Amazon API Gateway 支援 Canary Release 了

Amazon API Gateway 支援 Canary Release 了:「Amazon API Gateway Supports Canary Release Deployments」。

Canary Release 重點在於逐步轉移,而不是直接硬切,大致上可以分成三個階段。

首先是一開始的情況:

切到一半的情境:

最後完全使用新版本:

這個方法可以避免新的 code 有效能問題,造成後端壓力過大... 不過這樣就要確定新舊版本的程式碼可以同時跑 (像是後端資料庫的 schema 必須相容這兩個版本)。

前幾天提到的「AWS CodeDeploy 支援在 AWS Lambda 上跑更多奇怪花樣」算是相關的功能,讓 AWS CodeDeploy 參與其中做出各種變化。

AWS 推出新的 Cost Explorer API,不過 API 不是重點啦...

AWS 的「New – Interactive AWS Cost Explorer API」這篇文章在一開頭就提到了 Cost Explorer API 的情況,所以他們要推出新的 API 改進:

We launched the AWS Cost Explorer a couple of years ago in order to allow you to track, allocate, and manage your AWS costs. The response to that launch, and to additions that we have made since then, has been very positive. However our customers are, as Jeff Bezos has said, “beautifully, wonderfully, dissatisfied.”

不過讓我笑出來的是選圖啊... 大概是 Jeff Barr 夠硬的關係,直接選了這張:

我喜歡這張 XD (尤其配合著出現在官方 blog 上的時候)

Stream 對 .io 的感冒

Stream 的人寫了一篇「Why Stream Stopped Using .IO Domain Names for Production Traffic」表達他們對 .io 的感冒...

主要是因為 9/20 爛掉的情況不太妙。第一個是 .io 爛掉了兩個小時 (以月來算 SLA 就等於直接掉了 0.2% uptime,變成不到 99.8%),第二個是爛掉時 server 傳回的不是 SERVFAIL,而是 NXDOMAIN

The outage lasted for almost 2 hours, during which 1/5th of DNS queries for any .getstream.io record would fail.

他們的解法是改到 .com 上,畢竟影響的時候應該會修得比較快。另外文章裡也有延伸提到 Amazon Route 53 爛掉時要怎麼辦,如果他們真的決定要解決的話,應該是會拿出像「StackOverflow 對於多 DNS 商的同步方式...」或是「GitHub 也自己搞了一套管理多家 DNS 的程式...」的搞法吧。

不過這的確是當初選 .io 沒預料到的...

一票在 AWS Lambda 上預先編好的套件

ryfeus/lambda-packs 這邊有一票已經編好的套件,可以看出選出來的都是比較吃資源的東西,拆成 API 接出去比較划算 (以免 API overhead 佔太多):

  • Selenium PhantomJS
  • Pyresttest + WRK
  • Lxml + requests
  • Tensorflow
  • Sklearn
  • Skimage
  • OpenCV + PIL
  • Pandas
  • Tesseract
  • PDF generator + Microsoft office file generator (docx, xlsx, pptx) + image generator (jpg, png) + book generator (epub)
  • Satellite imagery processing (rasterio + OSGEO + pyproj + shapely + PIL)

有些套件光是要編就很麻煩,作者編好後讓人可以直接包進去 XD

AWS PrivateLink

AWS 計畫把先前設計的 VPC Endpoint 都併到 AWS PrivateLink 裡,統一管理:「New – AWS PrivateLink for AWS Services: Kinesis, Service Catalog, EC2 Systems Manager, Amazon EC2 APIs, and ELB APIs in your VPC」。

Today we are announcing AWS PrivateLink, the newest generation of VPC Endpoints which is designed for customers to access AWS services in a highly available and scalable manner, while keeping all the traffic within the AWS network. Kinesis, Service Catalog, Amazon EC2, EC2 Systems Manager (SSM), and Elastic Load Balancing (ELB) APIs are now available to use inside your VPC, with support for more services coming soon such as Key Management Service (KMS) and Amazon Cloudwatch.

這樣就不用弄 proxy server 然後在上面管一堆 policy 了... (先不講自己搞 HA 的麻煩事,光是有些程式還得 patch 才能支援 proxy 就會想翻桌了 XD)

microG 的進展...

留在 tab 上的東西,忘記在哪看到的... microG 發佈了新的專案:「LineageOS for microG」。

microG 是 AndroidGoogle 服務 API 的重新實作 (所以 open source),不像 Open GApps 還是屬於 proprietary software。

這次的事情是 microG 的人 fork 了 LineageOS 專案,因為 LineageOS 專案拒絕 microG 的 signature spoofing patch:

Why do we need a custom build of LineageOS to have microG? Can't I install microG on the official LineageOS?

MicroG requires a patch called "signature spoofing", which allows the microG's apps to spoof themselves as Google Apps. LineageOS' developers refused (multiple times) to include the patch, forcing us to fork their project.

另外也提到了他們覺得拒絕的原因很鳥:

Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?

No. LineageOS' developers hide behind the "security reasons" shield, but in reality they don't care enough about the freedom of their users to risk to upset Google by giving them an alternative to the Play Services.
The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps.

Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.

於是就 fork 了新的專案... 就觀察看看吧。

Amazon API Gateway 可以獨立運作了...

Amazon API Gateway 先前一定要跟 Amazon CloudFront 綁在一起 (而且還是很奇怪的 distribution,不是 Price Class 裡面任何一種分類),現在總算可以獨立自己運作了:「Amazon API Gateway Supports Regional API Endpoints」。

A regional API endpoint is a new type of endpoint that is accessed from the same AWS region in which your REST API is deployed. This helps you reduce request latency when API requests originate from the same region as your REST API.

而且這樣一來,如果還是要用 Amazon CloudFront 擋在前面的話,可以自己選擇 Price Class:

Additionally, you can now choose to associate your own Amazon CloudFront distribution with the regional API endpoint.

以前用起來頗莫名其妙的 XDDD

HTTP/2 時代的 API 設計

在「Let’s Stop Building APIs Around a Network Hack」這邊提到了以前為了解決 HTTP/1.1 的問題而發展出來的 workaround,在 2015 年發展出來的 HTTP/2 從底層直接解了不少問題,加上很快被許多瀏覽器支援 (就算不支援 HTTP/2 也只是降到 HTTP/1.1 跑,比較慢而已):

Guess what else was released in May 2015? RFC 7540, otherwise known as HTTP/2. In retrospect this seems highly poetic, as HTTP/2 kinda makes the compound document aspect of JSON-API a little bit pointless, and compound documents to me go hand in hand with what JSON-API is as a standard.

2012 年在 MOPCON 第一屆講的「API Design Optimized for Mobile Platform」剛好就是這個主題:

有種懷念感... XD