Web Excursions 2021-04-10
[Post of The Day] Docker without Docker
What's An OCI Image?
OCI is the standardized container format used by Docker
An OCI image is just a stack of tarballs.
A useful way to look at a Dockerfile is as a series of shell commands, each generating a tarball; we call these "layers". To rehydrate a container from its image, we just start with the first layer and unpack each subsequent one on top of it.
You can write a shell script to pull a Docker container from its registry
Unpack the tarballs in order and youâve got the filesystem layout the container expects to run in.
Pull the "config" JSON and you've got the entrypoint to run for the container; you could, I guess, pull and run a Docker container with nothing but a shell script
Unix tar is problematic.
tar isnât well standardized,
can be unpredictable,
and is bad at random access and incremental updates.
OCI containers share a security footgun with git repositories: it's easy to accidentally build a secret into a public container, and then inadvertently hide it with an update in a later image.
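The two points above (rehydrating a filesystem by unpacking layers in order, and a secret that a later layer only appears to remove) as an added shell example; this is not code from the Fly.io post. It constructs a two-layer image with plain tar, applies the layers while honouring OCI whiteout entries, and then scans every layer tarball rather than only the merged tree. The file names, the `hunter2` secret and the layer contents are constructed for the demonstration; the `.wh.<name>` whiteout convention is the one the OCI image layer spec uses for deletions.

```shell
#!/bin/sh
# Added example (not from the Fly.io post): an OCI image as a stack of tarballs.
# Layer 1 bakes a secret into the filesystem; layer 2 "deletes" it. In the OCI
# layer format a deletion is recorded as a whiteout entry named .wh.<name>, so
# the bytes are still inside layer 1's tarball. Needs only tar, find and grep.
set -eu

# Build a constructed two-layer image under $1: $1/layers/1.tar and $1/layers/2.tar.
build_demo_image() {
  work=$1
  mkdir -p "$work/l1/app" "$work/l2/app" "$work/layers"
  printf 'AWS_SECRET_ACCESS_KEY=hunter2\n' > "$work/l1/app/.env"   # constructed secret
  printf 'print("hello")\n' > "$work/l1/app/main.py"
  tar -C "$work/l1" -cf "$work/layers/1.tar" .
  # A later "RUN rm app/.env" becomes a whiteout marker in layer 2; layer 1 is untouched.
  : > "$work/l2/app/.wh..env"
  tar -C "$work/l2" -cf "$work/layers/2.tar" .
}

# Rehydrate a root filesystem in $1 from the layer tarballs that follow, in order.
# Each .wh.<name> entry deletes <name> inherited from lower layers, then the marker
# itself is dropped. (Opaque-directory markers, .wh..wh..opq, are not handled here.)
apply_layers() {
  rootfs=$1; shift
  mkdir -p "$rootfs"
  for layer in "$@"; do
    tar -C "$rootfs" -xf "$layer"
    find "$rootfs" -name '.wh.*' -print | while read -r marker; do
      name=$(basename "$marker")
      rm -rf "$(dirname "$marker")/${name#.wh.}" "$marker"
    done
  done
}

# Search the contents of every layer tarball for a pattern. Returns 0 if any layer
# matches: this is what a scan of the merged rootfs alone would miss.
scan_layers() {
  pattern=$1; shift
  hits=0
  for layer in "$@"; do
    if tar -xOf "$layer" 2>/dev/null | grep -q -- "$pattern"; then
      echo "$layer: matches '$pattern'"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

main() {
  work=$(mktemp -d)
  build_demo_image "$work"
  apply_layers "$work/rootfs" "$work/layers/1.tar" "$work/layers/2.tar"
  if [ -e "$work/rootfs/app/.env" ]; then
    echo "merged rootfs still has app/.env"
  else
    echo "merged rootfs: app/.env is gone"
  fi
  scan_layers hunter2 "$work/layers/1.tar" "$work/layers/2.tar" || echo "no layer matches"
  rm -rf "$work"
}
main
```

The merged tree looks clean, but `scan_layers` still reports the first tarball, because a registry serves every layer blob to anyone who can pull the image. The practical check is to scan each layer (or the image's history) before pushing, and to treat a secret that ever landed in a pushed layer as compromised, exactly as with a git commit that was later "removed".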
Multi-Tenant Repositories
We host a Docker registry our users push to.
Running an instance of the Docker registry is very easy. You can do it right now:
docker pull registry && docker run registry
Our users drive Fly.io with a command line utility called flyctl. On the server side, we started out simple: we ran an instance of the standard Docker registry with an authorizing proxy in front of it.
What we do now: instead of running a vanilla Docker registry, we built a custom repository server.
Our custom server isnât architecturally that different from the vanilla registry/proxy system we had before.
We wrap the Docker registry API handlers with authorizer middleware that checks tokens, references, and rewrites repository names.
Building And Running VMs
A container image is just a stack of tarballs and a blob of configuration (we layer additional configuration in as well).
The tarballs expand to a directory tree for the VM to run in,
and the configuration tells us what binary in that filesystem to run when the VM starts.
What Firecracker wants is a set of block devices that Linux will mount as it boots up.
How we used to do things.
Take a directory tree and turn it into a block device: create a file-backed loop device, and copy the directory tree into it.
This system worked, but wasn't especially fast.
A big problem for us was caching
What we do now is
Run, on each of our servers, an instance of containerd. containerd does a whole bunch of stuff, but we use it as a cache.
Sometime over the last 20 years, the block device layer in Linux got interesting.
LVM2 can pool raw block devices and create synthetic block devices on top of them.
It can treat block device sizes as an abstraction,
chopping a 1TB block device into 1,000 5GB synthetic devices
(so long as you don't actually use 5GB on all those devices!).
And it can create snapshots,
preserving the blocks on a device in another synthetic device,
and sharing those blocks among related devices with copy-on-write semantics.
containerd knows how to drive all this LVM2 stuff
Conclusion
That's about half the idea behind Fly.io.
We run server hardware in racks around the world; those servers are tied together with an orchestration system that plugs into our API.
Our CLI, flyctl, uses Docker's tooling to push OCI images to us. Our orchestration system sends messages to servers to convert those OCI images to VMs.
The other "half" of Fly is our Anycast network, which is a CDN built in Rust that uses BGP4 Anycast routing to direct traffic to the nearest instance of your application.
Why uBlock Origin works best on Firefox
CNAME-uncloaking: Ability to uncloak 3rd-party servers disguised as 1st-party through the use of CNAME records. The effect of this is to make uBO on Firefox the most efficient at blocking 3rd-party trackers relative to other browser/blocker pairs.
HTML filtering: ability to filter the response body of HTML documents before it is parsed by the browser.
Blocking at browser launch: especially important for whoever uses default-deny mode for 3rd-party resources and/or JavaScript.
This is not the case with Chromium-based browsers
Pre-fetching, which is disabled by default in uBO, is reliably prevented in Firefox, while this is not the case in Chromium-based browsers.
WebAssembly code for core filtering code paths.
This is not the case with Chromium-based browsers
because this would require an extra permission in the extension manifest
which could cause friction when publishing the extension in the Chrome Web Store.
LZ4 compression by default to store raw filter lists, compiled list data, and memory snapshots to disk storage.
Why Keyboard Shortcuts don't work on non-US Layouts and how Devs could fix it
Do you use an international keyboard layout? Then you already know what I am talking about.
You probably have had some issues typing keyboard shortcuts such as alt+/, or cmd+[.
Examples of Broken Apps
web applications are becoming increasingly complex, and they are rapidly replacing desktop applications, making this problem bigger by the day.
A very common shortcut is / for accessing search functionality. Unfortunately, there is no /-key on most international layouts.
Similarly painful is when Electron apps use [ and ] for navigating backwards and forwards.
For some reason, Google manages to handle international layouts correctly in Gmail, but fails to do so in any of its other applications.
Another, almost funny example is Figma, the popular web-based vector-graphics editor.
So many people complained that there is now a dedicated site with workarounds for different layouts.
This complaint in the Asana forums is funny too.
They made some specific adjustments for some layouts,
only to give up in the end and say that they will still not support more exotic layouts.
There are also plenty of complaints for Notion
Why is this happening?
the underlying technical issues are rather trivial
Web applications use JavaScript to process keyboard shortcuts.
To do that, they listen to keyboard events that are emitted by your browser whenever you press a key. That's where it gets a little messy:
three different events are associated with a single button press: keydown, keypress and keyup. Most applications use a JavaScript library that handles all these things for them, primarily HotKeys.js or Mousetrap.
all three properties are deprecated
These event properties are simply not suited for finding out which character was pressed, at least when used with keydown or keyup.
To cite the MDN web docs:
Web developers shouldn't use the keyCode attribute for printable characters when handling keydown and keyup events. The keyCode attribute is not useful for printable characters, especially those input with the Shift or Alt key pressed. When implementing a shortcut key handler, the keypress event is usually better.
If you want to see which button presses produce which event properties, you can use this neat little web tool: https://w3c.github.io/uievents/tools/key-event-viewer.html
the keypress event usually produces the correct code on any layout.
Unfortunately, this event is deprecated as a whole and comes with its own problems.
How you can do better
Simple Workarounds
Do not use special characters for your keyboard shortcuts.
Provide Alternatives
if you have / as your shortcut for focusing the search field because your US users are accustomed to this behavior, just add alt+s as an alternative for international users.
Some US users might welcome this change as well:
alt+s can be typed with just the left hand, while / requires people to take their hand off the mouse.
Technical Fixes
Actually make the shortcuts work with any keyboard layout.
when the key combination is alt+/, the shortcut should be triggered when a German layout user presses alt+shift+7.
With Mousetrap, all you need to do is listen to the keypress events instead of keydown.
minor downside
make some shortcuts tedious to type on some layouts
potential for shortcut conflicts
staying away from the Shift modifier when defining your bindings.
use the key attribute, or even play around with the experimental keyboard.getLayoutMap API. Allow users to change the default key bindings:
store them in your database, pull them out when a user logs in, and pass them to your shortcut processing library.
Why Students Are Logging In to Class From 7,000 Miles Away - The New York Times
In the midst of the pandemic, in a year when almost nothing about school has been normal, administrators and teachers are grappling with a fresh layer of complexity: students accessing virtual classes from outside the United States.
Faced with pandemic-related financial strain at home or the health needs of relatives abroad, some students in immigrant communities are logging in to school from thousands of miles away.
Some families said they took advantage of the newfound mobility afforded by remote instruction to plan extended visits with relatives they had not seen in years.
Others have temporarily left the country to care for sick relatives,
and some have told principals and teachers that they sent their children abroad because they needed help with child care to continue working at jobs that cannot be done from home.
if they've gone someplace where they need to log in at 2 a.m., that doesn't seem ideal.
States have residency rules that require students to live in the district where they attend school.
But offering flexibility related to a childâs physical location during virtual instruction is appropriate and legal,
so long as the child has a residence in the district and plans to return
In New York City, officials said it was possible for students to log in from anywhere in the world without special clearance.
after a series of "Zoom bombs" (interruptions by strangers who hacked into several online classes), Carteret, N.J. began blocking access from IP addresses outside the United States in mid-March
The New Saturday Night
That's the thing about Saturday night: it's a time of mythic potential and mundane reality. It's a fantasy space that only opens at the height of the weekend. Nestled protectively between two days free from work, it represents the fleeting opportunity for pure self-fulfillment. It's the night when we can make ourselves believe that anything could happen, even though it hardly ever does.