This one easy cloud trick is in DANGER. Why?

Port problem, captain: Microservices to the event horizon

Legacy, or technical debt – call it what you will – has always been a major challenge to techies looking to move forward, and never more so than now, as you're being asked to shift data centre software to the cloud.

Possibly the biggest challenge in dealing with legacy is identifying who “owned” an application when it was created – people who will almost certainly no longer be present.

Any documentation left behind – often many years ago – by the implementation team will almost certainly leave a little (a lot) to be desired.

That’s a problem, because you need to know the dependencies that have built up over time and which would impact any migration.

You need to start a process of mapping and discovery.

On far too many occasions, the job of deriving meaningful maps of legacy data centres has fallen to me. Thankfully, there is a cheap clue present in network monitoring data that even the sands of time cannot erase: the communication ports on which traffic starts and finishes.

Comms traffic is relatively cheap to obtain – modern routers will report on traffic, and this measurement approach does not require coverage of all the distinct VMs or IPs, just the routers. Equally, it is very difficult for any element of an application in a DC to hide; if it’s doing anything, it’s communicating, and using specific ports.

Finally, it is very unusual for developers to change default ports: the combination of IP address (DNS name if you're lucky) and port is usually unique, so there is little need to change the port. A modest bit of Googling and you can get default port allocations in pretty much your favourite data format – a key clue in unravelling what’s going on.
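The idea can be sketched in a few lines of Python. The port-to-service mapping below uses well-known IANA default assignments; the flow records and IP addresses are invented purely for illustration.

```python
# Annotate raw flow records with the service implied by the destination port.
# The ports here are well-known IANA defaults; the flows are synthetic.

DEFAULT_PORTS = {
    53: "dns",
    67: "dhcp-server",
    68: "dhcp-client",
    80: "http",
    443: "https",
    3306: "mysql",
    5432: "postgresql",
}

def label_flow(flow):
    """Return (src, dst, service), guessing the service from the dst port."""
    service = DEFAULT_PORTS.get(flow["dst_port"], "unknown")
    return (flow["src"], flow["dst"], service)

# Two made-up router-reported flows
flows = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dst_port": 3306},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dst_port": 53},
]

labelled = [label_flow(f) for f in flows]
# → [('10.0.0.5', '10.0.0.9', 'mysql'), ('10.0.0.5', '10.0.0.2', 'dns')]
```

Because developers rarely override defaults, a lookup table this crude will correctly label a surprising fraction of data centre traffic.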

As an example, the diagram below shows the four stages of simplification applied to a map of a synthetic data centre. In decreasing order of complexity (mushiness), these are:

  1. the complete original traffic pattern between distinct IP addresses;
  2. the pattern after port numbers are used to strip out DHCP traffic;
  3. after removing DNS traffic by filtering out those port numbers;
  4. and finally, backup traffic, again identified by its relevant port numbers.

At the end of this process the communication structure is considerably clearer – although possibly not in the pattern that would be widely anticipated:

The four stages of simplification – a map of a synthetic data centre

This filtering process can continue further, using other filters, again simply based on port numbers.

The importance of ports to the process of data centre archaeology – and the useful laziness of developers who do not change defaults – cannot be overstated. Without this information, the task may well prove impossible.

Reverse engineering

Unfortunately, an emerging approach to the design of large-scale IT systems is a major threat to our ability to tease them apart in the future. The microservice approach usually exploits the HTTP(S) stack and will, by default, communicate on ports 80 and 443.

For the future data centre archaeologist confronted with a poorly documented (probably cloud-based) system, the comprehension task may well prove impossible without manual inspection of the code on every server. A group of IPs all communicating on port 80 will be challenge enough, but at least packet inspection may give a clue as to the APIs in play. On port 443, however, even that will be impossible.
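The collapse is easy to demonstrate. In the sketch below – again on invented data – a classic stack exposes four distinguishable services through its port numbers, while a microservice mesh speaking only HTTPS collapses into a single indistinguishable bucket.

```python
# Grouping flows by destination port: informative for a classic stack,
# useless for an all-HTTPS microservice mesh. Synthetic data throughout.
from collections import Counter

classic = [3306, 5432, 6379, 53]   # MySQL, PostgreSQL, Redis, DNS
mesh = [443, 443, 443, 443]        # everything over HTTPS

print(Counter(classic))  # four distinguishable services
print(Counter(mesh))     # Counter({443: 4}) – one indistinguishable blob
```

The port histogram that once revealed a data centre's anatomy now shows a single bar.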

Currently, the number of microservice systems in deployment is relatively low, so this issue is one for the deep future (about five years in IT space). Indeed, as microservices are often in the continuous care of a DevOps team, it might be claimed that the immediate support/dev team (love) will never go away.

Over time, however, reality is likely to bite and the systems will move into stable maintenance – no Dev, maybe some Ops. For these systems, in the medium-term future, if no attempt is made to distinguish traffic at port level, then attempts to decompose the system – and hence understand it again once it enters its inevitable legacy phase – may well prove impossible.

At this point dev/null may be the only valid destination for these systems, hidden by the micro-service event horizon... from which no system can return. ®

