Alex headshot

AlBlue’s Blog

Macs, Modularity and More

Java's 25th Anniversary

2020, java

On this day, 25 years ago, Java was released as beta to great fanfare across the world. (Java 1.0 itself wouldn’t be released until 23rd January 1996). The key aspect of its appeal was the fact that programs could be created in a simple text editor, such as NotePad or vi, and then compiled into ‘bytecode’ which could then be loaded remotely into web browsers such as Netscape Navigator which had only been out for 6 months at the time, and was bundled by default with the release of 2.0 (along with its on-again, off-again nemesis JavaScript).

The fact that programs could be written, compiled on your own computer, and then hosted in a web page through the use of the (now deprecated) <applet> tag, was a massive step change in the utility of the web at the time. These days, it doesn’t seem so groundbreaking – as the web has become dominated by JavaScript and derivatives for interactivity. Of course, many demos can now be hosted with animated gifs. In fact, for your viewing pleasure, here’s what the Java 1.1 release with demos looked like:

Java Sorting Demo

The above demo content can be found in a Java 8 download in the SortDemo directory.

What’s particularly fascinating is that when Java was first released, Windows had a near monopoly on computing, with few Apple Macs clinging on for dear life, and Solaris already on its way out on the desktop. (There was NeXT, which died shortly after Java’s release, only to be reborn as Apple – that story played out a lot better than Sun’s did.)

The idea of ‘write once, run anywhere’ was never known before Java came along; at least, not for compiled languages. (C had much fewer dialects back then, but still ran into incompatibilities and there weren’t good cross-platform compilers that supported Windows as well.) The idea that you could not only write portable code, but have it downloaded and executed on another computer across the globe without recompilation was a massive boost for the early adoption, and coupled with the rise of browsers and the internet, made Java an early darling in this era.

Unfortunately, the ‘write once, run anywhere’ didn’t always live up to expectations, especially when Microsoft stopped updating their Java 1.1.3 runtime in Internet Explorer, and started to add Microsoft specific classes instead. That lawsuit dragged on, by which time it may not have mattered any more.

The other key flaw was having a collection of security vulnerabilities in the browser thanks to Java’s ubiquitous presence and general ambivalence to being updated by the end user. By the time Applets became deprecated (and why you can’t run the example in the browser today) many CVEs had been raised against the humble Java runtime in the browser, a title taken over by Flash until its demise some decades later.

But Java’s early popularity and widespread adoption meant that it spread to the server, where it still reigns supreme today. We’ve gone from single-core, 32-bit systems running on Windows and (Classic) Mac, to multi-core, 64-bit systems running predominantly Linux and NeXT derivatives, all without missing a beat.

The majority of the language will still compile just as it did in the first 1.0 releases, and the majority of code written for those early days still runs fine on today’s beefy JVMs – except a lot, lot faster. (The sort demos still run at the same speed they were programmed to as there’s a Thread.sleep with a fixed time in the code; if they were running at full speed, you wouldn’t have seen the animation, even then.)

The language (and the bytecode) hasn’t remained static over the time though – we’ve had Swing (formerly Java Foundation Classes or JFC) introduced in 1.2, generics introduced in 1.5, the invokedynamic bytecode added in Java 7 and subsequently lambdas in Java 8, with modules and others added by Java 11. The GCs have grown as well, from the simple serial collector and mark-and-sweep, to concurrent versions and multi-gigabyte concurrent collectors (now reaching terabyte limits). Concurrent programming has become ever more pervasive, and new language technologies are being added to the language a rate not seen since the early days.

However, the thing that really makes Java shine is the fact that all of the language is available as open-source. Even in the beginning, the source was available for the core Java libraries (if not the JVM implementation) so you could debug into problems that occurred in your app without losing your place in a debugger. Now that the JVM has become fully open-sourced, many other companies are working on the Java language and the JVM runtime in order to make it bigger and better than before.

The last 25 years has brought a lot of joy to millions of developers and billions of users, including a formative part of my career. I started with Java’s early betas in 1995, helping a friend to learn the basics of object-orientation before it was cool (and perhaps subsequently, uncool). We wrote a crossword applet that allowed you to parse ASCII representations of a board and display them in a graphical manner, and allow you to type and fill in the crossword via a web page. Nowadays, of course every newspaper worth their reputation has got an on-line crossword with much the same thing; but this was in the days before Google and Wikipedia existed.

My career followed with becoming a Java developer, trainer and consultant; I started a business with a friend and rode the wave as people migrated from C++ to Java in their droves. (These days, everyone comes out of university already knowing Java and on-line tutorials and videos have made training a niche subject.) I then worked my way up and along Java, writing for InfoQ and many blog posts, as well as contributing to open-source projects like Apache and Eclipse. Indeed, my involvement with Eclipse goes back to the early days of working delivering IBM’s training OB73 and OB74 courses, and using Visual Age for Java followed by WebSphere Studio which was based on Visual Age’s technologies but made open-source in Eclipse in November 2001.

My Java career reached its zenith earlier this year when I became a Java Champion thanks to the support and kind votes of the other champions. It’s really not overblown to say that I owe my career and livelihood to a small language formerly called Oak or Green, and it will be fascinating to see what happens to it over the next 25 years of development. I’ve truly been Moved By Java.

Using dnsmasq to block DNS requests

2020

Recently I have noticed that there’s an uptick in spamvertising on my home network, and as such, I decided to spend some time investigating using a Raspberry Pi to host a DNS service which would filter such spam sites out.

I initially looked at Pi-Hole which provides a really simple out-of-the-box experience for doing DNS blocking, with a nifty user interface for adding black or whitelist hosts on the fly, and a report of how well the DNS is working. For those with limited technical experience, it’s an easy-to-use experience and I can recommend it on those points. Version 5 has just been released as I write this, so you may want to look at that.

Pi-Hole

Pi-Hole has some advantages – for example, it doesn’t just run on a Raspberry PI – and it has some built-in lists that it uses to do ad blocking, which is a good start.

However, after using it for a while, it became clear to me that in essence it’s a soft fork of dnsmasq which is available on many upstream repositories already. The Pi-Hole fork of dnsmasq is called pihole-FTL and is, in essence, a dnsmasq process running inside something with a network front end for doing querying and dynamic reloading of data.

The other problem with Pi-Hole is that it is, in essence, a bunch of PHP web pages (potentially running as root) in a server and communicating via a binary protocol to the local daemon, so there’s a lot of potential places where security issues could occur. It also fires up a lightweight HTTP server running on the host (there’s a configuration option to turn it off) which again increases the chance of something going wrong.

Dnsmasq

As a result, I decided to move away from the Pi-Hole configuration, and use a vanilla dnsmasq implementation instead; which has the following advantages:

  • Less custom code running in dnsmasq, so less potential for security issues
  • Supported by upstream repositories natively, rather than an add-on
  • All of the hard work by Pi-Hole is actually handled by dnsmasq anyway
  • Less maintenance to worry about in the future

There are of course disadvantages – it doesn’t provide a helpful webpage which says “This domain is blocked; click here to unblock it”, but I didn’t want that anyway. The other minor disadvantage is that the hosts parsing format supports a missing address, which is parsed as NXDOMAIN – this doesn’t apply to the vanilla dnsmasq daemon.

Configuration

The default configuration for dnsmasq is pretty well commented, and there’s a great manpage with all the configuration options defined in there. However, I thought I would split it up into different sections that you could enable or customise what you want, and I’ve made it available on GitHub.

Despite the name, dnsmasq also handles TFTP, PXE and DHCP operations on both IPv6 and IPv4 addresses. I have customised mine to allow for DHCP and DNS on both IPv4 and IPv6 at the moment, but I’m going to investigate the boot options at a later stage.

Some of the defaults have been updated to allow sensible values in place; they are all commented in the individual files which you can pick-and-choose from. For example, there are multiple options for the DNS server:

Recently, Cloudflare has announced “Cloudflare for Families” which builds on the 1.1.1.1 name server with a 1.1.1.2 name server that blocks malware attempts, and a 1.1.1.3 that also blocks porn. These may be useful for families, and over time, I expect the range of blocks to grow rather than fade – which will be especially useful for fast-moving targets like those trying to fool you into handing over your Apple/Facebook logins. I’ve set up a configuration file for those as well.

The idea is that you can clone the example repository, adjust it for your local environment, and then run it in your /etc/dnsmasq.d/ directory.

Blocking hosts

The main reason I did this was to block hosts. In dnsmasq, the syntax for blocking a host is:

address=/example.com/

which roughly translated means ‘For domains ending in example.com, send the result to NXDOMAIN. You can also specify a particular address; other block hosts use 0.0.0.0 as a host:

address=/example.com/0.0.0.0

Secondly, there’s a form that can read in a hosts file (man 5 hosts) that can be used to serve 0.0.0.0 addresses (but not NXDOMAIN).

addn-hosts=/path/to/blocked.hosts

The advantage of an additional hosts file is that a SIGHUP will ask the dnsmasq daemon to reload the hosts file dynamically without stopping and starting the service.

If you want to ensure that a local domain doesn’t get forwarded out, or you have an alternative server, then you can use the server option instead:

server=/mynet/192.168.1.1

This will delegate all mynet domains to the 192.168.1.1 server, but then cache the results and serve them to clients quicker.

Finally, if you want to blackhole entire TLDs, you can do so with either the local directive (i.e. make the machine responsible for the domain) or with the address=/.biz/ directive. Many newer TLDs are full of spam sites, and countries that you don’t regularly visit or shop from could be on this list.

DHCP

Dnsmasq provides a DHCP service for you, in case you want to use it to allocate your hosts on demand. One advantage of having this wired into the server is that it will give you a mapping between the DHCP allocated hosts and DNS names for free, so you only have to have them in one place.

The DHCP hosts have a range that you can specify along with a lease time:

dhcp-range=192.168.0.50,192.168.0.150,12h

You can configure the DHCP server to send out its address for the router, for both IPv4 and IPv6, which means that hosts using DHCP will automatically pick up the host:

dhcp-option=option:router,192.168.1.1
dhcp-option=option6:dns-server,[::]

You can specify the host-record for binding a particular name, and a dhcp-host for setting a machine based on its mac address:

host-record=dns.example.com,192.168.1.1
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.1,dns.example.com

It is also possible to have a cname record, but only for those hosts that are already known to dnsmasq … so it’s not possible, for example, to have a cname pointing to a host elsewhere.

cname=ns.example.com,dns.example.com

There are other configuration options, such as setting an auth-server and auth-zone along with an auth-soa which will synthesise records for the SOA name type; these are left to the reader’s investigation. For those using zeroconf/bonjour/mDNS or SPF, you can also add generic SRV and TXT records to the DNS zones hosted. These are left as an exercise for the reader.

Summary

Pi-Hole is a great out-of-the-box experience, but has a wider security attack area and drags in interpreted languages, which may not be appropriate on a DMZ hosts. Using dnsmasq is perfectly capable, provided that you can curate your own blacklists for domains, or write scripts that do that for you. (An older version of Pi-Hole used native dnsmasq, but was replaced to give stats that could otherwise be grepped from the lookup logs.)

Hopefully the partitioned configuration files in https://github.com/alblue/dnsmasq-example will give you a start point to run your own DNS/DHCP server, optionally with blocking capabilities.

Understanding CPU Microarchitecture for performance

2020

I recently gave a talk at QCon London entitled “Understanding CPU Microarchitecture for Performance” on the details of CPU internals and how they affect the speed of programs that run on them.

I’ve given this talk twice recently; once at QCon London, and a further virtual event for the London Java Community (LJC). Although both of the presentations are similar content, I marginally updated the slides for the LJC event to include a new release of one version of the software that I recommended, and for a new project that wasn’t open-sourced at the time.

The QCon London presentation has the advantage that there’s a transcript, and synchronised slides, so depending on which form you find more useful it’s up to you. Here are the links:

The abstract for both is the same:

Microprocessors have evolved over decades to eke out performance from existing code. But the microarchitecture of the CPU leaks into the assumptions of a flat memory model, with the result that equivalent code can run significantly faster by working with, rather than fighting against, the microarchitecture of the CPU.

This talk, given for the (QCon London| London Java Community) in 2020, presents the microarchitecture of modern CPUs, showing how misaligned data can cause cache line false sharing, how branch prediction works and when it fails, how to read CPU specific performance monitoring counters and use that in conjunction with tools like perf and toplev to discover where bottlenecks in CPU heavy code live. We’ll use these facts to revisit performance advice on general code patterns and the things to look out for in executing systems. The talk will be language agnostic, although it will be based on the Linux/x86-64 architecture.

If you have any comments or questions, feel free to reach out to me via Twitter, e-mail or any other means you have at your disposal.