Ir al contenido principal

Ralsina.Me — El sitio web de Roberto Alsina

Sandra Pitta diciendo pavadas, volumen 53

Acá es­tá el vi­deo, des­pués lo trans­cri­bo y char­la­mo­s.

... pa­ra po­der co­mu­ni­car­no­s, pa­ra po­der en­ten­der­nos en­tre no­so­tro­s.

Es­e, es­a, ese con­sen­so, esa con­ven­ción es fun­da­men­tal cuan­do uno en­se­ña por­que pa­ra trans­mi­tir co­no­ci­mien­to con cla­ri­dad ehhh que esa con­ven­ción tie­ne que ser res­pe­ta­da, no?

El len­gua­je co­mo he­rra­mien­ta de co­mu­ni­ca­ción la usan am­bas par­tes. Si una de las par­tes se rehú­sa a adap­tar su ma­ne­ra de ha­blar por­que "es la co­rrec­ta" le es­tá dan­do prio­ri­dad a su au­to­ri­dad an­tes que a la co­mu­ni­ca­ció­n. Los alum­nos ce­den en su len­gua­je TO­DO EL TIEM­PO, jus­ta­men­te por­que no tie­nen la au­to­ri­da­d.

Eh, a mi me pa­re­ce que eh, jus­ta­men­te ese ti­po de eh, de si­tua­ción es muy im­por­tan­te -- es­pe­cial­men­te en los ni­ve­les ini­cia­les de la edu­ca­ción -- que es­ta con­ven­ció­n, que es­tas con­ven­cio­nes tie­nen que ser res­pe­ta­da­s.

Los bue­nos do­cen­tes, en cam­bio, pre­fie­ren co­mu­ni­car­se con sus alum­no­s, por­que pre­fie­ren usar el len­gua­je co­mo he­rra­mien­ta de co­mu­ni­ca­ción y no co­mo he­rra­mien­ta de im­po­si­ción de au­to­ri­da­d.

No­so­tros es­ta­mos atra­ve­san­do en es­te mo­men­to lo que yo con­si­de­ro que es una de las ma­yo­res tra­ge­dias edu­ca­ti­vas que vi­vi­mos en la Ar­gen­ti­na y no po­de­mos dar­nos el lu­jo de, eh, in­tro­du­cir cam­bios mor­fo­ló­gi­co­s, arte­fac­tos que sus cu­yas con­se­cuen­cias no co­no­ce­mo­s.

Co­no­ce­mos las con­se­cuen­cias de ne­gar­se a acep­tar los cam­bios que su­ce­den en el len­gua­je? Bue­no, sí. Una de las con­se­cuen­cias son do­cen­tes con un len­gua­je im­pos­ta­do, que di­cen "pa­la­bras alu­si­va­s" en el "so­lem­ne ac­to" por el "na­ta­li­cio del ge­ne­ra­l".

Otra es la fal­ta de co­ne­xión en­tre los alum­nos y el con­te­ni­do que se les en­se­ña.

Lo di­go des­de mi po­si­ción de le­go que nun­ca dió cla­ses en ni­vel ini­cia­l, la mis­ma que tie­ne la far­ma­céu­ti­ca Pi­tta, que ja­más lo hi­zo tam­po­co.

Lo que no­so­tros te­ne­mos que ha­cer es eh, real­men­te ga­ran­ti­zar la me­jor edu­ca­ción po­si­ble pa­ra pa­ra los ni­ño­s, pa­ra las ni­ña­s, pa­ra los ado­les­cen­tes, pa­ra que esa edu­ca­ción los ha­bi­li­te a ellos a de­fen­der en el fu­tu­ro sus de­re­cho­s.

Por ejem­plo el de­re­cho a que se res­pe­te su ma­ne­ra de ha­blar y no se los tra­te co­mo ciu­da­da­nos de se­gun­da? Ok.

Aho­ra, hay dos pun­to­s, bue­no, hay un pun­to que a mí me afec­ta fun­da­men­tal­men­te que es eso de que -- a ve­r, yo en­tien­do per­fec­ta­men­te bien que los cam­bios en, que los idio­mas no son in­mu­ta­ble­s, que los idio­mas son di­ná­mi­co­s, que hay cam­bio­s, pe­ro esos cam­bios nun­ca se dan de arri­ba ha­cia aba­jo. Los cam­bios que son de arri­ba ha­cia aba­jo son au­to­ri­ta­rio­s.

Y por eso pro­po­ne que ha­ya una re­gla de que no se use len­gua­je in­clu­si­vo en las es­cue­la­s, re­gla que se­rá im­pues­ta por el go­bierno a tra­vés de las au­to­ri­da­des edu­ca­ti­vas y que en ca­so de no ser cum­pli­da ten­drá las san­cio­nes co­rres­pon­dien­tes.

Epa.

Si us­te­den han leí­do, es­te, la no­ve­la de 1984 de Orwe­ll [i­nin­te­li­gi­ble] la Neo­len­gua ca­sual­men­te se re­fie­re a eso, no? A tra­tar de con­tro­lar el pen­sa­mien­to a tra­vés de una Neo­len­gua. Los cam­bios se dan na­tu­ral­men­te en la so­cie­da­d.

Sí, pe­ro cuan­do se te cru­za un cam­bio vos que­rés man­te­ner el sta­tus quo. Ten­go que ad­mi­tir que a Orwe­ll no se le ocu­rrió el con­cep­to de una len­gua que NO cam­bia pa­ra man­te­ner una so­cie­dad an­qui­lo­sa­da e in­mu­ta­ble.

Y esos cam­bio­s, eh, si si son va­li­da­dos mis­mo por la so­cie­dad son in­cor­po­ra­dos y son des­pués acep­ta­do­s, bue­no, ya co­no­ce­mos to­do ese pro­ce­di­mien­to en­ton­ces to­do lo que ven­ga de arri­ba ha­cia aba­jo, a mi en­ten­der es au­to­ri­ta­rio y no de­be­ría­mos acep­tar­lo.

¿En­ton­ces por qué quie­re que ha­ya una nor­ma "de arri­ba ha­cia aba­jo" prohi­bien­do el len­gua­je in­clu­si­vo? Ah, por­que so­lo es au­to­ri­ta­rio cuan­do lo ha­ce otro.

Y, eh, quie­ro re­fe­rir­me a al­go que pa­só, bue­no, el día ese que no pu­di­mos ha­blar jus­ta­men­te eh, a mi me ha­bía lla­ma­do mu­cho la aten­ción al­go que es­ta­ba pa­san­do en Irán, y lo trai­go por al­go en par­ti­cu­la­r. Ese día ha­bían sali­do las mu­je­res en Irán a sa­car­se el [hi­ja­b] que es una, es un, es al­go que las opri­me, es eh, real­men­te es una so­cie­dad que, que, que pe­na­li­za in­clu­si­ve ser mu­je­r, la co­mu­ni­dad LGBT no pue­de salir a pro­tes­tar en Irán.

Mas allá de que ese pá­rra­fo es, sin­ce­ra­men­te, una en­sa­la­da ... en twi­tter ex­pli­có que lo di­jo por­que en Irán los pro­nom­bres no tie­nen gé­ne­ro y de to­das for­mas no hay igual­dad de gé­ne­ro.

Des­em­pa­que­te­mos esa pe­lo­tu­dez gi­gan­te así ve­mos las pe­lo­tu­de­ces mas chi­qui­tas de las que es­tá cons­truí­da.

1) En Irán no hay pro­nom­bres con gé­ne­ro.

Bue­no, en far­si no los ha­y. No es lo mis­mo el país que el idio­ma, Pi­tta. Pe­ro no los hay en far­si mo­derno.

¡En far­si an­ti­guo sí! Por­que jus­ta­men­te la pér­di­da del gé­ne­ro en los pro­nom­bres es un pro­ce­so muy co­mún en los len­gua­je­s.

Pro­ce­so que sos­pe­cho, es­ta­mos em­pe­zan­do a pre­sen­ciar en el cas­te­llano.

2) No te­ner pro­nom­bres con gé­ne­ro no evi­ta la opre­sión

Na­die di­jo que así fue­ra. Hay tan­tos pro­ble­mas ló­gi­cos en esa afir­ma­ción que va a lle­var un par de pá­rra­fo­s.

Al ser una so­cie­dad más igua­li­ta­ria, hay gru­pos de per­so­nas que pi­den que esa igual­dad se re­fle­je en el len­gua­je.

Es de­ci­r: igual­dad => pro­nom­bres sin gé­ne­ro, no al re­vé­s.

Al afir­mar que "co­mo en Irán no tie­nen pro­nom­bres con gé­ne­ro y de to­das for­mas hay opre­sió­n" eso tie­ne al­gu­na re­le­van­cia en la si­tua­ción lo­cal en Ar­gen­ti­na es­tá co­me­tien­do una bru­ta afir­ma­ción del con­se­cuen­te.

Fi­nal­men­te ... si leen to­do lo que di­jo. Al­guien me ex­pli­ca cuál era el "pun­to que [a ella la] afec­ta fun­da­men­tal­men­te"?

PD: Al­guien que en una pre­sen­ta­ción en un ám­bi­to for­ma­l, pu­dien­do lee­r, es así de im­pro­vi­sa­da e in­co­he­ren­te ... ver­güen­za aje­na.

VMs in small ARM servers

Background (I swear I get to VMs later)

I have been run­ning a per­son­al serv­er at my of­fice for a lit­tle while (See 1 and 2) where I run a num­ber of con­tainer­ized ser­vices.

Since I had it, I want­ed to add a way to eas­i­ly de­ploy my own ex­per­i­men­tal code so I can do quick "server­s" for things I am play­ing with.

I could just cre­ate my code as, say, a flask app and cre­ate con­tain­ers for them and de­ploy them that way, and then add ingress rules in my gate­way and ... it gets ex­haust­ing pret­ty fast.

What I want­ed was a way to run my own Heroku, sor­ta. Just write a bit of code, run a com­mand, have it be avail­able.

Af­ter googling I found a so­lu­tion that did­n't re­quire me to im­ple­ment a k8s clus­ter: faasd. The prom­ise is:

  • Run a shell script to in­stall faasd
  • Write your code as a func­tion
  • Run a com­mand to de­ploy
  • It all runs out of a sin­gle ingress path (ex­cept CORS of course)

So, min­i­mal con­fig, ease of de­ploy­men­t, no need to con­stant tweak­ing of my gate­way. All good!

Ex­cept ... faasd does­n't play along with Dock­er. Both use con­tain­erd and cni and oth­er things as their back­end, and faasd says that re­al­ly, they like spe­cif­ic ver­sions so they should in­stall them, not the sys­tem, and then run­ning dock­er gets pret­ty dicey.

So, I could just get a sec­ond serv­er. It's not like I don't have more small com­put­er­s.

But my serv­er has spare ca­pac­i­ty! So I don't WAN­NA START A SEC­OND SERVER!

Al­so, this is go­ing to of­ten be toy code I have not care­ful­ly vet­ted for se­cu­ri­ty, so it would be bet­ter if it ran in iso­la­tion.

So? I need­ed a VM.

Really, a VM inside a tiny ARM computer

My serv­er is a Radxa Ze­ro. It's small­er than a cred­it card. It has, how­ev­er, 4 cores, and 4GB of RAM, so sure­ly there must be a way to run a VM in it that can iso­late Faasd and let it run its wonky ver­sions of things while the rest of the sys­tem does­n´t care.

And yes, there is!

Fire­crack­er claims that you can start a VM fast, that it has over­head com­pa­ra­ble to a con­tain­er, and that it pro­vides iso­la­tion! It's what Ama­zon us­es for Lamb­da, so it should be enough for me.

On the oth­er hand, Fire­crack­er is a pain if you aren't a freak­ing Ama­zon SRE, which I am re­al­ly not, but ...

Ig­nite is a VM man­ag­er that has a "con­tain­er UX" and can man­age VMs declar­a­tive­ly!

So I set out to run ig­nite on my serv­er. And guess what? It work­s!

It's pack­aged for Arch, which is what I am us­ing, so I just in­stalled it, run a cou­ple of scripts to cre­ate a VM:

[ralsina@pinky faas]$ cat build.sh
#!/bin/sh -x
# Create and configure a VM with faasd in it
set -e

NAME=faas

waitport() {
    while ! nc -z $1 $2 ; do sleep 1 ; done
}

sudo ignite create weaveworks/ignite-ubuntu \
        --cpus 2 \
        --memory 1GB \
        --size 10GB \
        --ssh=id_rsa.pub \
        -p 8082:8081 \
        --name $NAME

sudo ignite vm start $NAME

IP=$(sudo ignite vm ls | grep faas | cut -f9 -d\        )
waitport $IP 22

ssh -o "StrictHostKeyChecking no" root@$IP mkdir -p /var/lib/faasd/secrets
ssh root@$IP "echo $(pass faas.ralsina.me) > /var/lib/faasd/secrets/basic-auth-password"
scp setup.sh root@$IP:
ssh root@$IP sh setup.sh

# Login
export OPENFAAS_URL=http://localhost:8082
ssh root@$IP cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login --password-stdin

# Setup test function
faas-cli store deploy figlet

echo 'Success!' | faas-cli invoke figlet
[ralsina@pinky faas]$ cat setup.sh
#!/bin/sh -x

set -e
apt update
apt upgrade -y
apt install -y git

git clone https://github.com/openfaas/faasd
cd faasd
./hack/install.sh

If you run build.sh it will create a ubuntu-based VM with Faasd installed, start it, map a port to it, setup SSH keys so you can ssh into it, and configure authentication for Faasd so you can log into that too.

Does it work?

In­deed it does!

Are there any problems?

There is one and it's pret­ty bad.

If the server closes badly (and that means: without explicitly shutting down the VM), the VM gets corrupted, every time. It either ends in a "Running" state in ignite while it's dead in containerd, or the network allocation is somehow duplicated and denied, or one of half a dozen other failure states at which point it's easier to remove everything in /var/lib/firecracker and recreate it.

Is it easy to deploy stuff?

You betcha! Here's an example from https://nombres.ralsina.me, if I run build.sh it builds it, deploy.sh deploys it, the actual code is in the busqueda/ and historico/ folders.

It's very sim­ple to write code, and it's very sim­ple to de­ploy.

If I found a bet­ter way to han­dle the VMs I would con­sid­er this fin­ished.

CORS config for FaaS

Be­cause I want to be able to de­ploy ran­dom python code eas­i­ly to my own server, I have set­up a "Func­tion as a Ser­vice" thing, called faasd (think of it as poor peo­ple's AWS lamb­da). More de­tails on how, why and how it turned out will come in the fu­ture. BUT: this ex­plains how to fix the un­avoid­able headache CORS will give you.

Sit­u­a­tion:

  • The Faasd serv­er runs in some ma­chine, which is prox­­ied by a Ng­inx serv­er avail­able at http­s://­­faas­d.ral­si­­na.me

  • Apps are just HTML pages some­where in­­­side ei­ther http­s://ral­si­­na.me or some oth­­er sim­i­lar do­­main.

What will happen?

You will set­up your func­tion, test it out us­ing curl, be hap­py it work­s, then set it up in your web app and get an er­ror in the con­sole about how CORS is not al­low­ing the re­quest.

What is CORS and why is it annoying me?

CORS is a way for a ser­vice liv­ing in a cer­tain URL to say which oth­er URLs are al­lowed to call it. So, if the app are in, say, http­s://nom­bres.ralsi­na.me and the func­tion lives in http­s://­faas.ralsi­na.me then the ORI­GIN for the app is not the same as the ORI­GIN for the func­tion, so this is a "Cross Ori­gin Re­quest" and you are try­ing to do "Cross Ori­gin Re­source Shar­ing" (CORS) and the brows­er won't let you.

How do I fix it?

There are a num­ber of fix­es you can try, but they all come down to the same two ba­sic ap­proach­es:

Option 1

Make it so the re­quest is not cross-­source. To do that, move the func­tion some­how in­to the same URL as the page, and bob's your un­cle.

So, just change the proxy con­fig so nom­bres.ralsi­na.me/­func­tions is prox­ied to the faasd server's /func­tions and change the page to use a re­quest that is not cross-o­rig­in, and that's fixed.

I don't want to do this be­cause I don't want to have to set­up the proxy dif­fer­ent­ly for each ap­p.

Option 2

Have the func­tion re­turn a head­er that says "Ac­cess-­Con­trol-Al­low-O­rig­in: some­thing". That "some­thing" should be the ori­gin of the re­quest (in our ex­am­ple nom­bres.ralsi­na.me) or "*" to say "I don't care".

So, you may say "Fine, I'll just add that head­er in my re­sponse and it will work!". Oh sweet sum­mer child. That will NOT work (at least not in the case of Faas­d)

Why?

Be­cause web browsers don't just make the re­quest they want and then look at the head­er­s. They do a spe­cial pre­flight re­quest, which is some­thing like "Hey, server, if I were to ask you to give me /func­tion­s/what­ev­er from this orig­in, would you give me a CORS per­mis­sion or not?"

That re­quest is done us­ing the OP­TIONS HTTP method, and Faasd (and, to be hon­est, most web frame­work­s) will not process those by pass­ing them to your code.

So, even if your func­tion says CORS is al­lowed, you still will get CORS er­rors.

You can see this if you ex­am­ine your browser's HTTP traf­fic us­ing the de­vel­op­er tool­s. There will be an OP­TIONS pre­flight re­quest, and that one does­n't have the head­er.

So, the eas­i­est thing is to add those in the proxy.

So, in my case, in the prox­y's ng­inx.­con­f, I had to add this in "the right place":

  add_header 'Access-Control-Allow-Origin' '*';

What is the right place will vary de­pend­ing on how you have con­fig­ured things. But hey, there you go.


Contents © 2000-2023 Roberto Alsina