Canonical Voices

What Julian Edwards talks about

bigjools

Why?

I recently had cause to try to get federated logins working on Openstack, using Kerberos as an identity provider. I couldn’t find anything on the Internet that described this in a simple way that is understandable by a relative newbie to Openstack, so this post is attempting to do that, because it has taken me a long time to find and digest all the info scattered around. Unfortunately the actual Openstack docs are a little incoherent at the moment.

Assumptions

  • I’ve tried to get this working on older versions of Openstack but the reality is that unless you’re using Kilo or above it is going to be an uphill task, as the various parts (changes in Keystone and Horizon) don’t really come together until that release.
  • I’m only covering the case of getting this working in devstack.
  • I’m assuming you know a little about Kerberos, but not too much :)
  • I’m assuming you already have a fairly vanilla installation of Kilo devstack in a separate VM or container.
  • I use Ubuntu server. Some things will almost certainly need tweaking for other OSes.

Overview

The federated logins in Openstack work by using Apache modules to provide a remote user ID, rather than credentials in Keystone. This allows for a lot of flexibility but also provides a lot of pain points as there is a huge amount of configuration. The changes described below show how to configure Apache, Horizon and Keystone to do all of this.

Important! Follow these instructions very carefully. Kerberos is extremely fussy, and the configuration in Openstack is rather convoluted.

Pre-requisites

If you don’t already have a Kerberos server, you can install one by following https://help.ubuntu.com/community/Kerberos

The Kerberos server needs a service principal for Apache so that Apache can connect. You need to generate a keytab for Apache, and to do that you need to know the hostname for the container/VM where you are running devstack and Apache. Assuming it’s simply called ‘devstackhost':

$ kadmin -p <your admin principal>
kadmin: addprinc -randkey HTTP/devstackhost
kadmin: ktadd -k keytab.devstackhost HTTP/devstackhost

This will write a file called keytab.devstackhost, you need to copy it to your devstack host under /etc/apache2/auth/

You can test that this works with:

$ kinit -k -t /etc/apache2/auth/keytab.devstackhost HTTP/devstackhost

You may need to install the krb5-user package to get kinit. If there is no problem then the command prompt just reappears with no error. If it fails then check that you got the keytab filename right and that the principal name is correct. You can also try using kinit with a known user to see if the underlying Kerberos install is right (the realm and the key server must have been configured correctly, installing any kerberos package usually prompts to set these up).

Finally, the keytab file must be owned by www-data and read/write only by that user:

$ sudo chown www-data /etc/apache2/auth/keytab.devstackhost
$ sudo chmod 0600 /etc/apache2/auth/keytab.devstackhost

Apache Configuration

Install the Apache Kerberos module:

$ sudo apt-get install libapache2-mod-auth-kerb

Edit the /etc/apache2/sites-enabled/keystone.conf file. You need to make sure the mod_auth_kerb module is installed, and add extra Kerberos config.

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost *:5000>

 ...

 # KERB_ID must match the IdP set in Openstack.
 SetEnv KERB_ID KERB_ID
 
 <Location ~ "kerberos" >
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate on
 KrbServiceName HTTP
 KrbSaveCredentials on
 KrbLocalUserMapping on
 KrbAuthRealms MY-REALM.COM
 Krb5Keytab /etc/apache2/auth/keytab.devstackhost
 KrbMethodK5Passwd on #optional-- if 'off' makes GSSAPI SPNEGO a requirement
 Require valid-user
 </Location>

Note:

  • Don’t forget to edit the KrbAuthRealms setting to your own realm.
  • Don’t forget to edit Krb5Keytab to match your keytab filename
  • Pretty much all browsers don’t support SPNEGO out of the box, so KrbMethodK5Passwd is enabled here which will make the browser pop up one of its own dialogs prompting for credentials (more on that later). If this is off, the browser must support SPNEGO which will fetch the Kerberos credentials from your user environment, assuming the user is already authenticated.
  • If you are using Apache 2.2 (used on Ubuntu 12.04) then KrbServiceName must be configured as HTTP/devstackhost (change devstackhost to match your own host name). This config is so that Apache uses the service principal name that we set up in the Kerberos server above.

Keystone configuration

Federation must be explicitly enabled in the keystone config.
http://docs.openstack.org/developer/keystone/extensions/federation.html explains this, but to summarise:

Edit /etc/keystone/keystone.conf and add the driver:

[federation]
driver = keystone.contrib.federation.backends.sql.Federation
trusted_dashboard = http://devstackhost/auth/websso
sso_callback_template = /etc/keystone/sso_callback_template.html

(Change “devstackhost” again)

Copy the callback template to the right place:

$ cp /opt/stack/keystone/etc/sso_callback_template.html /etc/keystone/

Enable kerberos in the auth section of /etc/keystone/keystone.conf :

[auth]
methods = external,password,token,saml2,kerberos
kerberos = keystone.auth.plugins.mapped.Mapped

Set the remote_id_attribute, which tells Openstack which IdP was used:

[kerberos]
remote_id_attribute = KERB_ID

Add the middleware to keystone-paste.conf. ‘federation_extension’ should be the second last entry in the pipeline:api_v3 entry:

[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3

Now we have to create the database tables for federation:

$ keystone-manage db_sync --extension federation

Openstack Configuration

Federation must use the v3 API in Keystone. Get the Openstack RC file from the API access tab of Access & Security and then source it to get the shell API credentials set up. Then:

$ export OS_AUTH_URL=http://$HOSTNAME:5000/v3
$ export OS_IDENTITY_API_VERSION=3
$ export OS_USERNAME=admin

Test this by trying something like:

$ openstack project list

Now we have to set up the mapping between remote and local users. I’m going to add a new local group and map all remote users to that group. The mapping is defined with a blob of json and it’s currently very badly documented (although if you delve into the keystone unit tests you’ll see a bunch of examples). Start by making a file called add-mapping.json:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {"name": "Default"}
                }
            },
            {
                "group": {
                    "id": "GROUP_ID"
                    }
            }
        ],
        "remote": [
            {
                "type": "REMOTE_USER"
            }
        ]
    }
]

Now we need to add this mapping using the openstack shell.

openstack group create krbusers
openstack role add --project demo --group krbusers member
openstack identity provider create kerb group_id=`openstack group list|grep krbusers|awk '{print $2}'`
cat add-mapping.json|sed s^GROUP_ID^$group_id^ > /tmp/mapping.json
openstack mapping create --rules /tmp/mapping.json kerberos_mapping
openstack federation protocol create --identity-provider kerb --mapping kerberos_mapping kerberos
openstack identity provider set --remote-id KERB_ID kerb

(I’ve left out the command prompt so you can copy and paste this directly)

What did we just do there?

In my investigations, the part above took me the longest to figure out due to the current poor state of the docs. But basically:

  • Create a group krbusers to which all federated users will map
  • Make sure the group is in the demo project
  • Create a new identity provider which is linked to the group we just created (the API frustratingly needs the ID, not the name, hence the shell machinations)
  • Create the new mapping, then link it to a new “protocol” called kerberos which connects the mapping to the identity provider.
  • Finally, make sure the remote ID coming from Apache is linked to the identity provider. This makes sure that any requests from Apache are routed to the correct mapping. (Remember above in the Apache configuration that we set KERB_ID in the request environment? This is an arbitrary label but they need to match.)

After all this, we have a new group in Keystone called krbusers that will contain any user provided by Kerberos.

Ok, we’re nearly there! Onwards to …

Horizon Configuration

Web SSO must be enabled in Horizon. Edit the config at /opt/stack/horizon/openstack_dashboard/local/local_settings.py and make sure the following settings are set at the bottom:

WEBSSO_ENABLED = True

WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("kerberos", _("Kerberos")),
)

WEBSSO_INITIAL_CHOICE="kerberos"

COMPRESS_OFFLINE=True

OPENSTACK_KEYSTONE_DEFAULT_ROLE="Member"

OPENSTACK_HOST="$HOSTNAME"

OPENSTACK_API_VERSIONS = {
"identity": 3
}

OPENSTACK_KEYSTONE_URL="http://$HOSTNAME:5000/v3"

Make sure $HOSTNAME is actually the host name for your devstack instance.

Now, restart apache

$ sudo service apache2 restart

and you should be able to test that the federation part of Keystone is working by visiting this URL

http://$HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/kerb/protocols/kerberos/auth

You’ll get a load of json back if it worked OK.

You can now test the websso part of Horizon by going here:

http://$HOSTNAME:5000/v3/auth/OS-FEDERATION/websso/kerberos?origin=http://$HOSTNAME/auth/websso/

You should get a browser dialog which asks for Kerberos credentials, and if you get through this OK you’ll see the sso_callback_template returned to the browser.

Trying it out!

If you don’t have any users in your Kerberos realm, it’s easy to add one:

$ ktadmin
ktadmin: addprinc -randkey <NEW USER NAME>
ktadmin: cpw -pw <NEW PASSWORD> <NEW USER NAME>

Now visit your Openstack dashboard and you should see something like this:

kerblogin

Click “Connect” and log in and you should be all set.


Read more
bigjools

New MAAS features in 1.7.0

MAAS 1.7.0 is close to its release date, which is set to coincide with Ubuntu 14.10’s release.

The development team has been hard at work and knocked out some amazing new features and improvements. Let me take you through some of them!

UI-based boot image imports

Previously, MAAS used to require admins to configure (well, hand-hack) a yaml file on each cluster controller that specified precisely which OSes, release and architectures to import. This has all been replaced with a very smooth new API that lets you simply click and go.

New image import configuration page

Click for bigger version

The different images available are driven by a “simplestreams” data feed maintained by Canonical. What you see here is a representation of what’s available and supported.

Any previously-imported images also show on this page, and you can see how much space they are taking up, and how many nodes got deployed using each image. All the imported images are automatically synced across the cluster controllers.

image-import

Once a new selection is clicked, “Apply changes” kicks off the import. You can see that the progress is tracked right here.

(There’s a little more work left for us to do to track the percentage downloaded.)

Robustness and event logs

MAAS now monitors nodes as they are deploying and lets you know exactly what’s going on by showing you an event log that contains all the important events during the deployment cycle.

node-start-log

You can see here that this node has been allocated to a user and started up.

Previously, MAAS would have said “okay, over to you, I don’t care any more” at this point, which was pretty useless when things start going wrong (and it’s not just hardware that goes wrong, preseeds often fail).

So now, the node’s status shows “Deploying” and you can see the new event log at the bottom of the node page that shows these actions starting to take place.

After a while, more events arrive and are logged:

node-start-log2

And eventually it’s completely deployed and ready to use:

node-start-log3

You’ll notice how quick this process is nowadays.  Awesome!

More network support

MAAS has nascent support for tracking networks/subnets and attached devices. Changes in this release add a couple of neat things: Cluster interfaces automatically have their networks registered in the Networks tab (“master-eth0″ in the image), and any node network interfaces known to be attached to any of these networks are automatically linked (see the “attached nodes” column).  This makes even less work for admins to set up things, and easier for users to rely on networking constraints when allocating nodes over the API.

networks

Power monitoring

MAAS is now tracking whether the power is applied or not to your nodes, right in the node listing.  Black means off, green means on, and red means there was an error trying to find out.

powermon

Bugs squashed!

With well over 100 bugs squashed, this will be a well-received release.  I’ll post again when it’s out.


Read more
bigjools

While setting up my new NUCs to use with MAAS as a development deployment tool, I got very, very frustrated with the initial experience so I thought I’d write up some key things here so that others may benefit — especially if you are using MAAS.

First hurdle — when you hit ctrl-P at the boot screen it is likely to not work. This is because you need to disable the num lock.

Second hurdle — when you go and enable the AMT features it asks for a new password, but doesn’t tell you that it needs to contain upper case, lower case, numbers AND punctuation.

Third hurdle — if you want to use it headless like me, it’s a good idea to enable the VNC server.  You can do that with this script:

AMT_PASSWORD=<fill me in>
VNC_PASSWORD=<fill me in>
IP=N.N.N.N
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h ${IP} -P 16992 -u admin -p ${AMT_PASSWORD} -k RFBPassword=${VNC_PASSWORD} &&\
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h ${IP} -P 16992 -u admin -p ${AMT_PASSWORD} -k Is5900PortEnabled=true &&\
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h ${IP} -P 16992 -u admin -p ${AMT_PASSWORD} -k OptInPolicy=false &&\
wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h ${IP} -P 16992 -u admin -p ${AMT_PASSWORD} -k SessionTimeout=0 &&\
wsman invoke -a RequestStateChange http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP -h ${IP} -P 16992 -u admin -p ${AMT_PASSWORD} -k RequestedState=2

(wsman comes from the wsmancli package)

But there is yet another gotcha!  The VNC_PASSWORD must be no more than 8 characters and still meet the same requirements as the AMT password.

Once this is all done you should be all set to use this very fast machine with MAAS.


Read more
bigjools

Relapsed again

It seemed too good to be true after my last post, and it was.  Within days I had relapsed after finishing the last course of Bactrim my symptoms were back, worse than ever.  So bad, that I had a trip to hospital courtesy of an ambulance which had to be called because I was in so much pain.  Oh sweet, sweet morphine, you are a cruel mistress.

The Bactrim was only holding the Bartonella at bay, it seems. My LLMD has now put me on a month’s worth of Ciprofloxacin, after verifying that a sore tendon was not too damaged.  Why do that?  Well, Cipro screws up tendons and ligaments if you take it too long so I had to verify that things were OK to start with.  I also have to take it easy and not exert myself too much in case I damage weakened tendons.

The one piece of good news is that a recent endoscopy showed no fungal infection from all the antibiotics I’ve been taking.  Unfortunately an echo test on my heart still shows a lot of fluid in the pericardial sac and I still have a huge amount of pain there which keeps me awake at night.

Because of all this, I am sad to be missing a work function in Austin this week, but it would have been foolish to travel with the tendon risk (moving my luggage would be a problem), my high levels of fatigue, and not to mention the pericardial fluid can become life-threatening at any time.


Read more
bigjools

My Road Through Hell

 

Hell

I’ve now been on treatment for Lyme disease for a little over twelve months.  Without a doubt, this has been the worst twelve months of my entire life.  It’s almost impossible to convey the range of pain that I have endured, the mental anguish, and the struggle to find the will to live.

Six months ago I was about at rock bottom.  I was going trough herxes from hell, suffering from heart complications including cardiac pauses (my heart would stop for several seconds at a time), and headaches that felt like someone was driving a pick axe into my skull. Then there was the brain fog; the confusion and memory loss that left me feeling stupid and helpless in front of people who just didn’t understand how I could not remember simple things I had talked about with them only a few hours ago.

On top of that, I had extreme fatigue that left me unable to climb the stairs at home without stopping every few steps to get my strength back in my legs.  Many of my days have been spent as a quivering mess on the floor, unable to speak, move or do anything because I was in so much pain and close to passing out.

In short, I was pretty fucked and thought I was about to die at any time.

Then I discovered an antibiotic that was actually making a difference to my heart symptoms—it’s called Bactrim (or Trimethoprim/sulfamethoxazole to give it its full name).  I started taking it in late December and two weeks later I was heart symptom free!  The course of drugs then ran out (I had 4 weeks’ worth) and ten days later I had relapsed and was getting chest pains and palpitations again.  I started another month’s course and felt better again after a couple of weeks, so it was clear that this drug was doing something to help me with my Bartonella infection.

It struck me that I have been so ill for a long time that I hadn’t really noticed that I was slowly getting better lately.  At least I hope I am getting better — I’m now at a “wait and see” stage after having stopped the Bactrim for a second time and hoping to hell that I don’t have another relapse.  I’m probably about 50% better than I was a year ago, I now have to wait for the last remnants of the Lyme and Bartonella bacteria to be driven out of my system.


Read more
bigjools

True Words

Originally posted on My Color Is Lyme:

True Words

Wake up call

View original


Read more
bigjools

In utero

My 2nd son (6 years old) tested positive on the Western Blot for Lyme.  I was always a bit suspicious and now my fears are confirmed.  He had a few signs, like dark circles around his eyes, a raging thirst all the time, and behavioural problems.

He is most likely to have got it in utero, which also probably means that my wife and our youngest two twins have it (they have dark circles under their eyes too).  Thankfully my eldest seems asymptomatic.

Under advice from my doctor, I’m trying number two out with some Samento and Banderol. He says we should see an improvement in behaviour in 4-6 weeks and then we can consider moving on to antibiotics.

As for the wife – once I am stable we’ll try her out with some doxycycline to see if she herxes.  We don’t want her debilitated by treatment at the same time as me…


Read more
bigjools

I have had a reasonable amount of success with the Rifampicin.  My heart palpitations pretty much stopped over the course of a couple of weeks and stayed away until the end of that prescription.  My doctor put me on a doubled dose for another 6 weeks so let’s see how that goes…

In the meantime, the palpitations came back a little.  I’m not sure whether this is because I had a 4 day gap between courses or whether it’s part of a herx or otherwise caused by the increased dose.

I’m committed to flying across the Pacific at the weekend (I’m going to San Francisco for a week) — I hope I don’t get an attack on the plane :(


Read more
bigjools

Rifampicin

Just started a new antibiotic called rifampicin. Getting an immediate and very powerful herx from it. Looking forward to another two week headache… :-/


Read more
bigjools

Rifampicin

Just started a new antibiotic called rifampicin. Getting an immediate and very powerful herx from it. Looking forward to another two week headache… :-/


Read more
bigjools

Unscheduled hospital visits…

… yeah, so I had some really bad heart palpitations 2 nights ago and ended up calling an ambulance at 1am.  This has been happening quite a lot in the evenings lately, but this time it was unbearably painful.

Long story short, seems like the bartonella is causing huge ectopic beats as it interferes with electrical impulses in the body.  I’ll be seeing a specialist next week to see if I can find a way of minimising problems before starting rifampicin.


Read more
bigjools

The daily grind

image


Read more
bigjools

It’s obvious from talking to a few people that hardly anyone understands what having chronic Lyme disease means.  This is not surprising as I barely knew myself until a few months ago — but I have educated myself through a lot of research and speaking to my specialist doctor.

I’m going to try to attempt to describe what this is all about and what I am going through, in the hope of spreading understanding.  Make no mistake, I am not looking for sympathy, just for people to understand.

What it is

Lyme is an evil and clever bacteria called Borrelia.  It uses resist and evasion tactics that any SWAT team would be proud of by hiding in muscles, bone, cartilage and crosses the blood-brain-barrier to hide deep in brain tissue.  It also changes form when under attack and builds itself a wall to resist antibiotics.

This is NOT a 30 day antibiotic course disease, it takes months and often years to eradicate.

What it does

Lyme is often called The Great Imitator.  It has so many symptoms that unless they are taken as a whole it’s incredibly easy to misdiagnose.  And sadly that is what is happening across the world.  I recently heard that 80% of patients diagnosed with M.E. who had a test for Lyme were positive for it.

Here’s a selection of my particular symptoms, but this is by no means exhaustive:

  • Extreme fatigue, with aching muscles and no energy
  • Bone and joint pain with stiffness, often misdiagnosed as arthritis
  • Many, many neurological symptoms: forgetfulness (I sometimes fail to recall the name of someone I’ve known most of my life), poor concentration levels, massive headaches, nausea, faintness, anxiety, depression, impulsiveness, mood swings
  • Insomnia
  • Tinnitus
  • Muscle twitching
  • Blurry vision and “floaters”
  • Pink eye

What is a co-infection

Almost everyone who has Lyme also has a co-infection. This is additional bacteria that are contracted in the same tick bite that delivers the Lyme.  I have something called Bartonella which is responsible for some very nasty symptoms, one of which is life-threatening:

  • Burning in feet and foot pain (often misdiagnosed as plantar fasciitis)
  • Swollen, painful lymph nodes
  • Skin rashes
  • Heart problems, pericarditis

The last of these is one of my biggest problems and the reason I am not travelling for work right now.  Pericarditis is a swelling of the pericardium, the sac around the heart. It also traps fluid which is known as a pericardial effusion.  This is a serious issue – if the fluid becomes too much it prevents the heart from beating efficiently and eventually makes it stop.

This condition is responsible for missed beats, palpitations and extreme pain.  When I say extreme, I’m talking nothing like I have experienced before.  The pain and palpitations will come and go at random and when it kicks off I feel the blood draining from my head and I have to lie still for anything from 15 minutes to 4 hours or more, before it goes away.

What is the treatment

There are many strains of the bacteria and treatment is somewhat of an art as much as it is a science.  As I previously mentioned, the Borellia will shift form.  Its main form is a spirochete but it also takes a non-cell wall form (cell walls are what antibiotics work on) and a dormant cyst form.  All of these forms have to be taken care of to ensure it doesn’t come back.

The treatment I am on is a variety of anti-malarial, antibiotic and herbal supplements.

The treatment is worse than the disease

That’s right – the treatment makes everything worse.  Much worse.  As the bacteria die off, they dump endotoxins into your blood stream which triggers many things:

  • Exacerbation of existing symptoms
  • Flu-like symptoms with huge headaches
  • Pain, pain and more pain

This is called a herxheimer reaction, or herx for short.

I have to cope with this by constant detoxing.  I take a few different detoxing supplements and have to drink in the region of 4 litres of water a day to flush my system out.  I have learned that when I am experiencing a herx, I become a zombie and cannot function at all.

In addition, I am completely intolerant to alcohol, I will get an awful headache within 5 minutes of a drink.  Life and soul of the party, me!

Outlook

I am hopeful that I will resolve everything eventually but I know it will take me personally another year or two before I am better.  In the meantime, I feel like something is stealing my life away from me, but I have to remain strong.  I have a family to take care of.


Read more
bigjools

A few years ago I wrote a contrib script for Launchpad’s launchpadlib called ‘close-my-bugs.py’ which attempted to close (aka mark them ‘fix released’) all of your bugs in a project that were targeted to a particular milestone.

For various reasons it grew out of date and when I needed to use it recently, it didn’t work!  Long story short, I just fixed it up and added a couple of new features:

  • You can optionally close just your own bugs, or all the bugs in the milestone
  • You can search for bugtasks targeted against a series in your project (these are not normally picked up when searching in a project’s milestone)

You can grab the code here:

bzr branch lp:launchpadlib

contrib/close-my-bugs.py

Read more
bigjools

An update on my progress.  I’m now taking all of Plaquenil (hydroxychloroquine), Akamin (minocycline) and Bactrim (sulfamethoxazole and trimethoprim).  The latter one is relatively new and is to treat the Bartonella co-infection that I have.

I’m not sure if it’s the drugs, the disease or a new herx, but my pericarditis pain is now at new levels and is accompanied with extreme light-headedness to the point of almost losing consciousness.

In addition, I am getting some peeling skin as a side-effect from the Bactrim so I need to reduce its dose.

This disease sucks.


Read more
bigjools

Co-Infection

It turns out I have a co-infection of Bartonella which is most likely to be the thing responsible for the pericarditis.  I get to start on Bactrim this week.  Lovely.

In other news, I have a second herx starting. :(


Read more
bigjools

Herx Force One

ImageI appear to be having a major “herx” reaction to my meds. This is apparently “good” because it means the drugs are working.

Basically, it’s a result of the bacteria dying and spilling their guts into my blood stream – their guts are basically endotoxins to which my immune system suddenly goes “WOOOOAAA!” and kicks off a massive street fight in my body. The symptoms of that are basically huge headaches, mental confusion, fatigue and insomnia. I can say without reservation, yes, they are the fucking symptoms.


Read more
bigjools

Error handling in Go

There’s been a debate raging in some corners of the internet lately about how superior Go‘s error handling is to other languages.  I am going to address some of the points made, here:

Claim 1: It’s impossible to ignore errors in Go, they are “in your face”

This is patently false.  Take this example:

fmt.Println("Hello world")

Pretty innocuous wouldn’t you say?  Well let’s take a look at the language documentation for fmt.Println:

// Println formats using the default formats for its operands and writes to standard output.
// Spaces are always added between operands and a newline is appended.
// It returns the number of bytes written and any write error encountered.
func Println(a ...interface{}) (n int, err error)

So Println can return an error!  Where did we check it?  Well, we didn’t.  Any other claims that it’s OK to ignore it in this case further strengthen my argument.

Some will say that it’s a deliberate choice to ignore the error and I deserve all I get. Well, was it? I didn’t even know that Println returned an error until I looked at the documentation (and who is going to do that for Println?). And that’s the point, if I need to look at the documentation to see that it can return an error, then if I am using a language that raises exceptions I will have also seen its documentation about how it deals with errors.

You could even argue that an exception is superior in this case.  With Go, the code will march on regardless, oblivious to the fact that Println failed.  With exceptions, it’ll fail and show you exactly where it failed.

The language will error at compile time if you try to ignore an error returned as a second value and you only take the first.  But this is trivially bypassed by assigning it to _, which when reading code is easily missed compared to the exception style of “catching then dropping”, because Go itself encourages this style of assigning to _ with its own range statement as a deliberate way of ignoring things that the language is trying to force you to see.

So really in both cases, ignoring the error doesn’t really stand out as wrong.

Here’s a concrete example in Go I was recently shown:

w := bufio.NewWriter(os.Stdout)
for _, name := range ListAll(conf) {
    fmt.Fprintln(w, name)
}
w.Flush()
return

As you can see, the caller completely forgot to check the error returned from Fprintln and Flush and there would be no compiler warning about it.

Claim 2: Exceptions teach developers to not care about errors

Citing an example where someone didn’t catch an exception and the code consequently blew up is really not a good example of this claim.  It’s a bug, for sure and you get a full traceback of your error in the resulting exception, which is handy.  You go away and fix it quickly based on that info.

If I am in the same situation with Go and I ignore a returned error from a function, at some point (which is likely to be nowhere near the place where the error occurred) my code will blow up.  I’ll have to run up the debugger to try and find out where it really occurred though.

Because unused variables in Go are a compile-time error, it’s actively discouraging you from assigning the result of the function to a variable (or you can deal with it, of course).  For anyone who’s not read the full documentation for a function call or missed its return value (we’re all human) as I said above – you’re not even going to notice that you missed it.

Based on this, I can see no difference at all that suggests one way or the other teaches developers to not care about errors.  Developers do care about errors, really, but bugs creep in however careful you are.  And when they do, I’d rather have a decent indication of where the bug is.

Other parts of error handling that I dislike

When you look at the average Go program, you will see a lot of this:

if err != nil {
  return nil, err

This is the recommended way of error handling in in Go.  But this is not error handling, it’s error propagation.  In nearly all languages there will arise situations where in well-factored code you have a low-level error that you need to pass right back up to the entry point for the caller. That means you need this error propagation code in every single place where you check for errors.  There’s no syntactic sugar, just the same three lines everywhere.

For me, this vastly decreases the readability of the code. This is where exceptions excel because inside my own library I can factor the bejeesus out of it into many small functions and if I need to return an error, I just catch a lower-level exception in the top-level function and return something else.  You can do this in Go with a panic(), but it seems to be discouraged.  Panic() feels almost exactly like using exceptions, only the syntax is worse. If Go’s style is to encourage people to handle errors like this, it needs the sugar.

Conclusion

Many people might think that I completely hate Go’s error handling from this post.  That’s not strictly true – I don’t hate it, I just think it can be improved.  I challenge assumptions that I see which state that Go’s error handling is superior in some way, when as far as I can see it’s not that different from other languages in terms of usefulness.

Go is clearly in its infancy.  Most languages will have started out with youthful enthusiasm and realised that some change was needed.  These languages are the successful ones where developers enjoy coding in it and feel productive.  I hope that Go embraces change as it matures and attracts more developers.

I welcome comments on this post – unlike some people I won’t censor them or delete ones I can’t argue with (unless they are outright abusive and use foul language, this is a family blog!).


Read more
bigjools

Headaches

I’ve been experiencing bad headaches all week and today’s is awful.  I don’t know if it’s the drugs starting to work and causing a herx or if I just have a headache from the disease. 400mg of Ibuprofen 2.5 hours ago hasn’t helped much :(


Read more