACKAGE_VENDOR <span class="s2">"Warren Jitsing"</span><span class="p">)</span> <span class="nb">set</span><span class="p">(</span>CPACK_PACKAGE_DESCRIPTION_SUMMARY <span class="s2">"Multi-Language HTTP Client SDK (C/C++)"</span><span class="p">)</span> <span class="nb">set</span><span class="p">(</span>CPACK_PACKAGE_VERSION <span class="s2">"1.0.0"</span><span class="p">)</span> <span class="nb">set</span><span class="p">(</span>CPACK_PACKAGE_CONTACT <span class="s2">"warren.jitsing@infcon.co.za"</span><span class="p">)</span> <span class="c1"># 3. Configure the Generator</span> <span class="c1"># We want a simple .tar.gz (TGZ) archive</span> <span class="nb">set</span><span class="p">(</span>CPACK_GENERATOR <span class="s2">"TGZ"</span><span class="p">)</span> <span class="c1"># This must be the last command in the file</span> <span class="nb">include</span><span class="p">(</span>CPack<span class="p">)</span> </code></pre> </div> <p>Now, running <code>cpack -G TGZ</code> will generate a standardized <code>http-client-cpp-sdk-1.0.0.tar.gz</code>.</p> <h2> 7.3 The Rust Strategy: The ".crate" Standard </h2> <p>For our Rust implementation, the standard distribution format is the <strong>Crate</strong>. Unlike C++, where we often distribute pre-compiled binaries, the Rust ecosystem distributes <em>source code</em> bundled with a manifest (<code>Cargo.toml</code>). The consumer downloads the crate and compiles it locally, ensuring compatibility with their specific architecture and kernel.</p> <p>To create a standard crate, we use the <code>cargo package</code> command. This command creates a <code>.crate</code> file (which is essentially a tarball of the source) in <code>target/package/</code>.</p> <p>However, <code>cargo package</code> imposes a "Bureaucracy Check." It enforces strict metadata requirements to ensure the package is publishable to <em>crates.io</em> (or Artifactory). If your <code>Cargo.toml</code> is missing fields like <code>description</code>, <code>license</code>, or <code>repository</code>, the command will fail.</p> <p>We must update <code>src/rust/Cargo.toml</code> to satisfy these requirements and ensure our package name matches our library name standard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[package]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"httprust"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">edition</span> <span class="p">=</span> <span class="s">"2021"</span> <span class="c"># --- Metadata Required for Packaging ---</span> <span class="py">description</span> <span class="p">=</span> <span class="s">"A standard library HTTP client implementation"</span> <span class="py">license</span> <span class="p">=</span> <span class="s">"MIT"</span> <span class="py">repository</span> <span class="p">=</span> <span class="s">"https://gitlab.cicd.local/Articles/0004_std_lib_http_client"</span> <span class="py">authors</span> <span class="p">=</span> <span class="p">[</span><span class="s">"Warren Jitsing &lt;warren.jitsing@infcon.co.za&gt;"</span><span class="p">]</span> <span class="nn">[lib]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"httprust"</span> <span class="py">path</span> <span class="p">=</span> <span class="s">"src/lib.rs"</span> <span class="nn">[dependencies]</span> <span class="py">libc</span> <span class="p">=</span> <span class="s">"0.2"</span> <span class="py">reqwest</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.12.23"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"blocking"</span><span class="p">]</span> <span class="p">}</span> <span class="nn">[[bin]]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"httprust_client"</span> <span class="py">path</span> <span class="p">=</span> <span class="s">"src/bin/httprust_client.rs"</span> <span class="nn">[[bin]]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"reqwest_client"</span> <span class="py">path</span> <span class="p">=</span> <span class="s">"src/bin/reqwest_client.rs"</span> </code></pre> </div> <h2> 7.4 The Python Strategy: The Binary Wheel </h2> <p>For Python, the standard "Product" is the <strong>Binary Wheel (<code>.whl</code>)</strong>. This is a pre-compiled package that includes metadata and, crucially, any compiled C-extensions. It allows consumers to install the package via <code>pip</code> instantly without needing a compiler toolchain installed on their machine.</p> <p>Our <code>setup.sh</code> script already handles this. It uses the standard <code>build</code> module to generate the wheel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (From setup.sh)</span> python3 <span class="nt">-m</span> build <span class="nt">--wheel</span> <span class="nt">--outdir</span> <span class="k">${</span><span class="nv">CMAKE_BINARY_DIR</span><span class="k">}</span>/wheelhouse src/python </code></pre> </div> <p>We do not need to change our build logic here; we simply need to know that our "Product" will be waiting for us in <code>build_release/wheelhouse/*.whl</code>.</p> <h2> 7.5 The "Staging Area" Pattern (<code>dist/</code>) </h2> <p>We now have three different build systems (CMake, Cargo, Python Build) outputting artifacts to three different locations (<code>build_release/</code>, <code>src/rust/target/package/</code>, <code>build_release/wheelhouse/</code>).</p> <p>If we try to configure the Jenkins Artifactory plugin to hunt down these files individually, our pipeline code will become messy and fragile.</p> <p>Instead, we will adopt the <strong>Staging Area</strong> pattern. Before we trigger the upload, we will move all finished products into a single, clean directory named <code>dist/</code>. This decouples the <em>Build</em> logic from the <em>Publish</em> logic. The Artifactory plugin will have a single, simple instruction: "Upload everything in <code>dist/</code>."</p> <p>This completes our packaging theory. We are ready to implement the V2 Pipeline.</p> <h1> Chapter 8: Practical Application - The Pipeline V2 </h1> <h2> 8.1 The Evolution: From "Build" to "Deliver" </h2> <p>We are now ready to upgrade our pipeline. Our V1 <code>Jenkinsfile</code> was a "Continuous Integration" (CI) pipeline; it verified that the code compiled and passed tests. Our V2 <code>Jenkinsfile</code> will be a "Continuous Delivery" (CD) pipeline; it will produce shipping-ready artifacts.</p> <p>To achieve this, we insert a new <strong>Package</strong> stage between "Test" and the final "Publish" step. This stage is responsible for executing the specific packaging commands we enabled in Chapter 7 (<code>cpack</code>, <code>cargo package</code>) and consolidating the outputs into our "Staging Area" (<code>dist/</code>).</p> <p>Open <code>0004_std_lib_http_client/Jenkinsfile</code> and insert the following stage after <code>Test &amp; Coverage</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code> <span class="n">stage</span><span class="o">(</span><span class="s1">'Package'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Packaging Artifacts ---'</span> <span class="c1">// 1. Create the "Staging Area"</span> <span class="c1">// This is the single folder Artifactory will look at later.</span> <span class="n">sh</span> <span class="s1">'mkdir -p dist'</span> <span class="c1">// 2. Package C/C++ SDK (CPack)</span> <span class="c1">// We must run inside 'build_release' because CPack relies on </span> <span class="c1">// the CMakeCache.txt generated during the build stage.</span> <span class="n">dir</span><span class="o">(</span><span class="s1">'build_release'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'cpack -G TGZ -C Release'</span> <span class="c1">// Move the resulting tarball to our staging area</span> <span class="n">sh</span> <span class="s1">'mv *.tar.gz ../dist/'</span> <span class="o">}</span> <span class="c1">// 3. Package Rust Crate</span> <span class="c1">// We run inside the rust source directory.</span> <span class="n">dir</span><span class="o">(</span><span class="s1">'src/rust'</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// This command generates the .crate file in target/package/</span> <span class="n">sh</span> <span class="s1">'cargo package'</span> <span class="c1">// Move it to the staging area</span> <span class="n">sh</span> <span class="s1">'cp target/package/*.crate ../../dist/'</span> <span class="o">}</span> <span class="c1">// 4. Collect Python Wheel</span> <span class="c1">// The wheel was already built by setup.sh in the earlier stage.</span> <span class="c1">// We simply retrieve it from the wheelhouse.</span> <span class="n">sh</span> <span class="s1">'cp build_release/wheelhouse/*.whl dist/'</span> <span class="c1">// 5. Verification</span> <span class="c1">// List the contents so we can see exactly what we are about to ship in the logs.</span> <span class="n">sh</span> <span class="s1">'ls -l dist/'</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Deconstructing the Package Stage </h3> <p>This stage is the implementation of our "Universal Bucket" strategy. It normalizes the chaos of our polyglot build system into a single, uniform directory.</p> <ol> <li> <strong>The Context Switch (<code>dir</code>):</strong> Notice how we repeatedly use the <code>dir()</code> directive. This is crucial. <code>cpack</code> <em>must</em> run in the build directory to find its configuration. <code>cargo package</code> <em>must</em> run in the source directory to find <code>Cargo.toml</code>. The pipeline navigates the filesystem so the tools don't have to guess.</li> <li> <strong>The Consolidation:</strong> Regardless of where the tool puts the file (<code>target/package</code>, <code>wheelhouse</code>), we forcefully move it to <code>dist/</code>. This means our subsequent "Publish" stage will never need to know about the internal structure of our build. It just needs to know about <code>dist/</code>.</li> <li> <strong>The Artifacts:</strong> At the end of this stage, <code>dist/</code> will contain three files: <ul> <li><code>http-client-cpp-sdk-1.0.0-Linux.tar.gz</code></li> <li><code>httprust-0.1.0.crate</code></li> <li><code>httppy-0.1.0-py3-none-any.whl</code></li> </ul> </li> </ol> <h2> 8.2 The "Publish" Stage and the Syntax Traps </h2> <p>With our artifacts neatly organized in the <code>dist/</code> directory, we can define the final stage of our pipeline: <strong>Publish</strong>.</p> <p>This stage uses the Artifactory Plugin to upload our files and, critically, publish the build metadata. However, configuring this step involves navigating three specific syntax traps that often trip up first-time users: <strong>String Interpolation</strong>, <strong>Pattern Matching</strong>, and <strong>Silent Failures</strong>.</p> <p>Here is the complete <code>Publish</code> stage. Add this to your <code>Jenkinsfile</code> immediately after the <code>Package</code> stage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code> <span class="n">stage</span><span class="o">(</span><span class="s1">'Publish'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Publishing to Artifactory ---'</span> <span class="c1">// 1. Upload the Artifacts</span> <span class="n">rtUpload</span> <span class="o">(</span> <span class="c1">// Use the ID 'artifactory' defined in our JCasC global config</span> <span class="nl">serverId:</span> <span class="s1">'artifactory'</span><span class="o">,</span> <span class="c1">// 2. The File Spec</span> <span class="c1">// We use Triple Double-Quotes (""") to allow variable interpolation</span> <span class="nl">spec:</span> <span class="s2">"""{ "files": [ { "pattern": "dist/*", "target": "generic-local/http-client/${BUILD_NUMBER}/", "flat": "true" } ] }"""</span><span class="o">,</span> <span class="c1">// 3. The "Silent Failure" Fix</span> <span class="c1">// Force the build to fail if no files match the pattern</span> <span class="nl">failNoOp:</span> <span class="kc">true</span><span class="o">,</span> <span class="c1">// Associate files with this Jenkins Job</span> <span class="nl">buildName:</span> <span class="s2">"${JOB_NAME}"</span><span class="o">,</span> <span class="nl">buildNumber:</span> <span class="s2">"${BUILD_NUMBER}"</span> <span class="o">)</span> <span class="c1">// 4. Publish Build Info (The "Bill of Materials")</span> <span class="n">rtPublishBuildInfo</span> <span class="o">(</span> <span class="nl">serverId:</span> <span class="s1">'artifactory'</span><span class="o">,</span> <span class="nl">buildName:</span> <span class="s2">"${JOB_NAME}"</span><span class="o">,</span> <span class="nl">buildNumber:</span> <span class="s2">"${BUILD_NUMBER}"</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Deconstructing the Syntax Traps </h3> <p><strong>1. The Interpolation Trap (<code>"""</code> vs <code>'''</code>)</strong><br> In Jenkins Groovy, strings behave differently based on quotes.</p> <ul> <li> <code>'''Triple Single Quotes'''</code>: Treat the string literally. If we used this, Jenkins would send the string <code>${BUILD_NUMBER}</code> to Artifactory as literal text, resulting in a folder named <code>${BUILD_NUMBER}</code> instead of <code>16</code>.</li> <li> <code>"""Triple Double Quotes"""</code>: Enable <strong>Variable Interpolation</strong>. Jenkins replaces <code>${BUILD_NUMBER}</code> with the actual build number (e.g., <code>16</code>) <em>before</em> sending the command. This ensures our artifacts land in the correct versioned folder.</li> </ul> <p><strong>2. The Pattern Trap (Regex vs. Wildcards)</strong><br> The Artifactory File Spec supports both Regex and Wildcards. Regex is powerful but fragile. During our testing, complex regex patterns like <code>dist/(.*)</code> failed to match files correctly without specific flags.<br> We opted for the robust simplicity of <strong>Wildcards</strong>: <code>"pattern": "dist/*"</code>.<br> Combined with <code>"flat": "true"</code>, this tells Artifactory: "Take every file inside <code>dist/</code>, ignore the folder structure, and upload them directly to the target path."</p> <p><strong>3. The "Silent Failure" Trap (<code>failNoOp</code>)</strong><br> This is the most dangerous default behavior in the Artifactory plugin. By default, if your pattern (<code>dist/*</code>) matches <strong>zero files</strong> (perhaps because the package stage failed silently), the <code>rtUpload</code> step returns <strong>SUCCESS</strong>.<br> This leads to "Green Builds" that delivered nothing—a phantom release.<br> We explicitly set <code>failNoOp: true</code>. This forces the pipeline to turn <strong>Red</strong> (Failure) if it uploads nothing. This guarantees that a successful build actually indicates a successful delivery.</p> <p><strong>4. The "Chain of Custody" (<code>rtPublishBuildInfo</code>)</strong><br> The final step, <code>rtPublishBuildInfo</code>, does not upload files. It uploads <strong>Metadata</strong>. It scrapes the Jenkins environment (Git Commit Hash, User, Timestamp, Dependencies) and creates a JSON manifest. It sends this manifest to Artifactory, atomically linking it to the files we just uploaded. This is what allows us to trace a binary back to the source code.</p> <h1> Chapter 9: The Result - Visualizing the Supply Chain </h1> <h2> 9.1 The Artifact Browser: Exploring the Warehouse </h2> <p>The infrastructure is ready, and the pipeline definition is updated. It is time to run the supply chain.</p> <p>Go to your Jenkins dashboard and navigate to the <strong><code>Articles/0004_std_lib_http_client</code></strong> job. Click into the <strong><code>main</code></strong> branch and hit <strong>"Build Now"</strong>.</p> <p>Watch the console output. You will see the new <strong>Package</strong> stage execute, compressing our artifacts into the <code>dist/</code> directory. Then, you will see the <strong>Publish</strong> stage kick in. Unlike our previous tests, this will not be a silent success; the logs will explicitly show the upload of our three specific files to the Artifactory server.</p> <p>Once the build is green, we can verify the physical results.</p> <p>Navigate to your Artifactory instance at <code>https://artifactory.cicd.local:8443</code> and log in. Open the <strong>Application</strong> module and go to <strong>Artifactory -&gt; Artifacts</strong>.</p> <p>In the tree view, expand the <code>generic-local</code> repository. You will see a new folder structure that mirrors the logic we defined in our <code>Jenkinsfile</code>.</p> <p>Instead of a flat list of files, you will see a structured hierarchy: <code>http-client</code> (the Project), followed by <code>16</code> (the Build Number). Inside that versioned folder, you will find our three distinct products sitting side-by-side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>generic-local/ └── http-client/ └── 16/ ├── http-client-cpp-sdk-1.0.0-Linux.tar.gz (The C++ SDK) ├── httprust-0.1.0.crate (The Rust Source) └── httppy-0.1.0-py3-none-any.whl (The Python Wheel) </code></pre> </div> <p>This view validates our "Universal Bucket" strategy. We did not need to configure a complex PyPI registry, a Cargo registry, and a Conan server to get started. We successfully captured the output of a polyglot build into a single, unified, and versioned location. These files are now immutable; unlike the Jenkins workspace, they will not disappear when the next build starts.</p> <h2> 9.2 The "Build Info" Ledger </h2> <p>While seeing the files in the repository confirms <em>storage</em>, it doesn't confirm <em>provenance</em>. To see the "Chain of Custody," we need to look at the metadata generated by our pipeline's <code>rtPublishBuildInfo</code> step.</p> <p>Artifactory stores this metadata as a structured JSON document in a special internal repository.</p> <p>To view the raw ledger entry:</p> <ol> <li> Navigate to <strong>Application</strong> -&gt; <strong>Artifacts</strong>.</li> <li> In the repository tree, select <strong><code>artifactory-build-info</code></strong>.</li> <li> Drill down into the folder structure: <strong><code>Articles</code></strong> -&gt; <strong><code>0004_std_lib_http_client</code></strong> -&gt; <strong><code>main</code></strong>.</li> <li> You will see a JSON file named after your build number (e.g., <code>16-&lt;timestamp&gt;.json</code>).</li> <li> Right-click the file and select <strong>View</strong>.</li> </ol> <p>You will see a detailed manifest like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"Articles/0004_std_lib_http_client/main"</span><span class="p">,</span><span class="w"> </span><span class="nl">"number"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"Jenkins"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"2.528.2"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"started"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-11-22T14:05:59.821+0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"durationMillis"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">174180</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"https://jenkins.cicd.local:10400/job/Articles/job/0004_std_lib_http_client/job/main/16/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vcs"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"revision"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"f2fc8640ad0690b94cd7b0536f0c97fcf3afb8fd"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">":bug: bug(Jenkinsfile): fix upload spec regexp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"https://gitlab.cicd.local:10300/articles/0004_std_lib_http_client.git"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"modules"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"Articles/0004_std_lib_http_client/main"</span><span class="p">,</span><span class="w"> </span><span class="nl">"artifacts"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"gz"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sha256"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"1bd7a4407b6e2ac7c3b22eea93f6493992f172fe6f50382dd635401694945e85"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"http-client-cpp-sdk-1.0.0-Linux.tar.gz"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"http-client/16/http-client-cpp-sdk-1.0.0-Linux.tar.gz"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"crate"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sha256"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"7934cf01ec3331565a97de79d93c07ec1a839c749d546acf9da863c592329526"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"rust-0.1.0.crate"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"http-client/16/rust-0.1.0.crate"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"whl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sha256"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"808ffa9c2c532bcf52cf5e3c006ea825cf6e252797657068f5fbc2e506202e9d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"httppy-0.1.0-py3-none-any.whl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"http-client/16/httppy-0.1.0-py3-none-any.whl"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 9.3 Traceability: The "Chain of Custody" </h2> <p>This document is the forensic evidence that links our "Factory" to our "Library."</p> <ul> <li><p><strong>The Source (<code>vcs.revision</code>):</strong><br> We see the exact Git Commit SHA: <code>f2fc8640...</code>. This is the specific version of the blueprint used to manufacture this release. If a bug is found in this artifact years from now, we know exactly which line of code caused it.</p></li> <li><p><strong>The Process (<code>url</code>):</strong><br> We have a direct link back to the Jenkins build log: <code>https://jenkins.cicd.local.../16/</code>. This provides the context of <em>how</em> it was built (logs, environment variables, test results).</p></li> <li><p><strong>The Product (<code>artifacts.sha256</code>):</strong><br> Most importantly, we have the cryptographic checksums of the output. <code>1bd7a...</code> is the unique fingerprint of our C++ SDK. If a user downloads a file claiming to be version 16, we can verify its integrity against this ledger.</p></li> </ul> <p>This completes the "Chain of Custody." We have successfully linked Binary -&gt; Build -&gt; Source.</p> <h1> Chapter 10: Conclusion </h1> <h2> 10.1 What We've Built: The "Software Supply Chain" </h2> <p>Let's take a moment to appreciate the architectural shift we have accomplished in this article. We began with a "Factory" (Jenkins) that was incredibly efficient at manufacturing but terrible at logistics. Every time a build finished, the factory floor was scrubbed clean, and the finished products were incinerated along with the waste.</p> <p>By deploying <strong>Artifactory</strong>, we have moved from a simple "Build Loop" to a true <strong>Software Supply Chain</strong>.</p> <p>We have established a permanent, secure flow of assets through our city:</p> <ol> <li> <strong>Blueprints (GitLab):</strong> The source of truth for our code.</li> <li> <strong>Manufacturing (Jenkins):</strong> The ephemeral compute engine that compiles the code in a clean room.</li> <li> <strong>Packaging (CPack/Cargo):</strong> The standardization step that wraps raw binaries into consumable products (SDKs, Crates).</li> <li> <strong>Warehousing (Artifactory):</strong> The persistent storage layer that retains the products and the forensic data (Build Info) linking them back to the blueprints.</li> </ol> <p>Our "City" is growing up. We now have a Library, a Factory, a Warehouse, and a Shared Power Plant (PostgreSQL) underpinning it all.</p> <h2> 10.2 The "Blind Spot": Quantity over Quality </h2> <p>However, looking at our populated <code>generic-local</code> repository reveals a new, invisible danger. We have solved the problem of <em>retention</em>, but we have not solved the problem of <em>inspection</em>.</p> <p>Our pipeline is uncritical. It assumes that if code compiles, it is worth keeping. If a developer commits code that contains a massive memory leak, a hardcoded password, or a critical security vulnerability, our pipeline will happily build it, package it, and ship it to the warehouse. We will then have a perfectly versioned, immutable, and signed package of broken software.</p> <p>We have built a high-speed conveyor belt that moves boxes into the warehouse. But we have no idea if the boxes contain diamonds or ticking time bombs.</p> <h2> 10.3 Next Steps: The "Quality Gate" </h2> <p>To solve this, we need an Inspector. We need a tool that can look inside the box <em>before</em> we seal it. We need a system that analyzes the internal structure of the code—measuring complexity, detecting bugs, and identifying security flaws—without just relying on the compiler.</p> <p>In the next article, we will deploy <strong>SonarQube</strong>. We will connect it to our Shared Database, integrate it into our Jenkins pipeline, and establish a <strong>Quality Gate</strong>. This gate will sit between the "Build" and "Package" stages, giving it the power to stop the conveyor belt and fail the build if the code does not meet our standards. We will move from "Continuous Delivery" to "Continuous Quality."</p> cicd devops artifactory docker Warren Jitsing Thu, 18 Dec 2025 07:17:27 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-04-building-a-sovereign-software-factory-jenkins-configuration-as-code-jcasc-30o5 https://dev.to/warren_jitsing_dd1c1d6fc6/part-04-building-a-sovereign-software-factory-jenkins-configuration-as-code-jcasc-30o5 <p>GitHub: <a href="https://github.com/InfiniteConsult/0008_cicd_part04_jenkins" rel="noopener noreferrer">https://github.com/InfiniteConsult/0008_cicd_part04_jenkins</a></p> <p><strong>TL;DR:</strong> In this installment, we construct the <strong>"Factory"</strong> of our city. We deploy a self-hosted <strong>Jenkins</strong> controller, but we reject the fragility of manual UI configuration. Instead, we implement a strict <strong>Configuration as Code (JCasC)</strong> architecture, using a "Blueprint First" strategy to define our security matrix, credentials, and toolchains in version-controlled YAML. We solve the "Docker-in-Docker" permission trap by architecting a scalable <strong>Controller/Agent</strong> model, where ephemeral "General Purpose Workers" are hired on-demand to build our polyglot code.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04: Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</strong> (You are here)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <p><strong>UPDATE 2025-12-09: Critical Plugin Change (GitLab Branch Source)</strong></p> <p>The <code>gitlab-branch-source</code> plugin has recently undergone a major update (versions &gt; 736), migrating to a newer GitLab API client. This introduces a breaking change regarding authentication.</p> <p><strong>The Issue:</strong><br> Previously, we used a standard <code>usernamePassword</code> credential (where the password was the token) for git checkout. On newer plugin versions, this method fails with <code>HTTP 403 Forbidden</code> or <code>USER NOT FOUND</code> errors because the plugin now strictly enforces credential types.</p> <p><strong>The Solution:</strong><br> Newer versions require specific <strong>GitLab Group Access Token</strong> or <strong>GitLab Personal Access Token</strong> credential types to perform checkouts. To ensure this tutorial works for all versions, we will configure <strong>both</strong> the legacy credential and the new <strong>Group Access Token (GAT)</strong> in our system.</p> <p><strong>Action Required:</strong><br> We will introduce a new token variable. Please create a <strong>Group Access Token</strong> in GitLab (Scope: <code>api</code>, <code>read_repository</code>, Role: <code>Maintainer</code>) for your top-level <code>Articles</code> group and add it to your <code>cicd.env</code> file alongside your existing tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># cicd.env</span> <span class="c"># ... existing tokens ...</span> <span class="nv">ARTICLES_GAT</span><span class="o">=</span><span class="s2">"glpat-m2BG...[redacted]..."</span> </code></pre> </div> <p>In the following sections, we will update our scripts to pass this new token to Jenkins. When configuring your job, you can then simply select the credential type that works for your specific installed version of the plugin.</p> <h1> Chapter 1: The Challenge: Our Code is Just Sitting on a Shelf </h1> <p>In our last article, we built our "Central Library," a secure, self-hosted GitLab instance. This was a massive step forward. Our code—including our polyglot "hero project"—is now version-controlled, secure, and stored in a central, trusted location. But this success has also revealed our next, and most obvious, challenge: our code is just <em>sitting there</em>.</p> <p>It's inert. A developer can <code>git push</code> a new feature, but nothing <em>happens</em>. The connection between our code repository and an actual build process is completely missing. We have a fantastic source of truth, but no <em>action</em>.</p> <h2> Deconstructing the "It Works On My Machine" Flaw </h2> <p>Without an automated system, we are forced to fall back on a manual build process. A developer would clone the repository, run <code>./setup.sh</code> on their local workstation, and then run <code>./run-coverage.sh</code>. This "manual build" process is fraught with problems that prevent any real, scalable development.</p> <p>The most famous of these is the "it works on my machine" flaw. This isn't just a meme; it's a critical business risk that stems from two core issues:</p> <ol> <li> <strong>Environment Inconsistency:</strong> My workstation is not identical to yours. I might be running a slightly different version of <code>cmake</code>, a newer patch of the Rust toolchain, or a different set of Python libraries. A build that succeeds for me might fail for you simply because our environments have "drifted" apart. This makes it impossible to guarantee that a given commit is truly stable.</li> <li> <strong>Lack of Auditability:</strong> The manual build process is a black hole. There is no central, immutable record of <em>who</em> built <em>what</em>, <em>when</em>. Which commit was used for the "release" binary that was just emailed to the client? Was it built with the latest changes? Was it built in "Debug" or "Release" mode? Did all the tests <em>actually</em> pass, or did the developer just <em>say</em> they did? We have no way to know.</li> </ol> <p>This manual, unscalable process is unacceptable. We need a centralized, automated orchestrator that can act as the "brain" of our entire operation.</p> <h2> The Solution: An Automated "Factory Foreman" </h2> <p>This is where we introduce <strong>Jenkins</strong>. Jenkins will be the "Factory Foreman" for our CI/CD city.</p> <p>Its job is to watch our "Central Library" (GitLab) for new signals. When a developer opens a Merge Request, GitLab will send a webhook to Jenkins. Jenkins will then, in a fully automated capacity:</p> <ol> <li> <strong>Receive the signal</strong> from GitLab.</li> <li> <strong>Provision a sterile, consistent build environment</strong> (our <code>general-purpose-agent</code>).</li> <li> <strong>Run the standardized "assembly line"</strong> that we will define in a <code>Jenkinsfile</code>.</li> <li> <strong>Report the <code>SUCCESS</code> or <code>FAILURE</code></strong> of that assembly line directly back to the GitLab Merge Request.</li> </ol> <p>This single integration solves all our manual-build problems. It guarantees that every single commit is built and tested in the <em>exact same way</em>, every single time. It provides a full, auditable log for every build, and it scales far beyond what any single developer could manage. It's the engine that will power our entire CI/CD stack.</p> <h1> Chapter 2: The "What" - Our "Controller/Agent" Architecture </h1> <p>Before we can deploy Jenkins, we have to decide on its architecture. A default Jenkins installation is a single, monolithic application that does everything: it serves the UI, manages plugins, <em>and</em> runs builds all on the same machine. This is simple, but it's a fragile and insecure design that doesn't scale.</p> <p>This monolithic model leads to several immediate problems:</p> <ul> <li> <strong>Toolchain Conflicts:</strong> What if "Project A" needs Java 11 but "Project B" needs Java 17? You end up polluting the controller's filesystem with conflicting dependencies.</li> <li> <strong>Security:</strong> A build script that runs on the controller has access to the controller's entire environment, including its credentials and the Docker socket. A rogue script could be disastrous.</li> <li> <strong>Performance:</strong> A heavy build (like compiling C++) can consume all the controller's CPU and RAM, making the UI slow or unresponsive for all other users.</li> </ul> <p>We will build a modern, container-based architecture that solves all these problems. Our solution is built on two core concepts: "Pipeline-as-Code" and "Configuration-as-Code."</p> <h2> 2.1. The "First Principle": Pipeline-as-Code (<code>Jenkinsfile</code>) </h2> <p>The first part of our solution is deciding where the "assembly line" instructions live. The build logic (checkout, compile, test, etc.) must be version-controlled <em>with</em> the code it's meant to build.</p> <p>We will accomplish this using a <strong><code>Jenkinsfile</code></strong>.</p> <p>This is a plain text file, named <code>Jenkinsfile</code>, that lives in the root of our <code>http-client</code> repository. It defines every stage of our pipeline directly in a Groovy-based syntax. This is a fundamental shift in responsibility:</p> <ul> <li> <strong>Jenkins (the Controller)</strong> no longer <em>defines</em> the build. It only <em>executes</em> the build.</li> <li> <strong>The Project (the Code)</strong> is now responsible for telling Jenkins <em>how</em> it should be built.</li> </ul> <p>This approach means our build process is now versioned, auditable, and can be reviewed in a Merge Request just like any other piece of code.</p> <h2> 2.2. The "Second Principle": Configuration-as-Code (JCasC) </h2> <p>The <code>Jenkinsfile</code> defines the build process for <em>a project</em>, but what about the configuration of the <em>Jenkins controller itself</em>? We still need to install plugins, set up security, define our API tokens, and configure our build agents.</p> <p>If we did this manually through the UI, we would create a <strong>"Snowflake Server"</strong>—a fragile, unique instance that is impossible to replicate and has no audit trail.</p> <p>Our solution is <strong>Configuration-as-Code (JCasC)</strong>. Just as the <code>Jenkinsfile</code> defines the pipeline, a <code>jenkins.yaml</code> file will define the <em>entire configuration of the controller</em>. This YAML file will be our single source of truth for:</p> <ul> <li>Creating our <code>admin</code> user and setting its password.</li> <li>Defining our security matrix (who can do what).</li> <li>Installing all our plugins (GitLab, Docker, etc.).</li> <li>Connecting to our GitLab server.</li> <li>Defining our API credentials.</li> <li>Configuring our "cloud" of build agents.</li> </ul> <p>By managing our controller's setup in this file, we make our Jenkins instance 100% reproducible, version-controlled, and auditable.</p> <h2> 2.3. Our Architecture: The "Foreman and the Ephemeral Worker" </h2> <p>With these two "as-Code" principles, we can now define our final architecture. We will build two separate, specialized Docker images:</p> <ol> <li> <strong>The Controller (Our "Foreman"):</strong> This is our <code>jenkins-controller</code> image. Its <em>only</em> job is to serve the UI, manage the API, and orchestrate jobs. We will configure it with <strong>zero executors</strong>, meaning it will <em>never</em> run a build on its own. It is the "brain" of the operation.</li> <li> <strong>The Agent (Our "Ephemeral Worker"):</strong> This is our <code>general-purpose-agent</code> image. This container is our disposable, "polyglot" toolset, pre-loaded with our entire C++, Rust, and Python toolchain.</li> </ol> <p>This "Foreman/Worker" model is the core of our solution. When a build is triggered, the Controller (Foreman) will "hire" an Agent (Worker) for that one specific job.</p> <h2> 2.4. The "Mechanism": The Docker Plugin </h2> <p>This "hiring" process is not magic; it's a specific plugin we will configure in our <code>jenkins.yaml</code>: the <strong>Docker Plugin</strong>.</p> <p>This plugin is the "hiring department" for our factory. Here is how it will work:</p> <ol> <li> A developer opens a Merge Request in GitLab.</li> <li> GitLab sends a webhook to our "Foreman" (the Jenkins Controller).</li> <li> The Foreman sees the build request and consults its <code>jenkins.yaml</code> configuration.</li> <li> It instructs the <strong>Docker Plugin</strong> to provision a new agent.</li> <li> The Docker Plugin, using its Docker-out-of-Docker (DooD) capability, connects to the host's <code>docker.sock</code> and issues a command: <code>docker run --network cicd-net general-purpose-agent:latest ...</code> </li> <li> This new "Worker" container starts, connects to the "Foreman" via our <code>cicd-net</code>, and runs the pipeline defined in the <code>Jenkinsfile</code>.</li> <li> After the build is done, the Worker reports <code>SUCCESS</code> and is <strong>immediately and automatically destroyed</strong>.</li> </ol> <p>This architecture is the perfect solution. It's scalable, secure (builds are isolated from the controller), and provides a clean, consistent environment for every single build.</p> <h1> Chapter 3: Architecture Deep Dive: Solving the Java &amp; Docker Puzzles </h1> <p>Deploying Jenkins into our secure, container-based ecosystem presents a unique set of technical hurdles. It's not as simple as our GitLab deployment. This is because Jenkins is a Java application and has its own specific, and sometimes rigid, ways of handling security and networking.</p> <p>We're about to solve four distinct challenges:</p> <ol> <li> Securing the Jenkins UI (which can't read our <code>.pem</code> files).</li> <li> Granting the Jenkins Controller secure access to the Docker socket (DooD).</li> <li> Making the Jenkins Controller's JVM trust our internal GitLab server.</li> <li> Making the Jenkins Agent's environment trust our GitLab server.</li> </ol> <p>Let's tackle them one by one.</p> <h2> 3.1. Puzzle #1: The Controller's HTTPS Keystore (<code>.p12</code>) </h2> <p>Our first challenge is that we can't secure the Jenkins UI the same way we secured GitLab.</p> <p>With GitLab, we simply mounted our <code>gitlab.cicd.local.crt.pem</code> and <code>gitlab.cicd.local.key.pem</code> files and told its Nginx web server to use them. This worked because Nginx is a C-based application that natively reads <code>.pem</code> files.</p> <p>Jenkins, however, is a Java application. Its web server (Jetty) does not natively read separate <code>.pem</code> certificate and key files. Instead, the Java ecosystem prefers a single, password-protected database file called a <strong>Java Keystore (<code>.jks</code> or <code>.p12</code>)</strong>.</p> <p>To secure our Jenkins UI at <code>https://jenkins.cicd.local:10400</code>, we must convert our "passport" (<code>.pem</code> certificate) and its "key" (<code>.key</code> file) from Article 2 into this single <code>.p12</code> file that Java understands.</p> <p>Our solution will be to use the <code>openssl pkcs12 -export</code> command. This command will bundle our certificate and private key together into a new, password-protected file named <code>jenkins.p12</code>. We will then tell Jenkins to use this file to serve HTTPS by passing its path and password in the <code>JENKINS_OPTS</code> environment variable when we run the container.</p> <h2> 3.2. Puzzle #2: The "Build-Time" DooD Fix (Controller) </h2> <p>Our "Foreman" (the Jenkins Controller) needs the ability to "hire" workers. In our architecture, this means it must be able to run Docker commands to spawn our <code>general-purpose-agent</code> containers. This requires a Docker-out-of-Docker (DooD) setup.</p> <p>The obvious first step is to mount the host's Docker socket: <code>-v /var/run/docker.sock:/var/run/docker.sock</code>. However, this alone will fail.</p> <p>This creates an immediate and critical permissions challenge, the same one we solved back in Article 1. The <code>docker.sock</code> file on the host machine is a protected resource. It's owned by <code>root</code> and accessible only by members of the <code>docker</code> group. This group has a specific Group ID (GID) on the host, for example, <code>998</code>.</p> <p>Inside our container, the <code>jenkins</code> user runs with its own GID (e.g., <code>1000</code>). When the <code>jenkins</code> user tries to access the mounted socket, the host's kernel sees a request from GID <code>1000</code>, compares it to the socket's required GID <code>998</code>, and denies access.</p> <p>We will solve this not at runtime, but at <em>build time</em>. This is a cleaner, more permanent solution.</p> <ol> <li> Our <code>02-build-images.sh</code> script will first inspect the host and find the numerical GID of its <code>docker</code> group.</li> <li> It will pass this number into the <code>docker build</code> command using the <code>--build-arg HOST_DOCKER_GID</code> flag.</li> <li> Inside our <code>Dockerfile.controller</code>, we will receive this argument. We will then execute a <code>RUN</code> command that: <ul> <li>Installs the <code>docker-ce-cli</code> package.</li> <li>Creates a new <code>docker</code> group <em>inside the container</em>.</li> <li>Crucially, it uses the <code>HOST_DOCKER_GID</code> to <strong>set the new group's GID to the exact same number as the host</strong>.</li> <li>Finally, it adds the <code>jenkins</code> user to this newly created, correctly-ID'd group.</li> </ul> </li> </ol> <p>By baking this permission into the image itself, we create a controller that is <em>born</em> with the correct permissions. This makes our deployment script much cleaner, as we no longer need to use runtime flags like <code>--group-add</code> to modify the user's identity.</p> <h2> 3.3. Puzzle #3: The "Baked-in" JVM Trust (Controller) </h2> <p>This is one of the most significant challenges in the entire stack. Even with our DooD permissions fixed, our controller will still fail.</p> <p>The moment our <code>gitlab-branch-source</code> plugin (which we'll configure in JCasC) tries to scan our repository at <code>https://gitlab.cicd.local</code>, the build will fail with a <code>javax.net.ssl.SSLHandshakeException</code>.</p> <p>The reason for this is that the <strong>Java Virtual Machine (JVM) maintains its own, isolated trust store</strong>.</p> <p>When we built our controller image, we fixed the <em>operating system's</em> trust store by running <code>update-ca-certificates</code>. This is great for OS-level tools like <code>git</code> or <code>curl</code>. However, the Jenkins controller is a Java application. The JVM <em>completely ignores</em> the OS trust store and only trusts the certificates found inside its own <code>cacerts</code> file (a Java-specific keystore).</p> <p>Our internal CA is not in that file, so from the JVM's perspective, our <code>gitlab.cicd.local</code> certificate is untrusted, and it will refuse all SSL connections.</p> <p>Our solution is to "bake" our CA's trust directly into the controller's JVM. During our <code>Dockerfile.controller</code> build, right after we <code>COPY</code> our <code>ca.pem</code> file, we will add a <code>RUN</code> command. This command will use the Java <code>keytool</code> utility—the standard tool for managing Java keystores—to import our <code>ca.pem</code> directly into the JVM's master <code>cacerts</code> file.</p> <p>This permanently solves the problem. Our custom <code>jenkins-controller</code> image will now be born with a JVM that implicitly trusts every certificate (like GitLab's) that our internal CA has signed. This will allow all Java-based plugins to make secure HTTPS connections to our other internal services without any errors.</p> <h2> 3.4. Puzzle #4: The Agent's "Dual Trust" </h2> <p>Finally, we must solve the trust problem for our ephemeral agents. It's a common oversight to assume that because the controller trusts GitLab, the agents will too. But the agent is a completely separate container, with its own filesystem, its own OS, and its own trust stores.</p> <p>When our pipeline kicks off, the <em>agent</em> is the container that actually runs the <code>git clone</code> command against <code>https://gitlab.cicd.local</code>. If the agent doesn't trust our CA, the clone will immediately fail with an SSL verification error.</p> <p>This reveals a new, more complex challenge: the agent has a "dual trust" requirement. It needs to trust our internal CA in <strong>two different places</strong> to satisfy our "polyglot" toolchain:</p> <ol> <li> <strong>OS-Level Trust (for <code>git</code>):</strong> The <code>git</code> command is a standard Linux application. It relies on the operating system's trust store (the certificates in <code>/usr/local/share/ca-certificates/</code>) to validate the SSL connection.</li> <li> <strong>JVM-Level Trust (for <code>sonar-scanner</code>):</strong> Our pipeline will <em>also</em> run Java-based tools. The most important one for our stack will be the <code>sonar-scanner</code> CLI (for our future SonarQube article). Just like the Jenkins controller, this is a Java tool that <em>completely ignores</em> the OS trust store and relies <em>only</em> on its own <code>cacerts</code> file.</li> </ol> <p>A failure in either store will break our pipeline. The <code>git clone</code> would fail, or the quality scan would fail.</p> <p>Therefore, our <code>Dockerfile.agent</code> must solve <em>both</em> problems simultaneously. We will add a build step that:</p> <ol> <li> <code>COPY</code>-ies our <code>ca.pem</code> file into the build context.</li> <li> Runs <code>update-ca-certificates</code> to add the CA to the OS trust store. This fixes <code>git</code>.</li> <li> Runs the Java <code>keytool -importcert</code> command to add the <em>same</em> CA to the JVM's <code>cacerts</code> file. This fixes <code>sonar-scanner</code> and any other Java-based tools.</li> </ol> <p>By baking in this "dual trust," our <code>general-purpose-agent</code> will be born ready to communicate securely with all other services in our stack, regardless of the tool being used.</p> <h1> Chapter 4: Action Plan (Part 1) – The "Blueprints" (Dockerfiles &amp; Plugins) </h1> <p>With our architecture defined and our key integration challenges solved, we can now start building our two Docker images. We'll start by defining the "blueprints" for our controller and agent.</p> <p>The first step is to create the "shopping list" of plugins our controller will need. This file, <code>plugins.txt</code>, will be fed to the Jenkins plugin installer during our image build, ensuring our controller is born with all the "office furniture" it needs to do its job.</p> <h2> 4.1. The "Plugin List" (<code>plugins.txt</code>) </h2> <p>This file is a simple list of plugin IDs and their versions (we'll use <code>latest</code> for simplicity). Each one adds a critical piece of functionality that enables our specific architecture.</p> <p>Here is the complete <code>plugins.txt</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># # ----------------------------------------------------------- # plugins.txt # # This file lists all plugins to be installed by the # 'jenkins-plugin-cli' during our image build. # # Each plugin is a piece of "office furniture" for our # "Foreman," giving it new capabilities. # ----------------------------------------------------------- # --- Dependencies and standard plugins --- pipeline-model-definition:latest cloudbees-folder:latest antisamy-markup-formatter:latest build-timeout:latest credentials-binding:latest timestamper:latest ws-cleanup:latest ant:latest gradle:latest workflow-aggregator:latest github-branch-source:latest pipeline-github-lib:latest pipeline-graph-analysis:latest git:latest ssh-slaves:latest ldap:latest email-ext:latest mailer:latest dark-theme:latest # --- Core Setup &amp; Configuration --- # The "Blueprint Reader": Allows us to configure Jenkins using # our 'jenkins.yaml' file. The core of JCasC. configuration-as-code:latest # The "Security Guard": Allows us to create the granular # "who-can-do-what" permissions matrix. matrix-auth:latest # --- CI/CD Integration Plugins --- # The "Red Phone": The bridge to GitLab. This plugin # allows Jenkins to receive webhooks from GitLab and # provides the "Multibranch Pipeline" job type. gitlab-branch-source:latest # The "Hiring Department": This is the Docker Cloud plugin. # It's what allows our controller to "spawn" our # 'general-purpose-agent' containers. docker-plugin:latest # The "Secure Warehouse" Connector: Provides the native # 'rtUpload' steps to publish our artifacts to Artifactory. artifactory:latest # The "Quality Inspector" Connector: Provides the # 'withSonarQubeEnv' and 'waitForQualityGate' steps. sonar:latest </code></pre> </div> <h3> Deconstructing <code>plugins.txt</code> </h3> <p>Here are the key plugins we're installing and what they do:</p> <ul> <li> <strong><code>configuration-as-code</code>:</strong> This is the core of our "Configuration-as-Code" (JCasC) strategy. It's the plugin that will read our <code>jenkins.yaml</code> file on boot and configure the entire Jenkins instance, from security realms to API tokens.</li> <li> <strong><code>matrix-auth</code>:</strong> This is the "security guard" plugin. It provides the granular, grid-based permission system (<code>globalMatrix</code>) that our <code>jenkins.yaml</code> file will configure. This is what allows us to lock down anonymous users while granting full rights to our <code>admin</code> user.</li> <li> <strong><code>gitlab-branch-source</code>:</strong> This is the modern, official "bridge" to GitLab. It provides two essential features: <ol> <li> The <strong>"Multibranch Pipeline"</strong> job type, which can scan a GitLab project and build all its branches.</li> <li> The webhook endpoint (<code>/gitlab-webhook/trigger</code>) that allows GitLab to notify Jenkins of new commits and merge requests instantly.</li> </ol> </li> <li> <strong><code>docker-plugin</code>:</strong> This is our "hiring department." It's the plugin that allows the controller to connect to the Docker socket, interpret our "cloud" configuration from <code>jenkins.yaml</code>, and physically spawn our <code>general-purpose-agent</code> containers.</li> <li> <strong><code>pipeline-model-definition</code>:</strong> This is a crucial dependency we discovered during our research. The <code>docker-plugin</code> will not load correctly without it, as it provides the core APIs for defining the declarative pipelines that our agent-based model relies on.</li> </ul> <h2> 4.2. The "Foreman's Office" (<code>Dockerfile.controller</code>) </h2> <p>With our plugin list defined, we can now write the blueprint for our "Foreman" or <code>jenkins-controller</code>. This <code>Dockerfile</code> is a surgical script designed to solve our specific architectural challenges <em>at build time</em>, resulting in a clean, secure, and ready-to-run image.</p> <p>Here is the complete <code>Dockerfile.controller</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># Dockerfile.controller</span> <span class="c">#</span> <span class="c"># This blueprint builds our "Foreman" (Jenkins Controller).</span> <span class="c">#</span> <span class="c"># 1. DooD: Installs Docker CLI &amp; fixes GID permissions.</span> <span class="c"># 2. CA Trust: Bakes in our Local CA to the JVM trust store.</span> <span class="c"># 3. Plugins: Installs all plugins from 'plugins.txt'.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 1. Start from the official Jenkins Long-Term Support image</span> <span class="k">FROM</span><span class="s"> jenkins/jenkins:lts-jdk21</span> <span class="k">LABEL</span><span class="s"> authors="warren_jitsing"</span> <span class="c"># 2. Accept the host's 'docker' GID as a build-time argument</span> <span class="k">ARG</span><span class="s"> HOST_DOCKER_GID</span> <span class="c"># 3. Switch to 'root' to install software and fix permissions</span> <span class="k">USER</span><span class="s"> root</span> <span class="c"># 4. Copy our Local CA cert from the build context</span> <span class="c"># (Our '01-setup-jenkins.sh' will place this file here)</span> <span class="k">COPY</span><span class="s"> ca.pem /tmp/ca.pem</span> <span class="c"># 5. Fix CA Trust (for both OS/git and JVM)</span> <span class="c"># This is "baked in" for simplicity and robustness</span> <span class="k">RUN </span><span class="nb">cp</span> /tmp/ca.pem /usr/local/share/ca-certificates/cicd-stack-ca.crt <span class="se">\ </span> <span class="o">&amp;&amp;</span> update-ca-certificates <span class="se">\ </span> <span class="o">&amp;&amp;</span> keytool <span class="nt">-importcert</span> <span class="se">\ </span> <span class="nt">-keystore</span> /opt/java/openjdk/lib/security/cacerts <span class="se">\ </span> <span class="nt">-storepass</span> changeit <span class="se">\ </span> <span class="nt">-file</span> /tmp/ca.pem <span class="se">\ </span> <span class="nt">-alias</span> <span class="s2">"CICD-Root-CA"</span> <span class="se">\ </span> <span class="nt">-noprompt</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> /tmp/ca.pem <span class="c"># 6. Install Docker CLI &amp; Fix GID Mismatch</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> curl <span class="se">\ </span> gnupg <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings <span class="se">\ </span> <span class="o">&amp;&amp;</span> curl <span class="nt">-fsSL</span> https://download.docker.com/linux/debian/gpg <span class="nt">-o</span> /etc/apt/keyrings/docker.asc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">chmod </span>a+r /etc/apt/keyrings/docker.asc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="se">\ </span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian </span><span class="se">\ </span><span class="s2"> </span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> | <span class="se">\ </span> <span class="nb">tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> docker-ce-cli <span class="se">\ </span> <span class="o">&amp;&amp;</span> groupadd <span class="nt">--gid</span> <span class="nv">$HOST_DOCKER_GID</span> docker <span class="se">\ </span> <span class="o">&amp;&amp;</span> usermod <span class="nt">-aG</span> docker jenkins <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># 7. Switch back to the unprivileged 'jenkins' user</span> <span class="k">USER</span><span class="s"> jenkins</span> <span class="c"># 8. Copy our plugin list into the official ref directory</span> <span class="k">COPY</span><span class="s"> plugins.txt /usr/share/jenkins/ref/plugins.txt</span> <span class="c"># 9. Run the official plugin installer script</span> <span class="k">RUN </span>jenkins-plugin-cli <span class="nt">-f</span> /usr/share/jenkins/ref/plugins.txt </code></pre> </div> <h3> Deconstructing <code>Dockerfile.controller</code> </h3> <p>Let's walk through this blueprint layer by layer to understand how it solves our specific challenges.</p> <ul> <li><p><strong><code>FROM jenkins/jenkins:lts-jdk21</code></strong><br> We start with the official Long-Term Support (LTS) image for the Jenkins controller. This provides a trusted, stable foundation with a recent Java version.</p></li> <li><p><strong><code>ARG HOST_DOCKER_GID</code></strong><br> This instruction defines a build-time argument. It's how we'll pass the host's Docker group ID into the image when we run our <code>02-build-images.sh</code> script.</p></li> <li><p><strong><code>USER root</code></strong><br> We switch to the <code>root</code> user because we need to perform two critical, system-level installations that the standard <code>jenkins</code> user doesn't have permission to do.</p></li> <li><p><strong>Step 5: Fix CA Trust</strong><br> This <code>RUN</code> command solves our <strong>"JVM Trust" puzzle</strong>. It <code>COPY</code>-ies the <code>ca.pem</code> we staged in our setup script and:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Runs `update-ca-certificates` to add our CA to the **Operating System's** trust store. 2. Runs the Java `keytool` command to import the *same certificate* into the **JVM's** master `cacerts` file. By "baking" this trust into the image, we permanently solve any `SSLHandshakeException` errors. Our controller is now born with a JVM that implicitly trusts our internal GitLab server. </code></pre> </div> <ul> <li> <strong>Step 6: Install Docker CLI &amp; Fix GID Mismatch</strong> This <code>RUN</code> command solves our <strong>"DooD Permission" puzzle</strong>. It's a single, multi-step command that:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Adds the official Docker APT repository. 2. Installs the `docker-ce-cli` package, giving our controller the `docker` command. 3. **Fixes the GID.** This is the key. It executes `groupadd --gid $HOST_DOCKER_GID docker` to create a new `docker` group *inside the container* that has the *exact same numerical GID* as the one on our host. 4. Finally, it adds the `jenkins` user to this new, correctly-ID'd group. This is a permanent, clean solution. By solving the permission issue at the image level, we don't have to use any special `--group-add` flags in our `docker run` command. </code></pre> </div> <ul> <li><p><strong><code>USER jenkins</code></strong><br> With all our system-level modifications complete, we switch back to the low-privilege <code>jenkins</code> user for the rest of the build.</p></li> <li><p><strong>Steps 8 &amp; 9: Install Plugins</strong><br> This is the final step. We <code>COPY</code> our <code>plugins.txt</code> "shopping list" into the official location Jenkins uses for pre-installing plugins. We then <code>RUN</code> the <code>jenkins-plugin-cli</code> script, which reads this list and installs every plugin. This ensures our controller boots up for the first time with all the tools (JCasC, Docker, GitLab) it needs.</p></li> </ul> <h2> 4.3. The "Factory Worker" (<code>Dockerfile.agent</code>) </h2> <p>This is the blueprint for our <code>general-purpose-agent</code>, our "polyglot" factory worker. This image is the real workhorse of our pipeline. Its entire purpose is to be a self-contained, pre-loaded toolset, ready to build our complex "hero project" with zero setup.</p> <p>We start <code>FROM jenkins/agent:latest-jdk21</code>. This is a crucial starting point. Unlike the <code>jenkins/jenkins</code> controller image, this one is a bare-bones Debian base that includes the Java JDK and the <code>agent.jar</code> file, which is responsible for communicating with the controller.</p> <p>Here is the complete <code>Dockerfile.agent</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># Dockerfile.agent</span> <span class="c">#</span> <span class="c"># This blueprint builds our "General Purpose Worker".</span> <span class="c"># It starts from the base Jenkins agent image and "harvests"</span> <span class="c"># all the complex toolchains from our dev-container to</span> <span class="c"># create a "polyglot" builder.</span> <span class="c">#</span> <span class="c"># It is a "cattle" image: stateless, disposable, but</span> <span class="c"># loaded with all the tools our "hero project" needs.</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 1. Start from the official Jenkins agent image (Debian 12 + JDK 21)</span> <span class="k">FROM</span><span class="s"> jenkins/agent:latest-jdk21</span> <span class="k">LABEL</span><span class="s"> authors="warren_jitsing"</span> <span class="c"># 2. Get ARGs from our dev-container for custom builds</span> <span class="k">ARG</span><span class="s"> py312="3.12.12"</span> <span class="k">ARG</span><span class="s"> py313="3.13.9"</span> <span class="k">ARG</span><span class="s"> py314="3.14.0"</span> <span class="k">ARG</span><span class="s"> gcc15="15.2.0"</span> <span class="c"># 3. Switch to 'root' to install everything</span> <span class="k">USER</span><span class="s"> root</span> <span class="c"># 4. Copy our Local CA cert from the build context</span> <span class="c"># (Our '01-setup-jenkins.sh' will place this file here)</span> <span class="k">COPY</span><span class="s"> ca.pem /tmp/ca.pem</span> <span class="c"># 5. Install all OS dependencies (harvested from dev-container + hero project)</span> <span class="c"># This includes base tools, "hero project" deps, and Python build deps</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> build-essential ca-certificates cmake curl flex <span class="se">\ </span> git git-lfs gnupg2 <span class="nb">sudo </span>wget unzip <span class="se">\ </span> llvm lcov hyperfine libcurl4-openssl-dev libboost-all-dev <span class="se">\ </span> libbz2-dev libffi-dev libgdbm-compat-dev libgdbm-dev liblzma-dev <span class="se">\ </span> libncurses5-dev libreadline-dev libsqlite3-dev libssl-dev <span class="se">\ </span> python3-dev python3-pip python3-tk uuid-dev zlib1g-dev <span class="se">\ </span> m4 patch pkg-config procps <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># 6. Build and install custom GCC</span> <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> /tmp/deps/gcc <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">cd</span> /tmp/deps/gcc <span class="se">\ </span> <span class="o">&amp;&amp;</span> curl <span class="nt">-fsSL</span> <span class="s2">"https://github.com/gcc-mirror/gcc/archive/refs/tags/releases/gcc-</span><span class="k">${</span><span class="nv">gcc15</span><span class="k">}</span><span class="s2">.tar.gz"</span> | <span class="nb">tar</span> <span class="nt">-xz</span> <span class="nt">--strip-components</span><span class="o">=</span>1 <span class="se">\ </span> <span class="o">&amp;&amp;</span> ./contrib/download_prerequisites <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">mkdir </span>build <span class="o">&amp;&amp;</span> <span class="nb">cd </span>build <span class="se">\ </span> <span class="o">&amp;&amp;</span> ../configure <span class="nt">--disable-multilib</span> <span class="nt">--enable-languages</span><span class="o">=</span>c,c++ <span class="se">\ </span> <span class="o">&amp;&amp;</span> make <span class="nt">-j</span> <span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> make <span class="nb">install</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">cd</span> / <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /tmp/deps <span class="c"># 7. Add our new custom GCC to the system-wide PATH</span> <span class="k">RUN </span><span class="nb">echo</span> <span class="s1">'export PATH="/usr/local/bin:${PATH}"'</span> <span class="o">&gt;</span> /etc/profile.d/gcc.sh <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s1">'export LD_LIBRARY_PATH="/usr/local/lib64:${LD_LIBRARY_PATH}"'</span> <span class="o">&gt;&gt;</span> /etc/profile.d/gcc.sh <span class="c"># 8. Build and install custom Python versions</span> <span class="k">RUN for </span>version <span class="k">in</span> <span class="nv">$py312</span> <span class="nv">$py313</span> <span class="nv">$py314</span><span class="p">;</span> <span class="k">do</span> <span class="se">\ </span> <span class="nb">echo</span> <span class="s2">"--- Building Python version </span><span class="k">${</span><span class="nv">version</span><span class="k">}</span><span class="s2"> ---"</span><span class="p">;</span> <span class="se">\ </span> <span class="nb">mkdir</span> <span class="nt">-p</span> /tmp/deps/python<span class="p">;</span> <span class="se">\ </span> <span class="nb">cd</span> /tmp/deps/python<span class="p">;</span> <span class="se">\ </span> curl <span class="nt">-fsSL</span> <span class="s2">"https://github.com/python/cpython/archive/refs/tags/v</span><span class="k">${</span><span class="nv">version</span><span class="k">}</span><span class="s2">.tar.gz"</span> | <span class="nb">tar</span> <span class="nt">-xz</span> <span class="nt">--strip-components</span><span class="o">=</span>1<span class="p">;</span> <span class="se">\ </span> <span class="nv">CONFIGURE_FLAGS</span><span class="o">=</span><span class="s2">"--enable-optimizations --enable-loadable-sqlite-extensions --with-lto=full"</span><span class="p">;</span> <span class="se">\ </span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$version</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"</span><span class="nv">$py313</span><span class="s2">"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$version</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"</span><span class="nv">$py314</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="se">\ </span> <span class="nb">echo</span> <span class="s2">"--- Adding --disable-gil flag for nogil build ---"</span><span class="p">;</span> <span class="se">\ </span> <span class="nv">CONFIGURE_FLAGS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CONFIGURE_FLAGS</span><span class="s2"> --disable-gil"</span><span class="p">;</span> <span class="se">\ </span> <span class="k">fi</span><span class="p">;</span> <span class="se">\ </span> ./configure <span class="nv">$CONFIGURE_FLAGS</span><span class="p">;</span> <span class="se">\ </span> make <span class="nt">-j</span> <span class="si">$(</span><span class="nb">nproc</span><span class="si">)</span><span class="p">;</span> <span class="se">\ </span> make altinstall<span class="p">;</span> <span class="se">\ </span> <span class="nb">cd</span> / <span class="p">;</span> <span class="se">\ </span> <span class="k">done</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /tmp/deps <span class="c"># 9. Install SonarScanner CLI (as root)</span> <span class="k">RUN </span>wget <span class="nt">-O</span> /tmp/sonar.zip <span class="s2">"https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.3.0.5189-linux-x64.zip"</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> unzip /tmp/sonar.zip <span class="nt">-d</span> /opt <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">mv</span> /opt/sonar-scanner-<span class="k">*</span> /opt/sonar-scanner <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">ln</span> <span class="nt">-s</span> /opt/sonar-scanner/bin/sonar-scanner /usr/bin/sonar-scanner <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> /tmp/sonar.zip <span class="c"># 10. Fix CA Trust (for both OS/git and JVM) (as root)</span> <span class="k">RUN </span><span class="nb">cp</span> /tmp/ca.pem /usr/local/share/ca-certificates/cicd-stack-ca.crt <span class="se">\ </span> <span class="o">&amp;&amp;</span> update-ca-certificates <span class="se">\ </span> <span class="o">&amp;&amp;</span> keytool <span class="nt">-importcert</span> <span class="se">\ </span> <span class="nt">-keystore</span> /opt/java/openjdk/lib/security/cacerts <span class="se">\ </span> <span class="nt">-storepass</span> changeit <span class="se">\ </span> <span class="nt">-file</span> /tmp/ca.pem <span class="se">\ </span> <span class="nt">-alias</span> <span class="s2">"CICD-Root-CA"</span> <span class="se">\ </span> <span class="nt">-noprompt</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> /tmp/ca.pem <span class="c"># 11. Switch to the default agent user</span> <span class="k">USER</span><span class="s"> jenkins</span> <span class="c"># 12. Install user-specific toolchains (Rust and Julia)</span> <span class="k">RUN </span>curl https://sh.rustup.rs <span class="nt">-sSf</span> | sh <span class="nt">-s</span> <span class="nt">--</span> <span class="nt">-y</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> curl <span class="nt">-fsSL</span> https://install.julialang.org | sh <span class="nt">-s</span> <span class="nt">--</span> <span class="nt">-y</span> <span class="c"># 13. Install cargo-llvm-cov</span> <span class="c"># We must source the env file in the *same* command</span> <span class="k">RUN </span><span class="nb">.</span> <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.cargo/env"</span> <span class="o">&amp;&amp;</span> cargo <span class="nb">install </span>cargo-llvm-cov <span class="c"># 14. Add the new toolchains to the container's PATH</span> <span class="c"># This ENV instruction makes them available to all subsequent</span> <span class="c"># Jenkins 'sh' steps.</span> <span class="k">ENV</span><span class="s"> PATH="/home/jenkins/.cargo/bin:/home/jenkins/.juliaup/bin:${PATH}"</span> <span class="c"># 15. Set the Entrypoint (must be last)</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", "-jar", "/usr/share/jenkins/agent.jar"]</span> </code></pre> </div> <h3> Deconstructing <code>Dockerfile.agent</code> </h3> <p>This <code>Dockerfile</code> is more complex than the controller's because it's responsible for building our actual "polyglot" toolchain.</p> <ul> <li><p><strong>Steps 1-8: Harvesting the Toolchain</strong><br> Just like our controller, we switch to <code>root</code> to install system software. The <code>apt-get</code> command is a "harvested" list from our <code>dev-container</code>, containing all the C++, Boost, and Python dependencies our "hero project" needs. We then run the <em>exact same</em> build-from-source commands for <strong>GCC</strong> and <strong>Python</strong>. This is the key to solving the "it works on my machine" problem: our build agent's toolchain is now identical to our development environment's.</p></li> <li><p><strong>Step 9: Pre-installing Future Tools</strong><br> We also take this opportunity to install the <code>sonar-scanner</code> CLI. We aren't using it yet, but pre-installing it here means our agent will be ready for our SonarQube (Quality Assurance) article without needing another rebuild.</p></li> <li><p><strong>Step 10: The "Dual Trust" Fix</strong><br> This <code>RUN</code> command is critical. It solves the trust problem for <em>both</em> toolchains on the agent:</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. `update-ca-certificates`: This makes the **Operating System** (and thus tools like `git` and `curl`) trust our internal CA. 2. `keytool -importcert...`: This makes the **JVM** (and thus Java-based tools like `sonar-scanner`) trust our internal CA. Without this "dual fix," either our `git clone` or our future quality scan would fail. </code></pre> </div> <ul> <li><p><strong>Steps 11-14: The User-Context Switch</strong><br> This is the solution to our <code>cargo: command not found</code> debugging session. We switch to the <code>USER jenkins</code> <em>before</em> installing user-space tools. The <code>rustup</code> and <code>juliaup</code> installers now correctly place their binaries in <code>/home/jenkins/.cargo/bin</code>. We then use the <code>ENV</code> instruction to permanently add this new directory to the <code>jenkins</code> user's <code>PATH</code>, making <code>cargo</code> and <code>rustc</code> available to all pipeline steps.</p></li> <li><p><strong>Step 15: The <code>ENTRYPOINT</code> Fix</strong><br> This is the final, and most important, instruction. Our investigation with <code>docker image inspect</code> revealed that the <code>jenkins/agent</code> base image has no <code>ENTRYPOINT</code>. This was the cause of our <code>exec: "-url": executable file not found</code> error, as the Docker plugin was passing its connection arguments as a command. This line "promotes" our image from a simple "bag of tools" to a functional, executable agent. This Java command is the program that will run, consume the connection arguments, and successfully link our worker to the controller.</p></li> </ul> <h1> Chapter 5: Action Plan (Part 2) – The "Factory Layout" (JCasC) </h1> <p>With our two "blueprints" (<code>Dockerfile.controller</code> and <code>Dockerfile.agent</code>) designed, we now need to write the "master plan" that tells the Jenkins controller how to operate. This is our Configuration-as-Code (JCasC) file, <code>jenkins.yaml</code>.</p> <p>This file is the "factory layout" for our "Foreman's office." It defines everything: where the doors are, who has keys, what tools are in the cabinets, and how to contact the "hiring department."</p> <p>We won't write this file by hand. Instead, our <code>01-setup-jenkins.sh</code> script will <em>generate</em> it. This allows us to programmatically inject values like our port numbers and use environment variables for our secrets. This approach gives us the best of both worlds: a clean, version-controlled YAML structure and a secure way to handle sensitive passwords and tokens.</p> <p>Let's deconstruct the <code>jenkins.yaml</code> file that our setup script will create.</p> <h2> 5.1. The <code>jenkins.yaml</code> File </h2> <h3> The <code>jenkins:</code> Block: Core Configuration </h3> <p>This is the main block for the controller itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jenkins</span><span class="pi">:</span> <span class="na">systemMessage</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Jenkins</span><span class="nv"> </span><span class="s">Controller</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">CI/CD</span><span class="nv"> </span><span class="s">Stack</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">${HOSTNAME}"</span> <span class="na">numExecutors</span><span class="pi">:</span> <span class="m">0</span> <span class="na">slaveAgentPort</span><span class="pi">:</span> <span class="m">10401</span> <span class="na">securityRealm</span><span class="pi">:</span> <span class="na">local</span><span class="pi">:</span> <span class="na">allowsSignup</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">admin"</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${JENKINS_ADMIN_PASSWORD}"</span> <span class="na">authorizationStrategy</span><span class="pi">:</span> <span class="na">globalMatrix</span><span class="pi">:</span> <span class="na">entries</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">admin"</span> <span class="na">permissions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Overall/Administer"</span> <span class="c1"># ... (other permissions) ...</span> </code></pre> </div> <p>Here's what we're defining:</p> <ul> <li> <strong><code>numExecutors: 0</code></strong>: This is the most important setting for our architecture. We are explicitly telling the "Foreman" (Controller) that it is <strong>not allowed to run any builds itself</strong>. Its executor count is zero. This enforces our "Controller/Agent" model, ensuring all work is delegated to ephemeral agents.</li> <li> <strong><code>slaveAgentPort: 10401</code></strong>: This defines the internal port our agents will use to connect back to the controller (via the JNLP protocol). We define this here in JCasC, which is the modern, correct way to set it. We'll then expose this port in our <code>docker run</code> command.</li> <li> <strong><code>securityRealm:</code></strong>: This block creates our users. We define a local <code>admin</code> user and set its password by reading from the <code>${JENKINS_ADMIN_PASSWORD}</code> environment variable. This variable will be passed into the container from our <code>jenkins.env</code> file.</li> <li> <strong><code>authorizationStrategy:</code></strong>: This is where our <code>matrix-auth</code> plugin comes in. We use <code>globalMatrix</code> to grant our <code>admin</code> user full <code>Overall/Administer</code> permissions. This locks down the instance so that only our <code>admin</code> user can do anything, securing Jenkins from the moment it boots.</li> </ul> <h3> The <code>credentials:</code> Block: The "Key Cabinet" </h3> <p>This block is at the <strong>root level</strong> (not nested under <code>jenkins:</code>). This is one of those syntax details we discovered through debugging. This block defines all the secret tokens our Jenkins system needs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">credentials</span><span class="pi">:</span> <span class="na">system</span><span class="pi">:</span> <span class="na">domainCredentials</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">credentials</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">string</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gitlab-api-token"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">GLOBAL</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GitLab</span><span class="nv"> </span><span class="s">API</span><span class="nv"> </span><span class="s">Token</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">Jenkins"</span> <span class="na">secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${GITLAB_API_TOKEN}"</span> <span class="pi">-</span> <span class="na">usernamePassword</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gitlab-checkout-credentials"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">GLOBAL</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GitLab</span><span class="nv"> </span><span class="s">Project</span><span class="nv"> </span><span class="s">Token</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">repo</span><span class="nv"> </span><span class="s">checkout"</span> <span class="na">username</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gitlab-checkout-bot"</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${GITLAB_CHECKOUT_TOKEN}"</span> <span class="c1"># NEW: Modern credential for Plugin &gt; v736</span> <span class="pi">-</span> <span class="na">gitlabGroupAccessToken</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">articles-gat"</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">GLOBAL</span> <span class="na">token</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${ARTICLES_GAT}"</span> </code></pre> </div> <p>Here, we are creating two critical credentials:</p> <ol> <li> <strong><code>gitlab-api-token</code></strong>: This is a <code>string</code> (or secret text) credential. It holds our "all-powerful" GitLab PAT. The controller itself will use this token for API calls, like scanning repositories or reporting build status.</li> <li> <strong><code>gitlab-checkout-credentials</code></strong>: This is a <code>usernamePassword</code> credential. It holds the <em>Project Access Token</em> we created for our <code>http-client</code> project. The <code>username</code> is just a descriptive label, and the <code>password</code> is the token itself (read from <code>${GITLAB_CHECKOUT_TOKEN}</code>). Our pipeline job will use this to <code>git clone</code> the private repository.</li> <li> <strong><code>articles-gat</code></strong> <strong>(New for 2025)</strong>: Newer versions of the gitlab-branch-source plugin (v736+) require a strictly typed Group Access Token. We define this as a gitlabGroupAccessToken credential using the ${ARTICLES_GAT} variable. This ensures that if you are using a modern plugin version, you will have a valid credential available for checkout that avoids the 403 Forbidden error.</li> </ol> <h3> The <code>unclassified:</code> Block: The "GitLab Bridge" </h3> <p>This is another root-level block, and its name is not obvious. <code>unclassified</code> is the JCasC key for plugins that don't have their own, cleaner top-level key. Here, we configure the <code>gitlab-branch-source</code> plugin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">unclassified</span><span class="pi">:</span> <span class="na">gitLabServers</span><span class="pi">:</span> <span class="na">servers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Local</span><span class="nv"> </span><span class="s">GitLab"</span> <span class="na">serverUrl</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://gitlab.cicd.local:10300"</span> <span class="na">credentialsId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gitlab-api-token"</span> <span class="na">manageWebHooks</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>This configuration tells Jenkins:</p> <ul> <li>There is one GitLab server, and its name is "Local GitLab".</li> <li>Its URL is <code>https://gitlab.cicd.local:10300</code>.</li> <li>To authenticate against its API, it should use the <code>gitlab-api-token</code> credential we just defined.</li> <li> <code>manageWebHooks: true</code>: This is a powerful setting. It gives Jenkins permission to <em>automatically</em> create webhooks in our GitLab projects for us.</li> </ul> <h3> The <code>clouds:</code> Block: The "Hiring Department" </h3> <p>This final root-level block is the most complex and important. It's where we configure the <code>docker-plugin</code> and define our entire "Foreman/Worker" dynamic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">clouds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-local"</span> <span class="na">dockerApi</span><span class="pi">:</span> <span class="na">dockerHost</span><span class="pi">:</span> <span class="na">uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">unix:///var/run/docker.sock"</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">general-purpose-agent"</span> <span class="na">labelString</span><span class="pi">:</span> <span class="s2">"</span><span class="s">general-purpose-agent"</span> <span class="na">remoteFs</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/home/jenkins/agent"</span> <span class="na">pullStrategy</span><span class="pi">:</span> <span class="s1">'</span><span class="s">PULL_NEVER'</span> <span class="na">dockerCommand</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">removeVolumes</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dockerTemplateBase</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">general-purpose-agent:latest"</span> <span class="na">network</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cicd-net"</span> <span class="na">connector</span><span class="pi">:</span> <span class="na">jnlp</span><span class="pi">:</span> <span class="na">jenkinsUrl</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://jenkins.cicd.local:10400/"</span> </code></pre> </div> <p>Let's deconstruct this:</p> <ul> <li> <strong><code>dockerApi:</code></strong>: We point the plugin to the DooD socket at <code>unix:///var/run/docker.sock</code>.</li> <li> <strong><code>templates:</code></strong>: This is the list of "worker types" our Foreman can hire. We define one: <ul> <li> <strong><code>labelString: "general-purpose-agent"</code></strong>: This is the "job title." Our <code>Jenkinsfile</code> will request a worker with this label (<code>agent { label 'general-purpose-agent' }</code>).</li> <li> <strong><code>pullStrategy: 'PULL_NEVER'</code></strong>: This was a key discovery. It tells Jenkins to <em>never</em> try to pull the image from Docker Hub and to <em>only</em> use the local <code>general-purpose-agent:latest</code> image we built.</li> <li> <strong><code>dockerCommand: ""</code></strong>: This was our <em>other</em> major debugging fix. It tells the plugin to <em>not</em> override the container's <code>ENTRYPOINT</code>, which is what we thought would finally solve our <code>exec: "-url": executable file not found</code> error.</li> <li> <strong><code>removeVolumes: true</code></strong>: This is a cleanup fix. It tells Jenkins to delete the agent's anonymous volumes when the container is removed, preventing our host from filling up with orphaned volumes.</li> <li> <strong><code>dockerTemplateBase:</code></strong>: This defines the agent's runtime. <ul> <li> <strong><code>image: "general-purpose-agent:latest"</code></strong>: The name of our custom-built image.</li> <li> <strong><code>network: "cicd-net"</code></strong>: This is critical. It connects our agent to our private "city" network, allowing it to resolve <code>gitlab.cicd.local</code>.</li> </ul> </li> <li> <strong><code>connector:</code></strong>: This tells the agent <em>how</em> to find the Foreman. We give it the full JNLP URL: <code><a href="https://jenkins.cicd.local:10400/" rel="noopener noreferrer">https://jenkins.cicd.local:10400/</a></code>.</li> </ul> </li> </ul> <h3> A Critical Note on JCasC and Credentials </h3> <p>This <code>credentials:</code> block highlights a fundamental, and critical, part of our Configuration-as-Code architecture that we discovered during our testing.</p> <p><strong>1. The JCasC File is the Single Source of Truth</strong></p> <p>Our <code>jenkins.yaml</code> file is the <em>authoritative</em> definition of our Jenkins configuration. When the controller starts, the JCasC plugin reads this file and forces the system's configuration to match it.</p> <p>This means <strong>any credentials you add manually via the UI will be lost</strong> when the container is restarted or re-deployed. We experienced this ourselves: after manually adding our <code>gitlab-checkout-credentials</code> in the UI, a simple container restart wiped them out, causing our builds to fail again.</p> <p>The only way to create <em>permanent</em> credentials that survive restarts is to define them here, in our <code>jenkins.yaml</code> blueprint.</p> <p><strong>2. Understanding GitLab Tokens in JCasC</strong></p> <p>In our file, we are using two <em>different</em> credential <em>kinds</em> for two different GitLab tokens. This is a deliberate choice for our architecture:</p> <ul> <li><p><strong><code>string</code> (for <code>gitlab-api-token</code>):</strong> This is a <strong>Personal Access Token (PAT)</strong> with <code>api</code> scope. It's used by the <code>gitlab-branch-source</code> plugin itself to scan repositories and report build statuses. The plugin is designed to read a <code>string</code> (or "Secret Text") credential.</p></li> <li> <p><strong><code>usernamePassword</code> (for <code>gitlab-checkout-credentials</code>):</strong> This is a <strong>Project Access Token (PAT)</strong> with a much more limited <code>read_repository</code> scope. This is the token our pipeline's <code>git clone</code> command will use. We use the <code>usernamePassword</code> type because it's what the Git checkout step expects.</p> <ul> <li> <strong>The <code>username</code> is just a label.</strong> GitLab's token auth does not care what is in the <code>username</code> field (<code>gitlab-checkout-bot</code>). It only cares about the token. We are putting the token in the <code>password</code> field, which is what <code>git</code> will present to the server.</li> </ul> </li> </ul> <p>You can use a Personal, Group, or Project token for the <code>usernamePassword</code> credential. Our choice to use a <strong>Project Access Token</strong> here is an example of the <strong>Principle of Least Privilege</strong>: the build pipeline only gets permission to <em>read this one project</em>, not our entire GitLab instance.</p> <h1> Chapter 6: Action Plan (Part 3) – The "Architect, Build, Deploy" Scripts </h1> <p>With our "blueprints" (<code>Dockerfiles</code>) and "factory layout" (the <code>jenkins.yaml</code> design) complete, it's time to execute our plan. We will use a three-script "Architect, Build, Deploy" pattern, just as we did for our previous services.</p> <p>This separates our logic cleanly:</p> <ol> <li> <strong><code>01-setup-jenkins.sh</code></strong>: The "Architect" script that runs on the host to <em>prepare</em> all configuration.</li> <li> <strong><code>02-build-images.sh</code></strong>: The "Build" script that <em>creates</em> our custom Docker images.</li> <li> <strong><code>03-deploy-controller.sh</code></strong>: The "Deploy" script that <em>runs</em> the Jenkins controller.</li> </ol> <p>Let's start with the "Architect."</p> <h2> 6.1. The "Architect" Script (<code>01-setup-jenkins.sh</code>) </h2> <p>This is our master setup script. Its sole purpose is to run on the host machine and generate <em>all</em> the configuration "artifacts" our other scripts and Dockerfiles will need. It's the "blueprint processor" that assembles all our plans and secrets into ready-to-use files.</p> <p>Here is the complete script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 01-setup-jenkins.sh</span> <span class="c">#</span> <span class="c"># This is the master "architect" script for Jenkins.</span> <span class="c">#</span> <span class="c"># It runs *once* on the host machine to generate all the</span> <span class="c"># "blueprints" (JCasC, etc.) needed to deploy our Controller.</span> <span class="c">#</span> <span class="c"># 1. Scoped Env: Creates a 'jenkins.env' file.</span> <span class="c"># 2. Keystore: Generates the 'jenkins.p12' Java keystore.</span> <span class="c"># 3. JCasC: Writes the 'jenkins.yaml' file with the</span> <span class="c"># correct Docker Cloud syntax.</span> <span class="c"># 4. CA Trust: Copies 'ca.pem' into the build context</span> <span class="c"># for both Dockerfiles to use.</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting Jenkins 'Architect' Setup..."</span> <span class="c"># --- 1. Define Core Paths &amp; Variables ---</span> <span class="c"># This is our main config directory from Article 1</span> <span class="nv">JENKINS_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/jenkins/config"</span> <span class="c"># This is our Jenkins build context (current directory)</span> <span class="nv">BUILD_CONTEXT_DIR</span><span class="o">=</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span> <span class="c"># Master "Secrets" file from Article 1</span> <span class="nv">MASTER_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/cicd.env"</span> <span class="c"># Source the master secrets file to load them into this script</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⛔ ERROR: Master env file not found at </span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">source</span> <span class="s2">"</span><span class="nv">$MASTER_ENV_FILE</span><span class="s2">"</span> <span class="c"># --- 2. Define Ports &amp; Passwords ---</span> <span class="c"># We will use the 104xx block for Jenkins</span> <span class="nv">JENKINS_HTTPS_PORT</span><span class="o">=</span><span class="s2">"10400"</span> <span class="nv">JENKINS_JNLP_PORT</span><span class="o">=</span><span class="s2">"10401"</span> <span class="c"># Generate passwords if they aren't set in the env file</span> : <span class="s2">"</span><span class="k">${</span><span class="nv">JENKINS_ADMIN_PASSWORD</span>:<span class="p">=</span><span class="s2">"admin-</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 8<span class="si">)</span><span class="s2">"</span><span class="k">}</span><span class="s2">"</span> : <span class="s2">"</span><span class="k">${</span><span class="nv">JENKINS_KEYSTORE_PASSWORD</span>:<span class="p">=</span><span class="s2">"key-</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 12<span class="si">)</span><span class="s2">"</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"🔧 Jenkins Ports Set:"</span> <span class="nb">echo</span> <span class="s2">" - UI (HTTPS): </span><span class="nv">$JENKINS_HTTPS_PORT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" - Agent (JNLP): </span><span class="nv">$JENKINS_JNLP_PORT</span><span class="s2">"</span> <span class="c"># --- 3. Create "Scoped" jenkins.env File ---</span> <span class="c"># This is our "Least Privilege" secrets file for the container</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BUILD_CONTEXT_DIR</span><span class="s2">/jenkins.env"</span> <span class="nb">echo</span> <span class="s2">"🔑 Creating scoped 'jenkins.env' file..."</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$SCOPED_ENV_FILE</span><span class="sh">" # This file is auto-generated by 01-setup-jenkins.sh # It contains *only* the secrets needed by Jenkins. # --- JCasC Variables --- JENKINS_ADMIN_PASSWORD=</span><span class="k">${</span><span class="nv">JENKINS_ADMIN_PASSWORD</span><span class="k">}</span><span class="sh"> GITLAB_API_TOKEN=</span><span class="k">${</span><span class="nv">GITLAB_API_TOKEN</span><span class="k">}</span><span class="sh"> GITLAB_CHECKOUT_TOKEN=</span><span class="k">${</span><span class="nv">GITLAB_CHECKOUT_TOKEN</span><span class="k">}</span><span class="sh"> ARTICLES_GAT=</span><span class="k">${</span><span class="nv">ARTICLES_GAT</span><span class="k">}</span><span class="sh"> # --- Keystore Password --- JENKINS_KEYSTORE_PASSWORD=</span><span class="k">${</span><span class="nv">JENKINS_KEYSTORE_PASSWORD</span><span class="k">}</span><span class="sh"> </span><span class="no">EOF </span><span class="nb">grep</span> <span class="nt">-qxF</span> <span class="s2">"jenkins.env"</span> .gitignore <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"jenkins.env"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">" Done."</span> <span class="c"># --- 4. Prepare Certificate Assets ---</span> <span class="nb">echo</span> <span class="s2">"🔐 Preparing SSL certificates..."</span> <span class="c"># Create directories for the Keystore</span> <span class="nv">SSL_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_CONFIG_DIR</span><span class="s2">/ssl"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$SSL_DIR</span><span class="s2">"</span> <span class="c"># Define CA and Service Cert paths from Article 2</span> <span class="nv">CA_CERT_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/ca/pki/certs/ca.pem"</span> <span class="nv">SERVICE_CERT_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/ca/pki/services/jenkins.cicd.local/jenkins.cicd.local.crt.pem"</span> <span class="nv">SERVICE_KEY_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/ca/pki/services/jenkins.cicd.local/jenkins.cicd.local.key.pem"</span> <span class="nv">P12_KEYSTORE_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SSL_DIR</span><span class="s2">/jenkins.p12"</span> <span class="c"># 4a. Copy 'ca.pem' into our build context for both Dockerfiles</span> <span class="c"># This will be .gitignore'd</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$CA_CERT_PATH</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$BUILD_CONTEXT_DIR</span><span class="s2">/ca.pem"</span> <span class="nb">grep</span> <span class="nt">-qxF</span> <span class="s2">"ca.pem"</span> .gitignore <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"ca.pem"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="c"># 4b. Create the .p12 Java Keystore for the Controller's UI</span> <span class="nb">echo</span> <span class="s2">" Generating 'jenkins.p12' Java Keystore..."</span> openssl pkcs12 <span class="nt">-export</span> <span class="se">\</span> <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$SERVICE_CERT_PATH</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-inkey</span> <span class="s2">"</span><span class="nv">$SERVICE_KEY_PATH</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-name</span> jenkins <span class="se">\</span> <span class="nt">-out</span> <span class="s2">"</span><span class="nv">$P12_KEYSTORE_PATH</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-passout</span> <span class="s2">"pass:</span><span class="k">${</span><span class="nv">JENKINS_KEYSTORE_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Done."</span> <span class="c"># --- 5. Generate JCasC 'jenkins.yaml' ---</span> <span class="nv">JCAS_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JENKINS_CONFIG_DIR</span><span class="s2">/jenkins.yaml"</span> <span class="nb">echo</span> <span class="s2">"📝 Generating 'jenkins.yaml' (JCasC) blueprint..."</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; "</span><span class="nv">$JCAS_FILE</span><span class="sh">" # # This file is auto-generated by 01-setup-jenkins.sh # It is the "factory layout" (JCasC) for our Jenkins Controller. # jenkins: # Set the system message systemMessage: "Jenkins Controller - CI/CD Stack - </span><span class="k">${</span><span class="nv">HOSTNAME</span><span class="k">}</span><span class="sh">" # This is the fix for the "built-in node" security warning numExecutors: 0 # Configure our JNLP agent port slaveAgentPort: </span><span class="k">${</span><span class="nv">JENKINS_JNLP_PORT</span><span class="k">}</span><span class="sh"> # --- Security Configuration --- # Use the modern, nested 'entries' syntax authorizationStrategy: globalMatrix: entries: # Grant 'admin' full administrator permissions - user: name: "admin" permissions: - "Overall/Administer" - "Overall/Read" - "Agent/Build" - "Agent/Configure" - "Agent/Connect" - "Agent/Create" - "Agent/Delete" - "Agent/Disconnect" - "Credentials/Create" - "Credentials/Delete" - "Credentials/ManageDomains" - "Credentials/Update" - "Credentials/View" - "Job/Build" - "Job/Cancel" - "Job/Configure" - "Job/Create" - "Job/Delete" - "Job/Discover" - "Job/Move" - "Job/Read" - "Job/Workspace" - "Run/Delete" - "Run/Replay" - "Run/Update" - "View/Configure" - "View/Create" - "View/Delete" - "View/Read" # Grant 'anonymous' read-only access - group: name: "anonymous" permissions: - "Overall/Read" - "Job/Read" - "Job/Discover" # Grant 'authenticated' (all logged-in users) basic job rights - group: name: "authenticated" permissions: - "Overall/Read" - "Job/Read" - "Job/Build" - "Job/Discover" # 'securityRealm' is a child of 'jenkins:' securityRealm: local: allowsSignup: false users: # Create our 'admin' user with the password from our .env file - id: "admin" password: "</span><span class="se">\$</span><span class="sh">{JENKINS_ADMIN_PASSWORD}" # --- Cloud Configuration (The "Hiring Department") --- # 'clouds' is a valid top-level attribute of 'jenkins:' clouds: - docker: name: "docker-local" # Point to the DooD socket (permissions fixed in Dockerfile) dockerApi: dockerHost: uri: "unix:///var/run/docker.sock" # Define our "General Purpose Worker" template templates: - name: "general-purpose-agent" # This is the correct attribute for the label labelString: "general-purpose-agent" # The agent's working directory remoteFs: "/home/jenkins/agent" pullStrategy: 'PULL_NEVER' dockerCommand: "" removeVolumes: true # All base properties are nested inside dockerTemplateBase dockerTemplateBase: # The custom image we built image: "general-purpose-agent:latest" # The "road network" for our city network: "cicd-net" # The connector stays at the top level connector: jnlp: # This 'jenkinsUrl' is for the *agent* to find the controller jenkinsUrl: "https://jenkins.cicd.local:</span><span class="k">${</span><span class="nv">JENKINS_HTTPS_PORT</span><span class="k">}</span><span class="sh">/" # --- Tool Configuration --- # This 'tool' block is at the ROOT level, not inside 'jenkins:' tool: git: installations: - name: "Default" home: "git" # --- Credentials Configuration --- credentials: system: domainCredentials: - credentials: - string: id: "gitlab-api-token" scope: GLOBAL description: "GitLab API Token for Jenkins" secret: "</span><span class="se">\$</span><span class="sh">{GITLAB_API_TOKEN}" - usernamePassword: id: "gitlab-checkout-credentials" scope: GLOBAL description: "GitLab Project Token for repo checkout" username: "gitlab-checkout-bot" password: "</span><span class="se">\$</span><span class="sh">{GITLAB_CHECKOUT_TOKEN}" # NEW: Modern credential for Plugin &gt; v736 - gitlabGroupAccessToken: id: "articles-gat" scope: GLOBAL token: "</span><span class="se">\$</span><span class="sh">{ARTICLES_GAT}" # --- Plugin Configuration (The "Bridge" to GitLab) --- unclassified: # The correct JCasC root for 'gitlab-branch-source' is 'gitLabServers' gitLabServers: servers: - name: "Local GitLab" serverUrl: "https://gitlab.cicd.local:10300" credentialsId: "gitlab-api-token" # We don't need 'clientBuilderId' for this plugin, # but we do need to enable hook management. manageWebHooks: true manageSystemHooks: false </span><span class="no">EOF </span><span class="nb">echo</span> <span class="s2">" Done."</span> <span class="nb">echo</span> <span class="s2">"✅ Jenkins 'Architect' setup is complete."</span> <span class="nb">echo</span> <span class="s2">" All blueprints (JCasC, env) are generated."</span> <span class="nb">echo</span> <span class="s2">" All certs are staged in the correct locations."</span> <span class="nb">echo</span> <span class="s2">" You can now run '02-build-images.sh'."</span> </code></pre> </div> <h3> Deconstructing the "Architect" Script </h3> <p>This script performs five critical setup tasks before we ever build an image or run a container.</p> <ol> <li> <strong>Sources the Master <code>cicd.env</code> File:</strong> It pulls in all our master secrets (like <code>GITLAB_API_TOKEN</code>) so it can use them to populate other files.</li> <li> <strong>Creates a "Scoped" <code>jenkins.env</code> File:</strong> This is a key security practice. Instead of passing all our secrets to the controller, this creates a new <code>jenkins.env</code> file that contains <em>only</em> the secrets Jenkins needs: its admin password, the GitLab API token, the checkout token, and the keystore password. This file is what we'll pass to our container.</li> <li> <strong>Copies the <code>ca.pem</code>:</strong> It copies our CA certificate from Article 2 into the current directory. Our <code>Dockerfile.controller</code> and <code>Dockerfile.agent</code> will <code>COPY</code> this file to "bake in" trust.</li> <li> <strong>Generates the <code>.p12</code> Keystore:</strong> This is the Java SSL solution from Chapter 3. It runs the <code>openssl pkcs12 -export</code> command, bundling our <code>jenkins.cicd.local</code> certificate and key into the <code>jenkins.p12</code> file that the controller's web server can understand.</li> <li> <strong>Generates the <code>jenkins.yaml</code> JCasC File:</strong> This is the script's main job. It writes our entire "factory layout" to <code>jenkins.yaml</code>, programmatically inserting our port numbers (<code>$JENKINS_HTTPS_PORT</code>) and using the <code>\${VARIABLE}</code> syntax to template the secrets. This generated file is the complete, final blueprint for our controller.</li> </ol> <h2> 6.2. The "Build" Script (<code>02-build-images.sh</code>) </h2> <p>With our "Architect" script having prepared all the blueprints and staged the <code>ca.pem</code> file, we're ready to "build" our images. This script's job is to run the <code>docker build</code> commands, feeding our <code>Dockerfiles</code> all the build-time arguments they need.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 02-build-images.sh</span> <span class="c">#</span> <span class="c"># This is the "build" script. It builds our two custom</span> <span class="c"># Docker images:</span> <span class="c">#</span> <span class="c"># 1. jenkins-controller: The "Foreman" (UI)</span> <span class="c"># 2. general-purpose-agent: The "Worker" (Build Tools)</span> <span class="c">#</span> <span class="c"># It's responsible for finding the host's 'docker' GID</span> <span class="c"># and passing all the correct build-time arguments to</span> <span class="c"># each Dockerfile.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting Jenkins Image Build..."</span> <span class="c"># --- 1. Find Host Docker GID ---</span> <span class="c"># We need this for the "build-time" GID fix in Dockerfile.controller</span> <span class="nv">HOST_DOCKER_GID</span><span class="o">=</span><span class="si">$(</span>getent group docker | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f3</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$HOST_DOCKER_GID</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⛔ ERROR: 'docker' group not found on host."</span> <span class="nb">echo</span> <span class="s2">"Please ensure the docker group exists and your user is a member."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"🔧 Host 'docker' GID found: </span><span class="nv">$HOST_DOCKER_GID</span><span class="s2">"</span> <span class="c"># --- 2. Define Toolchain Build Arguments ---</span> <span class="c"># These ARGs must match what Dockerfile.agent expects</span> <span class="nv">PY312</span><span class="o">=</span><span class="s2">"3.12.12"</span> <span class="nv">PY313</span><span class="o">=</span><span class="s2">"3.13.9"</span> <span class="nv">PY314</span><span class="o">=</span><span class="s2">"3.14.0"</span> <span class="nv">GCC15</span><span class="o">=</span><span class="s2">"15.2.0"</span> <span class="c"># --- 3. Build the Controller Image ---</span> <span class="nb">echo</span> <span class="s2">"--- Building 'jenkins-controller:latest' ---"</span> docker build <span class="nt">--progress</span><span class="o">=</span>plain <span class="se">\</span> <span class="nt">--build-arg</span> <span class="nv">HOST_DOCKER_GID</span><span class="o">=</span><span class="nv">$HOST_DOCKER_GID</span> <span class="se">\</span> <span class="nt">-f</span> Dockerfile.controller <span class="se">\</span> <span class="nt">-t</span> jenkins-controller:latest <span class="nb">.</span> <span class="nb">echo</span> <span class="s2">"✅ 'jenkins-controller' build complete."</span> <span class="c"># --- 4. Build the Agent Image ---</span> <span class="nb">echo</span> <span class="s2">"--- Building 'general-purpose-agent:latest' ---"</span> docker build <span class="nt">--progress</span><span class="o">=</span>plain <span class="se">\</span> <span class="nt">--build-arg</span> <span class="nv">py312</span><span class="o">=</span><span class="nv">$PY312</span> <span class="se">\</span> <span class="nt">--build-arg</span> <span class="nv">py313</span><span class="o">=</span><span class="nv">$PY313</span> <span class="se">\</span> <span class="nt">--build-arg</span> <span class="nv">py314</span><span class="o">=</span><span class="nv">$PY314</span> <span class="se">\</span> <span class="nt">--build-arg</span> <span class="nv">gcc15</span><span class="o">=</span><span class="nv">$GCC15</span> <span class="se">\</span> <span class="nt">-f</span> Dockerfile.agent <span class="se">\</span> <span class="nt">-t</span> general-purpose-agent:latest <span class="nb">.</span> <span class="nb">echo</span> <span class="s2">"✅ 'general-purpose-agent' build complete."</span> <span class="nb">echo</span> <span class="s2">"🎉 Both Jenkins images are built and ready."</span> <span class="nb">echo</span> <span class="s2">" You can now run '03-deploy-controller.sh'."</span> </code></pre> </div> <h3> Deconstructing the "Build" Script </h3> <p>This script is straightforward but performs one vital task:</p> <ol> <li> <strong>Find Host Docker GID:</strong> The script starts by finding the numerical GID of the <code>docker</code> group on the host. This is the solution to our DooD permission challenge.</li> <li> <strong>Build the Controller Image:</strong> It runs the first <code>docker build</code> command, using <code>-f Dockerfile.controller</code> to specify our "Foreman" blueprint. Critically, it passes the <code>--build-arg HOST_DOCKER_GID=$HOST_DOCKER_GID</code> flag. This injects the host's GID into the build, allowing our <code>Dockerfile.controller</code> to "bake in" the correct permissions.</li> <li> <strong>Build the Agent Image:</strong> It runs the second <code>docker build</code> command, using <code>-f Dockerfile.agent</code>. This build doesn't need the GID but <em>does</em> need the toolchain version arguments (<code>PY312</code>, <code>GCC15</code>, etc.), which we've hardcoded here to match our <code>dev-container</code> environment.</li> </ol> <p>With this script, we now have two custom images, <code>jenkins-controller:latest</code> and <code>general-purpose-agent:latest</code>, built locally and ready for deployment.</p> <h2> 6.3. The "Deploy" Script (<code>03-deploy-controller.sh</code>) </h2> <p>This is the final assembly. This script takes our newly built <code>jenkins-controller</code> image and launches it as a container, connecting all the pieces we've built across this entire series. It connects our network, mounts our configs, passes our secrets, and enables our security.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># -----------------------------------------------------------</span> <span class="c"># 03-deploy-controller.sh</span> <span class="c">#</span> <span class="c"># This is the "deploy" script. It runs the 'docker run'</span> <span class="c"># command to launch our 'jenkins-controller' container.</span> <span class="c">#</span> <span class="c"># It's responsible for connecting all our "first principles"</span> <span class="c"># components together:</span> <span class="c">#</span> <span class="c"># 1. Network: Connects to 'cicd-net' with hostname 'jenkins'.</span> <span class="c"># 2. Ports: Publishes the UI (10400) and Agent (10401) ports.</span> <span class="c"># 3. Secrets: Passes the *scoped* 'jenkins.env' file.</span> <span class="c"># 4. Volumes: Mounts our JCasC config, our .p12 keystore,</span> <span class="c"># the 'jenkins-home' data volume, and the</span> <span class="c"># 'docker.sock' for DooD.</span> <span class="c"># 5. HTTPS: Passes 'JENKINS_OPTS' to enable SSL using</span> <span class="c"># our .p12 keystore and its password.</span> <span class="c"># -----------------------------------------------------------</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🚀 Deploying Jenkins Controller..."</span> <span class="c"># --- 1. Define Paths ---</span> <span class="nv">JENKINS_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack/jenkins/config"</span> <span class="nv">SCOPED_ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">/jenkins.env"</span> <span class="c"># --- 2. Stop and Remove Old Container (if it exists) ---</span> <span class="c"># This ensures a clean start</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-q</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>jenkins-controller<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Stopping existing 'jenkins-controller'..."</span> docker stop jenkins-controller <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span>docker ps <span class="nt">-aq</span> <span class="nt">-f</span> <span class="nv">name</span><span class="o">=</span>jenkins-controller<span class="si">)</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Removing existing 'jenkins-controller'..."</span> docker <span class="nb">rm </span>jenkins-controller <span class="k">fi</span> <span class="c"># --- 3. Source Keystore Password from Scoped Env File ---</span> <span class="c"># We need this *one* variable on the host to build the JENKINS_OPTS string</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⛔ ERROR: Scoped 'jenkins.env' file not found."</span> <span class="nb">echo</span> <span class="s2">"Please run '01-setup-jenkins.sh' first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Source the file to load its variables into our script</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$JENKINS_KEYSTORE_PASSWORD</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⛔ ERROR: JENKINS_KEYSTORE_PASSWORD not found in 'jenkins.env'."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"🔐 Keystore password loaded."</span> <span class="c"># --- 4. Define Ports (from our 01-setup.sh) ---</span> <span class="nv">JENKINS_HTTPS_PORT</span><span class="o">=</span><span class="s2">"10400"</span> <span class="nv">JENKINS_JNLP_PORT</span><span class="o">=</span><span class="s2">"10401"</span> <span class="c"># --- 5. Run the Controller Container ---</span> <span class="nb">echo</span> <span class="s2">"--- Starting 'jenkins-controller' container ---"</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"jenkins-controller"</span> <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--network</span> <span class="s2">"cicd-net"</span> <span class="se">\</span> <span class="nt">--hostname</span> <span class="s2">"jenkins.cicd.local"</span> <span class="se">\</span> <span class="nt">--publish</span> <span class="s2">"127.0.0.1:</span><span class="k">${</span><span class="nv">JENKINS_HTTPS_PORT</span><span class="k">}</span><span class="s2">:</span><span class="k">${</span><span class="nv">JENKINS_HTTPS_PORT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--publish</span> <span class="s2">"127.0.0.1:</span><span class="k">${</span><span class="nv">JENKINS_JNLP_PORT</span><span class="k">}</span><span class="s2">:</span><span class="k">${</span><span class="nv">JENKINS_JNLP_PORT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--env-file</span> <span class="s2">"</span><span class="nv">$SCOPED_ENV_FILE</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--env</span> <span class="s2">"CASC_JENKINS_CONFIG=/var/jenkins_home/casc_configs/"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"jenkins-home:/var/jenkins_home"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="nv">$JENKINS_CONFIG_DIR</span><span class="s2">:/var/jenkins_home/casc_configs:ro"</span> <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"/var/run/docker.sock:/var/run/docker.sock"</span> <span class="se">\</span> <span class="nt">--env</span> <span class="nv">JENKINS_OPTS</span><span class="o">=</span><span class="s2">"--httpPort=-1 </span><span class="se">\</span><span class="s2"> --httpsPort=</span><span class="k">${</span><span class="nv">JENKINS_HTTPS_PORT</span><span class="k">}</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --httpsKeyStore=/var/jenkins_home/casc_configs/ssl/jenkins.p12 </span><span class="se">\</span><span class="s2"> --httpsKeyStorePassword=</span><span class="k">${</span><span class="nv">JENKINS_KEYSTORE_PASSWORD</span><span class="k">}</span><span class="s2"> </span><span class="se">\</span><span class="s2"> --webroot=/var/jenkins_home/war </span><span class="se">\</span><span class="s2"> --sessionTimeout=3600 </span><span class="se">\</span><span class="s2"> --sessionEviction=3600"</span> <span class="se">\</span> jenkins-controller:latest <span class="c"># We no longer override the entrypoint. The image will</span> <span class="c"># run its default 'jenkins.sh' command.</span> <span class="nb">echo</span> <span class="s2">"✅ Jenkins Controller is starting."</span> <span class="nb">echo</span> <span class="s2">" Monitor logs with: docker logs -f jenkins-controller"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Wait for the 'Jenkins is fully up and running' log message."</span> <span class="nb">echo</span> <span class="s2">" Then, access the UI at: https://jenkins.cicd.local:10400"</span> <span class="nb">echo</span> <span class="s2">" (Remember to add '127.0.0.1 jenkins.cicd.local' to your /etc/hosts file!)"</span> </code></pre> </div> <h3> Deconstructing the "Deploy" Script </h3> <p>This <code>docker run</code> command is the final assembly of our entire architecture:</p> <ul> <li> <code>--network "cicd-net"</code> &amp; <code>--hostname "jenkins.cicd.local"</code>: Connects our "Foreman" to our "city" network and gives it the FQDN that our CA certificate and GitLab are expecting.</li> <li> <code>--publish "127.0.0.1:..."</code>: Binds the UI (<code>10400</code>) and JNLP (<code>10401</code>) ports <em>only</em> to the host's <code>localhost</code> interface for security.</li> <li> <code>--env-file "$SCOPED_ENV_FILE"</code>: Passes in our "scoped" <code>jenkins.env</code> file, providing all the <code>${...}</code> variables that our <code>jenkins.yaml</code> needs for secrets.</li> <li> <code>--env "CASC_JENKINS_CONFIG=..."</code>: This is the magic flag that activates the JCasC plugin and tells it <em>where</em> to find our <code>jenkins.yaml</code> file.</li> <li> <code>--volume "jenkins-home:..."</code>: Connects our Docker-managed volume (from Article 1) to store all of Jenkins's data (jobs, build history, etc.).</li> <li> <code>--volume "$JENKINS_CONFIG_DIR:..."</code>: This is our JCasC mount. We mount our host's <code>config</code> directory (which contains our <code>jenkins.yaml</code> and the <code>ssl/jenkins.p12</code> keystore) into the location specified by <code>CASC_JENKINS_CONFIG</code>.</li> <li> <code>--volume "/var/run/docker.sock:..."</code>: This provides the DooD capability, allowing the controller to spawn agents.</li> <li> <strong>The Missing Flag:</strong> Notice there is no <code>--group-add</code> flag. Because we "baked" the GID fix into our <code>Dockerfile.controller</code>, this runtime flag is no longer necessary.</li> <li> <code>--env JENKINS_OPTS="..."</code>: This is the final and most critical piece. We use this environment variable to pass start-up commands to the Jenkins Java process. We tell it: <ul> <li> <code>--httpPort=-1</code>: <strong>Disable HTTP entirely.</strong> </li> <li> <code>--httpsPort=${JENKINS_HTTPS_PORT}</code>: Enable HTTPS on our specified port.</li> <li> <code>--httpsKeyStore=...</code>: Point to the <code>.p12</code> keystore file we just mounted.</li> <li> <code>--httpsKeyStorePassword=...</code>: Provide the password (which we sourced from <code>jenkins.env</code>) to unlock the keystore.</li> </ul> </li> </ul> <p>This command launches our controller, which will now boot up, read our <code>jenkins.yaml</code>, configure itself, and be fully secured with our custom SSL certificate.</p> <h1> Chapter 7: Verification &amp; First Login </h1> <p>With our <code>03-deploy-controller.sh</code> script running, the Jenkins controller will take a few minutes to boot, load all the plugins, and process our <code>jenkins.yaml</code> file. You can monitor this process with <code>docker logs -f jenkins-controller</code>. Once you see the "Jenkins is fully up and running" log message, our "Foreman" is ready for inspection.</p> <h2> 7.1. Verification (UI): First Login &amp; The JCasC Payoff </h2> <p>First, we'll verify the User Interface. Open your browser and navigate to the controller's FQDN:</p> <p><strong><code>https://jenkins.cicd.local:10400</code></strong></p> <p>(Remember, this only works because you've edited your <code>/etc/hosts</code> file, as we did in the GitLab article).</p> <p>You should immediately see three signs of success:</p> <ol> <li> <strong>A Secure Lock Icon:</strong> Your browser trusts the Jenkins UI. This proves our entire SSL chain is working: your host's OS trusts our Local CA (from Article 2), and the controller is correctly serving its <code>jenkins.p12</code> keystore (from our <code>JENKINS_OPTS</code> flag).</li> <li> <strong>No "Unlock Jenkins" Screen:</strong> The JCasC plugin has worked. We are not asked to find a secret password in a log file.</li> <li> <strong>A Login Page:</strong> We are taken directly to the login page.</li> </ol> <p>Now, log in using the credentials we defined in our <code>jenkins.yaml</code> file (via the <code>jenkins.env</code>):</p> <ul> <li> <strong>Username:</strong> <code>admin</code> </li> <li> <strong>Password:</strong> (The <code>JENKINS_ADMIN_PASSWORD</code> you set)</li> </ul> <p>Once logged in, let's confirm JCasC did its job. Navigate to <strong>Manage Jenkins</strong> in the left sidebar:</p> <ul> <li> <strong>Check Credentials:</strong> Go to <strong>Credentials</strong>. You should see our two JCasC-defined credentials: <strong><code>gitlab-api-token</code></strong> and <strong><code>gitlab-checkout-credentials</code></strong>. This proves the <code>credentials:</code> block worked.</li> <li> <strong>Check Cloud Config:</strong> Go to <strong>Clouds</strong>. You will see our <strong><code>docker-local</code></strong> cloud. Click <strong>Configure</strong>. You'll see it's correctly set up to use our <code>general-purpose-agent</code> and <code>cicd-net</code>. This proves the <code>clouds:</code> block worked.</li> </ul> <h2> 7.2. Verification (API): The <code>403 Forbidden</code> Debugging Journey </h2> <p>The UI is working, but the most critical verification is to test the API. We will use our <code>04-verify-jenkins.py</code> script to do this.</p> <p>This verification was one of our most complex debugging challenges. Our first attempts to connect—even with a valid user and password—failed with an <code>HTTP Error 403: Forbidden</code>. This wasn't an <em>authentication</em> failure (the server knew who we were); it was an <em>authorization</em> failure (it was blocking our request).</p> <p>Our investigation revealed two key facts about the Jenkins API:</p> <ol> <li> <strong>API Tokens are Required:</strong> Jenkins blocks password-based authentication for most of its API, especially high-security endpoints like <code>/scriptText</code>. The correct way to authenticate is with an API Token.</li> <li> <strong><code>urllib</code> Auth is Complex:</strong> Our attempts to use <code>urllib</code>'s "smart" handlers (like <code>HTTPBasicAuthHandler</code> and <code>HTTPCookieProcessor</code>) created a state-management conflict. The handlers would send a session cookie <em>and</em> a token, or a token <em>and</em> a crumb, confusing the server and resulting in a 403.</li> </ol> <p>The solution was to stop being "smart" and to be explicit. We must <strong>manually build the <code>Authorization: Basic</code> header</strong> ourselves and send <em>only</em> that. This is the most direct and reliable way to authenticate.</p> <h3> Action 1: Manually Generate an API Token </h3> <p>First, we must generate the API token for our <code>admin</code> user. JCasC cannot do this for us.</p> <ol> <li> In the Jenkins UI, click your <code>admin</code> username (top right).</li> <li> In the left-hand sidebar, click <strong>Security</strong>.</li> <li> Find the <strong>"API Token"</strong> section.</li> <li> Click <strong>"Add new Token"</strong>, give it a name (like <code>admin-api-token</code>), and click <strong>"Generate"</strong>.</li> <li> <strong>Copy the generated token immediately.</strong> You will not see it again.</li> <li> Open your <code>jenkins.env</code> file (in your <code>0008_...</code> article directory) and add this token as <code>JENKINS_API_TOKEN</code>. (Our <code>01-setup-jenkins.sh</code> already added <code>GITLAB_CHECKOUT_TOKEN</code>, but we must add this one manually).</li> </ol> <h3> Action 2: Run the Verification Script </h3> <p>The following script, <code>04-verify-jenkins.py</code>, is our final, working solution. It reads the <code>JENKINS_API_TOKEN</code> from our <code>jenkins.env</code> file, manually base64-encodes it into a Basic Auth header, and sends it with a simple Groovy script to test our access.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">ENV_FILE_PATH</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">cwd</span><span class="p">()</span> <span class="o">/</span> <span class="sh">"</span><span class="s">jenkins.env</span><span class="sh">"</span> <span class="n">JENKINS_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://jenkins.cicd.local:10400</span><span class="sh">"</span> <span class="n">JENKINS_USER</span> <span class="o">=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span> <span class="c1"># --- 1. Standard Library .env parser --- </span><span class="k">def</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">env_path</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Reads a .env file and loads its variables into os.environ. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Loading environment from: </span><span class="si">{</span><span class="n">env_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">env_path</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⛔ ERROR: Environment file not found at </span><span class="si">{</span><span class="n">env_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Please run </span><span class="sh">'</span><span class="s">01-setup-jenkins.sh</span><span class="sh">'</span><span class="s"> first.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">env_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="n">value</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">value</span> <span class="k">return</span> <span class="bp">True</span> <span class="c1"># --- 2. Main Verification --- </span><span class="k">def</span> <span class="nf">verify_jenkins_api</span><span class="p">(</span><span class="n">base_url</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">api_token</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Connects to Jenkins using a manually-crafted Basic Auth header (token) and attempts an authenticated API call. This method does not use or need a CSRF crumb. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Creating default SSL context...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># This proves our host's CA trust (from Article 2) is working </span> <span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Attempting authenticated API call (Groovy script)...</span><span class="sh">"</span><span class="p">)</span> <span class="n">script_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_url</span><span class="si">}</span><span class="s">/scriptText</span><span class="sh">"</span> <span class="c1"># This simple script just tests the connection. </span> <span class="n">groovy_script</span> <span class="o">=</span> <span class="sh">"</span><span class="s">return jenkins.model.Jenkins.get().getSystemMessage()</span><span class="sh">"</span> <span class="n">data</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">urlencode</span><span class="p">({</span><span class="sh">'</span><span class="s">script</span><span class="sh">'</span><span class="p">:</span> <span class="n">groovy_script</span><span class="p">}).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># --- Manually build the Authorization Header --- </span> <span class="c1"># This was the solution to our 403 Forbidden errors. </span> <span class="n">auth_string</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">api_token</span><span class="si">}</span><span class="sh">"</span> <span class="n">auth_bytes</span> <span class="o">=</span> <span class="n">auth_string</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">auth_base64</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">auth_bytes</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">ascii</span><span class="sh">'</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">auth_base64</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/x-www-form-urlencoded</span><span class="sh">'</span> <span class="p">}</span> <span class="c1"># We do NOT send a Jenkins-Crumb header. </span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">script_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># We use the default urlopen, passing our context. </span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅✅✅ Jenkins Verification SUCCESS! ✅✅✅</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Authenticated API call returned: </span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⛔ ERROR: API call failed. Status: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Response: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⛔ ERROR: Connection failed. Did you add </span><span class="sh">'</span><span class="s">127.0.0.1 jenkins.cicd.local</span><span class="sh">'</span><span class="s"> to /etc/hosts?</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Details: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="sh">'</span><span class="s">read</span><span class="sh">'</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Response: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⛔ ERROR: API call failed.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Details: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="sh">'</span><span class="s">read</span><span class="sh">'</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Response: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># --- 6. Main execution --- </span><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">ENV_FILE_PATH</span><span class="p">):</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">JENKINS_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">JENKINS_API_TOKEN</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">JENKINS_TOKEN</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⛔ ERROR: JENKINS_API_TOKEN not found in </span><span class="sh">'</span><span class="s">jenkins.env</span><span class="sh">'"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Please generate one in the UI and add it to the file.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="nf">verify_jenkins_api</span><span class="p">(</span><span class="n">JENKINS_URL</span><span class="p">,</span> <span class="n">JENKINS_USER</span><span class="p">,</span> <span class="n">JENKINS_TOKEN</span><span class="p">)</span> </code></pre> </div> <h3> The Payoff </h3> <p>When you run this script (<code>python3 04-verify-jenkins.py</code>), you will see the successful output. This proves our API is accessible, our token is valid, and our JCasC-defined <code>admin</code> user has the correct <code>Overall/Administer</code> permissions to access the script console. Our "Foreman" is fully operational and ready to work.</p> <h1> Chapter 8: Practical Application - The "Hero Project" Pipeline (V1) </h1> <p>Our "Factory Foreman" (Jenkins) is fully operational. We've verified its UI is secure, its API is accessible, and its "hiring department" (the Docker Cloud) is correctly configured. The infrastructure is complete.</p> <p>Now it's time to put it to work.</p> <p>The goal of this chapter is to connect our "Factory" to our "Central Library" (GitLab) and run our first <em>real</em> build. We will connect Jenkins to our <code>0004_std_lib_http_client</code> "hero project" and use its "polyglot" build agent to compile, test, and run our C++, Rust, and Python code.</p> <h2> 8.1. Action 1: The <code>Jenkinsfile</code> (V1) </h2> <p>Our first step is to create the "assembly line" instructions. As we discussed in Chapter 2, these instructions live <em>with the code</em>. We will create a new file named <code>Jenkinsfile</code> (with no extension) in the root of our <code>0004_std_lib_http_client</code> repository.</p> <p>This file is a "declarative pipeline" script. It tells the Jenkins agent <em>what</em> to do and in <em>what order</em>. Here is the complete V1 <code>Jenkinsfile</code> for our project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="c1">// Jenkinsfile</span> <span class="n">pipeline</span> <span class="o">{</span> <span class="c1">// 1. Define our "Worker"</span> <span class="c1">// This tells Jenkins to spin up our custom-built agent</span> <span class="c1">// which already has all system dependencies (cmake, rust, python).</span> <span class="n">agent</span> <span class="o">{</span> <span class="n">label</span> <span class="s1">'general-purpose-agent'</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="c1">// 2. Setup &amp; Build Stage</span> <span class="c1">// This runs the project's own setup.sh.</span> <span class="c1">// It will create the Python venv, install pip requirements,</span> <span class="c1">// and compile both the Debug and Release builds.</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Setup &amp; Build'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Running project setup.sh ---'</span> <span class="n">sh</span> <span class="s1">'chmod +x ./setup.sh'</span> <span class="n">sh</span> <span class="s1">'./setup.sh'</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// 3. Test &amp; Coverage Stage</span> <span class="c1">// This runs the project's coverage script, which</span> <span class="c1">// depends on the 'build_debug' created in the prior stage.</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test &amp; Coverage'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'--- Running CTest, Cargo-Cov, and Pytest ---'</span> <span class="n">sh</span> <span class="s1">'chmod +x ./run-coverage.sh'</span> <span class="n">sh</span> <span class="s1">'./run-coverage.sh'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Deconstructing the <code>Jenkinsfile</code> </h3> <p>This simple file is incredibly powerful because it leans on the work we've already done.</p> <ul> <li><p><strong><code>agent { label 'general-purpose-agent' }</code></strong><br> This is the "hiring" instruction. It tells the Jenkins controller to request a new "worker" from the cloud named <code>docker-local</code> that has the label <code>general-purpose-agent</code>. This label matches <em>exactly</em> what we defined in our <code>jenkins.yaml</code> file, which in turn points to our <code>general-purpose-agent:latest</code> Docker image.</p></li> <li><p><strong><code>stage('Setup &amp; Build')</code></strong><br> This is our first assembly line station. Instead of cluttering our pipeline with <code>cmake</code> and <code>python</code> commands, we simply make our scripts executable (<code>chmod +x</code>) and run the project's own <code>setup.sh</code>. This is a clean separation of concerns: the <code>Jenkinsfile</code> orchestrates <em>what</em> to do, and the <code>setup.sh</code> script knows <em>how</em> to do it. This stage will create the Python venv and build both the Debug and Release versions of our libraries.</p></li> <li><p><strong><code>stage('Test &amp; Coverage')</code></strong><br> This is our "quality assurance" station. Once the build is complete, it runs the <code>run-coverage.sh</code> script. This script executes all three test suites (C/C++ <code>ctest</code>, Rust <code>cargo llvm-cov</code>, and Python <code>pytest</code>) against the <code>build_debug</code> directory created in the previous stage.</p></li> </ul> <p>Now, <strong>add this <code>Jenkinsfile</code> to the root of your <code>0004_std_lib_http_client</code> project, commit it, and push it to your GitLab server.</strong></p> <p>Our "blueprint" is now in the "Library," waiting for the "Foreman" to find it.</p> <h3> A Note on Credentials: Creating Your Project Access Token </h3> <p>Before our <code>Jenkinsfile</code> can work, it needs permission to clone our private <code>0004_std_lib_http_client</code> repository. We will give it this permission by creating a new, limited-scope <strong>Project Access Token</strong> in GitLab.</p> <p>This token is the value we will store as <code>GITLAB_CHECKOUT_TOKEN</code> in our <code>cicd.env</code> file. It's crucial to do this <em>before</em> you deploy Jenkins, so that when the controller starts, our JCasC file can read this token and create the permanent <code>gitlab-checkout-credentials</code> credential.</p> <p>If you haven't created this token yet, follow these steps:</p> <ol> <li> <strong>Navigate to Your Project:</strong> Open your GitLab instance and go to the <code>0004_std_lib_http_client</code> project.</li> <li> <strong>Go to Access Tokens:</strong> In the project's left-hand sidebar, navigate to <strong>Settings &gt; Access Tokens</strong>.</li> <li> <strong>Add New Token:</strong> Click the <strong>"Add new token"</strong> button.</li> <li> <strong>Fill out the form:</strong> <ul> <li> <strong>Name:</strong> <code>jenkins-checkout-token</code> </li> <li> <strong>Role:</strong> Select <code>Developer</code>. This provides just enough permission to clone the repository.</li> <li> <strong>Scopes:</strong> Check the box for <strong><code>read_repository</code></strong>. This is the <em>only</em> scope this token needs, following the Principle of Least Privilege.</li> </ul> </li> <li> <strong>Create and Copy:</strong> Click the <strong>"Create project access token"</strong> button. GitLab will display the token one time. Copy this token.</li> <li> <p><strong>Update Your <code>cicd.env</code>:</strong> Open your master <code>cicd.env</code> file (in <code>~/cicd_stack/</code>) and add this token:<br> </p> <pre class="highlight plaintext"><code>GITLAB_CHECKOUT_TOKEN="glpat-..." </code></pre> </li> <li> <p><strong>Update <code>jenkins.env</code>:</strong> Open your <code>jenkins.env</code> file (in the Jenkins article directory) and add the same line:<br> </p> <pre class="highlight plaintext"><code>GITLAB_CHECKOUT_TOKEN="glpat-..." </code></pre> </li> </ol> <p>Now, when you run your <code>01-setup-jenkins.sh</code> and <code>03-deploy-controller.sh</code> scripts, our JCasC file will automatically read this token and create the permanent <code>gitlab-checkout-credentials</code> in Jenkins. If you add this credential manually in the UI, <strong>it will be deleted the next time your controller restarts.</strong></p> <p><strong>UPDATE 2025-12-09: Creating the Group Access Token</strong></p> <p>To satisfy the <code>articles-gat</code> requirement for newer plugins, you must also create a <strong>Group Access Token</strong>.</p> <ol> <li> <strong>Navigate to the Group:</strong> Go to your top-level <strong>"Articles"</strong> group in GitLab (not the specific project).</li> <li> <strong>Access Tokens:</strong> Go to <strong>Settings &gt; Access Tokens</strong>.</li> <li> <strong>Create Token:</strong> <ul> <li> <strong>Name:</strong> <code>jenkins-group-token</code> </li> <li> <strong>Role:</strong> <code>Maintainer</code> (recommended for full webhook management) or <code>Developer</code>.</li> <li> <strong>Scopes:</strong> Select <code>api</code> and <code>read_repository</code>.</li> </ul> </li> <li> <strong>Save:</strong> Copy the token (<code>glpat-...</code>).</li> <li> <strong>Update <code>cicd.env</code>:</strong> Add this token to your <code>cicd.env</code> file as <code>ARTICLES_GAT</code>. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ARTICLES_GAT</span><span class="o">=</span><span class="s2">"glpat-..."</span> </code></pre> </div> <h2> 8.2. Action 2: Jenkins UI (Create the Job) </h2> <p>With our <code>Jenkinsfile</code> pushed to the repository, our "Foreman" (Jenkins) is ready to be given its assignment. We need to create a job that tells Jenkins to "watch" this specific GitLab project.</p> <p>We will use the <strong>"Multibranch Pipeline"</strong> job type. This is a powerful feature provided by our <code>gitlab-branch-source</code> plugin. Instead of creating a separate, static job for our <code>main</code> branch, we will create one "project" job that <em>automatically</em> discovers all branches, merge requests, and tags that contain a <code>Jenkinsfile</code> and creates jobs for them.</p> <p>Here are the steps to set this up:</p> <ol> <li> <strong>Log in to Jenkins</strong> at <code>https://jenkins.cicd.local:10400</code> as your <code>admin</code> user.</li> <li> From the dashboard, you can create a folder for organization (e.g., "Articles") or create the job directly. Click <strong>"New Item"</strong> in the left sidebar.</li> <li> <strong>Enter an item name:</strong> <code>0004_std_lib_http_client</code> </li> <li> Select <strong>"Multibranch Pipeline"</strong> from the list of job types and click <strong>"OK"</strong>.</li> <li> You'll be taken to the configuration page. Scroll down to the <strong>"Branch Sources"</strong> section.</li> <li> Click <strong>"Add source"</strong> and select <strong>"GitLab project"</strong>. This option is only here because we installed the <code>gitlab-branch-source</code> plugin.</li> <li> <p>Fill out the source configuration:</p> <ul> <li> <strong>Server:</strong> Select <strong>"Local GitLab"</strong>. This is the server connection we defined in our <code>jenkins.yaml</code> file.</li> <li> <strong>Owner:</strong> Select your GitLab group, <strong>"Articles"</strong>. Jenkins will use the <code>gitlab-api-token</code> (defined in JCasC) to scan this group for projects.</li> <li> <strong>Project:</strong> A dropdown will appear. Select <strong><code>0004_std_lib_http_client</code></strong>.</li> <li> <strong>Checkout Credentials:</strong> This is the solution to our "authentication failed" problem. In the dropdown, select our JCasC-defined credential: <strong>`gitlab-checkout-bot / **</strong><strong>`</strong>. This tells Jenkins to use our limited-scope Project Access Token for all <code>git clone</code> operations.</li> </ul> </li> <li><p>Click <strong>"Save"</strong>.</p></li> </ol> <p>As soon as you save, Jenkins will automatically perform an initial "Branch Indexing" scan. You can watch the log for this scan in the "Scan Multibranch Pipeline Log" in the sidebar. It will connect to GitLab (proving our controller's JVM trust), find your <code>main</code> branch, see the <code>Jenkinsfile</code>, and create a new job for it.</p> <p><strong>UPDATE 2025-12-09</strong></p> <p><strong>Step 7 (Checkout Credentials):</strong><br> When selecting credentials, the dropdown behavior depends on your plugin version:</p> <ul> <li> <strong>Legacy Plugin:</strong> Select <code>gitlab-checkout-bot</code> (Username/Password).</li> <li> <strong>Modern Plugin:</strong> Select <code>articles-gat</code> (Group Access Token). If you see "403" errors or if the legacy credential is missing from the list, choose this option.</li> </ul> <h2> 8.3. Action 3: GitLab UI (Set the Webhook) </h2> <p>At this point, our job exists, but it doesn't know <em>when</em> we push new code. We could tell Jenkins to "Periodically scan," but this is inefficient. We want an instant, event-driven trigger.</p> <p>The solution is a <strong>webhook</strong>. We need to tell GitLab to send a "ping" to Jenkins every time we create a Merge Request.</p> <p>Normally, this is a manual step, but our plugin stack has a final surprise for us:</p> <ol> <li> In your browser, go to your GitLab project: <code>https://gitlab.cicd.local:10300/Articles/0004_std_lib_http_client</code>.</li> <li> In the left sidebar, go to <strong>Settings &gt; Webhooks</strong>.</li> </ol> <p>You will see that a webhook pointing to our Jenkins instance <strong>already exists</strong>.</p> <p>This is the final payoff of our JCasC setup. When we configured the "Local GitLab" server in our <code>jenkins.yaml</code> and set <code>manageWebHooks: true</code>, we gave Jenkins (using its <code>gitlab-api-token</code>) permission to <em>automatically</em> create this webhook for us when we created the Multibranch job.</p> <p><strong>All we have to do is test it and tweak it:</strong></p> <ol> <li> Click the <strong>"Edit"</strong> button for the auto-generated webhook.</li> <li> <strong>Tweak Triggers:</strong> By default, it's likely set for "Push events." We want to follow our professional workflow. <strong>Uncheck "Push events"</strong> and ensure <strong>"Merge request events"</strong> is <strong>checked</strong>.</li> <li> <strong>Test the Connection:</strong> Scroll down and click the <strong>"Test"</strong> button. Select <strong>"Merge request events"</strong> from the dropdown and click <strong>"Test webhook"</strong>.</li> </ol> <p>At the top of the page, you will see a green <strong><code>Hook executed successfully: HTTP 200</code></strong> message.</p> <p>This single message proves our entire security architecture is working end-to-end. It confirms that GitLab (whose JVM trusts our CA) successfully sent a secure HTTPS request to our Jenkins controller (which is serving traffic using its <code>.p12</code> keystore). The "Factory" and the "Library" are now fully and securely connected.</p> <h3> A Note on Advanced Triggers: The V2 Pipeline </h3> <p>For our V1 pipeline, we've configured the webhook to trigger <em>only</em> on "Merge request events." This is a robust and common workflow that ensures we only run our full, expensive build and test suite when we're preparing to merge code.</p> <p>However, this is just the beginning. A more sophisticated, real-world pipeline would use <strong>conditional logic</strong> to run <em>different</em> sets of tasks based on the <em>type</em> of trigger.</p> <p>It is entirely possible (and standard practice) to enable both <strong>"Push events"</strong> and <strong>"Merge request events."</strong> We would then make our <code>Jenkinsfile</code> "smarter" by using its <code>when</code> directive to inspect the build's context.</p> <p>For example, in a V2 pipeline, we could configure:</p> <ol> <li> <strong>On a simple <code>git push</code> to a feature branch:</strong> The <code>Jenkinsfile</code> would detect <code>env.BRANCH_NAME != 'main'</code> and <code>when { NOT { changeRequest() } }</code>. It would then <em>only</em> run fast jobs like linting and unit tests, giving the developer feedback in seconds.</li> <li> <strong>On a <code>push</code> to a Merge Request:</strong> The <code>Jenkinsfile</code> would detect <code>when { changeRequest() }</code>. This would trigger our <em>full</em> validation pipeline: build, all tests (C++, Rust, Python), and coverage. This is our "quality gate."</li> <li> <strong>On a merge to the <code>main</code> branch (or a Git tag):</strong> The <code>Jenkinsfile</code> would detect <code>env.BRANCH_NAME == 'main'</code>. This would run the full pipeline <em>plus</em> our new "Publish" stage (which we'll build in the next article) to save the compiled artifacts to Artifactory.</li> </ol> <p>We have started with a simple, effective "build everything on MR" strategy. We will build on this foundation later to create these more complex, conditional workflows.</p> <h1> Chapter 9: The Payoff - The First Automated Build </h1> <p>Our infrastructure is 100% complete. Our <code>Jenkinsfile</code> is in the repository, our Jenkins job is configured to use our JCasC-defined credentials, and the GitLab webhook is automatically set up and tested.</p> <p>All that's left is to see it in action.</p> <h2> 9.1. The "Scan" </h2> <p>When you first created the "Multibranch Pipeline" job in the last chapter, Jenkins automatically performed an initial "Branch Indexing" scan. In the "Scan Multibranch Pipeline Log" (or by clicking "Scan Repository Now"), you would have seen Jenkins:</p> <ol> <li> Connect to <code>https://gitlab.cicd.local</code> (proving the controller's JVM trust).</li> <li> Use the <code>gitlab-api-token</code> to scan the <code>Articles/0004_std_lib_http_client</code> project.</li> <li> Discover the <code>main</code> branch.</li> <li> Find the <code>Jenkinsfile</code> in that branch.</li> <li> Automatically create a new pipeline job named "main" and queue it for a build.</li> </ol> <p>This first build is the complete validation of our setup.</p> <h2> 9.2. The "Build": Deconstructing the Success Log </h2> <p>When you open the log for that first successful build, you are seeing the payoff for every single piece of our architecture. Let's narrate the log:</p> <ol> <li><p><strong><code>Provisioning 'general-purpose-agent...'</code></strong><br> This first line is a triumph. It proves our "Foreman" (Controller) has successfully used the <strong>Docker Plugin</strong> (configured by JCasC) to begin "hiring" our worker.</p></li> <li><p><strong>No "Pulling image..." Step</strong><br> You'll notice the log does <em>not</em> show a "Pulling image..." step. It immediately moves to creating the container. This proves our <strong><code>pullStrategy: 'PULL_NEVER'</code></strong> setting in <code>jenkins.yaml</code> is working, forcing the controller to use our local image.</p></li> <li><p><strong><code>Started container ID ...</code> &amp; <code>Accepted JNLP4-connect connection...</code></strong><br> This is the proof that our agent is working. The container started <em>without</em> the <code>exec: "-url": executable file not found</code> error. This confirms our <strong><code>ENTRYPOINT ["java", "-jar", ...]</code></strong> instruction in <code>Dockerfile.agent</code> is correct. The agent is up and connected.</p></li> <li> <p><strong><code>using credential std-lib-http-client</code> &amp; <code>git clone ...</code></strong><br> The <code>git clone</code> succeeds. This proves two things:</p> <ul> <li>Our JCasC-defined <strong><code>gitlab-checkout-credentials</code></strong> are working.</li> <li>Our agent's <strong>OS-level trust</strong> (<code>update-ca-certificates</code>) is working, allowing <code>git</code> to trust <code>https://gitlab.cicd.local</code>.</li> </ul> </li> <li><p><strong><code>Found Rust: /home/jenkins/.rustup/toolchains...</code></strong><br> This confirms our <code>Dockerfile.agent</code> build process was correct. <code>cmake</code> is running as the <code>jenkins</code> user and is finding the Rust toolchain in <code>/home/jenkins/.cargo/bin</code> because we installed it under the correct user and added it to the <code>PATH</code>.</p></li> <li><p><strong><code>[100%] Built target...</code> &amp; <code>100% tests passed...</code></strong><br> The <code>setup.sh</code> and <code>run-coverage.sh</code> scripts complete. Our polyglot build—C++, Rust, and Python—has been successfully built and tested by our custom, ephemeral agent.</p></li> <li><p><strong><code>Finished: SUCCESS</code></strong><br> The pipeline is complete. The agent container is automatically destroyed, along with all its build files.</p></li> </ol> <h2> 9.3. The "Trigger": The Final Verification </h2> <p>The manual scan proves the build works. This final test proves the <em>automation</em> works. We will now simulate a developer's workflow and watch the entire loop trigger automatically.</p> <ol> <li><p>First, we'll go to the GitLab Webhooks page and show that the <code>gitlab-branch-source</code> plugin <strong>automatically created the webhook for us</strong>. We'll use the "Test" button to prove the <code>HTTP 200</code> connection.</p></li> <li><p>Then, we'll guide the user to make a <em>real</em> change: <code>git checkout -b feature/test-trigger</code>, add a comment, <code>git push</code>, and <strong>open a new Merge Request in GitLab</strong>.</p></li> <li><p>We'll watch the Jenkins UI as the <code>MR-1</code> build appears <em>instantly</em>, proving the webhook is functioning perfectly.</p></li> </ol> <p>This confirms our "Factory" and "Library" are perfectly connected.</p> <h1> Chapter 10: Conclusion </h1> <h2> 10.1. What We've Built </h2> <p>We have successfully built a complete, automated, and scalable CI (Continuous Integration) system. Our "Factory Foreman" (Jenkins) is fully operational and perfectly integrated with our "Central Library" (GitLab).</p> <p>Let's summarize what our new system accomplishes:</p> <ul> <li> <strong>Fully Automated Builds:</strong> When a developer opens a Merge Request, a build is triggered <em>instantly</em> and automatically, with no human intervention.</li> <li> <strong>Secure &amp; Trusted:</strong> The entire connection is secured with our internal CA. GitLab sends a secure webhook to Jenkins, and Jenkins clones from GitLab over a trusted HTTPS connection.</li> <li> <strong>Scalable &amp; Isolated Compute:</strong> We are using a modern "Controller/Agent" architecture. The controller only orchestrates, and the <em>real</em> work is done by our <code>general-purpose-agent</code> containers. This means we can run multiple builds in parallel, each in its own clean, isolated environment.</li> <li> <strong>Consistent, Polyglot Environment:</strong> Our custom agent image, built with our "dual-trust" fix and the correct user-context, is proven to work. It can build and test our complex C++, Rust, and Python project in a single, unified pipeline.</li> </ul> <h2> 10.2. The New Problem: The "Ephemeral Artifact" </h2> <p>Our pipeline log <code>Finished: SUCCESS</code> is a huge victory, but it also highlights our next major challenge. Our <code>setup.sh</code> script successfully compiled our C++ library (<code>libhttpc.so</code>), our Rust binaries, and our Python wheel (<code>.whl</code>), and <code>run-coverage.sh</code> proved they work.</p> <p>But what happened to them?</p> <p>They were created inside the <code>general-purpose-agent</code> container. The moment the build finished, that container was <strong>immediately and permanently destroyed</strong>, taking all those valuable, compiled "finished goods" with it.</p> <p>Our factory is running at 100% capacity, but we're just throwing every finished product into the incinerator. We have a "build," but we have no <em>artifacts</em>.</p> <h2> 10.3. Next Steps: Building the "Secure Warehouse" </h2> <p>Our "factory" is missing its "loading dock" and "warehouse."</p> <p>We need a central, persistent, and secure location to <em>store</em> our finished products. We need a system that can:</p> <ol> <li> Receive the compiled <code>libhttpc.so</code>, the <code>httprust_client</code> binary, and the <code>httppy-0.1.0-py3-none-any.whl</code> file from our build agent.</li> <li> Store them permanently and give them a version number.</li> <li> Allow other developers or servers to download and use these "blessed" artifacts without having to rebuild the entire project themselves.</li> </ol> <p>This is the exact role of an <strong>Artifact Repository Manager</strong>. In the next article, we will build our "Secure Warehouse": <strong>JFrog Artifactory</strong>. We will then add a final "Publish" stage to our <code>Jenkinsfile</code> to solve this "ephemeral artifact" challenge once and for all.</p> jenkins cicd devops tutorial Warren Jitsing Wed, 17 Dec 2025 05:45:49 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/part-03-building-a-sovereign-software-factory-self-hosted-gitlab-secrets-management-209e https://dev.to/warren_jitsing_dd1c1d6fc6/part-03-building-a-sovereign-software-factory-self-hosted-gitlab-secrets-management-209e <p>GitHub: <a href="https://github.com/InfiniteConsult/0007_cicd_part03_gitlab" rel="noopener noreferrer">https://github.com/InfiniteConsult/0007_cicd_part03_gitlab</a></p> <p><strong>TL;DR:</strong> In this installment, we construct the <strong>"Central Library"</strong> of our city. We deploy a self-hosted <strong>GitLab CE</strong> instance inside our private network, rejecting the "SaaS Pain Points" of public GitHub (latency, data sovereignty, and paid features). We implement a "Blueprint First" deployment strategy to solve the Docker "First Run" password conflict, configure SMTP for notifications, and verify our internal DNS and SSL trust chain by pushing code securely from our Control Center.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02:</strong> Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</li> <li> <strong>Part 03: Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</strong> (You are here)</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The "Why" - Rejecting the SaaS "Pain Point" </h1> <h2> 1.1 Goal: Building the "Central Library" </h2> <p>We have successfully built our "city" foundations. We have a secure "Control Center" (DooD), private "roads" (<code>cicd-net</code>), persistent "foundations" (our hybrid volume strategy), and a trusted "security office" (our Local CA).</p> <p>We are <em>ready</em> to build, but we have no "blueprints." Our code—the very thing we want to build, test, and deploy—has no home.</p> <p>This is the "chaos" pain point. Without a <strong>Source Code Manager (SCM)</strong>, our projects live in a state of entropy: <code>project-final-v2.zip</code>, <code>project-final-v3-JOHNS-EDITS.zip</code>. It's impossible to know who changed what or which version is the "real" one.</p> <p>We will solve this by deploying <strong>GitLab Community Edition (CE)</strong>. This will be the first "skyscraper" in our city and will serve as the "Central Library"—the single source of truth for all our code.</p> <h2> 1.2 The "First Principles" Question: Why Not Just Use GitHub.com? </h2> <p>Before we run a single command, we must address the obvious "easy button" solution. Why go through the trouble of deploying a complex, self-hosted SCM when <code>GitHub.com</code> exists?</p> <p>The answer is that <code>GitHub.com</code> is a <strong>SaaS (Software-as-a-Service)</strong> solution. It's a "black box" that introduces "pain points" that are in direct conflict with the "first principles" architecture we have so carefully built.</p> <blockquote> <p><strong>The Analogy:</strong> We are building a private, secure, self-contained "city." <code>GitHub.com</code> is the <em>public library</em> located across town, on the other side of the ocean.</p> <p>To build our "factories" (Jenkins) and "warehouses" (Artifactory) <em>inside</em> our city walls and then have them rely on a library on another continent is an architectural flaw. It creates dependencies, security risks, and latency.</p> <p>The <em>only</em> architecturally-sound solution is to build our <em>own</em> "Central Library" <em>inside</em> our city walls, on our private "road network."</p> </blockquote> <h2> 1.3 Deconstructing the SaaS "Pain Points" </h2> <p>Relying on an external <code>GitHub.com</code> fails our "first principles" test by creating three critical "pain points."</p> <h3> 1. The Network Isolation Pain Point </h3> <p>This is the most immediate problem. <code>GitHub.com</code> lives on the public internet. Our entire CI/CD stack lives <em>inside</em> our private, isolated <strong><code>cicd-net</code></strong>.</p> <p>This breaks the integration. How can <code>GitHub.com</code> (on the public internet) send a webhook to <code>https://jenkins.cicd.local:8443</code> (a private hostname on our <code>cicd-net</code>)? It can't. It's like shouting from the public library and expecting our "factory foreman" (Jenkins) to hear it inside our walled city.</p> <p>To make this work, we would have to punch dangerous holes in our host firewall, set up complex reverse proxies, and expose our internal Jenkins server to the entire internet—a massive security risk.</p> <h3> 2. The Data Sovereignty &amp; Control Pain Point </h3> <p>When you use <code>GitHub.com</code>, you are a <strong>"tenant"</strong> on Microsoft's platform. Your source code, your intellectual property, and your project's metadata are all stored on their servers.</p> <p>By self-hosting GitLab CE, we become the <strong>"landlord."</strong> We have 100% control over our own data. Our code lives on our <code>gitlab-data</code> volume, secured by our Local CA, and is never exposed to a third party.</p> <h3> 3. The Cost &amp; Feature "Pain Point" </h3> <p>The "free" tier on SaaS platforms is feature-gated to push you to paid plans.</p> <ul> <li> <strong>CI/CD "Minutes":</strong> Public CI services (like GitHub Actions) charge you for compute time, often after a small free quota. This creates a "pain point" of unpredictable costs and limits how often you can build.</li> <li> <strong>"Protected Branches":</strong> This is the most critical pedagogical "gotcha." On <code>GitHub.com</code>, the ability to "protect" a branch (e.g., to force all changes to go through a Merge Request) is a <strong>paid feature</strong>.</li> </ul> <p>This breaks our workflow. The entire <em>point</em> of our CI pipeline is to run on Merge Requests. By self-hosting <strong>GitLab CE</strong>, this critical "Protected Branch" feature is <strong>100% free</strong>.</p> <h2> 1.4 The Solution: Our Self-Hosted Foundation </h2> <p>A self-hosted GitLab CE instance is the only choice that respects our architecture. It solves all three "pain points":</p> <ol> <li> It will live <strong>inside</strong> our <code>cicd-net</code>, allowing it to talk to <code>jenkins</code> and our other tools securely.</li> <li> It gives us <strong>100% data sovereignty</strong>.</li> <li> It gives us critical enterprise features like "Protected Branches" for <strong>free</strong>.</li> </ol> <p>We will now build our "Central Library" on the "foundation" we prepared in Articles 1 and 2.</p> <h1> Chapter 2: The "What" - Core SCM &amp; GitLab Concepts </h1> <h2> 2.1. The "First Principles" of Source Code Management </h2> <p>To understand <em>why</em> GitLab is the "Central Library" for our "city," we must first deconstruct the problem it solves. This isn't just a GitLab concept; it's the fundamental "pain point" of all software development: <strong>managing change over time.</strong></p> <h3> The "Chaos" (No SCM) </h3> <p>Without an SCM, we live in a world of chaos. We use file naming conventions that are, in effect, a cry for help:</p> <ul> <li><code>project-v1.zip</code></li> <li><code>project-v2-final.zip</code></li> <li><code>project-v2-final-REVISED.zip</code></li> <li><code>project-v2-final-JOHNS-EDITS.zip</code></li> </ul> <p>This "shared folder" model has no "first principles." There is no history, no accountability, and no way to safely merge changes from two developers.</p> <h3> The "Old" Solution: Centralized SCM (e.g., Subversion) </h3> <p>The first generation of tools solved this by introducing a "central server." These are <strong>Centralized Version Control Systems (CVCS)</strong>. The most famous example is <strong>Subversion (SVN)</strong>.</p> <blockquote> <p><strong>The Analogy:</strong> An SVN server is a <strong>"Central Library" with a single, strict "Librarian."</strong></p> <p>To edit a file, you must "check it out" from the librarian. While you have it, no one else can edit it (a "lock"). When you are done, you "check it in," and the librarian saves the new version.</p> </blockquote> <p>This was a massive improvement, but it created a new, critical "pain point":</p> <ol> <li> <strong>It's a Single Point of Failure:</strong> If the "Central Library" (the SVN server) crashes or the network goes down, <em>all development stops</em>. No one can "check in" or "check out" code.</li> <li> <strong>It's Not Truly "Versioned":</strong> Your local machine only has the <em>one version</em> you checked out. You do not have the <em>entire history</em> of the project.</li> </ol> <h3> The "Modern" Solution: Distributed SCM (i.e., Git) </h3> <p><strong>Git</strong> is the "first principles" solution to the "pain points" of SVN. It is a <strong>Distributed Version Control System (DVCS)</strong>.</p> <p>This is the most critical concept to understand:</p> <blockquote> <p><strong>The Analogy:</strong> With Git, you don't just "check out a book" from the library. You <strong>"clone" the entire library.</strong></p> <p>Every single developer on your team has a full, 1-to-1 copy of the <em>entire project and its complete history</em> on their local machine.</p> </blockquote> <p>This solves all of SVN's "pain points":</p> <ol> <li> <strong>There is No Single Point of Failure:</strong> If the "Central Library" server (which we will build with GitLab) goes down, you don't even notice. You can still browse the full history, create new commits, and switch branches, all on your local machine.</li> <li> <strong>It's Blazing Fast:</strong> Since the entire "library" (the <code>.git</code> directory) is on your local disk, checking history or creating a branch is instantaneous.</li> </ol> <h3> The "First Principles" of Git (The Commands) </h3> <p>This "distributed" model is what gives us the core "first principle" concepts that GitLab is built on top of:</p> <ul> <li> <p><strong>Repository (Repo):</strong> This is the "library" itself—the project folder containing all your code and the hidden <code>.git</code> directory (the "ledger").</p> <ul> <li> <code>git init</code> (Creates a new, empty "library")</li> <li> <code>git clone &lt;url&gt;</code> (Copies an <em>entire existing library</em> to your machine)</li> </ul> </li> <li> <p><strong>Commit:</strong> This is a "snapshot" or a "save point" in your local library. It's a permanent record of a change.</p> <ul> <li> <code>git add .</code> (Stages your changes for the snapshot)</li> <li> <code>git commit -m "My change description"</code> (Creates the permanent snapshot in your local history)</li> </ul> </li> <li> <p><strong>Branch:</strong> This is an "independent line of development." It's a "copy" of the "master blueprint" that you can safely work on without disturbing the main, stable version.</p> <ul> <li> <code>git checkout -b my-new-feature</code> (Creates a new branch <em>and</em> switches to it)</li> <li> <code>git checkout main</code> (Switches back to the main, stable branch)</li> </ul> </li> </ul> <p>This is the "engine" that runs <em>locally</em>. This leaves one final "pain point": if everyone has their own "copy of the library," how does everyone <em>sync up</em> their changes?</p> <p>That is the role of <strong>GitLab</strong>. It is the "Central Library" that we <em>designate</em> as the "single source of truth." It's the "public square" where all developers bring their local changes (<code>git push</code>) and share them with the team (<code>git pull</code>).</p> <h2> 2.2. The "Collaboration" Principle: The Merge Request </h2> <p>We have established the "first principle" of Git: everyone has a <em>local</em> "copy of the library" (<code>.git</code> directory) and can make <em>local</em> "snapshots" (<code>git commit</code>).</p> <p>This leaves us with the final and most important operational "pain point": <strong>How do we safely merge all these individual, distributed changes back into the "Central Library" (GitLab)?</strong></p> <p>The "easy" or "naive" way is for every developer to simply push their changes directly to the <code>main</code> branch:<br> <code>git push origin main</code></p> <p>This is architecturally reckless and creates a new "pain point" of <strong>workflow chaos</strong>.</p> <blockquote> <p><strong>The Analogy:</strong> Allowing direct pushes to <code>main</code> is like letting <em>any</em> engineer walk into the "Central Library" at <em>any</em> time and scribble directly on the <strong>master blueprint</strong>.</p> <p>What if their change is wrong? What if it's incomplete? What if two engineers try to edit the same page at the same time? The "master blueprint" becomes a mess of conflicting, untested, and unverified changes. This breaks the build for everyone and defeats the purpose of having a "single source of truth."</p> </blockquote> <h3> The "First Principles" Solution: The Merge Request </h3> <p>To solve this "collaboration pain point," we introduce the <strong>Merge Request (MR)</strong>. (This is known as a "Pull Request" or "PR" on GitHub, but we will use GitLab's terminology).</p> <p>A Merge Request is the "first principle" of professional, team-based collaboration. It is a formal <em>process</em> for managing change, not just a <em>command</em>.</p> <p>The workflow is as follows:</p> <ol> <li> A developer <strong>never</strong> works on the <code>main</code> branch.</li> <li> They create a new <strong>branch</strong> (their "private copy" of the blueprint) (e.g., <code>git checkout -b feature/add-login-button</code>).</li> <li> They make all their <strong>commits</strong> safely on this private branch.</li> <li> When their work is complete, they <code>git push</code> their <em>branch</em> (not <code>main</code>) to GitLab.</li> <li> Finally, they go to the GitLab UI and open a <strong>Merge Request</strong>.</li> </ol> <blockquote> <p><strong>The Analogy:</strong> A Merge Request is a <strong>"formal proposal"</strong> submitted to the "head librarian" (the project maintainers).</p> <p>You are not <em>making</em> the change to the master blueprint. You are <em>proposing</em> it. You are saying:</p> <p>"I have finished my work on my private copy (my 'feature' branch). Here is a summary of my changes. Please review them. If you and the rest of the team approve, please <em>merge</em> my proposal into the master blueprint ('main')."</p> </blockquote> <p>This simple process changes everything. It creates a central, auditable "lobby" for every proposed change. It's the place where your team can:</p> <ul> <li> <strong>Review the Code:</strong> Leave comments, suggest improvements, and ensure quality.</li> <li> <strong>Discuss the Change:</strong> Debate the solution and its impact.</li> <li> <strong>Verify the Solution:</strong> This is the most critical part.</li> </ul> <p>This <strong>Merge Request</strong> is the <strong>key trigger</strong> for our entire CI/CD stack. It is the "starting gun" for our whole automation pipeline. The moment an MR is opened, our "Central Library" (GitLab) will send a signal (a webhook) to our "Factory Foreman" (Jenkins), which will automatically run all the builds, tests, and quality scans.</p> <p>This is the <em>entire reason</em> we are building our stack: to automate the <em>verification</em> of these "proposals" <em>before</em> they are ever merged into our "master blueprint."</p> <h2> 2.3. The "Permissions Pain Point" (GitHub vs. GitLab) </h2> <p>We have our "Central Library" (GitLab) and a formal "proposal" process (Merge Requests). This introduces the final core concept: <strong>access control</strong>. Who is allowed in the library, and what are they allowed to do?</p> <p>This is a massive "pain point" in any large organization. If you have 100 developers and 50 projects, how do you manage their permissions? Manually adding 100 users to 50 different projects (5,000 operations) is not just tedious; it's an auditing and security nightmare.</p> <p>This is where the architectural differences between SCM platforms become critical.</p> <ul> <li><p><strong>The GitHub "Organization" Model:</strong> GitHub's solution is the <strong>"Organization."</strong> This is a good model that gathers all your projects under one "roof." You can then create "Teams" (e.g., "Frontend Developers," "Backend Developers") and grant those <em>teams</em> access to individual repositories. This is a big improvement, but the structure is relatively flat. You still have to manually manage the connections between many teams and many repositories.</p></li> <li><p><strong>The GitLab "Group" Model (The Architectural Solution):</strong> GitLab solves this "permissions pain point" with a more powerful, <strong>hierarchical namespace</strong>.</p></li> </ul> <blockquote> <p><strong>The Analogy:</strong> A GitHub "Organization" is like a <em>single, large library building</em>. You create "teams" (like "History Department") and give them keys to specific rooms (repositories).</p> <p>A GitLab <strong>"Group"</strong> is like an entire <strong>"University Campus."</strong></p> </blockquote> <p>This is the key distinction. A GitLab "Group" (e.g., "College of Engineering") is a container that can hold both:</p> <ol> <li> <strong>Projects</strong> (e.g., the "Robotics Lab Project")</li> <li> <strong>Sub-Groups</strong> (e.g., the entire "Computer Science Department," which <em>itself</em> has its own projects)</li> </ol> <p>The architectural advantage here is <strong>permission inheritance</strong>.</p> <p>When you hire a new developer, you don't give them 50 different keys. You simply add their user account to the "College of Engineering" <strong>Group</strong> <em>one time</em> and assign them the "Developer" role.</p> <p>By inheritance, they <em>automatically</em> get "Developer" access to:</p> <ul> <li>The "Robotics Lab Project."</li> <li>The <em>entire</em> "Computer Science Department" sub-group.</li> <li> <em>Every single project</em> inside the "Computer Science Department."</li> </ul> <p>This hierarchical "Group" model is a far superior architectural solution for managing a complex organization, and it's a core reason we have chosen GitLab as our "Central Library's" architecture. We will use this "Group" feature to organize all the projects for our new "city."</p> <h1> Chapter 3: Action Plan (Part 1) — The "Blueprint First" Strategy </h1> <h2> 3.1. Prerequisite: The <code>cicd.env</code> File </h2> <p>Before we run a single script, we must perform our one and only manual setup step. We need to provide the secrets that our setup script will "bake" into the GitLab configuration.</p> <p>We will create a file named <strong><code>cicd.env</code></strong> inside our project's <code>~/cicd_stack</code> directory. This file is <strong>not</strong> used by Docker. It is a prerequisite that is read <em>only</em> by our <code>01-initial-setup.sh</code> script. Our setup script is smart enough to add this filename to <code>.gitignore</code> automatically, ensuring we never accidentally commit our private passwords.</p> <p>On your host machine, create this file. You can use <code>nano</code> or any text editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano ~/cicd_stack/cicd.env </code></pre> </div> <p>Add the following two lines. It is <strong>critical</strong> that you replace the placeholder values with your real credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">GITLAB_ROOT_PASSWORD</span><span class="p">=</span><span class="s">"your-secure-password-here"</span> <span class="py">GMAIL_APP_PASSWORD</span><span class="p">=</span><span class="s">"your-16-char-password-here"</span> </code></pre> </div> <blockquote> <p><strong>A Note on Passwords:</strong></p> <ul> <li> <strong><code>GITLAB_ROOT_PASSWORD</code></strong>: This will become the password for the <code>root</code> administrator account. Make it strong and memorable.</li> <li> <strong><code>GMAIL_APP_PASSWORD</code></strong>: This is <strong>not</strong> your regular Gmail password. It is a 16-character "App Password" you must generate from your Google Account security settings. (We will walk through the exact UI steps for this in Chapter 5, but it must be generated for this script to work).</li> </ul> </blockquote> <p>Once this file is saved, you have completed the only manual prerequisite. Our setup script will handle everything else.</p> <h2> 3.2. The "First Run" Conflict (Our Key Discovery) </h2> <p>With our secrets file in place, we were ready to build our configuration. Our goal was to provide all configuration <em>before</em> the container started. This led us to what <em>should</em> have been a simple, two-part setup:</p> <ol> <li> <strong>For SSL/SMTP:</strong> Write a custom <code>gitlab.rb</code> file and bind-mount it to <code>/etc/gitlab</code>.</li> <li> <strong>For the Password:</strong> Securely pass the <code>GITLAB_ROOT_PASSWORD</code> using the <code>--env-file</code> flag in our <code>docker run</code> command.</li> </ol> <p>This logical approach led us to a critical failure and our most important discovery. When we ran the container with <strong>both</strong> the bind-mounted <code>gitlab.rb</code> <em>and</em> the <code>--env-file</code> flag, the container entered a "confused" state.</p> <p>This is the conflict:</p> <ul> <li>The container started successfully.</li> <li>NGINX read our <code>gitlab.rb</code> and loaded our SSL certificates.</li> <li>But the "first-run" password logic <strong>failed silently</strong>.</li> <li>The password from our <code>--env-file</code> was <strong>ignored</strong>.</li> <li>The container <strong>did not</strong> generate a random password, because it assumed our environment variable would work.</li> </ul> <p>We were left with a perfectly-secured, SSL-enabled container that had no <code>root</code> password. The login page would just fail indefinitely.</p> <p>We discovered that the presence of the <strong><code>--env-file</code></strong> flag, when used <em>in combination with</em> a pre-populated <code>/etc/gitlab</code> volume, breaks the container's "first-run" password logic.</p> <p>This discovery was the key. We couldn't trust the container to manage its environment and our config file at the same time. We had to choose one.</p> <h2> 3.3. The Solution: "Baking" Credentials </h2> <p>This discovery led us to our final, robust solution. Since the container cannot be trusted to handle both an environment file and a pre-configured <code>gitlab.rb</code> file, we will remove the source of the conflict: <strong>we will not use the <code>--env-file</code> flag at all.</strong></p> <p>Instead, we will create a master "blueprint" on our host <em>before</em> the container ever runs. This blueprint (<code>gitlab.rb</code>) will contain <strong>everything</strong> the container needs to know: our SSL paths, our SMTP settings, and, most importantly, the administrator password.</p> <p>We will accomplish this using our <strong><code>01-initial-setup.sh</code></strong> script. This script will act as our "architect," performing a clever "bake-in" process:</p> <ol> <li> It will first read our <code>cicd.env</code> file on the host, loading the <code>GITLAB_ROOT_PASSWORD</code> and <code>GMAIL_APP_PASSWORD</code> into its own environment.</li> <li> It will then programmatically "bake" (i.e., hardcode) the <em>values</em> of these variables directly into the text of the <code>gitlab.rb</code> file it generates.</li> </ol> <p>When the GitLab container starts, it will be completely unaware of our <code>cicd.env</code> file. It will simply see a <code>gitlab.rb</code> file with lines like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># (This is what the container will see)</span> <span class="n">gitlab_rails</span><span class="p">[</span><span class="s1">'initial_root_password'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'MySuperSecurePassword123'</span> <span class="n">gitlab_rails</span><span class="p">[</span><span class="s1">'smtp_password'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'ab12cd34ef56gh78'</span> </code></pre> </div> <p>This bypasses the container's broken "first-run" logic entirely. The container's setup script will read this hardcoded value from <code>gitlab.rb</code> and use it to correctly initialize the database.</p> <p>While hardcoding secrets in a configuration file is generally not ideal, it is the only reliable and repeatable method to solve this specific "first-run" conflict caused by the GitLab Docker image. This "Blueprint First" strategy gives us a single, complete, and fully-configured blueprint to hand off to our deployment script.</p> <h2> 3.4. The "Architect" Script (<code>01-initial-setup.sh</code>) </h2> <p>This is our "architect" script. Its sole purpose is to run on the host machine and prepare the <em>entire</em> configuration "blueprint" (<code>gitlab.rb</code>) and "site" (the required directories) <em>before</em> the container is ever created. It performs all the preparation we've discussed: checking prerequisites, creating directories, solving our CA trust issue, and "baking" our secrets.</p> <p>Here is the complete script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c">#</span> <span class="c"># 🚀 01-initial-setup.sh</span> <span class="c">#</span> <span class="c"># This script prepares the host environment for the GitLab container.</span> <span class="c">#</span> <span class="c"># ❗ PREREQUISITE:</span> <span class="c"># You MUST create the 'cicd.env' file in the '~/cicd_stack' directory</span> <span class="c"># *before* running this script. It must contain:</span> <span class="c">#</span> <span class="c"># GITLAB_ROOT_PASSWORD="your-secure-password"</span> <span class="c"># GMAIL_APP_PASSWORD="your-16-char-password"</span> <span class="c">#</span> <span class="c"># --- Configuration ---</span> <span class="nv">CICD_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/cicd_stack"</span> <span class="nv">ENV_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_DIR</span><span class="s2">/cicd.env"</span> <span class="nv">GITIGNORE_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_DIR</span><span class="s2">/.gitignore"</span> <span class="nv">GITIGNORE_ENTRY</span><span class="o">=</span><span class="s2">"cicd.env"</span> <span class="c"># --- GitLab Config Paths ---</span> <span class="nv">GITLAB_CONFIG_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CICD_DIR</span><span class="s2">/gitlab/config"</span> <span class="nv">GITLAB_TRUSTED_CERTS_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GITLAB_CONFIG_DIR</span><span class="s2">/trusted-certs"</span> <span class="nv">GITLAB_CONFIG_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GITLAB_CONFIG_DIR</span><span class="s2">/gitlab.rb"</span> <span class="c"># --- CA Paths ---</span> <span class="nv">CA_CERT_SOURCE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">HOME</span><span class="k">}</span><span class="s2">/cicd_stack/ca/pki/certs/ca.pem"</span> <span class="nv">CA_CERT_DEST</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GITLAB_TRUSTED_CERTS_DIR</span><span class="s2">/ca.pem"</span> <span class="c"># --- Script ---</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting setup..."</span> <span class="c"># 1. 🛑 PREREQUISITE CHECK: Stop if cicd.env is missing</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"---------------------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"⛔ ERROR: '</span><span class="nv">$ENV_FILE</span><span class="s2">' not found."</span> <span class="nb">echo</span> <span class="s2">"Please create this file with your passwords before running."</span> <span class="nb">echo</span> <span class="s2">"It must contain:"</span> <span class="nb">echo</span> <span class="s2">" GITLAB_ROOT_PASSWORD=</span><span class="se">\"</span><span class="s2">...</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" GMAIL_APP_PASSWORD=</span><span class="se">\"</span><span class="s2">...</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"---------------------------------------------------------------"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># 2. Ensure the base directory exists (owned by user)</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$CICD_DIR</span><span class="s2">"</span> <span class="c"># 3. Add cicd.env to .gitignore (owned by user)</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="nt">-F</span> <span class="s2">"</span><span class="nv">$GITIGNORE_ENTRY</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GITIGNORE_FILE</span><span class="s2">"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Adding </span><span class="nv">$GITIGNORE_ENTRY</span><span class="s2"> to </span><span class="nv">$GITIGNORE_FILE</span><span class="s2">..."</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GITIGNORE_ENTRY</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> <span class="s2">"</span><span class="nv">$GITIGNORE_FILE</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GITIGNORE_ENTRY</span><span class="s2"> is already in </span><span class="nv">$GITIGNORE_FILE</span><span class="s2">. Skipping."</span> <span class="k">fi</span> <span class="c"># 4. Ensure the gitlab config directories exist (requires sudo)</span> <span class="nb">echo</span> <span class="s2">"Ensuring GitLab config directories exist (may ask for password)..."</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$GITLAB_CONFIG_DIR</span><span class="s2">"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$GITLAB_TRUSTED_CERTS_DIR</span><span class="s2">"</span> <span class="c"># 5. Copy the CA certificate into the trusted-certs directory (requires sudo)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CA_CERT_SOURCE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Copying CA certificate to </span><span class="nv">$CA_CERT_DEST</span><span class="s2"> (may ask for password)..."</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$CA_CERT_SOURCE</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$CA_CERT_DEST</span><span class="s2">"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"⚠️ WARNING: CA certificate not found at </span><span class="nv">$CA_CERT_SOURCE</span><span class="s2">."</span> <span class="nb">echo</span> <span class="s2">"Please ensure your CA is generated before running GitLab."</span> <span class="k">fi</span> <span class="c"># 6. Create the gitlab.rb configuration file (requires sudo)</span> <span class="nb">echo</span> <span class="s2">"Creating custom gitlab.rb configuration (may ask for password)..."</span> <span class="c"># Load the .env file variables into this script's environment</span> <span class="nb">set</span> <span class="nt">-a</span> <span class="c"># Automatically export all variables that are defined</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$ENV_FILE</span><span class="s2">"</span> <span class="nb">set</span> +a <span class="c"># Stop auto-exporting</span> <span class="c"># This sudo block injects the *values* from the .env file</span> <span class="c"># directly into the gitlab.rb file.</span> <span class="nb">sudo </span>bash <span class="nt">-c</span> <span class="s2">"cat &lt;&lt; EOF &gt; </span><span class="nv">$GITLAB_CONFIG_FILE</span><span class="s2"> # --- Main GitLab URL --- # This is the address all containers on 'cicd-net' will use. external_url 'https://gitlab.cicd.local:10300' # --- Custom SSL Configuration --- nginx['enable'] = true nginx['ssl_certificate'] = '/etc/gitlab/ssl/gitlab.cicd.local.crt.pem' nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/gitlab.cicd.local.key.pem' # --- Disable Let's Encrypt --- letsencrypt['enable'] = false # --- SMTP Email (Gmail) Configuration --- # NOTE: Update 'YOUR_GMAIL_EMAIL_HERE' with your actual Gmail address # The password is hardcoded from the .env file during setup. gitlab_rails['smtp_enable'] = true gitlab_rails['smtp_address'] = 'smtp.gmail.com' gitlab_rails['smtp_port'] = 587 gitlab_rails['smtp_user_name'] = 'YOUR_GMAIL_EMAIL_HERE' gitlab_rails['smtp_password'] = '</span><span class="k">${</span><span class="nv">GMAIL_APP_PASSWORD</span><span class="k">}</span><span class="s2">' gitlab_rails['smtp_domain'] = 'smtp.gmail.com' gitlab_rails['smtp_authentication'] = 'login' gitlab_rails['smtp_enable_starttls_auto'] = true gitlab_rails['smtp_tls'] = false # --- Email From/Reply-to Settings --- # NOTE: Update 'YOUR_GMAIL_EMAIL_HERE' and 'YOUR_DOMAIN_HERE' gitlab_rails['gitlab_email_from'] = 'YOUR_GMAIL_EMAIL_HERE' gitlab_rails['gitlab_email_reply_to'] = 'noreply@YOUR_DOMAIN_HERE' # --- Set Initial Root Password --- # The password is hardcoded from the .env file during setup. gitlab_rails['initial_root_password'] = '</span><span class="k">${</span><span class="nv">GITLAB_ROOT_PASSWORD</span><span class="k">}</span><span class="s2">' EOF"</span> <span class="nb">echo</span> <span class="s2">"✅ Setup complete. You are now ready to run 02-create-docker.sh"</span> </code></pre> </div> <h2> 3.5. Deconstruction of <code>01-initial-setup.sh</code> </h2> <p>This script is dense, but every step is a deliberate solution to a problem we uncovered. Let's deconstruct it.</p> <ul> <li><p><strong>Step 1: Prerequisite Check</strong>: The script begins with a critical safety check. It ensures the <code>cicd.env</code> file we created in 3.1 actually exists. If it doesn't, the script immediately exits with a helpful error message. This prevents us from ever running a misconfigured setup.</p></li> <li><p><strong>Steps 2 &amp; 3: Housekeeping</strong>: These steps create the base <code>~/cicd_stack</code> directory and add our secret <code>cicd.env</code> file to <code>.gitignore</code> to prevent us from ever accidentally committing it.</p></li> <li> <p><strong>Steps 4 &amp; 5: Directory Scaffolding &amp; CA Trust</strong>: This is where we see the first piece of our proactive strategy. The script creates the <code>gitlab/config</code> and, crucially, the <strong><code>gitlab/config/trusted-certs</code></strong> directories. It then immediately copies our <code>ca.pem</code> (from Article 2) <em>into</em> this <code>trusted-certs</code> folder.</p> <ul> <li> <strong>This single step solves the "Outbound Trust" problem before it ever begins.</strong> When GitLab starts for the first time, its <code>reconfigure</code> script will see our CA certificate already in place and will automatically build its trust store, adding our CA. It will then be able to send secure webhooks to <code>https://jenkins.cicd.local</code> or talk to other internal, SSL-secured services without a single SSL error. No second <code>reconfigure</code> is ever needed.</li> </ul> </li> <li><p><strong>Step 6: The "Bake-in"</strong>: This is the most important part of the script and the core of our solution.</p></li> </ul> <ol> <li> <strong><code>set -a / source "$ENV_FILE" / set +a</code></strong>: This triplet of commands loads our secrets. <code>source</code> "runs" the <code>cicd.env</code> file, which sets the <code>GITLAB_ROOT_PASSWORD</code> and <code>GMAIL_APP_PASSWORD</code> variables within the script's environment.</li> <li> <strong><code>sudo bash -c "cat &lt;&lt; EOF &gt; ..."</code></strong>: This is the "bake-in" operation. We use <code>sudo</code> to gain root privileges, which are necessary to write into the <code>gitlab/config</code> directory (as <code>sudo</code> created it). The <code>cat &lt;&lt; EOF &gt; $GITLAB_CONFIG_FILE</code> command writes a "here document" (all the text until the final <code>EOF</code>) into our <code>gitlab.rb</code> file.</li> <li> <strong>Variable Expansion</strong>: Because we <code>source</code>'d the variables first, the shell <em>expands</em> them <em>before</em> <code>sudo</code> ever runs. This means the line <code>gitlab_rails['initial_root_password'] = '${GITLAB_ROOT_PASSWORD}'</code> becomes <code>gitlab_rails['initial_root_password'] = 'MySuperSecurePassword123'</code> <em>inside</em> the final file.</li> </ol> <h2> 3.6. Deconstruction of the "Baked" <code>gitlab.rb</code> </h2> <p>The <code>gitlab.rb</code> file generated by our script is the master blueprint for the entire container. Let's analyze each block:</p> <ul> <li><p><strong><code>external_url 'https://gitlab.cicd.local:10300'</code></strong><br> This is arguably the most critical setting. It tells GitLab what its "public" URL is. Because all our CI/CD services (like Jenkins, SonarQube, and our dev-container) live on the same <code>cicd-net</code>, they will all be able to find and access this container using its internal DNS name, <code>gitlab.cicd.local</code>. We match the port to the host port to prevent browser issues stemming from the split-horizon DNS problem.</p></li> <li><p><strong><code>nginx['...']</code> and <code>letsencrypt['...']</code></strong><br> This block tells GitLab's built-in Nginx web server to <em>disable</em> its default Let's Encrypt integration (<code>letsencrypt['enable'] = false</code>). Instead, we explicitly point it to the "passports" (our custom SSL certificate and key from Article 2) that we will be mounting into the <code>/etc/gitlab/ssl/</code> directory.</p></li> <li><p><strong><code>gitlab_rails['smtp_...']</code></strong><br> This is our full SMTP configuration for sending notification emails via Gmail. It sets the server, port, and authentication. Most importantly, the line <code>gitlab_rails['smtp_password'] = '${GMAIL_APP_PASSWORD}'</code> is where the 16-character App Password (which we "baked-in") is placed, allowing GitLab to authenticate with Google. You will still need to edit this file one time to replace <code>YOUR_GMAIL_EMAIL_HERE</code> with your actual email address.</p></li> <li><p><strong><code>gitlab_rails['initial_root_password'] = '${GITLAB_ROOT_PASSWORD}'</code></strong><br> This is the <strong>solution to our entire login problem</strong>. By "baking" the password from our <code>cicd.env</code> file directly into this line, we force GitLab's "first-run" database script to use <em>our</em> password. It bypasses all the broken logic, never generates a random password, and ensures that when the container is ready, we can log in with the exact credentials we intended.</p></li> </ul> <h1> Chapter 4: Action Plan (Part 2) — Deployment &amp; First Login </h1> <p>With our "architect" script (<code>01-initial-setup.sh</code>) having perfectly prepared the host environment, our "blueprint" (<code>gitlab.rb</code>) is now complete, with all our configurations and secrets "baked" in.</p> <p>The hard part is over. All that's left is to bring in the "construction crew" and build the skyscraper. This second script is beautifully simple, as all the complex logic now lives in the configuration file we just built.</p> <h2> 4.1. The "Construction" Script (<code>02-create-docker.sh</code>) </h2> <p>This script's only job is to run the <code>docker run</code> command. It takes our prepared config directory, our SSL certificates, and our persistent volumes and assembles them into a single, running container.</p> <p>Here is the complete <code>02-create-docker.sh</code> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script launches the GitLab container with all</span> <span class="c"># the networking, volumes, and security settings.</span> <span class="nb">echo</span> <span class="s2">"🚀 Starting GitLab container..."</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> gitlab <span class="se">\</span> <span class="nt">--restart</span> always <span class="se">\</span> <span class="nt">--hostname</span> gitlab.cicd.local <span class="se">\</span> <span class="nt">--network</span> cicd-net <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:10300:443 <span class="se">\</span> <span class="nt">--publish</span> 127.0.0.1:10301:22 <span class="se">\</span> <span class="nt">--volume</span> gitlab-data:/var/opt/gitlab <span class="se">\</span> <span class="nt">--volume</span> gitlab-logs:/var/log/gitlab <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="k">${</span><span class="nv">HOME</span><span class="k">}</span><span class="s2">/cicd_stack/gitlab/config"</span>:/etc/gitlab <span class="se">\</span> <span class="nt">--volume</span> <span class="s2">"</span><span class="k">${</span><span class="nv">HOME</span><span class="k">}</span><span class="s2">/cicd_stack/ca/pki/services/gitlab.cicd.local"</span>:/etc/gitlab/ssl:ro <span class="se">\</span> <span class="nt">--shm-size</span> 256m <span class="se">\</span> gitlab/gitlab-ce:latest <span class="nb">echo</span> <span class="s2">"✅ GitLab container is starting."</span> <span class="nb">echo</span> <span class="s2">"Monitor its progress with: docker logs -f gitlab"</span> </code></pre> </div> <h2> 4.2. Deconstruction of the <code>docker run</code> Command </h2> <p>Every single flag in this command is a deliberate architectural decision, connecting back to the foundations we laid in Articles 1 and 2.</p> <ul> <li><p><strong><code>--network cicd-net</code> &amp; <code>--hostname gitlab.cicd.local</code></strong>: This is the payoff from Article 1. We connect our "skyscraper" to our private "city road network" (<code>cicd-net</code>) and give it an internal DNS name (<code>gitlab</code>). This is what will allow our dev-container (and later, Jenkins) to find it by simply using the address <code>https://gitlab.cicd.local</code>.</p></li> <li> <p><strong><code>--publish 127.0.0.1:10300:443</code> &amp; <code>--publish 127.0.0.1:10301:22</code></strong>: This is our port mapping scheme.</p> <ul> <li>It exposes the container's internal HTTPS (443) and SSH (22) ports to <code>10300</code> and <code>10301</code> on our host.</li> <li>Critically, it binds <strong>only to <code>127.0.0.1</code> (localhost)</strong>. This is a key security choice. It means our GitLab instance is <em>not</em> exposed to our local LAN (e.g., your office Wi-Fi). It is only accessible from your host machine.</li> </ul> </li> <li><p><strong><code>--volume gitlab-data:/var/opt/gitlab</code> &amp; <code>--volume gitlab-logs:/var/log/gitlab</code></strong>: This is our "storage locker" persistence strategy from Article 1. We are mounting our pre-made named volumes to store all of GitLab's opaque, internal data (like its database, repositories, and logs).</p></li> <li><p><strong><code>--volume "${HOME}/cicd_stack/gitlab/config":/etc/gitlab</code></strong>: This is the <strong>grand payoff</strong> of our entire "Blueprint First" strategy. We are mounting our <em>fully-configured</em> host directory (which contains our baked <code>gitlab.rb</code> and <code>trusted-certs</code> folder) directly into the container.</p></li> <li><p><strong><code>--volume "${HOME}/cicd_stack/ca/pki/services/gitlab.cicd.local":/etc/gitlab/ssl:ro</code></strong>: This is the payoff from Article 2. We mount our <code>gitlab</code> "passport" (its SSL certificate and key) into the container in <code>ro</code> (read-only) mode for security.</p></li> <li><p><strong><code>--shm-size 256m</code></strong>: This is a performance optimization. GitLab's internal services use shared memory, and the Docker default is too small (64m), which can cause random crashes. We explicitly give it more memory to ensure stability.</p></li> <li><p><strong>The Missing Flag: <code>--env-file</code></strong><br><br> The most important part of this command is what's <em>missing</em>. We are <strong>intentionally not using <code>--env-file</code></strong>. By "baking" our secrets directly into <code>gitlab.rb</code>, we have eliminated the source of our "first-run" conflict, leading to a much cleaner and more reliable deployment.</p></li> </ul> <h2> 4.3. The First Run: "Reconfiguring..." </h2> <p>Now, it's time to launch.</p> <p>The workflow is simple:</p> <ol> <li> Ensure you have created and edited your <code>~/cicd_stack/cicd.env</code> file.</li> <li> Run your setup script: <code>./01-initial-setup.sh</code> </li> <li> Run your deployment script: <code>./02-create-docker.sh</code> </li> </ol> <p>As soon as you run the second script, you must be patient. GitLab is a very large application. On first boot, it will run its internal <code>reconfigure</code> script to apply all the settings from our <code>gitlab.rb</code> file, build its database, and start all its services.</p> <p>This process can take <strong>3 to 5 minutes</strong>.</p> <p>You can (and should) watch this process in real-time by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs <span class="nt">-f</span> gitlab </code></pre> </div> <p>You will see a massive flood of text as it configures all its components. You will know it is finished when the log messages slow down and you see "Chef Client finished" messages, followed by the services (Puma, Sidekiq, etc.) starting up. Do not attempt to log in until this process is complete.</p> <h2> 4.4. Verification: The First Login </h2> <p>Once the logs have settled, open your web browser on your host machine and navigate to the <code>localhost</code> port we published:</p> <p><strong><code>https://127.0.0.1:10300</code></strong></p> <p>Thanks to the foundational work we did in Article 2—where we imported our Local CA's root certificate into our host machine's system trust store—your browser will greet you with a <strong>secure lock icon</strong>. There will be no security warnings. Your browser recognizes and trusts the <code>gitlab</code> certificate because it was signed by our now-trusted Certificate Authority.</p> <p>You will see the GitLab login page.</p> <p>Now, for the moment of truth. Log in using the credentials <strong>you</strong> defined in your <code>cicd.env</code> file:</p> <ul> <li> <strong>Username:</strong> <code>root</code> </li> <li> <strong>Password:</strong> (The <code>GITLAB_ROOT_PASSWORD</code> value you set)</li> </ul> <p>Because we "baked" this password directly into the <code>gitlab.rb</code> file, it will work on the very first try.</p> <p>It is advisable to change the root password by clicking on the root user's avatar, clicking Preferences and navigating to the Password tab.</p> <h3> Verification (Curls) </h3> <p>Finally, let's run our "proof of success" checks from our terminals.</p> <ul> <li> <strong>From your Host terminal:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl https://127.0.0.1:10300 </code></pre> </div> <ul> <li> <strong>From your dev-container terminal:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># (Inside the dev-container)</span> curl https://gitlab.cicd.local:10300 </code></pre> </div> <p>In both cases, you should see a <code>302 Found</code> redirect and the HTML for the login page. The commands will work without any <code>-k</code> or <code>--insecure</code> flags, proving that both your host and your dev-container trust our new GitLab instance. This confirms that your host port mapping, internal DNS, and end-to-end SSL are all working perfectly.</p> <h1> Chapter 5: UI Configuration (Securing the Workflow) </h1> <p>With our GitLab container running, secured, and accessible, the "construction" phase is complete. We now put on our "administrator" hat. The next steps involve configuring the GitLab application itself, creating the structures for our teams, and securing our development workflow.</p> <p>We will also complete the setup for one of our "baked-in" configurations: the <code>GMAIL_APP_PASSWORD</code>.</p> <h2> 5.1. UI Guide: Creating a Google "App Password" </h2> <p>In our <code>01-initial-setup.sh</code> script, we "baked" a <code>GMAIL_APP_PASSWORD</code> into our <code>gitlab.rb</code> file. This is <strong>not</strong> your normal Gmail password. Google's modern security ("Less Secure Apps" deprecation) requires us to generate a special, 16-character password for third-party applications like GitLab.</p> <p>If you haven't generated this password yet, here is the new, more direct process:</p> <ol> <li> Go to your Google Account settings: <strong><a href="https://myaccount.google.com/" rel="noopener noreferrer">myaccount.google.com</a></strong> </li> <li> Navigate to the <strong>Security</strong> tab.</li> <li> Ensure <strong>2-Step Verification</strong> is turned <strong>On</strong>. You cannot create App Passwords without it.</li> <li> Use the search bar at the top of your account page and type in <strong>"App Passwords"</strong>. Click the result.</li> <li> You will be prompted to sign in again for security.</li> <li> On the App Passwords screen, you will be prompted to give your new password a name. <ul> <li> <strong>App name:</strong> Give it a descriptive name, like <strong>"GitLab-CICD"</strong>.</li> <li>Click <strong>Generate</strong>.</li> </ul> </li> <li> Google will present you with a 16-character password in a yellow box (e.g., <code>xxxx yyyy zzzz wwww</code>).</li> <li> This is the password you must place in your <code>~/cicd_stack/cicd.env</code> file for the <code>GMAIL_APP_PASSWORD</code> variable.</li> </ol> <p>If you already had this set up, your email notifications for password resets and new accounts will now work. If you just generated this password for the first time, you must:</p> <ol> <li> Update your <code>~/cicd_stack/cicd.env</code> file with the new password.</li> <li> Re-run <code>./01-initial-setup.sh</code> to "re-bake" the <code>gitlab.rb</code> file with the new password.</li> <li> Restart the container to apply the new configuration: <code>docker stop gitlab &amp;&amp; docker start gitlab</code>. I had encountered a problem with just using <code>docker restart gitlab</code> </li> </ol> <h3> 5.1.1. (Optional) Verifying Your SMTP Setup </h3> <p>Now that you have your Gmail App Password configured, you can directly test GitLab's email functionality from within the container.</p> <ol> <li> <p>First, open a "Rails console" session inside your running GitLab container. This command will drop you into an interactive Ruby prompt:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo </span>docker <span class="nb">exec</span> <span class="nt">-it</span> gitlab gitlab-rails console </code></pre> <p><em>(Note: It is normal for this to take 30-60 seconds to load.)</em></p> </li> <li> <p>Once you see the <code>irb(main):001:0&gt;</code> prompt, type the following command, replacing the email address with your own. The <code>.deliver_now</code> is crucial as it forces the email to be sent immediately:<br> </p> <pre class="highlight ruby"><code><span class="no">Notify</span><span class="p">.</span><span class="nf">test_email</span><span class="p">(</span><span class="s1">'your_email@gmail.com'</span><span class="p">,</span> <span class="s1">'GitLab Test Email'</span><span class="p">,</span> <span class="s1">'This is a test message from your GitLab instance.'</span><span class="p">).</span><span class="nf">deliver_now</span> </code></pre> </li> <li><p>After a few seconds, you should see a large object output (the email object) and then a <code>=&gt;</code> line.</p></li> <li><p>Type <code>exit</code> to leave the console.</p></li> </ol> <p>Within a minute, you should receive the test email in your Gmail inbox. If you do, your SMTP is configured perfectly. If not, double-check your <code>GMAIL_APP_PASSWORD</code> in <code>cicd.env</code> and your <code>smtp_user_name</code> in <code>gitlab.rb</code>.</p> <h2> 5.2. UI Guide: Creating Our Groups </h2> <p>As we discussed in <strong>Chapter 1</strong>, GitLab's key architectural advantage is its hierarchical <strong>"Group"</strong> system. A "Group" is like a "University Campus" or a top-level organization. It can contain both projects and even <em>sub-groups</em> (like "departments").</p> <p>We will create two top-level "Groups" to properly organize all our projects:</p> <ol> <li> <strong><code>CICD-Stack</code></strong>: This will house test projects specific to our CI/CD pipeline, like the <code>hello-world</code> project we'll create later.</li> <li> <strong><code>Articles</code></strong>: This will be the new home for all the projects we've built in previous articles, like <code>0004_std_lib_http_client</code>.</li> </ol> <p>Let's create both now.</p> <ol> <li> From the GitLab dashboard, click the <strong>plus icon (<code>+</code>)</strong> in the top-left area of the navigation sidebar (it's to the left of your user avatar).</li> <li> A dropdown menu will appear. Select <strong>"New group"</strong>.</li> <li> On the next page, you'll be asked what you want to create. Click the large <strong>"Create group"</strong> tile or button.</li> <li> This brings you to the "Create group" form: <ul> <li> <strong>Group name:</strong> Type <code>CICD-Stack</code>.</li> <li> <strong>Group URL:</strong> This will auto-populate based on the name.</li> <li> <strong>Visibility level:</strong> Select <strong>"Private"</strong>. This ensures only logged-in members of your instance can see this group and its projects.</li> <li>(Optional) You can skip the "personalize" questions for now.</li> </ul> </li> <li> Click the blue <strong>"Create group"</strong> button at the bottom-left of the page.</li> </ol> <p>You will be taken to the new group's page. Now, let's repeat this exact process for our <code>Articles</code> group.</p> <ol> <li> Click the <strong>plus icon (<code>+</code>)</strong> in the top-left sidebar again.</li> <li> Select <strong>"New group"</strong>.</li> <li> Click the <strong>"Create group"</strong> tile.</li> <li> On the "Create group" form: <ul> <li> <strong>Group name:</strong> Type <code>Articles</code>.</li> <li> <strong>Visibility level:</strong> Select <strong>"Private"</strong>.</li> </ul> </li> <li>Click the <strong>"Create group"</strong> button.</li> </ol> <p>We now have our two top-level namespaces. This structure keeps our work organized and allows us to set permissions at the group level, which all projects inside will automatically inherit.</p> <h2> 5.3. UI Guide: Fixing the Root Admin's Email </h2> <p>When GitLab first starts, it assigns a "dummy" email address to the <code>root</code> user (e.g., <code>gitlab_admin_0537fd@example.com</code>). If you've just tested your SMTP settings as we did in 5.1.1, you may have seen a bounce-back email in your Gmail inbox, because this default email address is not real.</p> <blockquote> <p><strong>Example Bounce-back Error:</strong></p> <pre class="highlight plaintext"><code>Address not found </code></pre> <p>Your message wasn't delivered to gitlab_admin_<a href="mailto:0537fd@example.com">0537fd@example.com</a> because the domain example.com couldn't be found. Check for typos or unnecessary spaces and try again.<br> ...<br> The domain example.com doesn't receive email...</p> <pre class="highlight plaintext"><code></code></pre> </blockquote> <p>We must fix this by assigning your <em>real</em> email address to the <code>root</code> account. This involves a critical "gotcha" where we must manually fix a confirmation link.</p> <p>Here is the full process:</p> <ol> <li> <strong>Add Your New Email:</strong> </li> </ol> <ul> <li>Click your <code>root</code> user avatar (top-left corner).</li> <li>Select <strong>"Preferences"</strong>.</li> <li>In the left-hand navigation menu, click <strong>"Emails"</strong>.</li> <li>In the "Add email address" box, type your real email address (e.g., <code>your.name@gmail.com</code>) and click the <strong>"Add email address"</strong> button.</li> </ul> <ol> <li> <strong>Find the Confirmation Email:</strong> </li> </ol> <ul> <li>GitLab will send a confirmation link to your inbox. Open the email (Subject: "Administrator, confirm your email address now!").</li> </ul> <ol> <li> <strong>Fix the Confirmation Link (The "Gotcha"):</strong> </li> </ol> <ul> <li> <strong>Do not click the link directly.</strong> The link in the email will be broken. It will point to the <em>internal</em> container address (e.g., <code>https://gitlab/...</code>), which your host browser cannot resolve.</li> <li> <p>You must manually copy the link and replace the <code>https://gitlab.cicd.local:10300</code> portion with our host-accessible address: <code>https://127.0.0.1:10300</code>.</p> <blockquote> <p><strong>Example:</strong></p> <p><strong>Broken Link (from email):</strong><br> <code>https://gitlab.cicd.local:10300/-/profile/emails/confirmation?confirmation_token=zFoxv_5xPMRiEjfgzR-E</code></p> <p><strong>Corrected Link (to paste in browser):</strong><br> <code>https://127.0.0.1:10300/-/profile/emails/confirmation?confirmation_token=zFoxv_5xPMRiEjfgzR-E</code></p> </blockquote> </li> </ul> <ol> <li><p>Paste the <strong>corrected link</strong> into your browser and hit Enter. Your email address will now be confirmed.</p></li> <li><p><strong>Change Your Primary Email:</strong></p></li> </ol> <ul> <li>Now, you must make this new, confirmed email your primary address.</li> <li>Navigate back to your profile: <strong>Avatar &gt; Preferences</strong>. You will land on the <strong>"Profile"</strong> page.</li> <li>Change the <strong>"Email"</strong> field from the fake <code>example.com</code> address to your new, confirmed email.</li> <li>Change the <strong>"Commit email"</strong> field to your new, confirmed email as well.</li> <li>Click the <strong>"Update profile settings"</strong> button at the bottom.</li> </ul> <ol> <li> <strong>Clean Up the Old Email:</strong> </li> </ol> <ul> <li>Finally, let's remove the old, fake email.</li> <li>Go back to the <strong>"Emails"</strong> settings page (left-hand navigation).</li> <li>You will now see your new email listed as "Primary." Click the <strong>"Delete"</strong> (trash can) icon next to the old <code>gitlab_admin_..._@example.com</code> address to remove it.</li> </ul> <p>Your <code>root</code> account is now fully configured with a valid, working email address for all notifications.</p> <h2> 5.4. UI Guide: Creating Access Tokens </h2> <p>Our GitLab instance is now fully configured, but to automate it (our ultimate goal), we need to interact with its API. To do this securely, we will create <strong>Access Tokens</strong>. These are the "keys" that our scripts and external services (like Jenkins) will use to authenticate with GitLab.</p> <p>We will create two different types of tokens to understand the options available. Note: You might want to do section 5.4.3 first.</p> <ol> <li> <strong>Personal Access Token (PAT):</strong> This token is tied directly to a <em>user account</em> (in this case, our <code>root</code> admin). It's a "master key" that grants permissions <em>as that user</em>. It can do anything the <code>root</code> user can do.</li> <li> <strong>Group Access Token (GAT):</strong> This is a more modern, secure "bot" token. It is tied to a <em>Group</em> (e.g., our <code>CICD-Stack</code> group) instead of a human user. This is the best practice for CI/CD, as the token's permissions are limited <em>only</em> to that group, and it's not tied to a person who might leave the company.</li> </ol> <p>For our verification scripts, we will create and use a <strong>Personal Access Token</strong> for our <code>root</code> user, as it's the most powerful and straightforward to use for our "master plan" of creating projects in multiple groups.</p> <h3> 5.4.1. Creating a Personal Access Token (PAT) </h3> <ol> <li> In the top-left corner of the sidebar, click your <code>root</code> user avatar.</li> <li> From the dropdown menu, select <strong>"Preferences"</strong>.</li> <li> In the left-hand navigation menu of the Preferences page, click <strong>"Personal Access Tokens"</strong>.</li> <li> You will see the "Add a personal access token" form: <ul> <li> <strong>Token name:</strong> Give it a descriptive name, like <code>cicd-admin-token</code>.</li> <li> <strong>Expiration date:</strong> For now, you can leave it blank (it will not expire). For a real production system, you would set a strict expiration date and rotate the key.</li> <li> <strong>Select scopes:</strong> Check the box for <strong><code>api</code></strong>. This is the master scope that grants the token full read/write access to the entire API, which we need to create groups and projects.</li> </ul> </li> <li> Click the <strong>"Create personal access token"</strong> button.</li> </ol> <p>GitLab will immediately display your new token (e.g., <code>glpat-xxxxxxxxxxxx</code>). <strong>This is the only time you will ever see this token.</strong></p> <p>Copy this token immediately and save it in our secrets file, <code>~/cicd_stack/cicd.env</code>. Add it as a new line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">GITLAB_API_TOKEN</span><span class="p">=</span><span class="s">"glpat-xxxxxxxxxxxx"</span> </code></pre> </div> <p>Our Python scripts in the next chapter will read this variable to authenticate.</p> <h3> 5.4.2. Creating a Group Access Token (GAT) </h3> <p>Now, let's create a Group Access Token for our <code>CICD-Stack</code> group. This is the more modern, "best-practice" way to create a token for automation <em>within</em> a specific group.</p> <ol> <li> In the top-left sidebar, click the <strong>"Groups"</strong> icon and select <strong>"Your groups"</strong>.</li> <li> Click on the <strong><code>CICD-Stack</code></strong> group.</li> <li> In the group's left-hand sidebar, hover over <strong>"Settings"</strong> and then click <strong>"Access Tokens"</strong>.</li> <li> Click the <strong>"Add new token"</strong> button.</li> <li> Fill out the form: <ul> <li> <strong>Token name:</strong> Give it a descriptive name, like <code>cicd-stack-bot-token</code>.</li> <li> <strong>Role:</strong> Select <strong>"Owner"</strong>. This is the highest permission <em>within the group</em> and will allow this token to create new projects <em>inside</em> the <code>CICD-Stack</code> group.</li> <li> <strong>Select scopes:</strong> Check the <strong><code>api</code></strong> scope.</li> </ul> </li> <li> Click the <strong>"Create group access token"</strong> button.</li> </ol> <p>Just like the PAT, this token will be displayed only once. You don't need to save it for our next steps (as we'll be using the PAT), but it's crucial to understand this is the more secure, preferred method for production CI/CD automation.</p> <h3> 5.4.3. The "Split-Horizon" Fix: Resolving CORS Errors </h3> <p>As you attempted to create an Access Token, you likely ran into a critical error. The page failed to load, and your browser's developer console showed a <strong><code>Cross-Origin Request Blocked</code> (CORS)</strong> error.</p> <p>This is a classic "split-horizon" DNS problem, and it's the final major "gotcha" in our setup.</p> <h4> The Problem </h4> <p>The error occurred because our browser and our application had two different ideas of "home":</p> <ol> <li> <strong>The Browser:</strong> We were accessing the UI from <code>https://127.0.0.1:10300</code>.</li> <li> <strong>The Application:</strong> GitLab's <code>external_url</code> was set to <code>https://gitlab.cicd.local:10300</code>.</li> </ol> <p>When the UI (loaded from <code>127.0.0.1</code>) tried to make an API call, its JavaScript (which was configured by <code>external_url</code>) tried to contact <code>https://gitlab.cicd.local:10300</code>. The browser saw that <code>127.0.0.1:10300</code> and <code>gitlab.cicd.local</code> were two different "origins" and blocked the request for security.</p> <h4> The Solution </h4> <p>To fix this, we must make the URL we type in the browser <strong>exactly match</strong> the <code>external_url</code> in the GitLab configuration. This requires a three-part fix.</p> <p><strong>Step 1. Teach Your Host What <code>gitlab.cicd.local</code> Means</strong></p> <p>First, we must edit the <code>hosts</code> file on our <strong>host machine</strong> (not the dev-container) to resolve <code>gitlab.cicd.local</code> to our <code>localhost</code> IP.</p> <ul> <li>Open your hosts file with <code>sudo</code>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>nano /etc/hosts </code></pre> </div> <ul> <li>Add this line to the bottom of the file: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 127.0.0.1 gitlab.cicd.local </code></pre> </div> <ul> <li>Save and close the file. Your host machine now knows that <code>gitlab.cicd.local</code> points to <code>127.0.0.1</code>.</li> </ul> <p><strong>Step 2. Update <code>01-initial-setup.sh</code> (The <code>external_url</code>)</strong></p> <p>Next, we must tell GitLab to include our custom port in its <code>external_url</code>. This tells the application to generate all its internal links with the correct port, solving the CORS mismatch.</p> <ul> <li>Open <code>01-initial-setup.sh</code> and find this line in the <code>gitlab.rb</code> section: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="c1"># --- Main GitLab URL ---</span> <span class="n">external_url</span> <span class="s1">'https://gitlab.cicd.local'</span> </code></pre> </div> <ul> <li>Change it to include our port: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="c1"># --- Main GitLab URL ---</span> <span class="c1"># This sets the public URL AND configures the internal NGINX</span> <span class="c1"># to listen on this port (e.g., 10300).</span> <span class="n">external_url</span> <span class="s1">'https://gitlab.cicd.local:10300'</span> </code></pre> </div> <ul> <li> <strong>The "Gotcha":</strong> We discovered that changing this <code>external_url</code> <em>also</em> changes the internal port that GitLab's NGINX service listens on. It will no longer listen on <code>443</code>; it will now listen on <code>10300</code>.</li> </ul> <p><strong>Step 3. Update <code>02-create-docker.sh</code> (The Port Mapping)</strong></p> <p>Finally, because the container's internal port is now <code>10300</code>, we must update our <code>docker run</code> command to match.</p> <ul> <li>Open <code>02-create-docker.sh</code> and find this line: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nt">--publish</span> 127.0.0.1:10300:443 <span class="se">\</span> </code></pre> </div> <ul> <li>Change it to map <code>10300</code> on the host to <code>10300</code> in the container: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nt">--publish</span> 127.0.0.1:10300:10300 <span class="se">\</span> </code></pre> </div> <p><strong>Step 4. Relaunch and Access by Name</strong></p> <p>To apply these changes, you <strong>do not need to delete your data</strong>. Simply re-run the scripts.</p> <ol> <li> <p><strong>Stop and remove the old container.</strong> This is required to apply the new <code>--publish</code> flag.<br> </p> <pre class="highlight shell"><code>docker stop gitlab <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>gitlab </code></pre> </li> <li> <p><strong>Re-run the setup script.</strong> This will update the <code>gitlab.rb</code> file on your host.<br> </p> <pre class="highlight shell"><code>./01-initial-setup.sh </code></pre> </li> <li> <p><strong>Re-run the deployment script.</strong> This will create a new container with the correct port mapping, which will then read your updated <code>gitlab.rb</code> file and reconfigure itself.<br> </p> <pre class="highlight shell"><code>./02-create-docker.sh </code></pre> </li> </ol> <p>After waiting a few minutes for the container to start, clear your browser cache (or use a private window). From now on, to access the UI, you <strong>must</strong> use the new, correct URL in your browser:</p> <p><strong><a href="https://gitlab.cicd.local:10300" rel="noopener noreferrer">https://gitlab.cicd.local:10300</a></strong></p> <p>When you do, the "origin" will match (<code>https, gitlab, 10300</code>), the CORS errors will be gone, and all UI features will now work perfectly. You can now proceed with creating your Access Tokens.</p> <blockquote> <p>NOTE<br> The scripts will be fixed by the time you read this, so all you really need to do is edit your hosts file.</p> </blockquote> <h2> 5.5. The "Workflow" Pain Point (Enforcing MRs) </h2> <p>Our GitLab instance is now fully configured, but it has a major <strong>workflow problem</strong>. By default, any developer with access to a project can commit and push <em>directly</em> to the <code>main</code> branch.</p> <blockquote> <p><strong>The Analogy:</strong> This is like letting any engineer walk into the "Central Library" and scribble directly on the "master blueprint" <em>without</em> a review.</p> </blockquote> <p>This "pain point" defeats the entire purpose of our CI/CD pipeline. We <em>want</em> every change to be a "proposal" (a Merge Request) that can be reviewed, tested, and scanned <em>before</em> it's merged into our "single source of truth."</p> <p>The solution is to apply a <strong>Branch Rule</strong>. This feature allows us to lock the <code>main</code> branch and enforce our Merge Request workflow.</p> <p>Based on the documentation, there is a key distinction between the Free and Premium tiers:</p> <ul> <li> <strong>GitLab Free (Our Version):</strong> We can control <em>who</em> is allowed to push or merge to a branch. This is the core functionality we need.</li> <li> <strong>GitLab Premium/Ultimate:</strong> This adds <em>required approvals</em> (e.g., "requires 2 approvals") and status checks.</li> </ul> <p>We will now use the Free tier's "Branch rule" capability to set our core push/merge permissions.</p> <h2> 5.6. Action (UI): Configuring a Branch Rule </h2> <p>We will now enforce our workflow. We'll create a "hello-world" project and apply the "Branch rule," but this time, we'll ensure the <code>main</code> branch exists <em>first</em>.</p> <ol> <li> First, let's create the project. Navigate to the <strong><code>CICD-Stack</code></strong> Group you created.</li> <li> Click the <strong>"New project"</strong> button (top-right).</li> <li> Select <strong>"Create blank project"</strong>.</li> <li> <strong>Project name:</strong> <code>hello-world</code> </li> <li> <strong>Visibility Level:</strong> <code>Private</code>.</li> <li> <strong>✅ Check the box for "Initialize repository with a README."</strong> This is the crucial step. It creates the project <em>with</em> a <code>main</code> branch and a single, initial commit.</li> <li> Click <strong>"Create project"</strong>.</li> </ol> <p>You will be taken to the new project's main page, and you will see the <code>README.md</code> file is already there. The <code>main</code> branch now officially exists.</p> <p><em>Now</em> we can protect it.</p> <ol> <li> In the project's left-hand navigation sidebar, go to <strong>Settings &gt; Repository</strong>.</li> <li> Find the <strong>"Branch rules"</strong> section and click the <strong>"Expand"</strong> button.</li> <li>Click the <strong>"Add branch rule"</strong> button.</li> <li>You will be prompted to choose a target. Select <strong>"Branch name or pattern"</strong>.</li> <li>From the dropdown, select <code>main</code>.</li> <li>Click the <strong>"Create branch rule"</strong> button.</li> </ol> <p>This will create the rule and take you to the <strong>Branch rule details</strong> page.</p> <ol> <li>On this details page, find the <strong>"Protected branch"</strong> section. <ul> <li> <strong>Allowed to merge:</strong> In the dropdown, select <strong>"Maintainers"</strong>.</li> <li> <strong>Allowed to push and merge:</strong> In the dropdown, select <strong>"No one"</strong>.</li> </ul> </li> </ol> <p>You can now save these changes. The <code>main</code> branch is now "locked."</p> <p>From this point forward, no one can push directly to <code>main</code>. The only way to update it is to push a new feature branch and open a Merge Request, which is exactly the professional workflow we want.</p> <h2> 6.1. Verification (Part 1): The "API-First" Test (Project Creation) </h2> <p>Our first test will be to use the <strong>Personal Access Token (PAT)</strong> we created in Chapter 5. This test will prove that our API is accessible, our token is working, and our Python environment on our <strong>host machine</strong> can successfully talk to our container.</p> <p>This test is the <strong>ultimate payoff for Article 2</strong>. We will not be manually loading any CA files. We will use Python's standard <code>ssl.create_default_context()</code>, which now automatically uses our host's system trust store (where our Local CA was installed).</p> <p>Create the following Python script on your host machine. You can save it as <code>verify_gitlab.py</code> inside your <code>~/cicd_stack</code> directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- </span><span class="n">ENV_FILE_PATH</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd.env</span><span class="sh">"</span> <span class="n">GITLAB_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://gitlab.cicd.local:10300</span><span class="sh">"</span> <span class="c1"># Our host-accessible URL </span><span class="n">GROUP_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Articles</span><span class="sh">"</span> <span class="c1"># The group we created in 5.2 </span> <span class="c1"># --- Standard Library .env parser --- </span><span class="k">def</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">env_path</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Reads a .env file and loads its variables into os.environ. No third-party packages needed. </span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Loading environment from: </span><span class="si">{</span><span class="n">env_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">env_path</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⛔ ERROR: Environment file not found at </span><span class="si">{</span><span class="n">env_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">env_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">#</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">=</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="n">value</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sh">'"</span><span class="se">\'</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Remove quotes </span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">value</span> <span class="k">return</span> <span class="bp">True</span> <span class="c1"># --- Find the Group ID --- # We must find the numeric ID for our "Articles" group </span><span class="k">def</span> <span class="nf">get_group_id</span><span class="p">(</span><span class="n">group_name</span><span class="p">,</span> <span class="n">token</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Searching for Group ID for: </span><span class="si">{</span><span class="n">group_name</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">PRIVATE-TOKEN</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">}</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">GITLAB_URL</span><span class="si">}</span><span class="s">/api/v4/groups?search=</span><span class="si">{</span><span class="n">group_name</span><span class="si">}</span><span class="sh">"</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">groups</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">groups</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: Group </span><span class="sh">'</span><span class="si">{</span><span class="n">group_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> not found.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Find the exact match </span> <span class="k">for</span> <span class="n">group</span> <span class="ow">in</span> <span class="n">groups</span><span class="p">:</span> <span class="k">if</span> <span class="n">group</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="n">group_name</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Found Group ID: </span><span class="si">{</span><span class="n">group</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">group</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: No exact match for </span><span class="sh">'</span><span class="si">{</span><span class="n">group_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> found.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">An error occurred: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># --- Create the Project --- </span><span class="k">def</span> <span class="nf">create_project</span><span class="p">(</span><span class="n">group_id</span><span class="p">,</span> <span class="n">project_name</span><span class="p">,</span> <span class="n">token</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Creating project </span><span class="sh">'</span><span class="si">{</span><span class="n">project_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> in Group ID </span><span class="si">{</span><span class="n">group_id</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">PRIVATE-TOKEN</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span> <span class="p">}</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">GITLAB_URL</span><span class="si">}</span><span class="s">/api/v4/projects</span><span class="sh">"</span> <span class="c1"># We will create the project from our 0004 article </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">project_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">namespace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">group_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">visibility</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">private</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">initialize_with_readme</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span> <span class="p">}).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">project</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Success! Project created.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ID: </span><span class="si">{</span><span class="n">project</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> URL: </span><span class="si">{</span><span class="n">project</span><span class="p">[</span><span class="sh">'</span><span class="s">web_url</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">An error occurred creating project: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="sh">'</span><span class="s">read</span><span class="sh">'</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Response: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># --- Main --- </span><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">load_env</span><span class="p">(</span><span class="n">ENV_FILE_PATH</span><span class="p">):</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">GITLAB_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">GITLAB_API_TOKEN</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">GITLAB_TOKEN</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Error: GITLAB_API_TOKEN not found in cicd.env</span><span class="sh">"</span><span class="p">)</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># This is the payoff from Article 2! </span> <span class="c1"># We just create the default context. Python will </span> <span class="c1"># automatically use the system trust store, which </span> <span class="c1"># now contains our Local CA. </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Creating default SSL context...</span><span class="sh">"</span><span class="p">)</span> <span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">()</span> <span class="n">group_id</span> <span class="o">=</span> <span class="nf">get_group_id</span><span class="p">(</span><span class="n">GROUP_NAME</span><span class="p">,</span> <span class="n">GITLAB_TOKEN</span><span class="p">,</span> <span class="n">context</span><span class="p">)</span> <span class="k">if</span> <span class="n">group_id</span><span class="p">:</span> <span class="nf">create_project</span><span class="p">(</span><span class="n">group_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">0004_std_lib_http_client</span><span class="sh">"</span><span class="p">,</span> <span class="n">GITLAB_TOKEN</span><span class="p">,</span> <span class="n">context</span><span class="p">)</span> </code></pre> </div> <h3> Running the Verification </h3> <ol> <li> <p><strong>Run the Script (No Dependencies Required):</strong><br> </p> <pre class="highlight shell"><code>python3 verify_gitlab.py </code></pre> </li> </ol> <p><strong>The Payoff:</strong><br> You should see the following output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Loading environment from: /home/your_user/cicd_stack/cicd.env Creating default SSL context... Searching for Group ID for: Articles... Found Group ID: 2 Creating project '0004_std_lib_http_client' in Group ID 2... ✅ Success! Project created. ID: 3 URL: https://gitlab.cicd.local:10300/Articles/0004_std_lib_http_client </code></pre> </div> <p>This simple, dependency-free script verifies a massive amount of our architecture:</p> <ol> <li> Our <code>/etc/hosts</code> file is working (it found <code>gitlab</code>).</li> <li> Our Docker port mapping is correct (it reached <code>10300</code>).</li> <li> Our <strong>host's system trust store is working perfectly</strong> (the SSL connection succeeded with <code>ssl.create_default_context()</code> and no other arguments).</li> <li> Our <code>gitlab.rb</code> SSL config is working.</li> <li> Our Personal Access Token is valid and has <code>api</code> scope.</li> <li> Our <code>Articles</code> group is set up and accessible.</li> </ol> <p>Go to the GitLab UI (<code>https://gitlab.cicd.local:10300</code>). You will now see your new <strong><code>0004_std_lib_http_client</code></strong> project, complete without a <code>README.md</code>, inside the <code>Articles</code> group.</p> <h2> 6.2. Verification (Part 2): The "Internal Push" &amp; Webhook Test </h2> <p>This is the full-stack test of our <code>cicd-net</code> architecture. We will simulate our entire CI/CD pipeline. Our <code>dev-container</code> will act as a developer pushing a change <em>and</em> as the "Jenkins" server receiving the webhook.</p> <p>This test will prove:</p> <ul> <li> <strong>Internal DNS:</strong> The dev-container can resolve <code>gitlab</code>.</li> <li> <strong>GitLab's CA Trust:</strong> GitLab (as a client) trusts our internal services.</li> <li> <strong>Webhook Mechanism:</strong> GitLab correctly fires a webhook on a push.</li> </ul> <h3> Action 1 (Admin UI): The "SSRF" Gotcha - Allowing Local Webhooks </h3> <p>Before we can set up the webhook, we must first get past the <code>Invalid url given</code> error. We need to tell GitLab that it's allowed to send requests to our internal <code>dev-container</code>.</p> <ol> <li> As your <code>root</code> user, go to the <strong>Main menu</strong> (top-left waffle icon) and click <strong>"Admin"</strong> (the wrench icon).</li> <li> In the Admin Area's left-hand sidebar, navigate to <strong>Settings &gt; Network</strong>.</li> <li> Find the <strong>"Outbound requests"</strong> section and click the <strong>"Expand"</strong> button.</li> <li> Find the checkbox labeled <strong>"Allow requests to the local network from web hooks and services"</strong>.</li> <li> <strong>Check</strong> this box.</li> <li> (Optional but Recommended) For a more secure setup, you can leave the box <em>unchecked</em> and instead add <code>dev-container</code> (and later, <code>jenkins</code>) to the allowlist in the "Local IP addresses and domain names that hooks and integrations can access" text box. For our purposes, checking the main "Allow" box is the simplest solution.</li> <li> Click the <strong>"Save changes"</strong> button at the bottom of the section.</li> </ol> <p>Now that we've told GitLab to trust our local network, the <code>Invalid url given</code> error will be gone.</p> <h3> Action 2 (UI): Set Up the Webhook </h3> <p>Now, let's try this step again.</p> <ol> <li> In the GitLab UI, navigate to your <strong><code>hello-world</code></strong> project (inside the <code>CICD-Stack</code> group).</li> <li> In the project's left-hand sidebar, go to <strong>Settings &gt; Webhooks</strong>.</li> <li> Fill out the webhook form: <ul> <li> <strong>URL:</strong> <code>https://dev-container:10400</code> </li> <li> <strong>Secret token:</strong> Create a simple secret, for example, <code>my-super-secret-token</code>. We will use this to verify the request.</li> <li> <strong>Trigger:</strong> Uncheck everything <em>except</em> <strong>"Push events"</strong>.</li> <li> <strong>SSL verification:</strong> Make sure <strong>"Enable SSL verification"</strong> is <strong>CHECKED</strong>. This is the whole point of the test.</li> </ul> </li> <li> Click <strong>"Add webhook"</strong>.</li> </ol> <p>This time, it will work. GitLab will send a test event, which will still fail (with a "Hook execution failed" error) because our <code>webhook_receiver.py</code> isn't running yet. This is expected.</p> <h3> Action 3 (Host): Generate and Stage the <code>dev-container</code> Certificate </h3> <p>Before we can run our server, we must give it a valid "passport." We'll use our Article 2 CA scripts from our <strong>host machine</strong> to generate a new certificate for the hostname <code>dev-container</code>.</p> <p>Then, we'll copy those new certs into the <code>~/Documents/FromFirstPrinciples/data</code> directory, which is mounted inside our dev container as <code>~/data</code>.</p> <ol> <li><p>Open a terminal on your <strong>host machine</strong> (not the dev-container).</p></li> <li> <p>Navigate to your Article 2 script directory:<br> </p> <pre class="highlight shell"><code><span class="c"># (On your HOST machine)</span> <span class="nb">cd</span> ~/Documents/FromFirstPrinciples/articles/0006_cicd_part02_certificate_authority </code></pre> </li> <li> <p>Run the <code>02-issue-service-cert.sh</code> script from here, passing <code>dev-container</code> as the name. This script is smart enough to operate on the <code>~/cicd_stack/ca</code> directory.<br> </p> <pre class="highlight shell"><code>./02-issue-service-cert.sh dev-container </code></pre> <p>This will create the new certs in <code>~/cicd_stack/ca/pki/services/dev-container/</code>.</p> </li> <li> <p><strong>Copy the new certs</strong> to the dev container's shared data volume (which, as you noted, already exists):<br> </p> <pre class="highlight shell"><code><span class="c"># (On your HOST machine)</span> <span class="nv">DATA_DIR</span><span class="o">=</span>~/Documents/FromFirstPrinciples/data <span class="nv">CERT_SOURCE_DIR</span><span class="o">=</span>~/cicd_stack/ca/pki/services/dev-container <span class="nb">cp</span> <span class="nv">$CERT_SOURCE_DIR</span>/dev-container.crt.pem <span class="nv">$DATA_DIR</span>/ <span class="nb">cp</span> <span class="nv">$CERT_SOURCE_DIR</span>/dev-container.key.pem <span class="nv">$DATA_DIR</span>/ </code></pre> </li> </ol> <h3> Action 4 (Dev Container): The "Jenkins" Simulator </h3> <p>Now, let's go back to your <strong>dev container</strong>. We will create the simple Python server that will act as our "Jenkins" instance, placing it in the correct article directory. It will listen on port <code>10400</code> and use the <code>dev-container</code> certificate we just staged in the <code>~/data</code> directory.</p> <ol> <li> <p><strong>Create the server script:</strong><br> Navigate to your article directory and create the new Python file.<br> </p> <pre class="highlight shell"><code><span class="c"># (Inside the dev container)</span> <span class="nb">cd</span> ~/articles/0007_cicd_part03_gitlab nano webhook_receiver.py </code></pre> </li> <li> <p><strong>Paste in the following code.</strong> Note the updated certificate paths pointing to <code>~/data</code>.<br> </p> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># --- CONFIGURATION --- </span><span class="n">LISTEN_HOST</span> <span class="o">=</span> <span class="sh">'</span><span class="s">0.0.0.0</span><span class="sh">'</span> <span class="n">LISTEN_PORT</span> <span class="o">=</span> <span class="mi">10400</span> <span class="n">SECRET_TOKEN</span> <span class="o">=</span> <span class="sh">'</span><span class="s">my-super-secret-token</span><span class="sh">'</span> <span class="c1"># Must match your GitLab webhook </span> <span class="c1"># Paths to our *new* dev-container certs in the ~/data mount </span><span class="n">CERT_DIR</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">expanduser</span><span class="p">(</span><span class="sh">'</span><span class="s">~/data</span><span class="sh">'</span><span class="p">)</span> <span class="n">CERT_FILE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">CERT_DIR</span><span class="p">,</span> <span class="sh">'</span><span class="s">dev-container.crt.pem</span><span class="sh">'</span><span class="p">)</span> <span class="n">KEY_FILE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">CERT_DIR</span><span class="p">,</span> <span class="sh">'</span><span class="s">dev-container.key.pem</span><span class="sh">'</span><span class="p">)</span> <span class="k">class</span> <span class="nc">WebhookHandler</span><span class="p">(</span><span class="n">http</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">BaseHTTPRequestHandler</span><span class="p">):</span> <span class="k">def</span> <span class="nf">do_POST</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># 1. Verify the Secret Token </span> <span class="n">gitlab_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Gitlab-Token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">gitlab_token</span> <span class="o">!=</span> <span class="n">SECRET_TOKEN</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">⛔ ERROR: Invalid X-Gitlab-Token.</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="mi">403</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="k">return</span> <span class="c1"># 2. Read the JSON payload </span> <span class="n">content_length</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">'</span><span class="s">Content-Length</span><span class="sh">'</span><span class="p">])</span> <span class="n">body</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="n">content_length</span><span class="p">)</span> <span class="c1"># 3. Print the relevant info </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- ✅ WEBHOOK RECEIVED! ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Project: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="sh">'</span><span class="s">project</span><span class="sh">'</span><span class="p">,</span> <span class="si">{}</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">path_with_namespace</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Pusher: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">user_name</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Ref: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">ref</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Print all commits in this push </span> <span class="k">for</span> <span class="n">commit</span> <span class="ow">in</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">commits</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> - Commit: </span><span class="si">{</span><span class="n">commit</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">)[</span><span class="si">:</span><span class="mi">8</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Author: </span><span class="si">{</span><span class="n">commit</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="sh">'</span><span class="s">author</span><span class="sh">'</span><span class="p">,</span> <span class="si">{}</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Msg: </span><span class="si">{</span><span class="n">commit</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error parsing JSON: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 4. Send a 200 OK response </span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">wfile</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">Webhook Received</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Starting HTTPS server on https://</span><span class="si">{</span><span class="n">LISTEN_HOST</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">LISTEN_PORT</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Create an SSL context using our "dev-container" certs </span> <span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">(</span><span class="n">ssl</span><span class="p">.</span><span class="n">Purpose</span><span class="p">.</span><span class="n">CLIENT_AUTH</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="nf">load_cert_chain</span><span class="p">(</span><span class="n">certfile</span><span class="o">=</span><span class="n">CERT_FILE</span><span class="p">,</span> <span class="n">keyfile</span><span class="o">=</span><span class="n">KEY_FILE</span><span class="p">)</span> <span class="n">httpd</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="nc">HTTPServer</span><span class="p">((</span><span class="n">LISTEN_HOST</span><span class="p">,</span> <span class="n">LISTEN_PORT</span><span class="p">),</span> <span class="n">WebhookHandler</span><span class="p">)</span> <span class="n">httpd</span><span class="p">.</span><span class="n">socket</span> <span class="o">=</span> <span class="n">context</span><span class="p">.</span><span class="nf">wrap_socket</span><span class="p">(</span><span class="n">httpd</span><span class="p">.</span><span class="n">socket</span><span class="p">,</span> <span class="n">server_side</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">httpd</span><span class="p">.</span><span class="nf">serve_forever</span><span class="p">()</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Shutting down server...</span><span class="sh">"</span><span class="p">)</span> <span class="n">httpd</span><span class="p">.</span><span class="nf">server_close</span><span class="p">()</span> </code></pre> </li> <li> <p><strong>Run the server:</strong><br> </p> <pre class="highlight shell"><code><span class="c"># (Inside the dev-container, from the 0007... directory)</span> python3 webhook_receiver.py </code></pre> <p>You should see: <code>Starting HTTPS server on https://0.0.0.0:10400...</code></p> </li> </ol> <p>Our "Jenkins" simulator is now running with a valid, matching certificate, waiting for a signal.</p> <h3> Action 5 (Dev Container): The Git Push </h3> <p>Finally, let's act as a developer. We'll open a <strong>second <code>dev-container</code> terminal</strong> (leave your <code>webhook_receiver.py</code> server running in the first one).</p> <p>We will clone the <code>hello-world</code> project, attempt to push to <code>main</code> (which will fail), and then successfully push a feature branch (which will trigger our webhook).</p> <h3> 1. Configure Git </h3> <p>Before your first push, you must tell Git who you are.</p> <blockquote> <p><strong>Note on Automation:</strong> Our dev container is set up to automatically source a Git configuration from <code>~/data/.gitconfig</code> at startup. For a fully automated setup, you could place your <code>.gitconfig</code> file in the <code>~/Documents/FromFirstPrinciples/data</code> directory on your host, and your container would pick it up on every boot.</p> </blockquote> <p>For now, we'll run the manual, one-time commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside the dev-container)</span> git config <span class="nt">--global</span> user.name <span class="s2">"Your Name"</span> git config <span class="nt">--global</span> user.email <span class="s2">"your.email@gmail.com"</span> </code></pre> </div> <p>(Use the email address you registered with GitLab in section 5.3).</p> <h3> 2. Clone the Repository </h3> <p>Navigate to your <code>repos</code> directory, where we'll clone the project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside the dev-container)</span> <span class="nb">cd</span> ~/repos git clone https://gitlab.cicd.local:10300/CICD-Stack/hello-world.git </code></pre> </div> <p>You will now be prompted for credentials. This is the crucial step for Git-over-HTTPS:</p> <ul> <li> <strong>Username:</strong> <code>root</code> </li> <li> <strong>Password:</strong> <strong>Do NOT use your root password.</strong> Instead, copy and paste the <strong>Personal Access Token (PAT)</strong> (<code>glpat-...</code>) that you saved in your <code>cicd.env</code> file. This is the standard, secure way to authenticate Git clients.</li> </ul> <p>After you authenticate, Git will clone the repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloning into 'hello-world'... Username for 'https://gitlab.cicd.local:10300': root Password for 'https://root@gitlab.cicd.local:10300': remote: Enumerating objects: 3, done. remote: Counting objects: 100% (3/3), done. remote: Compressing objects: 100% (2/2), done. remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0) Receiving objects: 100% (3/3), done. </code></pre> </div> <p>Now, <code>cd</code> into the new project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>hello-world </code></pre> </div> <h3> 3. Create Our First Commit (The Failed Push) </h3> <p>Recall that we <em>protected</em> the <code>main</code> branch. This means our push to <code>main</code> <strong>must fail</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside the dev-container)</span> <span class="c"># We will just edit the README that was created when we made the project.</span> <span class="nb">echo</span> <span class="s2">"Hello World!"</span> <span class="o">&gt;&gt;</span> README.md git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Test commit to main"</span> <span class="c"># This push will be REJECTED by our branch rule</span> git push <span class="nt">-u</span> origin main </code></pre> </div> <p><strong>The Payoff (Part 1):</strong> You will see this error, proving our rule is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>remote: GitLab: You are not allowed to push code to protected branches on this project. ! [remote rejected] main -&gt; main (pre-receive hook declined) </code></pre> </div> <h3> 4. Push Correctly (The Successful Push) </h3> <p>Now, let's do it the <em>right</em> way by creating a feature branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside the dev-container)</span> git checkout <span class="nt">-b</span> feature/initial-commit <span class="c"># We already have the commit, so we just push the new branch</span> git push <span class="nt">-u</span> origin feature/initial-commit </code></pre> </div> <p>This push will <strong>succeed</strong>.</p> <h3> The Payoff (Part 2) </h3> <p>Now, look at your <em>first</em> dev-container terminal (the one running <code>webhook_receiver.py</code>). You will see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- ✅ WEBHOOK RECEIVED! --- Project: CICD-Stack/hello-world Pusher: Your Name Ref: refs/heads/feature/initial-commit - Commit: &lt;some_hash&gt; Author: Your Name Msg: Test commit to main </code></pre> </div> <p>This single test confirms our entire internal architecture is working perfectly:</p> <ol> <li> <strong>Internal DNS:</strong> <code>git clone https://gitlab.cicd.local:10300</code> worked.</li> <li> <strong>Authentication:</strong> Our Personal Access Token worked for Git authentication.</li> <li> <strong>Branch Rules:</strong> Our push to <code>main</code> was correctly <strong>rejected</strong>.</li> <li> <strong>Webhook Trigger:</strong> Our push to <code>feature/initial-commit</code> was successful and <strong>fired the webhook</strong>.</li> <li> <strong>GitLab CA Trust:</strong> GitLab (as a client) saw our <code>https://dev-container:10400</code> URL, validated its certificate (which has the correct hostname <code>dev-container</code>) against the <code>ca.pem</code> we mounted in <code>trusted-certs</code>, and successfully made the HTTPS request.</li> </ol> <p>We have now verified our setup from end to end.</p> <h2> 6.3. Verification (Part 3): The "External Push" (Practical Application) </h2> <p>We have successfully verified our <em>internal</em> network (dev-container to GitLab). This final test is the payoff for our <strong>host machine</strong> setup from Article 2. We will prove that our <em>external</em> (host-to-container) workflow is working just as smoothly.</p> <p>We will <code>cd</code> into our <em>existing</em> <code>0004_std_lib_http_client</code> repository on our host machine, add our new GitLab instance as a "remote," and push our code.</p> <p>This push will <strong>only succeed</strong> because:</p> <ol> <li> Our host's <code>/etc/hosts</code> file can resolve <code>gitlab.cicd.local</code> to <code>127.0.0.1</code>.</li> <li> Our <code>git</code> CLI (like our Python script) uses the <strong>system trust store</strong>, which we fixed in Article 2 to trust our Local CA.</li> </ol> <h3> Action 1 (Host): Add the New Remote </h3> <ol> <li> <p>On your <strong>host machine's terminal</strong>, navigate to the existing project directory from our previous article:<br> </p> <pre class="highlight shell"><code><span class="c"># (On your HOST machine)</span> <span class="nb">cd</span> ~/Documents/FromFirstPrinciples/articles/0004_std_lib_http_client </code></pre> </li> <li> <p>Add our new GitLab instance as a remote. We'll call it <code>gitlab</code>. We use the <code>https://gitlab.cicd.local:10300</code> URL that our host can now resolve.<br> </p> <pre class="highlight shell"><code>git remote add gitlab https://gitlab.cicd.local:10300/Articles/0004_std_lib_http_client.git </code></pre> </li> <li> <p>(Optional) Verify the new remote was added:<br> </p> <pre class="highlight shell"><code>git remote <span class="nt">-v</span> </code></pre> <p>You should see <code>gitlab</code> listed along with <code>origin</code> (which likely points to GitHub).</p> </li> </ol> <h3> Action 2 (Host): Push to GitLab </h3> <p>Now, let's push our <code>main</code> branch to the new <code>gitlab</code> remote.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (On your HOST machine)</span> git push <span class="nt">-u</span> gitlab main </code></pre> </div> <p>Just as you did in the dev container, you will be prompted for credentials:</p> <ul> <li> <strong>Username:</strong> <code>root</code> </li> <li> <strong>Password:</strong> (Paste your <strong>Personal Access Token</strong>, <code>glpat-...</code>)</li> </ul> <p><strong>The Payoff:</strong><br> The push will succeed without any SSL errors. <code>git</code> will not complain about an "untrusted certificate" because it's using your host's trust store.</p> <p>You have now:</p> <ol> <li> Created a project (<code>0004_std_lib_http_client</code>) via the API.</li> <li> Pushed your existing local code to it from your host machine.</li> </ol> <p>Go to the GitLab UI and look at your <code>0004_std_lib_http_client</code> project. It will no longer be empty. It will now contain all the code from your local repository, and its <code>main</code> branch is now populated.</p> <h1> Chapter 7: Conclusion </h1> <h2> 7.1. What We've Built: The "Central Library" is Open </h2> <p>Let's take a moment to appreciate what we have just accomplished. We have successfully deployed a fully-featured, secure, and production-ready <strong>GitLab</strong> instance entirely from first principles.</p> <p>This isn't just a container; it's the <strong>"Central Library"</strong> of our new CI/CD city, and it is built on a rock-solid, architecturally-sound foundation.</p> <ul> <li>It lives <strong>inside our private <code>cicd-net</code></strong>, able to communicate with our other services using internal DNS.</li> <li>It is <strong>fully secured with SSL</strong>, serving traffic over HTTPS using a certificate from our own Local Certificate Authority.</li> <li>It <strong>trusts our Local CA</strong>, allowing it to send secure webhooks to <em>other</em> internal services like our <code>dev-container</code> (and later, Jenkins).</li> <li>It is configured for <strong>professional team workflow</strong> using "Branch Rules" to protect <code>main</code> and enforce Merge Requests.</li> <li>It is <strong>fully automated</strong>, with a "baked-in" <code>gitlab.rb</code> file that handles everything from the root password to our SMTP settings, solving the complex "first-run" conflict.</li> <li>It is <strong>fully verifiable</strong>, proven to work from the API (Python script), the internal network (dev-container Git push), and the external host (host Git push).</li> </ul> <p>We have solved every "pain point" we set out to address: network isolation, data sovereignty, and the "paid feature" trap. We have built our library <em>inside</em> our city walls.</p> <h2> 7.2. The Next "Pain Point" </h2> <p>We have successfully built our "Central Library" (GitLab) and proven that our code (like <code>hello-world</code> and <code>0004_http_client</code>) is now safely stored inside, "on the shelf."</p> <p>This introduces our next, obvious "pain point."</p> <p>Our code is just <strong>sitting there</strong>.</p> <p>Our <code>dev-container</code> test was a simulation, but it revealed the truth: a webhook is firing, but it's just hitting a test server. We have no "factory" to <em>act</em> on this signal. We have no automated process to:</p> <ul> <li>Compile our code.</li> <li>Run our unit tests.</li> <li>Scan our code for quality or security vulnerabilities.</li> <li>Build our code into a Docker image.</li> <li>Publish our finished "product."</li> </ul> <p>Our "Central Library" is open, but the "Factory" next door is an empty lot.</p> <h2> 7.3. Next Steps </h2> <p>We must now build that factory. Our webhook signal needs a real target, an "Automation Foreman" that can receive the "new code" signal from GitLab and start a complex assembly line.</p> <p>In the next article, we will do exactly that. We will build the second "skyscraper" in our CI/CD city: <strong>Jenkins</strong>. We will deploy the Jenkins controller, connect it to our <code>cicd-net</code>, and configure it to receive the webhooks from GitLab, officially kicking off our automated pipeline.</p> <h2> Addendum: Best Practices - Creating a Daily User Account </h2> <p>We have successfully set up and verified our entire GitLab instance using the <code>root</code> administrator account. While this was necessary for the initial setup, using the <code>root</code> account for daily work or CI/CD integrations is a <strong>significant security risk</strong>.</p> <h3> Why You Shouldn't Use <code>root</code> </h3> <p>The <code>root</code> user is an "all-powerful" administrator. It can instantly delete all projects, change critical instance settings, or remove other users. If this account's credentials (or its Personal Access Token) were ever leaked, your entire "Central Library" would be compromised.</p> <p>We will now follow the <strong>Principle of Least Privilege</strong> by creating a regular user account for our daily work.</p> <h3> 1. Create Your Unprivileged User </h3> <ol> <li> As the <code>root</code> user, go to the <strong>Main menu</strong> (top-left waffle icon) and click <strong>"Admin"</strong> (the wrench icon).</li> <li> In the Admin Area's left-hand sidebar, navigate to <strong>Overview &gt; Users</strong>.</li> <li> Click the <strong>"New user"</strong> button in the top-right.</li> <li> Fill out the form for your new "daily driver" account: <ul> <li> <strong>Full name:</strong> (e.g., <code>Warren Jitsing</code>)</li> <li> <strong>Username:</strong> (e.g., <code>warren.jitsing</code>)</li> <li> <strong>Email:</strong> (e.g., <code>your.email@gmail.com</code>)</li> </ul> </li> <li> <strong>Password:</strong> The "Password" field is just a reset link. The new user will receive an email at the address you just provided, prompting them to set their own password.</li> <li> <strong>Access level:</strong> Leave this as <strong>"Regular"</strong>. This means they are a regular user, not an instance administrator.</li> <li> Click <strong>"Create user"</strong>.</li> </ol> <p>You will now need to log out of your <code>root</code> account, check your email, and follow the confirmation link to set the password for your new <code>warren.jitsing</code> user.</p> <h3> 2. Add Your User to Your Groups </h3> <p>After setting your new user's password, log out and log back in as your new, non-admin user (e.g., <code>warren.jitsing</code>). You will notice you can't see any of your projects. This is because your new user has not been granted any permissions.</p> <p>We must now add this user to our Groups as a <strong>Maintainer</strong>.</p> <ol> <li> Log out of your new user and log <em>back in</em> as <code>root</code>.</li> <li> Navigate to your groups: <strong>Main menu &gt; Groups &gt; Your groups</strong>.</li> <li> Click on the <strong><code>CICD-Stack</code></strong> group.</li> <li> In the group's left-hand sidebar, navigate to <strong>Manage &gt; Members</strong>.</li> <li> Click the <strong>"Invite members"</strong> button.</li> <li> In the "GitLab member or email address" box, type the username of your new user (e.g., <code>warren.jitsing</code>) and select them.</li> <li> <strong>Select a role:</strong> Choose <strong>"Maintainer"</strong>. This gives the user high-level access <em>within the group</em> (like creating new projects and managing branch rules) without making them an instance administrator.</li> <li> Click <strong>"Invite"</strong>.</li> <li> Repeat this entire process for your <strong><code>Articles</code></strong> group.</li> </ol> <h3> Next Steps: Moving Away from <code>root</code> </h3> <p>You can now log out as <code>root</code> and log in as your new "Maintainer" user. You will have full access to both groups and their projects.</p> <p>From this point forward, we will stop using the <code>root</code> account and its Personal Access Token (PAT). In the next article, when we configure Jenkins, we will explore more secure authentication methods, such as using <strong>Group Access Tokens</strong> or <strong>Project Access Tokens</strong>, which are not tied to any human user and are the best practice for CI/CD automation.</p> gitlab devops cicd git Warren Jitsing Tue, 16 Dec 2025 05:05:13 +0000 https://dev.to/warren_jitsing_dd1c1d6fc6/building-a-sovereign-software-factory-the-local-root-ca-trust-chains-1igf https://dev.to/warren_jitsing_dd1c1d6fc6/building-a-sovereign-software-factory-the-local-root-ca-trust-chains-1igf <p>GitHub: <a href="https://github.com/InfiniteConsult/0006_cicd_part02_certificate_authority" rel="noopener noreferrer">https://github.com/InfiniteConsult/0006_cicd_part02_certificate_authority</a></p> <p><strong>TL;DR:</strong> In this installment, we solve the "Trust Gap" inherent in self-hosted infrastructure. We reject the insecurity of HTTP and the limitations of public CAs (Let's Encrypt) by building our own <strong>Local Certificate Authority</strong>. We use <code>openssl</code> to mint a Root CA, automate the issuance of SAN-compliant certificates for every service, and manually inject trust into the fragmented keystores of our Host OS, Browsers, and Java applications to eliminate SSL handshake failures.</p> <p><strong>The Sovereign Software Factory Series:</strong></p> <ol> <li> <strong>Part 01:</strong> Building a Sovereign Software Factory: Docker Networking &amp; Persistence</li> <li> <strong>Part 02: Building a Sovereign Software Factory: The Local Root CA &amp; Trust Chains</strong> (You are here)</li> <li> <strong>Part 03:</strong> Building a Sovereign Software Factory: Self-Hosted GitLab &amp; Secrets Management</li> <li> <strong>Part 04:</strong> Building a Sovereign Software Factory: Jenkins Configuration as Code (JCasC)</li> <li> <strong>Part 05:</strong> Building a Sovereign Software Factory: Artifactory &amp; The "Strict TLS" Trap</li> <li> <strong>Part 06:</strong> Building a Sovereign Software Factory: SonarQube Quality Gates</li> <li> <strong>Part 07:</strong> Building a Sovereign Software Factory: ChatOps with Mattermost</li> <li> <strong>Part 08:</strong> Building a Sovereign Software Factory: Observability with the ELK Stack</li> <li> <strong>Part 09:</strong> Building a Sovereign Software Factory: Monitoring with Prometheus &amp; Grafana</li> <li> <strong>Part 10:</strong> Building a Sovereign Software Factory: The Python API Package (Capstone)</li> </ol> <h1> Chapter 1: The "HTTPS Everywhere" Mandate </h1> <h2> 1.1 The Problem: The "Not Secure" Pain Point </h2> <p>We have successfully built our foundational "city". We have a "Control Center" (DooD), "roads" (<code>cicd-net</code>), and "foundations" (our hybrid persistence model).</p> <p>But we have a new, critical "pain point." Our services can communicate, but they do so over unencrypted <code>http</code>. This is insecure, unprofessional, and does not emulate a real-world environment.</p> <h3> Pedagogical Failure (Browsers) </h3> <p>If we were to deploy GitLab right now on <code>http://gitlab.cicd.local</code>, our browsers would immediately betray the problem. We would be faced with a "Not Secure" warning in the address bar. This breaks user trust and, for many modern web features, can block functionality entirely.</p> <p>If we tried to use a "magic" self-signed certificate (which we will deconstruct later), the problem gets <em>worse</em>. The browser would present a full-page, "Your connection is not private" interstitial error (like <code>NET::ERR_CERT_AUTHORITY_INVALID</code> or <code>ERR_INSECURE_RESPONSE</code>). This is a hard stop for most users.</p> <h3> Pedagogical Failure (Tools) </h3> <p>This "pain point" is not just cosmetic. It's a functional "stack killer" for our specific set of tools.</p> <ul> <li> <strong><code>curl</code></strong>: Any script using <code>curl</code> to access an HTTPS service with a bad certificate will fail with a hard error: <code>curl: (60) SSL certificate problem: unable to get local issuer certificate</code>. The only way around this is to use the <code>--insecure</code> flag, which is a terrible security practice.</li> <li> <strong>The "Java Gotcha"</strong>: This is the most critical failure for our stack. Jenkins, Artifactory, and SonarQube are all Java applications. When our Jenkins container tries to make an API call or receive a webhook from our <code>https://gitlab.cicd.local</code> server, the Java Virtual Machine (JVM) will reject the untrusted certificate and throw a fatal <code>javax.net.ssl.SSLHandshakeException</code>.</li> </ul> <p>This single Java exception will bring our entire automated pipeline to a grinding halt.</p> <h3> The Goal </h3> <p>Our goal is not just to "get rid of the warning." It is to build a professional, secure, and trusted internal ecosystem. To do this, we must become our own "passport office."</p> <h1> Chapter 2: A "First Principles" Guide to PKI and Trust </h1> <h2> 2.1 The Solution: Public Key Infrastructure (PKI) </h2> <p>To solve our "Not Secure" problem, we must adopt the same solution the entire internet uses: <strong>HTTPS</strong>.</p> <p>HTTPS is not a single thing; it's a combination of two: <code>http</code> (the protocol we already know) layered on top of <strong>SSL/TLS</strong> (Secure Sockets Layer/Transport Layer Security). This secure layer provides two fundamental guarantees:</p> <ol> <li> <strong>Encryption</strong>: It creates a secure, private "tunnel" between the client and the server. Any data sent through this tunnel (passwords, API keys, source code) is scrambled and unreadable to eavesdroppers.</li> <li> <strong>Identity</strong>: This is the more complex and crucial part. How does your browser <em>know</em> it's talking to the real <code>gitlab</code> and not an imposter? The server must present a form of identification.</li> </ol> <p>This system of identification is called <strong>Public Key Infrastructure (PKI)</strong>.</p> <blockquote> <p><strong>The Analogy: "The Passport Office"</strong></p> <p>PKI works exactly like the international passport system.</p> <ol> <li> <strong>A Server Certificate is a "Passport"</strong>: It's a digital file that proves a server's identity (e.g., "I am <code>gitlab</code>").</li> <li> <strong>A Certificate Authority (CA) is a "Passport Office"</strong>: It's a trusted entity (like a government) that issues and signs the "passport," attesting to its validity.</li> <li> <strong>A Trust Store is a "List of Trusted Governments"</strong>: Your browser and operating system come with a pre-installed "trust store" that contains a list of all the major, legitimate "passport offices" (like Let's Encrypt, DigiCert, etc.) in the world.</li> </ol> <p>When your browser connects to a server, it looks at the "passport" (the certificate) and checks the "signature" on it. If it was signed by a "passport office" (CA) in its trusted list, it grants access. If not, it blocks the connection.</p> </blockquote> <h2> 2.2 Deconstructing Our Options </h2> <p>We need a "passport" (a certificate) for our services. We have three options for getting one.</p> <h3> Option 1: A Public CA (e.g., Let's Encrypt) </h3> <p>This is the standard for all public websites. Let's Encrypt is a globally trusted "passport office." Your browser and OS already have it in their trust store.</p> <p><strong>Why we <em>can't</em> use it:</strong> Let's Encrypt must <em>validate</em> that you own a domain before issuing a certificate for it. It does this by connecting to your domain over the public internet. This process (Domain Validation or DV) is impossible for our local stack. The CA's servers cannot reach <code>localhost</code> or our container's hostname (<code>gitlab</code>). We cannot prove we "own" these private names, so the public CA will refuse to issue a certificate.</p> <h3> Option 2: A Simple Self-Signed Certificate </h3> <p>This is the "quick and dirty" method. A self-signed certificate is one that is signed by itself.</p> <p><strong>Why it fails:</strong> This is the equivalent of a <strong>"hand-drawn passport"</strong>. You are telling the browser, "I am <code>gitlab</code>, and I vouch for myself." The browser, acting as the security guard, has no reason to trust you. It checks its list of "trusted passport offices" (the trust store) and finds no match. It correctly throws a full-page security warning (<code>NET::ERR_CERT_AUTHORITY_INVALID</code>) to protect you from a potential man-in-the-middle attack. This is the very <code>SSLHandshakeException</code> that will break our Java-based tools.</p> <h3> Option 3: Our Private/Local CA (The Solution) </h3> <p>This is the professional solution that balances our two problems. We will build our <em>own</em> "passport office".</p> <ol> <li> We will become our own <strong>Certificate Authority (CA)</strong> by creating a <strong>Root CA certificate</strong>. This is our "passport office's business license."</li> <li> We will then use our new CA to issue "passports" (service certificates) for <code>gitlab</code>, <code>jenkins</code>, and all our other services.</li> <li> Finally, we will solve the "trust" problem by manually telling our local computers and containers: "This new 'passport office' is an official, trusted authority."</li> </ol> <p>From that point on, <em>any</em> passport (certificate) issued by our office will be automatically trusted by our local tools, browsers, and services.</p> <h1> Chapter 3: The "Hard Way" - Building Our CA with <code>openssl</code> </h1> <h2> 3.1 Why We Use <code>openssl</code> (The "First Principles") </h2> <p>We will begin by creating our Certificate Authority using the <code>openssl</code> command-line tool directly. This is the "hard way."</p> <p>We are doing this for a specific pedagogical reason. We could use a simpler tool like <code>easyrsa</code>, but <code>easyrsa</code> is just a <strong>shell script wrapper</strong> that hides all the complexity. It automates all the tedious, "first principles" steps that a real CA must perform.</p> <p>By using <code>openssl</code> directly, we are forced to deconstruct those steps. We will have to manually:</p> <ol> <li> <strong>Build the CA's "Blueprint"</strong>: We will create an <code>openssl.cnf</code> configuration file that defines the rules and policies of our "passport office."</li> <li> <strong>Create the "CA Database"</strong>: We will manually create the <code>index.txt</code> "master ledger" and the <code>serial</code> "ticket number dispenser" that <code>openssl</code> needs to track the certificates it issues.</li> <li> <strong>Manage the "Keys"</strong>: We will build the secure directory structure to protect our CA's "master stamp" (its private key).</li> </ol> <p>By doing this "hard way" first, you will understand what is <em>actually</em> happening under the hood. Only then will we introduce the "easy way" (<code>easyrsa</code>) as the automation tool it is.</p> <p>We will build our entire PKI (Public Key Infrastructure) inside the <code>~/cicd_stack/ca</code> directory we created on our <strong>host machine</strong>.</p> <h2> 3.2 The "CA Blueprint": <code>openssl.cnf</code> </h2> <p>Our first step is to create the "blueprint" for our new "passport office." This is a configuration file, <code>openssl.cnf</code>, that tells <code>openssl</code> all of its rules. It defines the file locations, the default policies, and, most importantly, the <em>extensions</em> that make our root certificate a <strong>Certificate Authority</strong>.</p> <p>Create this file on your <strong>host machine</strong> at <code>~/cicd_stack/ca/openssl.cnf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[ ca ]</span> <span class="py">default_ca</span> <span class="p">=</span> <span class="s">CA_default</span> <span class="nn">[ CA_default ]</span> <span class="c"># --- Directory and file locations --- </span><span class="py">dir</span> <span class="p">=</span> <span class="s">./pki</span> <span class="py">certs</span> <span class="p">=</span> <span class="s">$dir/certs</span> <span class="py">crl_dir</span> <span class="p">=</span> <span class="s">$dir/crl</span> <span class="py">new_certs_dir</span> <span class="p">=</span> <span class="s">$dir/newcerts</span> <span class="py">database</span> <span class="p">=</span> <span class="s">$dir/index.txt</span> <span class="py">serial</span> <span class="p">=</span> <span class="s">$dir/serial</span> <span class="py">RANDFILE</span> <span class="p">=</span> <span class="s">$dir/private/.rand</span> <span class="c"># --- CA Key and Certificate --- </span><span class="py">private_key</span> <span class="p">=</span> <span class="s">$dir/private/ca.key</span> <span class="py">certificate</span> <span class="p">=</span> <span class="s">$dir/certs/ca.pem</span> <span class="c"># --- Policy &amp; Extensions --- </span><span class="py">default_md</span> <span class="p">=</span> <span class="s">sha256</span> <span class="py">default_days</span> <span class="p">=</span> <span class="s">3650 # 10 years</span> <span class="py">policy</span> <span class="p">=</span> <span class="s">policy_strict</span> <span class="py">x509_extensions</span> <span class="p">=</span> <span class="s">v3_ca</span> <span class="nn">[ policy_strict ]</span> <span class="c"># Rules for signing: which fields must match the CA </span><span class="py">countryName</span> <span class="p">=</span> <span class="s">match</span> <span class="py">stateOrProvinceName</span> <span class="p">=</span> <span class="s">match</span> <span class="py">organizationName</span> <span class="p">=</span> <span class="s">match</span> <span class="py">organizationalUnitName</span> <span class="p">=</span> <span class="s">optional</span> <span class="py">commonName</span> <span class="p">=</span> <span class="s">supplied</span> <span class="py">emailAddress</span> <span class="p">=</span> <span class="s">optional</span> <span class="nn">[ req ]</span> <span class="c"># This section is used by the 'openssl req' command </span><span class="py">default_bits</span> <span class="p">=</span> <span class="s">4096</span> <span class="py">distinguished_name</span> <span class="p">=</span> <span class="s">req_distinguished_name</span> <span class="py">string_mask</span> <span class="p">=</span> <span class="s">utf8only</span> <span class="py">default_md</span> <span class="p">=</span> <span class="s">sha256</span> <span class="c"># Tell 'openssl req -x509' to use our 'v3_ca' extensions </span><span class="py">x509_extensions</span> <span class="p">=</span> <span class="s">v3_ca</span> <span class="nn">[ req_distinguished_name ]</span> <span class="c"># These are the DN fields it will prompt you for </span><span class="py">countryName</span> <span class="p">=</span> <span class="s">Country Name (2 letter code)</span> <span class="py">stateOrProvinceName</span> <span class="p">=</span> <span class="s">State or Province Name</span> <span class="py">localityName</span> <span class="p">=</span> <span class="s">Locality Name (eg, city)</span> <span class="py">organizationName</span> <span class="p">=</span> <span class="s">Organization Name</span> <span class="py">organizationalUnitName</span> <span class="p">=</span> <span class="s">Organizational Unit Name (eg, section)</span> <span class="py">commonName</span> <span class="p">=</span> <span class="s">Common Name (e.g. server FQDN or YOUR name)</span> <span class="py">emailAddress</span> <span class="p">=</span> <span class="s">Email Address</span> <span class="nn">[ v3_ca ]</span> <span class="c"># --- Extensions for the Root CA certificate itself --- </span><span class="py">subjectKeyIdentifier</span> <span class="p">=</span> <span class="s">hash</span> <span class="py">authorityKeyIdentifier</span> <span class="p">=</span> <span class="s">keyid:always,issuer</span> <span class="py">basicConstraints</span> <span class="p">=</span> <span class="s">critical, CA:TRUE, pathlen:0</span> <span class="py">keyUsage</span> <span class="p">=</span> <span class="s">critical, digitalSignature, cRLSign, keyCertSign</span> </code></pre> </div> <h3> Deconstruction </h3> <ul> <li> <code>[ CA_default ]</code>: This block defines our working directory and file structure. We are telling <code>openssl</code> to look for its database in the <code>pki</code> directory (<code>dir = ./pki</code>), to find its "ledger" at <code>pki/index.txt</code>, and its "ticket dispenser" at <code>pki/serial</code>.</li> <li> <code>[ policy_strict ]</code>: This defines the rules for signing. We are telling our CA that it's allowed to sign certificates for other organizations (as long as <code>organizationName</code> matches) and they must supply their own <code>commonName</code>.</li> <li> <code>[ v3_ca ]</code>: This is the most important section. It defines the <em>powers</em> of our Root CA. <ul> <li> <strong><code>basicConstraints = critical, CA:TRUE</code></strong>: This is the master switch. It tells the world this certificate is a <strong>Certificate Authority</strong> (a "passport office") and has the power to sign other certificates.</li> <li> <strong><code>keyUsage = ... keyCertSign, cRLSign</code></strong>: This specifies <em>what</em> the key can be used for. <code>keyCertSign</code> is the specific permission that allows it to "sign other certificates." <code>cRLSign</code> allows it to sign a "revocation list" (a list of "stolen passports").</li> </ul> </li> </ul> <h2> 3.3 The "CA Database" </h2> <p>Now that we have our "blueprint" (<code>openssl.cnf</code>), we must create the physical "office" and "filing system" that <code>openssl</code> will use. This is the "database" that our CA will use to track every "passport" it ever issues.</p> <p>This is the second "first principles" component that wrappers like <code>easyrsa</code> automate and hide from you. Our <code>openssl.cnf</code> file told <code>openssl</code> to <em>look for</em> these files in the <code>./pki</code> directory; now, we must create them.</p> <ul> <li> <code>pki/private/</code>: This will be our "vault." It will hold our CA's highly-sensitive private key.</li> <li> <code>pki/certs/</code>: This will be our "public filing cabinet" for public-facing certificates, like our main CA certificate.</li> <li> <code>pki/newcerts/</code>: This will be the "output tray" where <code>openssl</code> places all the new service certificates it signs.</li> <li> <code>pki/index.txt</code>: This is the CA's "master ledger." It's a simple text file that <code>openssl</code> uses to keep a database of every certificate it has signed, noting whether it's "valid," "revoked," or "expired."</li> <li> <code>pki/serial</code>: This is the "ticket number dispenser." It's a file that contains the <em>next</em> unique serial number (in hexadecimal) to be issued. <code>openssl</code> will read this file, assign the number, and then increment the file, ensuring no two certificates ever get the same serial number.</li> </ul> <h3> Action Plan: Creating the CA Directory </h3> <p>We will now create this entire structure using our first script, <code>01-create-ca.sh</code>. This script will also generate our private key and our root certificate, completing our CA setup in one go.</p> <p>Here is the code for <code>01-create-ca.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script creates the CA directory structure, database,</span> <span class="c"># and generates the Root CA private key and certificate.</span> <span class="nb">cd</span> ~/cicd_stack/ca <span class="o">||</span> <span class="o">(</span><span class="nb">echo</span> <span class="s2">"no CICD directory present"</span> <span class="o">&amp;&amp;</span> <span class="nb">exit</span><span class="o">)</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"openssl.cnf"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"openssl.cnf not found in ~/cicd_stack/ca. Please create it before proceeding"</span> <span class="nb">exit </span><span class="k">fi</span> <span class="c"># --- Configuration ---</span> <span class="c"># The password for your new Root CA private key.</span> <span class="c"># IMPORTANT: Change this to a strong, secure password.</span> <span class="nv">CA_PASSWORD</span><span class="o">=</span><span class="s2">"your_secure_password"</span> <span class="c"># The Distinguished Name (DN) for your Root CA.</span> <span class="c"># Customize these values for your organization.</span> <span class="nv">COUNTRY</span><span class="o">=</span><span class="s2">"ZA"</span> <span class="nv">STATE</span><span class="o">=</span><span class="s2">"Gauteng"</span> <span class="nv">LOCALITY</span><span class="o">=</span><span class="s2">"Johannesburg"</span> <span class="nv">ORG_NAME</span><span class="o">=</span><span class="s2">"Local CICD Stack"</span> <span class="nv">CA_CN</span><span class="o">=</span><span class="s2">"Local CICD Root CA"</span> <span class="c"># --- Setup ---</span> <span class="nb">echo</span> <span class="s2">"--- Creating PKI directory structure ---"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> pki/<span class="o">{</span>private,certs,newcerts,crl<span class="o">}</span> <span class="c"># Set correct permissions for the "vault"</span> <span class="nb">chmod </span>700 pki/private <span class="nb">echo</span> <span class="s2">"--- Creating CA database ---"</span> <span class="nb">touch </span>pki/index.txt <span class="nb">echo</span> <span class="s2">"1000"</span> <span class="o">&gt;</span> pki/serial <span class="c"># --- Generate Root CA ---</span> <span class="nb">echo</span> <span class="s2">"--- 1. Generating Root CA Private Key (ca.key) ---"</span> <span class="c"># Use -passout to provide the password non-interactively</span> openssl genrsa <span class="nt">-aes256</span> <span class="nt">-passout</span> pass:<span class="nv">$CA_PASSWORD</span> <span class="se">\</span> <span class="nt">-out</span> pki/private/ca.key 4096 <span class="c"># Secure the key</span> <span class="nb">chmod </span>400 pki/private/ca.key <span class="nb">echo</span> <span class="s2">"--- 2. Generating Root CA Certificate (ca.pem) ---"</span> <span class="c"># Use the '-subj' flag to pass DN info non-interactively</span> openssl req <span class="nt">-config</span> openssl.cnf <span class="se">\</span> <span class="nt">-key</span> pki/private/ca.key <span class="se">\</span> <span class="nt">-passin</span> pass:<span class="nv">$CA_PASSWORD</span> <span class="se">\</span> <span class="nt">-new</span> <span class="nt">-x509</span> <span class="nt">-days</span> 3650 <span class="nt">-sha256</span> <span class="nt">-extensions</span> v3_ca <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=</span><span class="nv">$COUNTRY</span><span class="s2">/ST=</span><span class="nv">$STATE</span><span class="s2">/L=</span><span class="nv">$LOCALITY</span><span class="s2">/O=</span><span class="nv">$ORG_NAME</span><span class="s2">/CN=</span><span class="nv">$CA_CN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-out</span> pki/certs/ca.pem <span class="nb">echo</span> <span class="s2">"--- CA creation complete ---"</span> <span class="nb">echo</span> <span class="s2">"CA Private Key: pki/private/ca.key"</span> <span class="nb">echo</span> <span class="s2">"CA Certificate: pki/certs/ca.pem"</span> </code></pre> </div> <h3> Deconstruction </h3> <p>Let's deconstruct the "Action" part of this script:</p> <ul> <li> <code>mkdir -p ...</code> &amp; <code>chmod 700 ...</code>: We create our directory structure and immediately secure the "vault" (<code>pki/private</code>). We give it <code>700</code> (<code>rwx------</code>) permissions, which means only the owner (our user) can read, write, or enter it. This is the fix for the <code>Permission denied</code> error we discovered during our testing.</li> <li> <code>touch pki/index.txt</code> &amp; <code>echo "1000" &gt; pki/serial</code>: We create the "ledger" and "ticket dispenser" files.</li> <li> <code>openssl genrsa -aes256 ...</code>: This is <strong>Step 1: Create the CA Private Key</strong> (the "master stamp"). <ul> <li> <code>-aes256</code>: We encrypt the key with a strong cipher.</li> <li> <code>-passout pass:$CA_PASSWORD</code>: We provide the password non-interactively from our variable.</li> <li> <code>-out pki/private/ca.key</code>: We save the key directly into our secure "vault."</li> </ul> </li> <li> <code>chmod 400 pki/private/ca.key</code>: We immediately set the key file itself to be <strong>read-only</strong> (<code>r--------</code>) for the owner, protecting it from accidental modification.</li> <li> <code>openssl req -x509 ...</code>: This is <strong>Step 2: Create the CA Certificate</strong> (the "business license"). <ul> <li> <code>-key pki/private/ca.key</code> &amp; <code>-passin ...</code>: We specify our new "master stamp" and provide its password.</li> <li> <code>-x509</code>: This is a critical flag. It tells <code>openssl</code> to <em>not</em> create a "signing request" (a CSR) but to create a <strong>self-signed public certificate</strong>. This is what makes it a "Root" CA.</li> <li> <code>-extensions v3_ca</code>: This is the most important part. It tells <code>openssl</code> to look at our <code>openssl.cnf</code> file and apply the extensions from the <code>[ v3_ca ]</code> section. This is what flips the switch and embeds the <code>CA:TRUE</code> "power" into our certificate.</li> <li> <code>-subj "..."</code>: This provides all the "passport office" details (Country, Organization, etc.) non-interactively.</li> </ul> </li> </ul> <h3> Action </h3> <p>Place the <code>openssl.cnf</code> file and the <code>01-create-ca.sh</code> script in your <code>~/cicd_stack/ca</code> directory on your host machine.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST, inside ~/cicd_stack/ca)</span> <span class="c"># 1. Make the script executable</span> <span class="nb">chmod</span> +x 01-create-ca.sh <span class="c"># 2. Run the script</span> ./01-create-ca.sh </code></pre> </div> <p><strong>Result:</strong><br> The script will run non-interactively. When it finishes, you will have a fully functional Certificate Authority.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- Creating PKI directory structure --- --- Creating CA database --- --- 1. Generating Root CA Private Key (ca.key) --- --- 2. Generating Root CA Certificate (ca.pem) --- --- CA creation complete --- CA Private Key: pki/private/ca.key CA Certificate: pki/certs/ca.pem </code></pre> </div> <h1> Chapter 4: Issuing Service Certificates (The SAN "Gotcha") </h1> <h2> 4.1 The Goal: Creating Reusable "Passports" </h2> <p>We have successfully built our "passport office" (our Root CA). We have a secure "vault" for our <code>ca.key</code> and a public "business license" (<code>ca.pem</code>).</p> <p>Now, we must start issuing "passports" (service certificates) for each of our 10 services. We could do this one by one, but that would be a tedious and error-prone manual process. Instead, we will immediately automate this.</p> <p>We will create a single, reusable script named <code>02-issue-service-cert.sh</code>. This script will be our "passport printer." We will be able to run <code>./02-issue-service-cert.sh gitlab</code> or <code>./02-issue-service-cert.sh jenkins.cicd.local</code>, and it will automatically:</p> <ol> <li> Create a secure, isolated directory for the service.</li> <li> Generate a new private key for that service.</li> <li> Generate a Certificate Signing Request (CSR) with the correct "first principles" configuration.</li> <li> Use our Root CA to sign the request and issue a valid, trusted "passport."</li> </ol> <h2> 4.2 Action Plan: <code>02-issue-service-cert.sh</code> </h2> <p>Here is the code for our "passport printer" script. Create this file on your <strong>host machine</strong> at <code>~/cicd_stack/ca/02-issue-service-cert.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script issues a new, signed certificate for a service.</span> <span class="c">#</span> <span class="c"># USAGE: ./02-issue-service-cert.sh &lt;service_name_or_path&gt;</span> <span class="c">#</span> <span class="c"># EXAMPLE: ./02-issue-service-cert.sh gitlab</span> <span class="c"># EXAMPLE: ./02-issue-service-cert.sh elk/elasticsearch</span> <span class="c">#</span> <span class="c"># This will create a new directory 'pki/services/gitlab'</span> <span class="c"># containing 'gitlab.key.pem' and 'gitlab.crt.pem'.</span> <span class="nb">cd</span> ~/cicd_stack/ca <span class="o">||</span> <span class="o">(</span><span class="nb">echo</span> <span class="s2">"no CICD directory present"</span> <span class="o">&amp;&amp;</span> <span class="nb">exit</span><span class="o">)</span> <span class="c"># --- Configuration ---</span> <span class="c"># This MUST match the password you used in '01-create-ca.sh'</span> <span class="nv">CA_PASSWORD</span><span class="o">=</span><span class="s2">"your_secure_password"</span> <span class="c"># --- Script ---</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">CERT_NAME</span><span class="o">=</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: No service name provided."</span> <span class="nb">echo</span> <span class="s2">"USAGE: ./02-issue-service-cert.sh &lt;service_name_or_path&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"--- Preparing environment for service: </span><span class="nv">$SERVICE_NAME</span><span class="s2"> ---"</span> <span class="nb">echo</span> <span class="s2">"--- Certificate simple name will be: </span><span class="nv">$CERT_NAME</span><span class="s2"> ---"</span> <span class="c"># 1. Define all file paths</span> <span class="nv">SERVICE_DIR</span><span class="o">=</span><span class="s2">"pki/services/</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="nv">KEY_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SERVICE_DIR</span><span class="s2">/</span><span class="nv">$CERT_NAME</span><span class="s2">.key.pem"</span> <span class="nv">CSR_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SERVICE_DIR</span><span class="s2">/</span><span class="nv">$CERT_NAME</span><span class="s2">.csr"</span> <span class="nv">CERT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SERVICE_DIR</span><span class="s2">/</span><span class="nv">$CERT_NAME</span><span class="s2">.crt.pem"</span> <span class="nv">EXT_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SERVICE_DIR</span><span class="s2">/v3.ext"</span> <span class="c"># 2. Create the service's private directory</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$SERVICE_DIR</span> <span class="nb">chmod </span>700 <span class="nv">$SERVICE_DIR</span> <span class="c"># 3. Generate the service's Private Key</span> <span class="nb">echo</span> <span class="s2">"--- 1. Generating Private Key (</span><span class="nv">$CERT_NAME</span><span class="s2">.key.pem) ---"</span> openssl genrsa <span class="nt">-out</span> <span class="nv">$KEY_FILE</span> 4096 <span class="nb">chmod </span>400 <span class="nv">$KEY_FILE</span> <span class="c"># 4. Create the SAN (Subject Alternative Name) config file</span> <span class="c"># This is critical for modern browser compatibility.</span> <span class="nb">echo</span> <span class="s2">"--- 2. Creating SAN config file (v3.ext) ---"</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="nv">$EXT_FILE</span> <span class="o">&lt;&lt;-</span> <span class="no">EOM</span><span class="sh"> [ v3_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = </span><span class="nv">$CERT_NAME</span><span class="sh"> DNS.2 = localhost IP.1 = 127.0.0.1 </span><span class="no">EOM </span><span class="c"># 5. Generate a Certificate Signing Request (CSR)</span> <span class="nb">echo</span> <span class="s2">"--- 3. Generating Certificate Signing Request (</span><span class="nv">$CERT_NAME</span><span class="s2">.csr) ---"</span> openssl req <span class="nt">-new</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> <span class="nv">$KEY_FILE</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ZA/ST=Gauteng/L=Johannesburg/O=Local CICD Stack/CN=</span><span class="nv">$CERT_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-out</span> <span class="nv">$CSR_FILE</span> <span class="c"># 6. Sign the CSR with our Root CA</span> <span class="nb">echo</span> <span class="s2">"--- 4. Signing the certificate with our Root CA ---"</span> openssl ca <span class="nt">-config</span> openssl.cnf <span class="se">\</span> <span class="nt">-extensions</span> v3_ext <span class="nt">-extfile</span> <span class="nv">$EXT_FILE</span> <span class="se">\</span> <span class="nt">-days</span> 365 <span class="nt">-notext</span> <span class="nt">-md</span> sha256 <span class="se">\</span> <span class="nt">-passin</span> pass:<span class="nv">$CA_PASSWORD</span> <span class="se">\</span> <span class="nt">-in</span> <span class="nv">$CSR_FILE</span> <span class="se">\</span> <span class="nt">-out</span> <span class="nv">$CERT_FILE</span> <span class="se">\</span> <span class="nt">-batch</span> <span class="c"># Use non-interactive "batch" mode</span> <span class="c"># 7. Clean up temporary files</span> <span class="nb">rm</span> <span class="nv">$CSR_FILE</span> <span class="nb">rm</span> <span class="nv">$EXT_FILE</span> <span class="nb">echo</span> <span class="s2">"--- Successfully issued certificate for </span><span class="nv">$SERVICE_NAME</span><span class="s2"> ---"</span> <span class="nb">echo</span> <span class="s2">"Certificate: </span><span class="nv">$CERT_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Verifying SANs..."</span> <span class="c"># 8. Verify the certificate's SANs</span> openssl x509 <span class="nt">-in</span> <span class="nv">$CERT_FILE</span> <span class="nt">-noout</span> <span class="nt">-text</span> | <span class="nb">grep</span> <span class="nt">-A1</span> <span class="s2">"Subject Alternative Name"</span> </code></pre> </div> <h2> 4.3 Deconstruction (The SAN "Gotcha") </h2> <p>This script is the heart of our PKI, and it contains two critical, "first principles" lessons that we discovered during our testing.</p> <h3> Lesson 1: The "SAN Gotcha" (Why <code>CN</code> is Deprecated) </h3> <p>The most important part of this script is <strong>Step 4</strong>. We don't just generate a CSR; we first create a temporary config file called <code>v3.ext</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside 02-issue-service-cert.sh)</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="nv">$EXT_FILE</span> <span class="o">&lt;&lt;-</span> <span class="no">EOM</span><span class="sh"> [ v3_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = </span><span class="nv">$CERT_NAME</span><span class="sh"> DNS.2 = localhost IP.1 = 127.0.0.1 </span><span class="no">EOM </span></code></pre> </div> <p>This is the <strong>Subject Alternative Name (SAN)</strong> field. In the early days of the internet, browsers only checked the <strong>Common Name (CN)</strong> (which we set in Step 5 with <code>-subj "/CN=..."</code>).</p> <p>However, this <code>CN</code> field was ambiguous and is now <strong>deprecated</strong>. All modern browsers and tools (including Java) <strong>ignore the CN field</strong> and <em>only</em> validate the SAN list.</p> <p>Our script fixes this by:</p> <ol> <li> Creating a <code>v3.ext</code> file that defines the SAN extension (<code>subjectAltName = @alt_names</code>).</li> <li> Populating the <code>[alt_names]</code> list with all the names this certificate should be valid for.</li> <li> Telling <code>openssl ca</code> to use these extensions with the <code>-extensions v3_ext -extfile $EXT_FILE</code> flags.</li> </ol> <p>We include three entries for maximum compatibility:</p> <ul> <li> <code>DNS.1 = $CERT_NAME</code>: (e.g., <code>DNS:gitlab</code>) For <strong>container-to-container</strong> communication on <code>cicd-net</code>.</li> <li> <code>DNS.2 = localhost</code>: For us to access the UI from our host browser via <code>https://localhost</code>.</li> <li> <code>IP.1 = 127.0.0.1</code>: To fix the <code>curl https://127.0.0.1</code> error we discovered.</li> </ul> <h3> Lesson 2: The "Nested Path Gotcha" (Using <code>basename</code>) </h3> <p>The second "pain point" we discovered was when we tried to issue a certificate for <code>elk/elasticsearch.cicd.local</code>. Our script failed because it tried to create a file named <code>.../elk/elasticsearch.cicd.local/elk/elasticsearch.cicd.local.key.pem</code>, which is redundant and wrong.</p> <p>The solution is the <code>basename</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside 02-issue-service-cert.sh)</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">CERT_NAME</span><span class="o">=</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p>This command is a standard Linux utility that strips the directory path from a string.</p> <ul> <li>If <code>$SERVICE_NAME</code> is <code>gitlab.cicd.local</code>, <code>basename</code> returns <code>gitlab.cicd.local</code>.</li> <li>If <code>$SERVICE_NAME</code> is <code>elk/elasticsearch.cicd.local</code>, <code>basename</code> returns <code>elasticsearch.cicd.local</code>.</li> </ul> <p>This allows us to use the full <code>$SERVICE_NAME</code> to create the <em>directory path</em> (<code>pki/services/elk/elasticsearch.cicd.local</code>) but use the clean <code>$CERT_NAME</code> for all the <em>filenames</em> (e.g., <code>elasticsearch.cicd.local.key.pem</code>).</p> <h3> Lesson 3: The <code>openssl ca</code> Command </h3> <p>The final command, <code>openssl ca</code>, is the "passport office" at work.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside 02-issue-service-cert.sh)</span> openssl ca <span class="nt">-config</span> openssl.cnf <span class="se">\</span> <span class="nt">-extensions</span> v3_ext <span class="nt">-extfile</span> <span class="nv">$EXT_FILE</span> <span class="se">\</span> <span class="nt">-days</span> 365 <span class="nt">-notext</span> <span class="nt">-md</span> sha256 <span class="se">\</span> <span class="nt">-passin</span> pass:<span class="nv">$CA_PASSWORD</span> <span class="se">\</span> <span class="nt">-in</span> <span class="nv">$CSR_FILE</span> <span class="se">\</span> <span class="nt">-out</span> <span class="nv">$CERT_FILE</span> <span class="se">\</span> <span class="nt">-batch</span> </code></pre> </div> <ul> <li> <code>-config openssl.cnf</code>: "Use our main 'blueprint'."</li> <li> <code>-passin pass:$CA_PASSWORD</code>: "Here is the password for the 'master stamp' (the CA key)."</li> <li> <code>-in $CSR_FILE</code>: "Here is the 'passport application' (the CSR) to be signed."</li> <li> <code>-extensions v3_ext -extfile $EXT_FILE</code>: "Apply the SANs from our temporary file."</li> <li> <code>-batch</code>: "Don't ask me any questions ('Sign this? y/n'). Just approve it."</li> <li> <code>-out $CERT_FILE</code>: "Put the final, signed 'passport' here."</li> </ul> <h2> 4.4 Action Plan: <code>03-issue-all-certs.sh</code> </h2> <p>Now that we have our powerful, reusable "passport printer" script, we can create a simple automation script to issue "passports" for all 10 of our services.</p> <p>Create this file on your <strong>host machine</strong> at <code>~/cicd_stack/ca/03-issue-all-certs.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script automates the issuance of certificates for all</span> <span class="c"># services in our 10-article CI/CD stack by looping</span> <span class="c"># over an array and calling our '02-issue-service-cert.sh' script.</span> <span class="c"># --- Configuration ---</span> <span class="c"># This array defines the service names. These names will be used</span> <span class="c"># for the certificate Common Name (CN) and the directory path</span> <span class="c"># inside 'pki/services/'.</span> <span class="c">#</span> <span class="c"># Note the nested paths for ELK, which our script handles automatically.</span> <span class="nv">SERVICES</span><span class="o">=(</span> <span class="s2">"gitlab.cicd.local"</span> <span class="s2">"jenkins.cicd.local"</span> <span class="s2">"artifactory.cicd.local"</span> <span class="s2">"sonarqube.cicd.local"</span> <span class="s2">"mattermost.cicd.local"</span> <span class="s2">"elk/elasticsearch.cicd.local"</span> <span class="s2">"elk/logstash.cicd.local"</span> <span class="s2">"elk/kibana.cicd.local"</span> <span class="s2">"prometheus.cicd.local"</span> <span class="s2">"grafana.cicd.local"</span> <span class="o">)</span> <span class="nv">ISSUER_SCRIPT</span><span class="o">=</span><span class="s2">"./02-issue-service-cert.sh"</span> <span class="c"># --- Pre-run Checks ---</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Issuer script '</span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">' not found."</span> <span class="nb">echo</span> <span class="s2">"Please ensure you are in the '~/cicd_stack/ca' directory."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-x</span> <span class="s2">"</span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Issuer script '</span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">' is not executable."</span> <span class="nb">echo</span> <span class="s2">"Please run: chmod +x </span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"---=== Issuing all service certificates ===---"</span> <span class="nb">echo</span> <span class="s2">"This will use the CA password hardcoded in '</span><span class="nv">$ISSUER_SCRIPT</span><span class="s2">'."</span> <span class="c"># --- Main Loop ---</span> <span class="k">for </span>service <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SERVICES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"Issuing certificate for: </span><span class="nv">$service</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"------------------------------------------------"</span> <span class="c"># Call the issuer script with the service name</span> ./<span class="nv">$ISSUER_SCRIPT</span> <span class="s2">"</span><span class="nv">$service</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Failed to issue certificate for </span><span class="nv">$service</span><span class="s2">. Aborting."</span> <span class="nb">exit </span>1 <span class="k">fi done </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"------------------------------------------------"</span> <span class="nb">echo</span> <span class="s2">"---=== All service certificates issued successfully ===---"</span> <span class="nb">echo</span> <span class="s2">"You can view the new directory structure:"</span> <span class="nb">ls</span> <span class="nt">-lR</span> ~/cicd_stack/ca/pki/services/ </code></pre> </div> <h3> Action </h3> <p>From your <strong>host machine</strong> (inside <code>~/cicd_stack/ca</code>), make both scripts executable, then run the automation script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST, inside ~/cicd_stack/ca)</span> <span class="nb">chmod</span> +x 02-issue-service-cert.sh <span class="nb">chmod</span> +x 03-issue-all-certs.sh ./03-issue-all-certs.sh </code></pre> </div> <p><strong>Verification:</strong><br> The script will loop through all 10 services. The final <code>ls -lR</code> command will display the complete, organized directory structure you've created, with each service's key and certificate in its own isolated folder (e.g., <code>pki/services/gitlab/</code>, <code>pki/services/elk/elasticsearch/</code>, etc.).</p> <h1> Chapter 5: The <em>New</em> "Pain Point" - Establishing Trust </h1> <h2> 5.1 The "Failure First": The "Untrusted Issuer" </h2> <p>We have successfully built our "passport office" and printed a full set of valid "passports" for all our services. Our <code>pki/services</code> directory is full of certificates that are cryptographically perfect, have a valid date range, and contain the correct <strong>Subject Alternative Names (SANs)</strong>.</p> <p>This leads us to a new, critical "pain point."</p> <p>If we were to deploy a service right now using our new <code>gitlab.cicd.local.key.pem</code> certificate, our browsers would <em>still</em> show a full-page security warning.</p> <p>However, the error would be different. It would no longer be <code>NET::ERR_CERT_COMMON_NAME_INVALID</code> (which our SANs fixed). Instead, it would be <strong><code>NET::ERR_CERT_AUTHORITY_INVALID</code></strong>.</p> <blockquote> <p><strong>The Analogy: The "Untrusted Passport Office"</strong></p> <p>This new error is a crucial distinction. The browser is no longer complaining about the "passport" itself (<code>gitlab.cicd.local.crt.pem</code>). It's complaining about the <em>issuer</em>.</p> <p>The browser is acting as the border agent, looking at our valid "passport" and saying:</p> <p>"This passport looks perfectly filled out. The photo matches, the name is correct, and it's not expired. But I've never heard of the 'passport office' (our 'Local CICD Root CA') that issued this. For all I know, you built that office in your garage. I don't trust it."</p> <p>We have created a valid certificate from an untrusted authority. Our next and final step is to establish that trust.</p> </blockquote> <h2> 5.2 The "Disjointed Trust Stores" Principle </h2> <p>To solve this new "untrusted" pain point, we must understand a critical, "first principles" concept: there is <strong>no single "trust" button</strong> on a modern operating system.</p> <p>When we ran our <code>04-trust-ca-host.sh</code> script, we discovered that <code>curl</code> was fixed, but Chrome and Firefox were not. This is because our "government" (the host OS) is fragmented, and different applications pledge allegiance to different "lists of trusted passport offices" (Trust Stores).</p> <p>To fix this, we must <em>manually</em> add our <code>ca-cert.pem</code> to several independent trust stores:</p> <ol> <li> <strong>The OpenSSL System Trust Store</strong>: This is the main list for the operating system, located at <code>/etc/ssl/certs/</code>. It is used by most command-line tools like <code>curl</code>, <code>wget</code>, <code>git</code>, and <code>apt</code>. We already fixed this with <code>sudo update-ca-certificates</code>.</li> <li> <strong>The Firefox NSS Trust Store</strong>: Firefox, by design, ignores the system trust store. It maintains its own private, isolated database (a file named <code>cert9.db</code>) inside your user's profile directory.</li> <li> <strong>The System-wide NSS Trust Store</strong>: Google Chrome <em>also</em> uses the NSS (Network Security Services) database, but it looks at a different, system-wide one (often <code>~/.pki/nssdb/</code>). This is why fixing the OS store didn't fix Chrome.</li> <li> <strong>The "Java Gotcha" (<code>cacerts</code>)</strong>: This is the most important "gotcha" for our stack. The Java Virtual Machine (JVM) <strong>ignores all system trust stores</strong>. Java has its <em>own</em> separate, single-file database called <code>cacerts</code>. When we deploy Jenkins, Artifactory, and SonarQube, we <em>must</em> manually import our CA into this specific file, or they will all fail with <code>SSLHandshakeException</code>.</li> </ol> <p>Our "Action Plan" must therefore be a multi-pronged attack, targeting each of these trust stores individually.</p> <h2> 5.3 Action Plan: Trusting Our CA on the Host </h2> <p>Now that we understand the problem, we will execute the solution. Our script <code>04-trust-ca-host.sh</code> is a precision tool designed to inject our <code>ca.pem</code> file into all three "disjointed trust stores" on our host machine.</p> <p>Here is the code for <code>04-trust-ca-host.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script trusts our Root CA on the host machine.</span> <span class="c"># It will prompt for your password for 'sudo' commands.</span> <span class="c">#</span> <span class="c"># It trusts the CA in THREE places:</span> <span class="c"># 1. The Host OS (for curl, apt, git, etc.)</span> <span class="c"># 2. The system-wide NSS database (for Chrome/Chromium)</span> <span class="c"># 3. The Firefox browser (which uses its own private store)</span> <span class="nb">echo</span> <span class="s2">"--- Navigating to CA directory ---"</span> <span class="c"># Navigate to the CA directory to find the certs</span> <span class="nb">cd</span> ~/cicd_stack/ca <span class="o">||</span> <span class="o">(</span><span class="nb">echo</span> <span class="s2">"ERROR: ~/cicd_stack/ca directory not found."</span> <span class="o">&amp;&amp;</span> <span class="nb">exit</span><span class="o">)</span> <span class="nv">CA_CERT_NAME</span><span class="o">=</span><span class="s2">"cicd-stack-ca.crt"</span> <span class="nv">CA_CERT_PATH</span><span class="o">=</span><span class="s2">"pki/certs/ca.pem"</span> <span class="nv">CA_NICKNAME</span><span class="o">=</span><span class="s2">"Local CICD Root CA"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CA_CERT_PATH</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: Root CA certificate not found at </span><span class="nv">$CA_CERT_PATH</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># --- 0. Install Prerequisites (NSS Tools) ---</span> <span class="nb">echo</span> <span class="s2">"--- Installing 'libnss3-tools' (for certutil) ---"</span> <span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> libnss3-tools <span class="c"># --- 1. Trust CA in Host OS (for curl, Chrome, ...) ---</span> <span class="nb">echo</span> <span class="s2">"--- 1. Trusting CA in Host OS (OpenSSL store) ---"</span> <span class="nb">sudo cp</span> <span class="nv">$CA_CERT_PATH</span> /usr/local/share/ca-certificates/<span class="nv">$CA_CERT_NAME</span> <span class="nb">sudo </span>update-ca-certificates <span class="c"># --- 2. Trust CA in System-wide NSS DB (for Chrome) ---</span> <span class="nb">echo</span> <span class="s2">"--- 2. Trusting CA in NSS DB (for Chrome) ---"</span> <span class="c"># Create the NSS database directory if it doesn't exist</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$HOME</span>/.pki/nssdb <span class="c"># Add the certificate to the NSS database</span> <span class="c"># -d sql:$HOME/.pki/nssdb : Specifies the database path</span> <span class="c"># -A : Add a certificate</span> <span class="c"># -n : Nickname</span> <span class="c"># -t "C,T,C" : Set trust attributes (C=SSL Client, T=SSL Server, C=Email)</span> certutil <span class="nt">-A</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$CA_NICKNAME</span><span class="s2">"</span> <span class="nt">-t</span> <span class="s2">"C,T,C"</span> <span class="nt">-i</span> <span class="nv">$CA_CERT_PATH</span> <span class="nt">-d</span> sql:<span class="nv">$HOME</span>/.pki/nssdb <span class="c"># --- 3. Trusting CA in Firefox ---</span> <span class="nb">echo</span> <span class="s2">"--- 3. Trusting CA in Firefox (private store) ---"</span> <span class="c"># Find all Firefox profile databases (cert9.db)</span> <span class="nv">FF_PROFILES_DB</span><span class="o">=</span><span class="si">$(</span>find <span class="nv">$HOME</span>/.mozilla/firefox <span class="nt">-name</span> <span class="s2">"cert9.db"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$FF_PROFILES_DB</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"WARNING: Could not find Firefox cert9.db. Skipping Firefox trust."</span> <span class="nb">echo</span> <span class="s2">"You may need to add the CA manually via Firefox settings."</span> <span class="k">else for </span>db <span class="k">in</span> <span class="nv">$FF_PROFILES_DB</span><span class="p">;</span> <span class="k">do </span><span class="nv">PROFILE_PATH</span><span class="o">=</span><span class="si">$(</span><span class="nb">dirname</span> <span class="nv">$db</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"--- Found Firefox profile, adding CA to: </span><span class="nv">$PROFILE_PATH</span><span class="s2"> ---"</span> <span class="c"># Add the CA to the Firefox NSS database</span> certutil <span class="nt">-A</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$CA_NICKNAME</span><span class="s2">"</span> <span class="nt">-t</span> <span class="s2">"C,T,C"</span> <span class="nt">-i</span> <span class="nv">$CA_CERT_PATH</span> <span class="nt">-d</span> sql:<span class="nv">$PROFILE_PATH</span> <span class="k">done fi </span><span class="nb">echo</span> <span class="s2">"--- Host trust setup complete ---"</span> <span class="nb">echo</span> <span class="s2">"IMPORTANT: Please restart Google Chrome for changes to take effect."</span> </code></pre> </div> <h3> Deconstruction </h3> <p>This script is a perfect example of our "first principles" approach, as it surgically targets each trust store:</p> <ul> <li> <strong>Step 0: Install <code>libnss3-tools</code></strong>: We first install the <code>certutil</code> command, which is the "first principles" tool for managing both the Chrome and Firefox NSS databases.</li> <li> <strong>Step 1: Host OS (OpenSSL)</strong>: <ul> <li> <code>sudo cp ... /usr/local/share/ca-certificates/</code>: This copies our "passport office license" into the system's "pending applications" directory.</li> <li> <code>sudo update-ca-certificates</code>: This is the system command that processes that directory, rebuilds the master trust file (<code>/etc/ssl/certs/ca-certificates.crt</code>), and officially trusts our CA. This fixes <code>curl</code>, <code>git</code>, <code>apt</code>, and other system tools.</li> </ul> </li> <li> <strong>Step 2: Chrome (NSS System Store)</strong>: <ul> <li> <code>mkdir -p $HOME/.pki/nssdb</code>: We ensure the "filing cabinet" for Chrome's trust store exists.</li> <li> <code>certutil -A ... -d sql:$HOME/.pki/nssdb</code>: We use <code>certutil</code> to add our CA to this <em>specific</em> database, fixing the <code>net::ERR_CERT_AUTHORITY_INVALID</code> error in Chrome.</li> </ul> </li> <li> <strong>Step 3: Firefox (NSS Profile Store)</strong>: <ul> <li> <code>find $HOME/.mozilla/firefox -name "cert9.db"</code>: We find the <em>separate, private</em> "filing cabinet" that Firefox maintains for your user profile.</li> <li> <code>certutil -A ... -d sql:$PROFILE_PATH</code>: We run the <em>same</em> <code>certutil</code> command, but this time we target the Firefox-specific database path, fixing trust for Firefox.</li> </ul> </li> </ul> <h3> Action </h3> <p>From your <strong>host machine</strong> (inside your <code>0006_cicd_part02_certificate_authority</code> directory), make the script executable and run it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="nb">chmod</span> +x 04-trust-ca-host.sh ./04-trust-ca-host.sh </code></pre> </div> <p><strong>Result:</strong><br> The script will prompt for your <code>sudo</code> password, then proceed to install the tools and update all three trust stores. You will see output like "1 added, 0 removed; done." from <code>update-ca-certificates</code> and confirmation from <code>certutil</code>.</p> <h2> 5.4 Action Plan: Trusting the "Control Center" (<code>dev-container</code>) </h2> <p>We have successfully taught our <strong>host machine</strong> to trust our CA. Now we must do the same for our <strong><code>dev-container</code></strong>.</p> <p>This is a critical step. Our <code>dev-container</code> is our "Control Center." Its tools (<code>curl</code>, <code>git</code>, and most importantly, our future Python API scripts) must be able to make secure HTTPS connections to our new services. If our container doesn't trust our CA, our entire automation plan will fail with the same <code>SSLHandshakeException</code> and <code>certificate problem</code> errors.</p> <h3> The "No-Rebuild" Solution </h3> <p>We will use the flexible architecture we built in Article 1 to solve this without rebuilding our container image.</p> <ol> <li> <strong>The <code>data/</code> Mount</strong>: Our <code>dev-container.sh</code> script mounts our host's <code>data/</code> directory into the container.</li> <li> <strong>The <code>entrypoint.sh</code> Mount</strong>: Our <code>dev-container.sh</code> script <em>also</em> mounts our host's <code>entrypoint.sh</code> script, which runs <em>every time</em> the container starts.</li> </ol> <p>We will copy our public CA certificate into the host's <code>data/</code> directory. Then, we will edit our <code>entrypoint.sh</code> script to automatically install this certificate <em>at startup</em>.</p> <h3> Action 1: Copy the CA Certificate </h3> <p>From your <strong>host machine</strong>, copy your public "business license" (<code>ca.pem</code>) into the <code>data/</code> directory of your <code>FromFirstPrinciples</code> project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST, from your 0006_cicd... directory)</span> <span class="c"># This copies our CA cert into the shared data folder</span> <span class="nb">cp</span> ~/cicd_stack/ca/pki/certs/ca.pem ~/Documents/FromFirstPrinciples/data/ca-cert.pem </code></pre> </div> <h3> Action 2: Edit <code>entrypoint.sh</code> </h3> <p>Now, open your <code>entrypoint.sh</code> file (in your <code>FromFirstPrinciples</code> directory) with your text editor. Add the following block of code directly after the <code>sudo service ssh restart</code> line.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="nb">sudo </span>service ssh restart <span class="c"># --- ADD THIS BLOCK TO TRUST THE LOCAL CA ---</span> <span class="nv">CA_CERT_PATH</span><span class="o">=</span><span class="s2">"data/ca-cert.pem"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CA_CERT_PATH</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"--- Found Local CA certificate, installing to system trust store ---"</span> <span class="c"># Copy the CA cert into the system's trust store</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$CA_CERT_PATH</span><span class="s2">"</span> /usr/local/share/ca-certificates/cicd-stack-ca.crt <span class="c"># Update the system's CA list</span> <span class="nb">sudo </span>update-ca-certificates <span class="k">else </span><span class="nb">echo</span> <span class="s2">"--- No Local CA certificate found at </span><span class="nv">$CA_CERT_PATH</span><span class="s2">, skipping system trust ---"</span> <span class="k">fi</span> <span class="c"># --- END OF BLOCK ---</span> <span class="c"># Check for GPG key and gitconfig on the persistent data volume</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-e</span> data/private.pgp <span class="o">]</span><span class="p">;</span> <span class="k">then </span>gpg <span class="nt">--import</span> data/private.pgp <span class="k">fi</span> ... </code></pre> </div> <p><em>(The rest of your <code>entrypoint.sh</code> file remains the same.)</em></p> <h3> Deconstruction </h3> <p>This logic is simple and powerful:</p> <ol> <li> It checks if the <code>data/ca-cert.pem</code> file (which we just copied) is present.</li> <li> If it is, it copies it into the container's system trust directory (<code>/usr/local/share/ca-certificates/</code>).</li> <li> It runs <code>sudo update-ca-certificates</code> <em>inside the container</em> to make its system tools (like <code>curl</code> and <code>git</code>) trust our CA.</li> </ol> <h3> Action 3: Recreate the <code>dev-container</code> </h3> <p>Because we just changed the <code>entrypoint.sh</code> script (which is bind-mounted), we don't need to <em>rebuild</em> the image, but we do need to <em>recreate</em> the container to run the new script.</p> <p>As we've noted, your <code>entrypoint.sh</code> script also handles your GPG key, which requires an interactive prompt. Therefore, we must use our <code>docker stop/rm</code> and <code>./dev-container.sh</code> flow.</p> <p>From your <strong>host machine</strong> (in the <code>FromFirstPrinciples</code> directory):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="c"># 1. Stop and remove the old container</span> docker stop dev-container <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>dev-container <span class="c"># 2. Run the new container (which will use the modified entrypoint)</span> ./dev-container.sh </code></pre> </div> <p><strong>Result:</strong><br> As the container starts, you will see our new messages in the log output, culminating in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- Found Local CA certificate, installing to system trust store --- Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done. </code></pre> </div> <p>This confirms our "Control Center" now also trusts our CA.</p> <h2> 5.5 Verification: The "Success Second" (Python HTTPS Server) </h2> <p>We have now executed three complex, "first principles" operations:</p> <ol> <li> We created a Root CA and a full set of service certificates, solving the "SAN Gotcha" and "Nested Path Gotcha."</li> <li> We manually configured our <strong>Host OS</strong> to trust our CA, fixing <code>curl</code>, Chrome, and Firefox.</li> <li> We configured our <strong><code>dev-container</code></strong> to trust our CA by modifying its <code>entrypoint.sh</code>.</li> </ol> <p>The plan is complete, but we must <em>verify</em> it. We will now run a simple, local HTTPS server <em>on our host machine</em> using one of the "passports" we just printed (our <code>gitlab.cicd.local</code> certificate). We will then test if our browsers and our <code>dev-container</code> trust it.</p> <h3> Action 1: The Python Test Server </h3> <p>Here is the code for <code>05-verify-trust.py</code>. This script is a simple, standard-library-only HTTPS server.</p> <p>Create this file on your <strong>host machine</strong> at <code>~/Documents/FromFirstPrinciples/articles/0006_cicd_part02_certificate_authority/05-verify-trust.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">ssl</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="c1"># --- Configuration --- # This is the "simple name" of the certificate we want to use. # It must match one of the subdirectories we created in pki/services/ # We will use 'gitlab' as our test certificate. </span><span class="n">CERT_NAME</span> <span class="o">=</span> <span class="sh">"</span><span class="s">gitlab.cicd.local</span><span class="sh">"</span> <span class="c1"># Find the '~/cicd_stack/ca' directory from the user's home </span><span class="n">HOME_DIR</span> <span class="o">=</span> <span class="n">Path</span><span class="p">.</span><span class="nf">home</span><span class="p">()</span> <span class="n">CA_DIR</span> <span class="o">=</span> <span class="n">HOME_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">cicd_stack</span><span class="sh">"</span> <span class="o">/</span> <span class="sh">"</span><span class="s">ca</span><span class="sh">"</span> <span class="n">PKI_DIR</span> <span class="o">=</span> <span class="n">CA_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">pki</span><span class="sh">"</span> <span class="n">CERT_DIR</span> <span class="o">=</span> <span class="n">PKI_DIR</span> <span class="o">/</span> <span class="sh">"</span><span class="s">services</span><span class="sh">"</span> <span class="o">/</span> <span class="n">CERT_NAME</span> <span class="c1"># Paths to the certificate and private key files </span><span class="n">CERT_FILE</span> <span class="o">=</span> <span class="n">CERT_DIR</span> <span class="o">/</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">CERT_NAME</span><span class="si">}</span><span class="s">.crt.pem</span><span class="sh">"</span> <span class="n">KEY_FILE</span> <span class="o">=</span> <span class="n">CERT_DIR</span> <span class="o">/</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">CERT_NAME</span><span class="si">}</span><span class="s">.key.pem</span><span class="sh">"</span> <span class="c1"># Server configuration </span><span class="n">HOST</span> <span class="o">=</span> <span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span> <span class="n">PORT</span> <span class="o">=</span> <span class="mi">8443</span> <span class="c1"># --- Validation --- </span><span class="k">if</span> <span class="ow">not</span> <span class="n">PKI_DIR</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- ERROR ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Could not find CA directory at: </span><span class="si">{</span><span class="n">CA_DIR</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Please ensure you have run </span><span class="sh">'</span><span class="s">01-create-ca.sh</span><span class="sh">'</span><span class="s"> successfully.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">CERT_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">()</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">KEY_FILE</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- ERROR ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Could not find certificate files for </span><span class="sh">'</span><span class="si">{</span><span class="n">CERT_NAME</span><span class="si">}</span><span class="sh">'</span><span class="s">.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Expected cert at: </span><span class="si">{</span><span class="n">CERT_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Expected key at: </span><span class="si">{</span><span class="n">KEY_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Please run </span><span class="sh">'</span><span class="s">./03-issue-all-certs.sh</span><span class="sh">'</span><span class="s"> first.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># --- Server Setup --- </span><span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Starting HTTPS server on https://</span><span class="si">{</span><span class="n">HOST</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">PORT</span><span class="si">}</span><span class="s"> ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Loading certificate: </span><span class="si">{</span><span class="n">CERT_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Loading private key: </span><span class="si">{</span><span class="n">KEY_FILE</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Create a standard TCP server </span><span class="n">httpd</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="nc">HTTPServer</span><span class="p">(</span> <span class="p">(</span><span class="n">HOST</span><span class="p">,</span> <span class="n">PORT</span><span class="p">),</span> <span class="n">http</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">SimpleHTTPRequestHandler</span> <span class="p">)</span> <span class="c1"># Create an SSL context </span><span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nc">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="p">.</span><span class="n">PROTOCOL_TLS_SERVER</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="nf">load_cert_chain</span><span class="p">(</span><span class="n">certfile</span><span class="o">=</span><span class="n">CERT_FILE</span><span class="p">,</span> <span class="n">keyfile</span><span class="o">=</span><span class="n">KEY_FILE</span><span class="p">)</span> <span class="c1"># Wrap the server socket with our new SSL context </span><span class="n">httpd</span><span class="p">.</span><span class="n">socket</span> <span class="o">=</span> <span class="n">context</span><span class="p">.</span><span class="nf">wrap_socket</span><span class="p">(</span><span class="n">httpd</span><span class="p">.</span><span class="n">socket</span><span class="p">,</span> <span class="n">server_side</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">--- Server is running. Open https://</span><span class="si">{</span><span class="n">HOST</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">PORT</span><span class="si">}</span><span class="s"> in your browser. ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Press Ctrl+C to stop.</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">httpd</span><span class="p">.</span><span class="nf">serve_forever</span><span class="p">()</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">--- Server stopped. ---</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Deconstruction </h3> <ul> <li> <code>CERT_DIR = HOME_DIR / "cicd_stack" / "ca" ...</code>: This Python code robustly finds the certificates we created by looking in our <code>~/cicd_stack/ca</code> directory.</li> <li> <code>context = ssl.SSLContext(...)</code>: This creates the secure SSL/TLS context for our server.</li> <li> <code>context.load_cert_chain(...)</code>: This is the key line. It loads our service "passport" (<code>gitlab.cicd.local.crt.pem</code>) and its corresponding "passport key" (<code>gitlab.cicd.local.key.pem</code>).</li> <li> <code>httpd.socket = context.wrap_socket(...)</code>: This "wraps" our standard HTTP server in the secure SSL context, upgrading it to HTTPS.</li> </ul> <h3> Action 2: Run the Server and Verify </h3> <p>From your <strong>host machine</strong> (inside your <code>0006_cicd_part02_certificate_authority</code> directory), make the script executable and run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="nb">chmod</span> +x 05-verify-trust.py ./05-verify-trust.py </code></pre> </div> <p>The server is now running on <code>https://localhost:8443</code>.</p> <h3> Verification Step 1: Browsers (Host) </h3> <ol> <li> Open <strong>Google Chrome</strong> (in an Incognito window to be safe) and go to <code>https://localhost:8443</code>.</li> <li> Open <strong>Firefox</strong> and go to <code>https://localhost:8443</code>.</li> </ol> <p><strong>Result</strong>: Both browsers should <strong>show a secure padlock icon 🔒</strong>. They will <em>not</em> show a "Your connection is not private" warning. This proves that our <code>04-trust-ca-host.sh</code> script worked and successfully configured all three trust stores.</p> <h3> Verification Step 2: <code>curl</code> (Host) </h3> <p>Open a <em>new</em> host terminal (leaving the server running) and test with <code>curl</code> using both the name and the IP address.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="c"># Test 1: By hostname</span> curl https://localhost:8443 <span class="c"># Test 2: By IP address</span> curl https://127.0.0.1:8443 </code></pre> </div> <p><strong>Result</strong>: Both commands will succeed and print the HTML for a directory listing. They will <em>not</em> fail with an "SSL certificate problem." This proves our host's OpenSSL trust store is fixed <em>and</em> our SAN <code>IP:127.0.0.1</code> entry is working.</p> <h3> Verification Step 3: <code>curl</code> (Container) </h3> <p>This is the final and most important test. We must prove that our <code>dev-container</code>—our "Control Center"—also trusts our new CA. We will do this by running our Python test server <em>inside</em> the container and then, from a <em>second</em> container shell, trying to <code>curl</code> it.</p> <p>This is a perfect, hermetic test of the container's internal trust store.</p> <p><strong>Action 1 (Host): Copy Certs into the "Dropbox"</strong><br> Our test server, <code>05-verify-trust.py</code>, is configured to find certificates at <code>~/cicd_stack/ca/pki/services/...</code>. This path doesn't exist inside our container, so we must first get the <code>gitlab</code> certificate folder into the container. We will use our mounted <code>data/</code> directory as the "dropbox."</p> <p>From your <strong>host machine</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="c"># Copy the gitlab certs/key folder into the 'data' directory</span> <span class="nb">cp</span> <span class="nt">-r</span> ~/cicd_stack/ca/pki/services/gitlab.cicd.local/ ~/Documents/FromFirstPrinciples/data/ </code></pre> </div> <p><strong>Action 2 (Container): Run the Server</strong><br> Now, we'll enter our <code>dev-container</code> and set up the test. This requires two terminals.</p> <p><strong>Terminal 1 (dev-container shell 1):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> docker <span class="nb">exec</span> <span class="nt">-it</span> dev-container bash <span class="c"># (Inside dev-container - Terminal 1)</span> <span class="c"># 1. Re-create the path structure the script expects</span> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/cicd_stack/ca/pki/services/ <span class="c"># 2. Copy the certs from our 'dropbox' to the expected path</span> <span class="nb">cp</span> <span class="nt">-r</span> ~/data/gitlab.cicd.local/ ~/cicd_stack/ca/pki/services/ <span class="c"># 3. Navigate to the article directory</span> <span class="nb">cd</span> ~/articles/0006_cicd_part02_certificate_authority/ <span class="c"># 4. Run the Python server</span> python3 05-verify-trust.py </code></pre> </div> <p><strong>Result:</strong><br> The server will start successfully inside the container, as it can now find its certificates.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- Starting HTTPS server on https://localhost:8443 --- Loading certificate: /home/warren_jitsing/cicd_stack/ca/pki/services/gitlab.cicd.local/gitlab.cicd.local.crt.pem Loading private key: /home/warren_jitsing/cicd_stack/ca/pki/services/gitlab.cicd.local/gitlab.cicd.local.key.pem --- Server is running. Open https://localhost:8443 in your browser. --- Press Ctrl+C to stop. </code></pre> </div> <p><strong>Terminal 2 (dev-container shell 2):</strong><br> While the server is running in the first terminal, open a <em>second</em> host terminal and get another shell inside the <code>dev-container</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST - Terminal 2)</span> docker <span class="nb">exec</span> <span class="nt">-it</span> dev-container bash </code></pre> </div> <p>Now, from this second shell, we will run <code>curl</code> to connect to the server running in our <em>first</em> shell.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside dev-container - Terminal 2)</span> <span class="c"># 5. Test connection to localhost</span> curl https://localhost:8443 <span class="c"># 6. Test connection to 127.0.0.1</span> curl https://127.0.0.1:8443 </code></pre> </div> <p><strong>Result:</strong><br> Both commands will succeed, returning the HTML of the directory listing.</p> <p><strong>Explanation:</strong><br> This is the ultimate verification. <code>curl</code> (running inside the container) is using the container's system trust store. This test proves that:</p> <ol> <li> Our <code>entrypoint.sh</code> script successfully ran at startup.</li> <li> It correctly found <code>data/ca-cert.pem</code> and ran <code>sudo update-ca-certificates</code>.</li> <li> The container's trust store is now fixed, and all tools inside our "Control Center" (like <code>curl</code>, <code>git</code>, and our future Python scripts) will fully trust our new CA.</li> </ol> <p><strong>Cleanup (Terminal 1):</strong><br> You can now stop the Python server with <code>Ctrl+C</code> and remove the temporary certificate directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Inside dev-container - Terminal 1)</span> <span class="nb">rm</span> <span class="nt">-rf</span> ~/cicd_stack/ <span class="nb">rm</span> <span class="nt">-rf</span> ~/data/gitlab.cicd.local/ </code></pre> </div> <h1> Chapter 6: The "Easy Way" - Automating with <code>easyrsa</code> </h1> <h2> 6.1 The "Why": Appreciating Automation </h2> <p>In the previous chapters, we built a fully functional, secure Certificate Authority "the hard way." We meticulously crafted our <code>openssl.cnf</code>, built our PKI directory structure, and manually managed our "ledger" (<code>index.txt</code>) and "ticket dispenser" (<code>serial</code>). We deconstructed the complex <code>openssl ca</code> command and learned, through failure, that we must manually build and pass a <code>v3.ext</code> file to handle the critical <strong>Subject Alternative Name (SAN)</strong> requirement.</p> <p>This was an essential "first principles" exercise. Now that we have done the hard work and understand every moving part, we can appreciate the "easy button."</p> <p>We will now introduce <strong><code>easyrsa</code></strong>, a tool whose sole purpose is to automate every tedious step we just learned.</p> <h2> 6.2 The "What": <code>easyrsa</code> is a Wrapper </h2> <p><code>easyrsa</code> is not a <em>replacement</em> for <code>openssl</code>. It is a <strong>shell script wrapper</strong> <em>around</em> <code>openssl</code>. It was developed by the OpenVPN project to simplify the creation of a PKI.</p> <p>It is our "automated passport office clerk." It takes our simple, high-level commands (like "make a CA" or "make a server certificate") and, behind the scenes, runs the same complex <code>openssl</code> commands we just did, automatically managing the <code>index.txt</code>, <code>serial</code> file, and configuration templates for us.</p> <p>We will now run a self-contained demo to prove this.</p> <h2> 6.3 Action Plan: <code>06-run-easyrsa-demo.sh</code> </h2> <p>Here is the code for <code>06-run-easyrsa-demo.sh</code>. This script will install <code>easyrsa</code> by cloning its Git repository (as it is not available in the default Debian repositories), and then use it to build a <em>second</em>, separate "demo" CA.</p> <p>Create this file on your <strong>host machine</strong> at <code>~/Documents/FromFirstPrinciples/articles/0006_cicd_part02_certificate_authority/06-run-easyrsa-demo.sh</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># This script demonstrates the "easy way" to create a CA</span> <span class="c"># and issue a certificate using the 'easyrsa' wrapper.</span> <span class="c">#</span> <span class="c"># It is for demonstration only and does not use our</span> <span class="c"># main '~/cicd_stack/ca' directory.</span> <span class="nv">DEMO_DIR</span><span class="o">=</span><span class="s2">"easyrsa-demo"</span> <span class="nv">REPO_URL</span><span class="o">=</span><span class="s2">"https://github.com/OpenVPN/easy-rsa.git"</span> <span class="nv">REPO_BRANCH</span><span class="o">=</span><span class="s2">"v3.2.4"</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="s2">"gitlab-demo"</span> <span class="c"># --- 1. Installation (via Git) ---</span> <span class="nb">echo</span> <span class="s2">"--- 1. Installing 'git' (prerequisite) ---"</span> <span class="nb">sudo </span>apt-get update <span class="nt">-qq</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-qq</span> git <span class="c"># --- 2. Setup ---</span> <span class="nb">echo</span> <span class="s2">"--- 2. Cloning easyrsa branch '</span><span class="nv">$REPO_BRANCH</span><span class="s2">' into demo directory: </span><span class="nv">$DEMO_DIR</span><span class="s2"> ---"</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="nv">$DEMO_DIR</span> git clone <span class="nt">--depth</span><span class="o">=</span>1 <span class="nt">-b</span> <span class="nv">$REPO_BRANCH</span> <span class="nv">$REPO_URL</span> <span class="nv">$DEMO_DIR</span> <span class="c"># Navigate into the new demo directory</span> <span class="nb">cd</span> <span class="nv">$DEMO_DIR</span> <span class="o">||</span> <span class="o">(</span><span class="nb">echo</span> <span class="s2">"Failed to clone easyrsa. Aborting."</span> <span class="o">&amp;&amp;</span> <span class="nb">exit </span>1<span class="o">)</span> <span class="c"># Navigate into the easyrsa3 directory where the executable is</span> <span class="nb">cd </span>easyrsa3 <span class="o">||</span> <span class="o">(</span><span class="nb">echo</span> <span class="s2">"Failed to find 'easyrsa3' directory. Aborting."</span> <span class="o">&amp;&amp;</span> <span class="nb">exit </span>1<span class="o">)</span> <span class="c"># --- 3. Create the PKI and Root CA ---</span> <span class="nb">echo</span> <span class="s2">"--- 3. Initializing PKI and building Root CA ---"</span> <span class="c"># Initialize the PKI (creates 'pki' dir, index, serial, etc.)</span> ./easyrsa init-pki <span class="c"># Build the CA, 'nopass' = no password on the private key</span> <span class="c"># 'batch' = use defaults for the DN (Country, Org, etc.)</span> ./easyrsa <span class="nt">--batch</span> build-ca nopass <span class="c"># --- 4. Issue a Service Certificate ---</span> <span class="nb">echo</span> <span class="s2">"--- 4. Issuing service certificate for '</span><span class="nv">$SERVICE_NAME</span><span class="s2">' (with SANs) ---"</span> <span class="c"># We MUST explicitly pass the SANs. We will add the service name,</span> <span class="c"># localhost, and 127.0.0.1, just like our "hard way" script.</span> <span class="nv">SANS</span><span class="o">=</span><span class="s2">"DNS:</span><span class="nv">$SERVICE_NAME</span><span class="s2">,DNS:localhost,IP:127.0.0.1"</span> <span class="nb">echo</span> <span class="s2">"--- Using SANs: </span><span class="nv">$SANS</span><span class="s2"> ---"</span> ./easyrsa <span class="nt">--batch</span> <span class="nt">--san</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SANS</span><span class="s2">"</span> build-server-full <span class="nv">$SERVICE_NAME</span> nopass <span class="c"># --- 5. Verification ---</span> <span class="nb">echo</span> <span class="s2">"--- Demo complete. Verifying generated files: ---"</span> <span class="nb">echo</span> <span class="s2">"1. CA Certificate:"</span> <span class="nb">ls</span> <span class="nt">-l</span> pki/ca.crt <span class="nb">echo</span> <span class="s2">"2. Service Private Key:"</span> <span class="nb">ls</span> <span class="nt">-l</span> pki/private/<span class="nv">$SERVICE_NAME</span>.key <span class="nb">echo</span> <span class="s2">"3. Service Certificate:"</span> <span class="nb">ls</span> <span class="nt">-l</span> pki/issued/<span class="nv">$SERVICE_NAME</span>.crt <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Verifying SANs in the 'easyrsa' generated cert: ---"</span> openssl x509 <span class="nt">-in</span> pki/issued/<span class="nv">$SERVICE_NAME</span>.crt <span class="nt">-noout</span> <span class="nt">-text</span> | <span class="nb">grep</span> <span class="nt">-A1</span> <span class="s2">"Subject Alternative Name"</span> <span class="c"># Clean up by returning to the original directory</span> <span class="nb">cd</span> ../.. </code></pre> </div> <h3> Deconstruction </h3> <p>This script automates the entire process, perfectly illustrating <em>why</em> <code>openssl</code> is so complex.</p> <ul> <li> <strong><code>git clone ...</code></strong>: First, we install <code>git</code> and clone the <code>easyrsa</code> repository, as it's not available in the default Debian package manager. We check out a specific, stable version (<code>v3.2.4</code>).</li> <li> <strong><code>./easyrsa init-pki</code></strong>: This single command does what took us several steps in Chapter 3. It creates the <em>entire</em> PKI directory structure (<code>pki/</code>), including the <code>index.txt</code> "ledger" and the <code>serial</code> "ticket dispenser".</li> <li> <strong><code>./easyrsa --batch build-ca nopass</code></strong>: This one command replaces our <code>01-create-ca.sh</code> script. It generates the <code>ca.key</code> and <code>ca.pem</code>, automatically applying the correct <code>CA:TRUE</code> extensions from its own internal <code>openssl.cnf</code> template.</li> <li> <strong><code>./easyrsa --batch --san="..." build-server-full ...</code></strong>: This is the most powerful command. It replaces our entire <code>02-issue-service-cert.sh</code> script. It automatically handles the key generation, CSR, and signing.</li> <li> <strong>The <code>--san</code> Flag</strong>: This is the most critical lesson. Even this "easy" tool, when run in non-interactive <code>batch</code> mode, <em>still</em> required us to <strong>explicitly pass the SANs</strong>. This proves that our "first principles" lesson was correct: in modern PKI, SANs are non-negotiable.</li> <li> <strong>Final Verification</strong>: We use our "hard way" <code>openssl</code> command at the end to "check the work" of the "easy way" wrapper. The output <code>DNS:gitlab-demo, DNS:localhost, IP Address:127.0.0.1</code> proves that <code>easyrsa</code> is just a powerful, convenient shell script running the same <code>openssl</code> logic we already learned.</li> </ul> <h3> Action </h3> <p>From your <strong>host machine</strong> (inside your <code>0006_cicd_part02_certificate_authority</code> directory), make this new script executable and run it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (Run on HOST)</span> <span class="nb">chmod</span> +x 06-run-easyrsa-demo.sh ./06-run-easyrsa-demo.sh </code></pre> </div> <p><strong>Result:</strong><br> The script will install <code>git</code>, clone the <code>easyrsa</code> repository, and then run the simplified workflow. The final <code>openssl</code> command will print the SAN field, proving that <code>easyrsa</code> is just an automated wrapper around the same "first principles" we learned.</p> <h1> Chapter 7: Conclusion and Next Steps </h1> <h2> 7.1 What We've Built </h2> <p>We have successfully built a complete, local Public Key Infrastructure (PKI) from "first principles." We started with the "pain point" of insecure <code>http</code> and browser errors and deconstructed the entire chain of trust.</p> <p>We rejected the "magic" of simple, self-signed certificates and instead built our own "passport office"—a full Certificate Authority. We did it the "hard way" with <code>openssl</code> to understand every moving part:</p> <ul> <li>We created a secure <code>openssl.cnf</code> "blueprint."</li> <li>We manually built the CA's "filing system" (<code>index.txt</code>, <code>serial</code>).</li> <li>We solved the critical "SAN Gotcha" by creating a <code>v3.ext</code> file to issue modern, compliant certificates.</li> <li>We solved the "Nested Path Gotcha" using <code>basename</code> to make our issuer script reusable.</li> </ul> <p>We then solved the "new pain point" of trust by deconstructing the "disjointed trust stores" on our host. We surgically added our CA to the <strong>OpenSSL store</strong> (for <code>curl</code>), the <strong>NSS store</strong> (for Chrome), and the <strong>Firefox store</strong> (for Firefox) using our <code>04-trust-ca-host.sh</code> script.</p> <p>Finally, we verified our entire setup end-to-end, proving that both our host machine and our <code>dev-container</code> now fully trust our new "passport office."</p> <h2> 7.2 Next Steps </h2> <p>Our "city" is finally ready.</p> <ul> <li>We have a "Control Center" (DooD).</li> <li>We have our "roads" (<code>cicd-net</code>).</li> <li>We have our "foundations" (volumes and bind mounts).</li> <li>And now, we have our "security system" (our trusted CA).</li> </ul> <p>We are <em>finally</em> ready to build our first "skyscraper." In the next article, we will deploy <strong>GitLab</strong>, the "Central Library" for our source code. We will use the <code>docker run</code> command to deploy it onto our foundation and use the <code>gitlab.crt.pem</code> and <code>gitlab.key.pem</code> files we just created to make it fully secure with HTTPS from the moment it starts.</p> security devops containers tls