Right now I have a whole pile of blog articles backed up that I’m in the middle of writing. This post jumped the queue because it is by far the most important.

Leukaemia and other blood cancers are the main cause of cancer death in the under 35s (a demographic of which I am sadly no longer a member, but some of my best friends are under 35). Leukaemia itself is the most common form of cancer in children in the UK.

On 13th July – only three weeks away – I will be taking part in the 2008 London Bikeathon, cycling 26 miles (about 42km – coincidence? I think not) through East London and out the other side. And back.

Please sponsor me – as much as you can spare, or as little as you can find. If you are in the UK, tick the appropriate boxes and our fine tax officials will donate an extra 25% on top of your donation.

Thank you.

If you are reading this with Internet Explorer 6 you are at risk

Ok, first things first. If you read this blog using IE6, you should check your machine for malware using Microsoft’s anti-malware tool or your favourite anti-virus suite. You should also consider installing Firefox with its ad-blocking goodness and lack-of-ActiveX-ness.

For several weeks I’ve been unsuspectingly handing out evil in the form of a hidden <iframe> tag, as well as having loads of poker-related links hidden in another article. According to my friend Joe Walnes, the iframe exploit installs a tiny “zombie” service through vulnerable IE6 browsers that hides in your Windows machine awaiting instructions.

I am hugely grateful to “noreply” at Google who mailed me to tell me this was the case – I really had no idea. It turns out Google were prefixing any search results to my site with a big sign saying “this man is a cheesy purveyor of malware”. Good for them – I was! And doubly good for them, they told me. Also thanks to a chap called David who pointed out the poker links.

You can never be too careful

I like to think I run a reasonably tight ship in terms of security. My server is sitting behind a firewall, running a solid Linux distribution with /bin/su disabled (in favour of the more secure sudo), which you can only log into as a non-root user with an ssh key. In other words I could give you the root password and it would be pretty much useless unless you were sitting at the console. I upgrade WordPress whenever they produce a new version. I use mercurial to allow me to roll forward or backward across upgrades, because, well, why wouldn’t you?

However it seems some evil pondscum used an exploit in a file called xmlrpc.php to inject hidden badness into the body of a number of blog posts. I’ve now disabled xmlrpc.php, but anyone using WordPress should be aware that there are lots of exploits some of which are still unresolved, and should lock down their installation accordingly. Naturally something as popular as WordPress is going to be a target for hackers. I certainly learned a lesson about being over-confident.
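
One way to check for this kind of injection after the fact, as an added example that is not code from the original post: the scanner below walks each post body and reports iframes that are zero-sized or hidden, plus links sitting inside hidden containers. The sample posts and URLs are constructed, and `scan_posts` with its `{post_id: html}` input is an assumption about how you export the post bodies from the database.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


def is_tiny(value):
    """True for a width/height of 0 or 1 pixel ("0", "1", "1px")."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


class HiddenContentScanner(HTMLParser):
    """Collects iframes and links a visitor would never see rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (kind, url) tuples in document order
        self._open = []      # (tag, hidden?) for each open element

    def _inside_hidden(self):
        return bool(self._open) and self._open[-1][1]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = (bool(HIDDEN_STYLE.search(a.get("style", "")))
                  or "hidden" in a or self._inside_hidden())
        if tag == "iframe" and (hidden or is_tiny(a.get("width"))
                                or is_tiny(a.get("height"))):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and hidden:
            self.findings.append(("hidden-link", a.get("href", "")))
        if tag not in VOID_TAGS:
            self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so an unclosed <p> or <li>
        # does not leave the hidden/visible state out of step.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def scan_posts(posts):
    """posts: {post_id: html}. Returns {post_id: findings} for flagged posts."""
    flagged = {}
    for post_id, html in posts.items():
        scanner = HiddenContentScanner()
        scanner.feed(html)
        scanner.close()
        if scanner.findings:
            flagged[post_id] = scanner.findings
    return flagged


# Constructed sample posts; all URLs are placeholders.
SAMPLE_POSTS = {
    1: '<p>Slides are <a href="http://example.org/slides">here</a>.</p>'
       '<iframe width="425" height="350" src="http://video.example/e/1"></iframe>',
    2: '<p>Upcoming talks</p><iframe src="http://injected.invalid/x" '
       'width="0" height="0" style="visibility: hidden"></iframe>',
    3: '<p>Bottle openers</p><div style="display:none">'
       '<a href="http://poker.invalid/a">poker</a> '
       '<a href="http://poker.invalid/b">online poker</a></div>',
}

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        for kind, url in findings:
            print(post_id, kind, url)
```

A legitimate embed with a normal width and height (post 1 in the sample) is not reported, so the output is short enough to review by hand.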

Next week I’ll be talking about Best Practices, a current favourite topic, at the ExpertZone Developer Summit in Stockholm. Last year I ran a half-day workshop about SOA and gave a keynote with Erik Dörnenburg about simplicity in software, and this year I wanted to do something a little different. So when I heard there was a track called “People Matters Too” I was keen to get involved.

This talk will be completely non-technical, aimed at anyone interested in how we learn and why we rebel when faced with Yet Another Change Programme.

BDD and DDD at Stockholm Javaforum

As an added bonus – for me at least – I’m going to be talking to the Stockholm Javaforum on Tuesday 8th April at 7pm. When I initially agreed to this I thought it would be a handful of geeks hanging out and talking about Java. It turns out they regularly draw around 200 people. And they’ve sold out. Yikes.

I’ve got an hour to talk about the relationship between Domain-Driven Design and Behaviour-Driven Development. I have no idea how I’ll be able to limit that to one hour but I’m going to try my best. This is timely because I am also working on an article explaining my take on DDD and BDD. Honest.

Last October I was privileged to give a keynote talk at the Øredev conference in Malmö, Sweden. It was a late substitution. The original speaker, testing guru James Bach, had to cancel at the last minute for personal reasons. I felt pretty intimidated stepping into his shoes, especially since the other keynote presenters were Joel Spolsky and Andy Hunt, but I figured since no-one had heard of me I’d probably slip under the radar.

James was planning to talk about best practices, and it seems we have similar opinions about them. I would encourage you to read his wonderful blog article where he rigorously deconstructs the phrase[1], and then just as eloquently picks apart the arguments of anyone who disagrees. So I thought I would do something around the same topic.

I wrote it up as an article and the kind folks at InfoQ published it, and the Øredev team has put up a video of the talk. (For some reason I can’t get it to work in firefox on ubuntu, but I’m pretty sure the guy on the left is me).

1. I didn’t realise until long after Øredev that he was the author of that article. It made me very happy when I found out.

I’ve been pretty slack at letting people know about upcoming talks. I could blame workload or burnout or any number of other plausible-sounding reasons, but a lot of it is just down to not prioritising very well. I should fix that.

A couple of years ago Joe Walnes and I gave a talk at an XP Day entitled “Awesome Acceptance Testing” (blame Joe for the title). We looked at motivations for acceptance testing and discussed various strategies, tools and techniques. But mostly it was an opportunity to get a bunch of people in a room and find out what they thought and what they were up to in the acceptance testing space.

If you didn’t get to see it and it sounds like fun, we’ll be rerunning the session at SPA 2008 in March. I hope to see you there.

I was in a hotel in Stockholm recently and I noticed a bottle opener attached to the wall in the bathroom. There was a bilingual sign under it which got me thinking about the term “bottle opener” itself. (I was giving a talk about BDD the next day so I was already thinking about how language is used.)

It occurred to me that “bottle opener” is a great example of goal-oriented vocabulary. The device itself is actually a cap remover, and it only works on one particular design of metal cap. The reason I use it, however, is to enable me to get to the beer in the bottle. Hence “bottle opener” rather than “cap remover”.

The task is just detail

There is more to this than just linguistic curiosity. If you use task-oriented vocabulary it can cause you to focus on the means rather than the goal, which in turn can limit your options. My favourite example of this is the term “search engine”. Searching is the activity I have to do because I’ve misplaced my keys and I’m locked outside. What I want is a find engine!

Google realises this. When I type something into Google, it guesses what I’m likely to be trying to find, not what I happen to be typing into the box. If I type in “Stockholm map”, I’m likely to be looking for a map of Stockholm (first three results are actual maps – presented as pictures) or some information about the town itself. If I type “hotels Stockholm” I’m probably planning a trip there and voila! lots of useful results for the traveller. Other “search” engines do just that – they search, and produce lists of results. It’s then down to me to sift out the ones I care about to get me closer to my goal.

“Blur” on a problem

We talk about “focusing on a problem” in order to solve it. This is a task-oriented phrase. An alternative would be to stand far enough back that you see the problem in its proper perspective. If anything you are “blurring” on the problem – deliberately losing focus on the detail to see if any larger-scale structure emerges.

I often describe BDD as outside-in development. You start at the outside with an automated scenario, and work inwards, discovering services and collaborators as you go, until you’re done. With a legacy application it can be difficult to remain outside enough, or to get a good enough frame of reference for “done”. Blurring can help with this.

For the last six months I’ve been involved in restructuring and re-architecting a legacy code base. It’s been quite a major undertaking, and has involved a number of false starts and dead ends. (I’m planning to write it up as an experience report at some point, but given my current throughput of things I plan to write, don’t expect it any time soon.) During this project, I’ve often found myself struggling to choose between alternative strategies, or unsure of where to go next. In these situations I’ve found that stepping back and “blurring” gives me enough perspective for one of the alternatives to become “obvious”. In fact a couple of my teammates have picked up on this and will actually suggest it as an activity when we are pairing. “We’re thrashing here – let’s step back and start from the outside again.”

It could be as simple as asking “whose responsibility is this feature?” or “who is the actual client of this method call?”. You don’t need to know the answers – just verbalising the questions can give you enough “blur” to gain a better perspective.

Blur on time as well as space

Linus Torvalds recently gave a talk where he said the problem with source control isn’t branching, it’s merging. Again, by taking a broader perspective – in this case temporal rather than spatial – his insight is that the goal is a successful merge some time in the future, not the task of branching now.

As a final thought, while I was thinking about this I realised the term “behaviour-driven” contrasts with “test-driven” in a similar way. My goal as a developer is to deliver a system that behaves in a particular way. Whether or not it has tests is an interesting metric, but not the core purpose. “Test-driven” development will cause me to have lots of tests, but it won’t necessarily get me nearer the goal of delivering business value through software. So you can use goal-oriented vocabulary in your development process as well as your code to help maintain perspective on what you are trying to achieve.

_Props to James Lewis for helping me formulate these ideas. And for being really good at perspective._

Apologies if you are looking for any articles or trying to post a comment and you are getting 404 errors, or if you wondered where jbehave.org or behaviour-driven.org had gone. Over the last few days I’ve managed to completely hose my server running Debian “testing” distribution, and I’ve had to downgrade to Debian “stable”. This involved some rsync backups and a complete reinstall of the virtual server.

Apologies especially to the lovely people whose blogs I host and who have been extremely patient with me over the last few days.

Because stable is about a year out of date, it is several versions behind fast-moving projects like WordPress, so I have some more fiddling to do before permalinks or comments will be working again.

If you are running Debian/testing in a Virtuozzo VPS, check your kernel version. It seems Virtuozzo uses a broken RedHat 2.6.9 kernel which simply doesn’t work with current Debian/testing packages. If your VPS provider uses a broken kernel, DO NOT UPGRADE libc6 to the current version (2.7) otherwise your system will simply die on its feet. It’s incredible – /bin/ls stops working, so does ssh (so you can’t log in to fix it!) – in fact it seems a huge weakness in the Debian setup. I would have expected the core admin packages and system binaries to be statically linked to avoid exactly this problem. A statically-linked busybox helped me enormously here while I monkey-patched it enough to get it to boot.

For the record, here’s my experience so far:

Places to back up

  • /etc (all the system settings)
  • /home (also contains /home/vmail where all the virtual mailboxes live)
  • /var/lib/mysql (lots of WordPress databases)
  • /usr/share/wordpress/wp-content (mostly for themes and plugins)
  • /var/www (wikis)

I’m quite pleased things were this well organised. I thought I might be looking for files all over the place.

Things that worked

  • openssh with my existing config and keys. Hurrah!
  • postfix and dovecot. Although that’s hardly surprising – they are both rock solid and quite stable. I just rsync’ed the mail directories and settings back and they both started working. After a recommendation by Steve Purcell I’ve been using dovecot as my imap server and authentication daemon with postfix and they are a joy.
  • apache2. Enough said.
  • mysql 5. I’m really starting to like mysql.
  • moinmoin. Needed some love. Actually I needed to clear out all the caches before it would work, and install packages moinmoin-common and python-moinmoin, and of course libapache2-mod-python.

Things that don’t work

  • Apache2 mod-fcgi. I was having problems with this before which went away when I upgraded to Debian/testing, so I’m assuming it just doesn’t work properly in Debian/stable.
  • Apache2 mod-svn. It just doesn’t exist in stable, and neither does mod_dav, so I can’t do funky internet filesystem things for my Windows friends.

Things I’m still struggling with

  • Links in WordPress. This is bound to be something really obvious that I’ll work out after a good night’s sleep. It seems ok for some blogs and not for others, so it might be to do with the themes. Update: it turns out I needed a /usr/share/wordpress/.htaccess owned by the apache user with the appropriate rewrite rules in it – thanks Ben Coleman for sorting that out.

So far my VPS hosting company, Solar VPS, have been great with any support requests I’ve made. I really hope they come through with an up-to-date kernel so I can dist-upgrade everything back to Debian/testing. _Update: Virtuozzo has no plans to upgrade the kernel before its next major release, so I’m stuck with Debian Stable (Etch)._

It’s now about two weeks to OOPSLA, where Liz Keogh and I will be presenting a workshop on behaviour-driven development using JBehave. This will be along similar lines to the workshop I co-presented at RailsConf Europe last month.

At RailsConf we presented to nearly 200 people, which was about a quarter of the conference attendees. At JAOO last year Niclas Nilsson and I presented BDD to well over 100 people. So far at OOPSLA only a handful of people have signed up for the workshop. I’m curious. Is it that the people attending OOPSLA aren’t interested in behaviour-driven development? Is it JBehave? Is it that we haven’t marketed it very well? Is it simply the cost?

RSpec, the ruby equivalent of JBehave, is comparatively much more popular. It has been embraced by the Rails crowd and by rubyists in general in a way that JBehave doesn’t seem to have been in java. Perhaps JUnit and JMock were already so pervasive in the agile java community that there wasn’t room for JBehave, or perhaps it wasn’t seen as different enough to be worth trying – its early incarnations were as just another TDD and mocking tool.

Since I started writing JBehave back in 2003, BDD – and JBehave itself – has broadened in scope, covering user stories right the way through to tested, deployed code, and the OOPSLA workshop will explore this bigger picture. It will be of interest to anyone looking to understand behaviour-driven development, regardless of the technology stack or toolset you use.

On a related theme, java is trailing behind ruby and even C# in terms of customer-friendly executable documentation. JBehave might just be the tool to follow through on the promise of FIT, to define executable acceptance criteria that can be authored by testers or analysts.

So to anyone going to OOPSLA, if you aren’t coming to the BDD session I would be very keen to hear why so I can pitch it better next time. Is it that you aren’t using JBehave so you don’t think the session is relevant? Are you simply not interested in BDD? Is there too much other good stuff on at the same time? Or did you just not notice but now you have you’ll be signing up? I hope to see you in Canada!

So it’s that time of year again. I’ve got a number of conferences and workshops coming up, ranging over all sorts of topics. I just popped over to Martin Fowler’s site (I’m doing a talk with him this week) and noticed that he has a much more organised setup than me. All his events are in a sidebar and there is a handy link if you want more details. Another idea to go on my to-do pile.

ThoughtWorks Quarterly Technology Briefing

  • Manchester – 12 September 2007
  • London – 20 September 2007

This is the second instalment in ThoughtWorks’ series of informal sessions aimed at technologists across the spectrum. Although calling it a technology briefing is a bit inaccurate because the title for this one is “How to Sell Agile to your Organisation”, which has far more to do with the themes of people, risk and change than with anything technological.

This is the talk I’ll be presenting with Martin so I can guarantee a lively session. In his own words: “As I detest selling anything to anyone it will be interesting to see how this talk works out.”

Details and registration info are on the ThoughtWorks website.

RailsConf Europe

  • Berlin – 17-19 September 2007

A lot of Ruby folk seem to have taken to behaviour-driven development. This is almost entirely due to the success of the rspec project, which is in turn due to the enthusiasm and dedication of its developers and the community they have established.

A while back I wrote a story-level BDD framework for Ruby called rbehave which has since been integrated into the rspec project.

I’ll be helping rspec project leads David Chelimsky and Aslak Hellesoy present a workshop entitled A half-day of behaviour-driven development on Rails, where we’ll be demonstrating how rspec helps you write software that is focused on achieving an outcome. It’s at 8:30am on the Monday morning, so make sure you’re there first thing.

Expo-C Roadshow

  • Växjö – 15-16 October 2007
  • Karlskrona – 17-18 October 2007

Expo-C is one of my favourite events. It’s a small conference in south-east Sweden and it seems to attract an audience that really cares about what they are doing. I’ve done two of them now, on very different topics, and on both occasions I was very impressed with the quality of the attendees and the calibre of the other speakers. (I’m usually the only one there who hasn’t written a book.)

This time they are doing two mini-conferences back to back, in Växjö and then Karlskrona, with a tutorial day and a seminar day (six sessions) in each location. I’ll be running full-day tutorials on BDD in Växjö, and Coaching, Communication and Change in Karlskrona. For the seminar I’ll be talking about bridging the communication gap, based on a keynote I gave with Martin Fowler at QCon earlier this year.

I will also be learning how to pronounce “Växjö”.

OOPSLA

  • Montreal – 21-25 October 2007

This will be my first OOPSLA. I’ve heard a lot about it and I’m a bit intimidated. By reputation it seems a bit more “cerebral” than most conferences. It will also be the first time I’ve ever presented JBehave at a conference. No mean feat considering I started writing it at the end of 2003! There’s perpetual beta for you.

My co-presenter is my ThoughtWorks colleague, friend and cybergoth Liz Keogh, the person responsible for getting JBehave to 1.0. I have huge respect for Liz; she manages to combine software with poetry. This isn’t a pretentious metaphor – she actually does combine software with poetry. She ran a haiku workshop at a previous ThoughtWorks away day that many of the attendees nominated as the highlight of their day. She also writes inspiring and inspired blog articles.

I’m only going because I want to see what Liz does when she’s let loose on a roomful of developers. I reckon we’ll end up writing haiku acceptance criteria.

And some others…

There are another couple of events in the pipeline that I will blog about nearer the time (January and February next year). After that I’m going to have a bit of a lie down.

Correction: I got the dates wrong for OOPSLA. Thanks Joshua Graham for putting me straight.
_Another correction: My Swedish geography is appalling. Thanks Morgan Persson._

This is the first of an occasional series of posts about Linux systems administration. I’ve been an on-off Linux sysadmin for about, well, my first Linux was Slackware on a stack of 3.5″ floppies. Every now and then I do something “fiddly” and I want to capture these episodes in case I ever need to do it again, or in case someone else wants to and they find this useful.

I run Debian Testing on kenny, the server that hosts http://dannorth.net, http://behaviour-driven.org and a bunch of other websites, blogs and wikis. (Random plug: it’s hosted by the fine folks at SolarVPS. I have no affiliation with them but they rock.) It seems a good balance between Debian Stable – which is rock solid but always about a year out of date – and Unstable, which requires updating far too often and hosed my old server (cartman – can you see a theme here?).

Mostly it Just Works. In particular WordPress and MoinMoin are a joy to configure and use. I get change out of about 10 minutes to add a new blog.

I also use it as a mail server, using postfix for sending and receiving mail and courier-imap for reading it. I tried a number of mail servers and settled on postfix after dismissing sendmail and qmail as just too complicated and exim after staring at the impenetrable documentation one time too many.

I found it pretty easy to set up secure SMTP over TLS and secure IMAP over SSL, but I stumbled at setting up virtual mail addresses. This article is about how to do that using postfix and courier-imap. It’s pretty straightforward once you know where all the moving parts are, but they were less than obvious to me.

Virtual mail addresses

Mostly you send email to bob@address.com and it turns up in bob’s mailbox in bob’s login account. Sometimes you don’t want this. For instance, I host about 20 domain names on kenny, and addresses like info@blah.com or sales@blah.com need to go to specific people. That’s the first type of virtual addressing, known as virtual alias domains.

The second case is “more” virtual – the user doesn’t even need to exist on the server with a regular login account. Postfix puts the mail into a special directory, and courier-imap presents that directory as the mailbox when the user “logs in” over IMAP. This is where all the moving parts come in. This is known as virtual mailbox domains.

Setting up postfix for virtual alias domains

This is the easier of the two, since the mail ends up in a real email address, so there is no corresponding configuration on the courier-imap side. This information came from the Postfix Virtual Domain Hosting Howto.

In /etc/postfix/main.cf add the following lines:

    virtual_alias_domains = dannorth.net
    virtual_alias_maps = hash:/etc/postfix/virtual

This says that postfix will treat the name dannorth.net as a virtual alias domain and will use the file /etc/postfix/virtual to do the mappings. Your /etc/postfix/virtual might look like this:

    # deliver to local account
    dan@dannorth.net dan

    # forward to another mail address
    example@dannorth.net dan@example.com

Once you have this file configured, run the command:

    # postmap /etc/postfix/virtual

to create the hash database that postfix will use, then run:

    # postfix reload

to update the configuration.

Setting up virtual mailbox domains

Ok, there are several moving parts here. We need:

  • a directory to deliver the mail to
  • to tell postfix to deliver it there
  • to enable virtual users in courier
  • to tell courier where the virtual users’ mail lives

In this example, I’ll set up two virtual users, fred and barney, at example.com.

System accounts and directories

The virtual users’ files need to be owned by someone, so we’ll create a “fake” user and group. I’m using vmail for both the user and group names, with uid and gid both set to 5000.

From a root prompt:

    # groupadd -g 5000 vmail
    # useradd -g vmail -u 5000 vmail
    # mkdir -p /home/vhosts/example.com
    # chown vmail:vmail /home/vhosts/example.com

Configuring postfix for virtual mailbox domains

In /etc/postfix/main.cf

    virtual_mailbox_domains = example.com
    virtual_mailbox_base = /home/vhosts
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000

This is pretty self-explanatory. It says example.com is a magic virtual mailbox domain, all users and groups map to a fixed number (you can get cleverer than this but I’m not worried about it for now), and that all the interesting stuff is in /etc/postfix/vmailbox. The minimum uid is postfix’s safety measure in case I do something stupid. It means I can’t accidentally let someone have access to system files.

Now let’s look at /etc/postfix/vmailbox:

    fred@example.com example.com/fred/
    barney@example.com example.com/barney/

The magic here is the / at the end of each line. This says to use maildir format (the format courier-imap is expecting) rather than clunky old mbox format. Postfix will create the appropriate directory structure for fred and barney,

Again we create a hash of this for postfix:

    # postmap /etc/postfix/vmailbox
    # postfix reload

Phew! That’s the postfix side done. Now stop for a cup of tea.
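
A consistency check for the main.cf settings and vmailbox map above, as an added example that is not from the original post: it flags map entries that lack the trailing `/` (mbox instead of maildir), addresses whose domain is not listed in virtual_mailbox_domains, paths that resolve outside virtual_mailbox_base, and a static uid below virtual_minimum_uid. It assumes virtual_mailbox_domains is a plain list of names and virtual_uid_maps uses `static:`; the function names and the barney, wilma and betty entries are constructed for illustration.

```python
import posixpath


def parse_main_cf(text):
    """Parse simple 'name = value' lines (continuation lines not handled)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def lint_vmailbox(main_cf_text, vmailbox_text):
    """Return (line_number, message) tuples; line 0 means main.cf itself."""
    params = parse_main_cf(main_cf_text)
    domains = set(params.get("virtual_mailbox_domains", "").replace(",", " ").split())
    base = params.get("virtual_mailbox_base", "").rstrip("/")
    min_uid = int(params.get("virtual_minimum_uid", "100"))  # Postfix default
    problems = []

    uid_map = params.get("virtual_uid_maps", "")
    if uid_map.startswith("static:") and int(uid_map[7:]) < min_uid:
        problems.append((0, "static uid %s is below virtual_minimum_uid %d"
                         % (uid_map[7:], min_uid)))

    for lineno, line in enumerate(vmailbox_text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 2:
            problems.append((lineno, "expected 'address path'"))
            continue
        address, path = fields
        if address.rpartition("@")[2] not in domains:
            problems.append((lineno, "%s: domain not in virtual_mailbox_domains" % address))
        if not path.endswith("/"):
            problems.append((lineno, "%s: no trailing '/', so mbox not maildir" % address))
        # The path is appended to virtual_mailbox_base; '..' can climb out of it.
        full = posixpath.normpath(base + "/" + path)
        if not full.startswith(base + "/"):
            problems.append((lineno, "%s: path resolves outside virtual_mailbox_base" % address))
    return problems


# Settings as given in the article.
MAIN_CF = """\
virtual_mailbox_domains = example.com
virtual_mailbox_base = /home/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
"""

# Constructed sample map: only fred's entry matches the article's.
VMAILBOX = """\
# constructed sample map
fred@example.com    example.com/fred/
barney@example.com  example.com/barney
wilma@example.org   example.org/wilma/
betty@example.com   ../betty/
"""

if __name__ == "__main__":
    for lineno, message in lint_vmailbox(MAIN_CF, VMAILBOX):
        print("line %d: %s" % (lineno, message))
```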

Configuring courier-imap for virtual mailboxes

On Debian, courier imap runs as three executables, each with separate init.d scripts. courier-imap and courier-imap-ssl are the imap servers themselves (I run courier-imap bound to localhost for webmail). courier-authdaemon is the chap that does all the authentication. That’s the one we’re interested in.

Firstly, we need to enable virtual users. In the file /etc/courier/authdaemonrc you need to make sure your authmodulelist setting contains authuserdb as one of its authentication mechanisms. Mine looks like this:

    authmodulelist="authuserdb authpam"

Don’t forget to tell the auth daemon you’ve made a change:

    # invoke-rc.d courier-authdaemon reload

Courier uses a file called /etc/courier/userdb to store virtual user mappings, but you don’t usually edit this file yourself. It has an arcane format (using tabs and pipes as delimiters) and should be left well alone. Instead, courier provides you with some command line tools to manipulate it.

To create an entry for fred, we do this:

    # userdb fred set uid=vmail gid=vmail home=/home/vhosts/example.com/fred mail=/home/vhosts/example.com/fred

(That should all be on one line – your browser might wrap it.) Then set a password for fred:

    # userdbpw -md5 | userdb fred set systempw

Do the same for barney. Finally we build the hashed user database that courier will actually use:

    # makeuserdb

Note: don’t forget to run makeuserdb after making any changes to the virtual user data otherwise courier won’t know.

Testing the configuration

Firstly, try sending an email to the virtual user. Postfix should create the maildir structure under example.com/fred. Then try connecting to courier to read the mail. If you find you are getting authentication problems from the courier side, you can try setting DEBUG_LOGIN=1 in /etc/courier/authdaemonrc and restarting the auth daemon. Don’t forget to switch it off again once it’s working.
