Forem: Pete Freitag

How I cut AWS Lambda Java Cold Start Times in Half

Pete Freitag — Tue, 12 Apr 2022 19:56:00 +0000

It is rare that a simple JVM argument change can have a dramatic impact on execution times, but in the case of AWS Lambda adjusting the Tiered Complication settings can have a really big impact on performance in many (but not all) cases.

The change I made was to add the JVM arguments:

-XX:+TieredCompilation -XX:TieredStopAtLevel=1

On AWS Lambda you can do this by simply adding the environment variable:

JAVA_TOOL_OPTIONS = -XX:+TieredCompilation -XX:TieredStopAtLevel=1

This chart below shows the average execution time of a Java (more specifically written in CFML and using FuseLess) Lambda Function over the course of two days. I've annotated where I made the change and you can see average execution times cut in half, cold start times also cut in half (though the chart doesn't show that).

Note that this particular java lambda function that I used for testing does have some highly intensive invocations that might take up to 30 seconds to execute, after the change I didn't see any executions going above 15 seconds.

What is `TieredCompilation` and what is `TieredStopAtLevel`?

That graph is probably leading you to wonder what is TieredCompilation in java. As you may know the JVM translates your bytecode (class files) into machine code at runtime. This step can take a lot of resources if the compiler wants to make it optimal, it might add counters so it can figure out where the hot spots are and then do further optimizations. This works great and leads to awesome performance on the JVM when your server is running for a long time. In a way the JVM self tunes itself over time, at runtime.

When you are running on a serverless environment like AWS Lambda your runtime will only survive for a short period of time (as little as a few minutes, but no more than a few hours) before being destroyed. The assumption that the JVM default configuration makes is servers will run for a long time, and it should optimize the parts of the code that run the most over time. By setting the TieredStopAtLevel flag to 1 we are telling the JVM not to insert profiling code that is used for runtime measurements and optimizations. In essence we are telling the JVM, don't get try to be too smart, just execute the code, and in the process we are saving CPU cycles and yielding faster execution.

I learned about this technique from AWS, so it makes me wonder why don't they just enable it by default on all Java Lambda Functions? I think all Java Lambda functions could see a lower cold start time with these flags set, but possibly not a lower overall average execution time like I saw. It really depends on if the code can be optimized by the jvm, and how many executions run before the lambda container is recycled. It is certainly worth your time to experiment and see if this flag will improve your Java Lambda Cold Start and Average Duration execution times. Such large performance gains are often not so easily found.

While my experience was specific to AWS Lambda running Java, I'm sure if you are running Azure Cloud Functions on Java, or Google Cloud Functions on Java you could use the same tip to cut your cold start times and hopefully your average duration as well.

Replacing Twitter Share / Follow Widget Buttons with CSS

Pete Freitag — Fri, 03 Sep 2021 15:22:00 +0000

While looking at the PageSpeed Insights for my blog I noticed that the Twitter widgets I was using to display a twitter follow button and a tweet / share button were causing some page speed issues. Specifically the TBT (Total Blocking Time), LCB (Largest Contentful Paint) saw an impact. Overall it was taking about 151 KiB and blocking the main thread for 56ms.

Here's an example of what I was using:


<a href="https://twitter.com/pfreitag" class="twitter-follow-button" data-show-count="true" data-size="large">Follow @pfreitag</a>
<script async src="https://platform.twitter.com/widgets.js"></script>

That loads the following button:

Follow @pfreitag

Note this doesn't show up on dev.to, but you can see it if you go to my blog directly.

Taking a look at this script, it replaces the button with an iframe, it's just quite simply overkill for what it does.

Replacing the Twitter button with pure CSS

It should be easy enough to replace this button with a pure css implementation. First, we should replace https://twitter.com/pfreitag with a twitter intent to follow url, for example: https://twitter.com/intent/follow?screen_name=pfreitag. We can also get rid of data-show-count="true" data-size="large" in the link. One thing our new solution won't have is that nice follower count, but I can live without it. It would be possible to add that back in again, perhaps using a hard coded count to keep it efficient.

Finally here's the css we are using to make the button look similar to the twitter follow button:


.twitter-follow-button, .twitter-follow-button:visited {
    background-color: #1b95e0;
    color: #fff;
    border-radius: 4px;
    height: 28px;
    font-weight: 500;
    font-size: 13px;
    line-height: 26px;
    padding: 8px 8px 8px 30px;
    text-decoration: none;
    background-image: url('/images/twitter.png');
    background-repeat: no-repeat;
    background-size: 16px 13px;
    background-position: 8px 10px;
}
.twitter-follow-button:hover {
    background-color: #0c7abf;
}

One thing you'll note is that we are using an image for the twitter logo, but you don't have to do that. If you have an icon pack like font-awesome you may have a twitter logo you can use, or you can even create the twitter logo in pure css.

If you want to make the button even more efficient to load just omit the button and use something like this:


.twitter-follow-button, .twitter-follow-button:visited {
    background-color: #1b95e0;
    color: #fff;
    border-radius: 4px;
    height: 28px;
    font-weight: 500;
    font-size: 13px;
    line-height: 26px;
    padding: 8px;
    text-decoration: none;
}
.twitter-follow-button:hover {
    background-color: #0c7abf;
}

Another good reason to remove the twitter JavaScript is that it also makes the Content-Security-Policy for twitter buttons much easier to implement.

To see an example of the pure CSS button take a look below the end of this entry (go to my blog directly).

Bash Script to log file modifications with osquery

Pete Freitag — Sat, 10 Apr 2021 00:58:00 +0000

Here's a bash script that uses osquery to log which files in a specific folder have been modified over a 15 minute period. My use case here wasn't file integrity monitoring, for that you would want to use file events.

Here's the script:


#!/bin/bash

WORKSPACE_DIR=`echo ~/workspace`
LOG_DIR=`echo ~/Documents/Logs/osquery_file_logs/`
AGO_TIMESTAMP=`date -v-15M "+%s"`
LOG_FOLDER_NAME=`date "+%Y-%m"`
LOG_FILE_NAME=`date "+%Y-%m-%d"`
LOG_FILE="$LOG_DIR/$LOG_FOLDER_NAME/$LOG_FILE_NAME.txt"

mkdir -p "$LOG_DIR/$LOG_FOLDER_NAME"

touch $LOG_FILE

/usr/local/bin/osqueryi --csv --header=false "SELECT datetime(mtime,'unixepoch') AS file_last_modified_time, path FROM file WHERE path LIKE '$WORKSPACE_DIR/%%' AND type != 'directory' AND mtime > $AGO_TIMESTAMP ORDER BY mtime ASC;" >> $LOG_FILE

I tested this bash script on a Mac, but I think it would work just the same on linux. You'll need to install osquery first. If you set this up in a cron job running every 15 minutes, you'll have a nice log of what files where changed when.

A better way?

It has occurred to me that using osquery here is probably a bit overkill for this task, I think you could create a more rudimentary version of this script like this:


find $WORKSPACE_DIR -type f -newer $LOG_DIR/timestamp >> $LOG_FILE
touch $LOG_DIR/timestamp

Using the -newer flag of the find command it will return all files newer than our $LOG_DIR/timestamp, and because we touch that file after the script runs, the next time it runs it will show all files changed since it was last run.

That doesn't include the last modified dates in the log file, but it is possible to do with a little more work.

One liner to download a Browser with PowerShell on Windows Server

Pete Freitag — Tue, 20 Oct 2020 23:28:00 +0000

It would be nice if Windows Server 2019 came with Microsoft Edge Browser, but it still comes with ~~good~~ old IE 11, and on a Windows Server, you have to jump through hoops to let IE download anything due to its default security settings.

First I tried downloading Microsoft Edge Browser with IE on Windows Server 2019. I got the following prompt: Do you want to allow this website to open an app on your computer?, then when I click Allow it says:

You'll need a new app to open this microsoft-edge

Yes IE, I know!

My next attempt was to download Chrome on Windows Server 2019 using IE, it tells me:

Your current security settings do not allow this file to be downloaded.

Now I realize I could just make IE's security settings more lax, but I'd rather not do that on a server.

Finally before event attempting to download Firefox on Windows Server using IE, I though maybe I can just write a powershell script to download it, and bypass IE all together. It turns out this was quite a simple and successful endeavor. Just open up a new PowerShell session and run:

Invoke-WebRequest -Uri "https://download.mozilla.org/?product=firefox-msi-latest-ssl&os=win64&lang=en-US" -OutFile firefox.msi

This powershell command will download the latest Firefox web browser and save it as firefox.msi in the current directory. You can then just run firefox.msi and you'll be on your way with a legit browser.

You could use the same technique to download Chrome or Edge on Windows Server 2019, you would just need a URL to download it first. Then swap the URL in the powershell script to point to the browser you want to use. No need to even open Internet Explorer on Windows Server.

SameSite cookies with Apache

Pete Freitag — Wed, 01 Apr 2020 11:47:00 +0000

Almost two years ago I wrote about how you can enable SameSite cookies with IIS on cookies that do not have the ability to be written as SameSite. Today I was helping a client on Apache do the same thing, here's how we can add SameSite=lax to a JSESSIONID cookie for example:

Header edit Set-Cookie ^(JSESSIONID.\*)$ $1;SameSite=lax

But suppose you just wanted to make all cookies set by your web app SameSite, you can just do this:

Header edit Set-Cookie ^(.\*)$ $1;SameSite=lax

This works by appending ;SameSite=lax to the end of all Set-Cookie http response headers.

Do you ¿ UTF-8? It's easier than you think

Pete Freitag — Wed, 04 Mar 2020 21:19:00 +0000

Understanding how UTF-8 works is one of those things that most programmers are a little fuzzy on. I know I often have to look up specific on it when dealing with a problem. One of the most common UTF-8 related issues that I see has to do with MySQL's support for UTF-8. Also known as how do I insert emoji into mysql?

The TLDR answer to that question is that you have to use the utf8mb4 encoding, because MySQL's utf8 encoding won't hold an emoji. But the longer answer is sort of of interesting and not as hard as you might think to understand.

So UTF-8 can take 3 or 4 bytes to store?

Encoding a character with UTF-8 may take, 1, 2, 3, or 4 bytes (early versions of the spec went up to 6 bytes, but was later changed to 4).

What’s cool about UTF8 is that if you are only using basic ASCII characters (eg, character codes 0-127) then it only uses 1 byte. Here’s a handy table that shows how many bytes it takes to encode a given character code in UTF8:

Character Code (decimal)	Bytes Used
0-127	1 byte
128-2047	2 bytes
2048-65535	3 bytes
65536-1114111	4 bytes

So hopefully that helps you 😍 UFT8. BTW that emoji is 1F60D in hex, or 128525 in decimal, which means it takes 4 bytes to store in unicode.

So why can't MySQL uft8 store an emoji?

The utf8 encoding in MySQL can only hold up to 3 bytes UTF-8 characters, and UTF-8 actually supports up to 4 bytes. I don’t know why they choose to limit utf-8 to 3 bytes, but I will speculate that they probably added support while uft8 was still not officially standardized, and assumed that 3 bytes will be plenty big enough.

So to get the real UTF-8 in MySQL you need to use utf8mb4 encoding. Which can store all 4 bytes of a Unicode character, including emoji.

UTF-8 != Unicode

I've probably mistakenly used the terms UTF-8 and Unicode interchangeably in the past, it's a common mistake, so let's clarify the difference.

Unicode is a character set standard, it specifies what character a given character code maps to. In Unicode parlance they call the character codes code points. This is probably just to confuse you. There are many ways to encode a unicode string into binary, and this is where the different encodings come in to play: UTF-8, UTF-16, etc.

UTF-8 is a way of encoding the characters into bytes. Now if they decided to use 4 bytes for every character, it would have wasted a lot of space (since the most commonly used characters (at least in the english) can be represented using only 1 byte. Although UTF-8 is defined by Unicode and was designed for Unicode, you could invent another character mapping standard and use UTF-8 to store it.

Searching for files by file name on Mac or Linux

Pete Freitag — Tue, 07 Jan 2020 22:42:00 +0000

Have you ever had to find a file by a file name or file extension? Sure you have! Here's how I locate a file when I'm using a Mac or Linux shell.

The find command

The find command is really handy because it will list every file in the current directory and all sub directories. You can also give it a path, so if you want to search just your home directory (and it is not your current working directory) you can just run:

find ~

And that will list every single file in your home directory (The ~ is a shortcut for home directory).

The find command will be installed by default on your Mac, and just about every linux distribution.

While that is handy, it might list out thousands of files, so our next step is to search the results for the file name we are looking for.

The grep command

The grep command can be used to search the output of another command by using the | pipe operator. For example if I run:

find ~ | grep log

I can search my home directory for any file with log in the file name (or directory name).

Since grep supports regular expressions, if I just want to search file files ending in .log I can do that like this:

find | grep '\.log$'

Searching by file name using find

After my initial thought to use grep, I realized that the find command also has a lot of builtin options you can leverage, so we can simplify this by using:

find -name '\*.log'

There are a bunch of options you might find handy, run man find to see them all.

Some of you might say that you can just use Finder on a Mac to search for files by name, and you'd be correct, that also works, but this is much faster and more flexible.

Running PostgreSQL in Docker for local dev

Pete Freitag — Wed, 18 Dec 2019 01:50:00 +0000

Recently I blogged about how I'm running SQL Server on Mac with Docker and Oracle on a Mac with Docker, so here's how you can run PostgreSQL locally using Docker... more specifically docker-compose.

To start, you'll need to download and install docker, you can check that you have it installed by running docker-compose -v on the command line and it should output a version number.

An example docker-compose.yml for postgres

Create a file docker-compose.yml with the following:

version: '3.7'
services: 
  pg: 
    image: postgres:9.5.20 
    ports: 
      - "5432:5432" 
    volumes: 
      - ./pg:/docker-entrypoint-initdb.d/ 
    environment: 
      - "POSTGRES\_PASSWORD=${DB\_PASS}"

In this case I am exposing port 5432 (the default postgres port) locally, so I'll be able to connect to it via localhost on port 5432.

Running an initialization SQL or sh script

You can initialize this database by creating some files in a folder under your docker-compose.yml file called pg. The docker initialization scripts will run any .sql file or any .sh file it finds in there during startup. So you can create database users or create table schema by placing files in those directories.

The default username will be postgres and the password for that user is defined in the environment variable POSTGRES_PASSWORD which I am defining to be the value of my computers environment variable named DB_PASS. You could hard code it instead if you really wanted to.

Finally the version of PostgreSQL that is used can be tweaked by changing the line image: postgres:9.5.20 to use a different version number.

Once you have customized it as necessary, then you can run the following command to bring up the database server:

docker-compose up

During initialization it will run your scripts in your pg folder to create the database. If you need to re-run the initialization scripts you'll need to remove the docker container (hint: use docker container ls and docker container rm commands)

Everything I know about Markdown Bullet Lists

Pete Freitag — Fri, 22 Nov 2019 13:47:00 +0000

My goal here is to create a quick guide to creating bullet lists, also known as ul lists or unordered lists with Markdown.

TLDR use * or -

As long as you start the line with a * or a - markdown will interpret that as a list item. So the following markdown:

* One 
* Two

Will produce a bullet list like this:

As already mentioned we can use a - to start an unordered list in Markdown as well:

- One
- Two

Will produce the same list as above.

What about nested bullet lists?

To create a nested UL list just indent the line with a tab or 3-4 spaces. For example the following markdown:

* One 
* Two 
    * Three 
        * Four

Will render as the following:

One
Two
- Three
  - Four

Can you Mix * and -?

You certainly can, the following will render the same list nested bullet list as above:

- One 
- Two 
    * Three 
        * Four

What about Numbered Lists?

You can do numbered lists by prefixing each line with incrementing numbers followed by a period. For example:

1. One 
2. Two

Results in an ordered list (OL):

That's pretty much all I know about markdown lists, did I miss anything?

How to run Oracle DB on a Mac with Docker

Pete Freitag — Tue, 05 Nov 2019 02:08:00 +0000

Oracle puts out a Windows and Linux binary for their Oracle Database servers, but what if you want to run it on a Mac? The solution for a while was to use a VM and boot up the linux version. Nowadays using Docker is a little bit easier.

I will say that running Oracle DB on docker is not quite as easy as running SQL Server on Docker, but it is also not too difficult.

Download the Oracle Database Linux Binary

Your first step is to download the Download the Oracle Express Edition version 18c (xe) Linux rpm from oracle.com. Oracle's docker files do support other editions, but the Express Edition is sufficient for getting started.

Clone the Oracle Dockerfile Repo

Oracle has a GitHub repo with all its Dockerfiles, you can clone it (download it) by running:

git clone https://github.com/oracle/docker-images.git

Copy Binary to Dockerfiles dir

Within the git repository you just cloned, go to the OracleDatabase dockerfiles folder:

cd ./OracleDatabase/SingleInstance/dockerfiles

Copy the binary you downloaded in step 1 to the 18.4.0 folder within the dockerfiles folder:

cp ~/Downloads/oracle-database-xe-18c-1.0-1.x86\_64.rpm ./18.4.0

Build a Docker Image

Run the script:

./buildDockerImage.sh -x -v 18.4.0

The -x tells the script that you are installing the express edition, and the -v 18.4.0 tells it which version you are installing.

This step will take a few minutes.

Look for local docker image

You should now have a docker image named oracle/database:18.4.0-xe which you can start using docker. Run docker images from Terminal to look for it and make sure it is there. The total size of the image will be around 8-9GB.

Start an Oracle Database Using docker-compose

Finally we'll create a docker-compose.yml file so we can easily startup the db whenever we need it:

version: "3" 
services: 
  oracle: 
    image: oracle/database:18.4.0-xe 
    ports: 
      - "11521:1521" 
    environment: 
      - ORACLE\_PWD=testing12345

Now we can start up our container by running:

docker-compose up

If you omit the ORACLE_PWD environment variable it will just generate a presumably random password and output it during startup. The startup takes a few minutes to initialize.

After it starts up you will have an oracle database that is accessible on your local machine on port 11521.

Timing Attacks and the Timing-Allow-Origin Header

Pete Freitag — Thu, 24 Oct 2019 01:57:00 +0000

I've always found Timing Attacks to be an interesting type of web application vulnerability. You need to understand timing attacks before you can understand how to use the Timing-Allow-Origin http response header.

What is a Timing Attack?

Timing attacks can happen when attackers use timing to ascertain information, or perhaps better put, when performance is a bug!

Here is a common timing attack I see often in real code:

if ( isValidUser(username) ) { 
  if ( isValidPassword( username, password ) ) { 
    return { authenticated: true };
  }
} 
return { authenticated: false };

In the above case an attacker use the response time to determine what usernames are valid. If an invalid username is passed it fails fast. This works well because isValidPassword is probably doing an expensive operation to compute the entered password's hash, and it will take notable amount of time. By comparing the response time of a valid username and an invalid username the attacker can form a list of valid user names.

Other real world timing attacks have taken place that have allowed attackers to figure out the identity (see Twitter Silhouette Attack). On Facebook, it was possible to create a page that had age restrictions setup such that only a 32 year old could view it, by creating a page for each age, and then requesting each one it was possible for another site to tell how old you are.

Mathias Bynens has a great talk on this subject that will help you further understand this topic.

The Timing-Allow-Origin Header

This is a new header, that according to Can I Use has only been around for about a month (September 2019).

The Timing-Allow-Origin header allows you to specify what origins can view the timing data, it needs to be an exact match, so if you want to share the timing data with https://example.com you can specify:

Timing-Allow-Origin: https://example.com

The spec also allows you to specify a wildcard here:

Timing-Allow-Origin: \*

Hopefully you can understand that specifying the * wildcard for the Timing-Allow-Origin is not a good idea, and can open yourself up to cross site timing attacks via the Web Resource Timing API.

Counting IP Addresses in a Log File

Pete Freitag — Fri, 11 Oct 2019 23:00:00 +0000

I've been using grep to search through files on linux / mac for years, but one flag I didn't use much until recently is the -o flag. This tells grep to only output the matched pattern (instead of lines that mach the pattern).

This feature turns out to be pretty handy, lets say you want to find all the IP addresses in a file. You just need to come up with a regular expression to match an IP, I'll use this: "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" it's not perfect, but it will work.

grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" httpd.log

What if I want to see just unique IPs

We can use the uniq command to remove duplicate ip addresses, but uniq needs a sorted input. We can do that with the sort command, like so:

grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" httpd.log | sort | uniq

Show me the number of times each IP shows up in the log

Now we can use the -c flag for uniq to display counts:

grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" httpd.log | sort | uniq -c

This will output something like:

    7 10.0.0.30 
    1 10.0.0.80 
    3 10.0.0.70

The counts are not in order, so we can pass our results through sort again, this time with the -n flag to use a numeric sort.

grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" httpd.log | sort | uniq -c | sort -n

The above will put them in order from least to greatest, you can pipe the result to tail if you only want to see the top N IP addresses!

Pretty handy right?