I did write some software which I use every day: a Docker registry wrapper with e-commerce features (I’m not sure I highly recommend using it, as I won’t find time to maintain it), a video game which needs much more time spent on it, and continued work on my radio software for my art project, 24 Hours of Radio.

I started my sabbatical in June, and whilst I was away from work a massive AI-aided software development revolution took place. The registry wrapper that took me months could be done in hours when vibe coded. My return to work has been fun, but having to pick up this tech quite quickly has left me with a bit of shock. With senior leadership and Tech Leads remarking, “in a couple years no one will be writing code”. And weirdly, I believe them. I needed a weather widget for another project, and instead of it taking a weekend to put together, Cursor did it for me in two hours. I feel some guilt about that, but I don’t wash my clothes by hand anymore either.

This post isn’t about AI, by the way.

Journalism

Filling the silence on 24 Hours of Radio isn’t going at any particular rate. In fact, on some days it will be less than the day before because I’ve ended up doing a daily show that I replace each day.

The Morning Briefing started at the end of December as a Radio exclusive, where I spoke about the weather for cycling, an event in Nottingham, and some tech news. The tech news would later turn into Nottingham news, as I realised investigating Bitcoin and hacked social networks wasn’t all that interesting to me.

Since then, it felt a bit of a shame to not have that content so ethemeral, so I’ve been working on www.morningbriefing.org.

Over the past week or so, I’ve tried to merge the event and the news item so I end up with more traditional articles with one topic. Still an event but the “news” for the Briefing is trying to find an angle for the event that’s highly relevant to Nottingham. Even if you’re not going, you’ve still learnt something about your home.

I started that project at the end of my sabbatical, over Christmas. If I had started it in June, I imagine my life would be quite different right now.

Journalism - even the kind of event and civic news I’m doing - takes a lot of work. Take today’s Briefing as an example: a comedy event in Nottingham. Yesterday was an especially busy day which found me still writing that Briefing at midnight. (For context, I’m usually in bed by 11.) Due to that, I didn’t have enough time to find a strong enough hook. I did mention the Nottingham Comedy Festival, but it would have been nice to call them and ask more about them.

The investigation is very, very fun. There’s the same kind of problem solving that you find in software development. I’ve had to dig around masses of data to find part of the story I need, where the data isn’t code by a freedom of information request about bicycle thefts. Digging for a hook is quite fun - that’s very much “what does the end user need from this?”.

I’ve been able to speak to lots of people that I’d never have the opportunity to in a normal day-to-day routine. People who run charities, community clubs, business owners, and musicians. Turns out, given an excuse, people love talking about their thing. And it’s fun hearing it.

There are proper, civic, news stories around Nottingham that need covering. Nottinghamshire County Council recently signed off on a report deciding how the council should use AI, but skipped over all the “risks” the report mentioned. Nottingham Police recently told me that “they prefer education over action” when it comes to unlawful e-scooters on the roads (and pavements), despite there being three quite serious incidents involving them including a death recently. Nottingham City are making life very difficult for the people of Victoria Market, in an attempt to force them out of their lease. The War Memorial cemetery is literally falling apart, with subsided graves and toppled headstones. Just today, someone emailed me with concerns that the City Council is reluctant to give a statement on a particular matter - a story of genuine civic importance.

None of these stories are covered well enough by Reach PLC, the only mass market journalistic organisation around.

They all require time to investigate, on top of the daily Briefing. I can cram them in at weekends, but not enough to do them justice (literally, in some cases).

It’s just frustrating because I’m quite enjoying it, I genuinely think it’s a worthwhile project for Nottingham, but I have not enough time.

There are solutions I’m thinking on, but none which aren’t seismic in nature. At this point, I feel it would but stupid, rather than brave, to go all in on this. Maybe I’m wrong on that.

Double checking there actually is a bug is the first thing to do here. Are there actually multiple tags for that image? Lets force some to make sure.

shane@macbook tollport/ (main) % docker build . --tag localhost:5500/tollport:latest --tag localhost:5500/tollport:foobar
[... succesful build]
shane@macbook tollport/ (main) % docker image ls | grep "localhost:5500/tollport"
localhost:5500/tollport                         foobar            e56d8f086145   41 seconds ago   996MB
localhost:5500/tollport                         latest            e56d8f086145   41 seconds ago   996MB
shane@macbook tollport/ (main) % docker push localhost:5500/tollport --all-tags
The push refers to repository [localhost:5500/tollport]
4ce9944a219f: Pushed
[...]
foobar: digest: sha256:5ad2945213f1dbfea3d478bf7e27704c5e7e71a4779c3675ce280a6e71878e03 size: 2422
4ce9944a219f: Pushed
[...]
latest: digest: sha256:5ad2945213f1dbfea3d478bf7e27704c5e7e71a4779c3675ce280a6e71878e03 size: 2422

Definitely two tags there now. How’s that dropdown looking? → Still just the default ‘latest’ value in there. That confirms our bug.

How am I expecting that dropdown list to get populated?

  # app/controllers/repositories_controller.rb
  def show
    tags = Distribution::RepositoryTags.new(repository, current_user).tags
    tags = [ "latest" ] if tags.empty?

    render :show, locals: {
      repository:,
      tags:
    }
  end
  
  # app/lib/distribution/repository_tags.rb
  ENDPOINT = "/v2/<name>/tags/list".freeze

  def tags
    tags_response = client.get(endpoint)

    tags_response.fetch("tags", [])
  end

Since we’re seeing the default “latest” value only, we can fairly assume that we’re hitting the second argument of that fetch: whatever the client is returning, it doesn’t have any tags in it. What is it actually returning? Some jiggery-pokery is required to see the request response, so excuse this.

shane@macbook tollport/ (main) % docker compose exec -it web bin/rails c
Loading development environment (Rails 8.1.1)
tollport(dev):001> repository = Repository.where(slug: 'tollport').first
tollport(dev):002> Distribution::RepositoryTags.new(repository, repository.maintainer).tags # whilst we're here, lets confirm...
[...]
=> [] # yep!
tollport(dev):003> Distribution::RepositoryTags.new(repository, repository.maintainer).send(:client).get("/v2/tollport/tags/list")
  PersonalAccessToken Create (1.7ms)  INSERT INTO "personal_access_tokens" ("user_id", "token", "created_at", "updated_at", "name", "blanket", "pull_access", "push_access") VALUES ($1, $2, $3, $4, $5, $6, $7, $8) RETURNING "id"  [["user_id", 1], ["token", "[FILTERED]"], ["created_at", "2025-12-13 20:58:37.615714"], ["updated_at", "2025-12-13 20:58:37.615714"], ["name", "Service token"], ["blanket", true], ["pull_access", "{}"], ["push_access", "{}"]]
  [... some loading of users and repositories]
🛳️ Authenticating with {:iss=>"tollport", :sub=>"1", :aud=>"tollport-registry", :exp=>1765663117, :nbf=>1765659517, :iat=>1765659517, :jti=>"4222bd92-41d8-4f9e-91ab-8dc1275f46bd", :access=>[{:type=>"repository", :name=>"tollport", :actions=>["pull", "push"]}]}
  PersonalAccessToken Destroy (1.6ms)  DELETE FROM "personal_access_tokens" WHERE "personal_access_tokens"."id" = $1  [["id", 82]]
=> {"errors"=>[{"code"=>"UNAUTHORIZED", "message"=>"authentication required", "detail"=>[{"Type"=>"repository", "Class"=>"", "Name"=>"tollport", "Action"=>"pull"}]}]}

Well, there we go. That answers a few questions. There certainly are no tags returned. Plus, we know that the auth has gone wrong somewhere.

This is a real heart sinking feeling because getting the auth working in the first place was tonnes of trying to understand how to implement JWTs. I guess at this point we have to recap how all that works. From memory for the moment. (A note from a few minutes in the future: writing this up was a struggle, which might be indicative of the bug and is certainly indicative that I’m not on solid ground here.)

• PersonalAccessTokens are a Tollport concept, much like an API key. Users create these keys and allow them to have push and/or pull access to specific repositories.
• The user logs into their docker client using their username and an API key.
• When docker CLI attempts an action, Tollport’s registry will send the PAT to Tollport, who returns a JWT with permissions detailed.

That flow (using docker CLI) is all working, as we saw I’m able to push images just fine. This flow, where the server is using the Distribution API rather than going via the CLI like a user would, is a little different.

1. A request is made to "/v2/<name>/tags/list", with an Authorization header.
   • The auth header is a JWT token, listing the permissions required. Specifically, the permission required is “type: registry, name: catalog”, with pull access to each of the relevant repositories.
   • As this is a special, internal call I do something sneaky: I create a “blanket” PAT token. I call these service tokens.
   • That’s a token where the user (or the system in this case) doesn’t care to define granular access and will just allow access to everything.
   • After it’s used, it gets deleted. - The registry then decodes the … (narrator: it is at this moment that Shane realised the bug) JWT and sends the PAT token across to the normal auth endpoint, just to double check it’s all kosher.
   • So, the token is generated by the Railsy bit of Tollport, and then sent to the registry, and then the registry confirms it with Tollport.

Here’s what I think the issue is: I delete the special service token before that cycle is finished using it.

Indeed take a look at this:

module Distribution
  class RepositoryTags
    [...]

    def tags
      tags_response = client.get(endpoint)

      tags_response.fetch("tags", [])
    end

    private

    def client
      @client ||= Client.new(ENV.fetch("TOLLPORT_REGISTRY_URI"), auth_token:)
    end

	[...]

    def auth_token
      user.with_service_token do |personal_access_token|
        AuthToken.new(personal_access_token:).token(repository.name)
      end
    end
  end
end

auth_token gets the service token from the User, and generates the JWT with it. Lets see what that does.

  def with_service_token
    token = personal_access_tokens.create(name: "Service token", blanket: true)

    yield token

    token.destroy
  end

Yikes! So before I get a chance to send it to the registry, the PAT required to authenticate the JWT has been deleted.

Lets confirm that by… not deleting the token for a moment.

Okay - that’s good news! Lets add back the destroy and move around the scope of the key.

shane@macbook tollport/ (main) % git diff
diff --git a/app/lib/distribution/repository_tags.rb b/app/lib/distribution/repository_tags.rb
index fd2fa65..4ff20af 100644
--- a/app/lib/distribution/repository_tags.rb
+++ b/app/lib/distribution/repository_tags.rb
@@ -18,17 +18,20 @@ module Distribution
     private

     def client
-      @client ||= Client.new(ENV.fetch("TOLLPORT_REGISTRY_URI"), auth_token:)
+      user.with_service_token do |personal_access_token|
+        Client.new(
+          ENV.fetch("TOLLPORT_REGISTRY_URI"),
+          auth_token: auth_token(personal_access_token:)
+        )
+      end
     end

     def endpoint
       ENDPOINT.gsub("<name>", repository.name)
     end

-    def auth_token
-      user.with_service_token do |personal_access_token|
-        AuthToken.new(personal_access_token:).token(repository.name)
-      end
+    def auth_token(personal_access_token:)
+      AuthToken.new(personal_access_token:).token(repository.name)
     end
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 66db028..c0e3304 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -27,9 +27,11 @@ class User < ApplicationRecord
   def with_service_token
     token = personal_access_tokens.create(name: "Service token", blanket: true)

-    yield token
+    result = yield token

     token.destroy
+
+    result
   end

Nice nice. That works.

Okay?

There’s no way that this particular bug will occur for someone else (or at least, no way someone searching for a solution will find this page). So the question of “why did I bother writing this?” is a good one. The lesson I’m hoping to spread here is that debugging is just about asking questions of your code.

Here’s my flow:

1. Prove to yourself the bug is real and that it hasn’t been misrepresented.
   • It feels dreadful for spend an hour debugging an issue that was reported only to realise… there’s no bug at all.
   • If you cannot prove to yourself that the bug is real, you also cannot be sure you’ve resolved the bug. - Ask a question of the code. - Find evidence to answer the question.
   • If you make an assumption, and skip finding evidence, there’s a Sod’s Law chance that that is exactly where your bug is. - Lead that answer to the next question. - Keep going until it’s clear what happened.

Sometimes, you’ll find yourself staring at the code. In these times (and you may not realise this at the time) you’re simply hoping that the bug will jump out at you. Unguided code reading is a waste of time. Debugging is an active activity, not a passive one.

Ask a question and answer that question.

I don’t expect this bug to end up being something world changing - it may well be a typo. It might also be fun for you to spot the issue before I do, like a murder mystery.

I’m trying to set up SolidQueue, adding it to my already-set-up Rails application. (ie. I don’t think there was any ActiveJob configuration before my work today.)

So let me show you exactly where we are right now, and I’ll fill in some details as we go both forwards and backwards in time:

shane@macbook tollport/ (activejob) % bundle exec rails db:prepare
Created database 'tollport_queues_development'
Created database 'tollport_queues_test'


shane@macbook tollport/ (activejob) % bin/jobs
/Users/shane/git/tollport/vendor/bundle/ruby/3.2.0/gems/activerecord-8.1.1/lib/active_record/connection_adapters/postgresql/database_statements.rb:167:in `exec': PG::UndefinedTable: ERROR:  relation "solid_queue_processes" does not exist (ActiveRecord::StatementInvalid)
LINE 10:  WHERE a.attrelid = '"solid_queue_processes"'::regclass
                             ^

        from /Users/shane/git/tollport/vendor/bundle/ruby/3.2.0/gems/activerecord-8.1.1/lib/active_record/connection_adapters/postgresql/database_statements.rb:167:in `perform_query'
        from /Users/shane/git/tollport/vendor/bundle/ruby/3.2.0/gems/activerecord-8.1.1/lib/active_record/connection_adapters/abstract/database_statements.rb:571:in `block (2 levels) in raw_execute'

We can see here that db:prepare creates a couple of new databases for us. It’s done this because when you run bin/rails solid_queue:install it’ll add some configuration as well as adding db/queue_schema.rb. That file is supposed to contain the database schema for SolidQueue. But…

It does not. In fact, it is just a copy of my normal schema.

shane@macbook tollport/ (activejob) % diff db/schema.rb db/queue_schema.rb | wc
       0       0       0

Well, that explains exactly why solid_queue_processes isn’t being created - it’s not defined anywhere.

How the heck did that happen though? I’m very willing to accept that I’ve done something funky to make this happen. I have a suspicion, and I’ll try to recreate that issue again in a second (because I think it might be an unfortunate Rails bug).

First, lets see if we can fix this issue by deleting the incorrect db/queue_schema.rb and running bin/rails solid_queue:install again.

Good news:

shane@macbook tollport/ (activejob) % grep 'create_table' db/queue_schema.rb
  create_table "solid_queue_blocked_executions", force: :cascade do |t|
  create_table "solid_queue_claimed_executions", force: :cascade do |t|
  create_table "solid_queue_failed_executions", force: :cascade do |t|
  create_table "solid_queue_jobs", force: :cascade do |t|
  create_table "solid_queue_pauses", force: :cascade do |t|
  create_table "solid_queue_processes", force: :cascade do |t|
  create_table "solid_queue_ready_executions", force: :cascade do |t|
  create_table "solid_queue_recurring_executions", force: :cascade do |t|
  create_table "solid_queue_recurring_tasks", force: :cascade do |t|
  create_table "solid_queue_scheduled_executions", force: :cascade do |t|
  create_table "solid_queue_semaphores", force: :cascade do |t|

Way better. Bad news:

shane@macbook tollport/ (activejob) % bin/jobs
/Users/shane/git/tollport/vendor/bundle/ruby/3.2.0/gems/activerecord-8.1.1/lib/active_record/connection_adapters/postgresql/database_statements.rb:167:in `exec': PG::UndefinedTable: ERROR:  relation "solid_queue_processes" does not exist (ActiveRecord::StatementInvalid)
LINE 10:  WHERE a.attrelid = '"solid_queue_processes"'::regclass
                             ^

Checking the table shows that it definitely has created the correct schema. And our “undefined” table is there.

shane@macbook tollport/ (activejob) % rails dbconsole --database queue
psql (13.1)
Type "help" for help.

tollport_queues_development=# \dt
                     List of relations
 Schema |               Name               | Type  | Owner
--------+----------------------------------+-------+-------
 public | ar_internal_metadata             | table | shane
 public | schema_migrations                | table | shane
 public | solid_queue_blocked_executions   | table | shane
 public | solid_queue_claimed_executions   | table | shane
 public | solid_queue_failed_executions    | table | shane
 public | solid_queue_jobs                 | table | shane
[...]
 public | solid_queue_processes            | table | shane
[...]
(13 rows)

Is SolidQueue using the write database?

Ah - well, this is telling of something. And not just about my potential bug. Running solid_queue:install only bothers to tell SolidQueue to run on this special database for ‘production’.

shane@macbook tollport/ (activejob) % grep -r 'solid_queue.connects_to' config/
config/environments/production.rb:  config.solid_queue.connects_to = { database: { writing: :queue } }

Whereas I have this new database set up for all environments, at least in config/database.yml. A lot of config is passed via the DATABASE_URL env var. More on that very shortly.

default: &default
  adapter: postgresql
  [...]

development:
  primary:
    <<: *default
    database: tollport_development
  queue:
    <<: *default
    database: tollport_queues_development
    migrations_paths: db/queue_migrate

[...]

production:
  primary:
    <<: *default
    database: tollport_production
  queue:
    <<: *default
    url: <%= ENV.fetch('QUEUE_DATABASE_URL', nil) %>
    database: tollport_queues_production # this does nothing as `url:` tasks precedence, leaving here as an example of what's in QUEUE_DATABASE_URL
    migrations_paths: db/queue_migrate

First, I want to quickly confirm my suspicion and answer the question at hand: is SolidQueue using the write database? Lets make all environments use this queue database. Moving the above SolidQueue config from config/environments/production.rb to config/application.rb gets us going again. bin/jobs works!

The “telling” aspect I mentioned earlier leads me to this: since solid_queue:install didn’t add that configuration to config/application.yml in the first place, the developers probably don’t intend you to have the two databases for dev and test. But, as it’s working, and I don’t really mind, I’ll let that particular issue be. When following the installation instructions, I assumed it wanted me to add the new ‘queue’ to each of the environments. The docs only mentions production though.

So, I had two issues:

1. SolidQueue’s schema, which db:prepare uses, was straight up wrong.
2. SolidQueue was not aware of the queue database whilst in dev.

By deleting the queue_schema.rb and re-installing Solid Queue, I fixed the first issue. But how did it happen in the first place?

Well, I’m guessing now because I no longer have the commit, but I believe I messed up my database.yml.

Before this activejob branch, my config looked more like this:

default: &default
  adapter: postgresql
  encoding: unicode

development:
  <<: *default
  database: tollport_development

This is a single database set up. The Rails magic here is that this single database is called primary. To make it a multi-database set up, you add in the database names:

development:
  primary:
    <<: *default
    database: tollport_development
  queue:
    <<: *default
    database: tollport_queues_development
    migrations_paths: db/queue_migrate

However, I believe I originally did something like this which is wrong:

development:
  <<: *default
  primary:
    database: tollport_development
  queue:
    database: tollport_queues_development
    migrations_paths: db/queue_migrate

And I can only imagine that that confused the heck out of Rails so much that my issue happened.

ah well, all working now.

Actually, I just checked my transactions to see when I first went: the first week of October, and since then I’ve been to at least a dozen sessions. It’s difficult for me to tell because two weeks I signed up for lessons, and after that point you get free public ice sessions, so I don’t have a record of those.

The Hackspace is definitely a place where hobbies accrue. You can be working on the laser cutter, and then someone mentions how similar it is to the embroidery machine, and then suddenly you’re combining the two. In this case, a bunch of people in unison (I can’t remember if it was me who instigated it) decided to try out a skating session. Five of us went along, including one very good skater. That was instrumental as he was able to give me starting advice which got me over the initial struggle that might have dissuaded me from going again.

After that, I went to a number of sessions on my own trying to get used to the forward momentum and movement. If there’s ever a sport where “practice makes perfect” is very clear, it’s this one. Each hour made me feel more confident.

Go more often than a normal person would, you notice who else is turning up an unusual amount, and you eventually get talking to them. I remember at many points in my life thinking “how on earth do adults make new friends?” Then after thinking that, I found a wonderful group of friends from Dungeons and Dragons, a brilliant group of friends in the Hackspace, and now a burgeoning group of “ice friends”, as I’ve been calling them. Turns out, all you have to do to make friends is go outside regularly.

Early on, there was a time where a three year old was almost certainly going to collide with me. At this point, I had no idea of how to stop or turn, so I began thinking of what I would say to his parents as I handed them his fingers back. But the little nipper just toe looped right around me.

Since then, I’ve learnt forward reasonably confidently, forward and backwards “lemons”, and I recently learnt backwards mostly. (I have not yet learnt how to stop.)

I’ve been going a bit more than my partner and friends, so I’ve been trying to offer advice to help them catch up. It’s incredibly hard to teach a physical skill. Take “lemons”, for instance. This is a beginner’s movement where you draw a lemon with your skates, a pointy ellipse. It’s essentially teaching the importance of the angle of your feet, and how you can use that angle to push yourself forwards. You can explain all that, but I’ve no idea how to explain which muscles to use to do it.

It’s just lots of practice, I guess.

I can’t remember why I started writing this. I had it in my drafts. I’m setting it free.

“Default branch”

Many are used to having master as the default branch in a repository, but it’s fallen out of favour recently. In around 2020, the community decided that staring at a word all day with so much loaded connotations probably wasn’t good for mental health, some more so than others. Some have noted that the term was never meant in a master-slave way, but rather a “master copy” way. However, either way, it’s not a technically correct word for it. We’ll see in this article that it’s often not the master copy, and is often lagging behind the state of the art. So, main has been taken on as a less inaccurate (and mercifully shorter) name. It doesn’t have to be your default branch though. Change it to whatever you like. git config --global init.defaultBranch main So, we’ll just go with calling it the default branch for now.

Working branches or the ‘GitHub flow’

I’d put money on this being the most common method of using a version control system. If you’re working on a team, or just working in parallel on different parts of the codebase, then it makes sense to have an area just for yourself: your own branch.

For each chunk of work, I’ll start off with git checkout -b banjo-12393-fix-issue-with-signup. Then in there, I’ll work away on fixing the issue.

Naming these branches is something to pay attention to. Finding the branch you’re working on can become difficult if you’re interrupted and have to look at something else for a while. So, many developers come up with their own system for these. My system is my team name, like a namespace to avoid bumping into anyone else, then the ticket number I’m working on, then a legible description of what of the problem being solved. It’s nice to do git branch and know what each of the branches are for. It’s also nice to be able to grep through git branch | grep 12393 to find the branch I’m working on.

In my experience, these branches aren’t often shared between developers. The main reason for that is that there comes a point where you step on their toes. Say you add another commit to Alice’s branch, and now she has to realise that somehow, hopefully before pushing their work and overriding yours or having to handle a rebase. Leave these kinds of branches to the developer that created them.

Once the work is complete, this workflow usually leads to a pull request.

“Pull request”

There’s not really any such thing in the core of Git itself that specifies pull requests. Initially, the intended method of sharing code was to send a diff (or a patch) to someone and have them apply it on their end. Git is designed to be distributed - easily clonable elsewhere - but not intended as a team collaboration tool. When Linus Torvolds was putting Git together, there was no plan for everyone to be able to make a branch and push to the Linux kernal as they wanted. He expected patches to be sent around. The idea of a “pull request” was created by the community. In fact, much of the community (like Gitlab), prefer the term “merge request” which shows how non-standard the whole idea is. We’ll see in a bit that Git is not designed to handle dozens of developers working in the same repository synchronously.

That is then reviewed. I imagine most of us are lucky enough that we have a team around us who review our code before we merge it into the default branch. That kind of accountability is not the only reason to use these branches though; even working solo it’s good to create a pull request and review the code yourself. Often, it’s the first time you’ll see the whole changeset. It’s a good habit to self-review your code before you ask anyone else to.

Once reviewed, it gets merged into the default branch. You can then clear away your local branch and the branch on the remote. Stay tidy.

You may have read this section thinking “this is what I call a feature branch”, and I’d fully agree with you. I’ve gone with “working branch” here for two reasons: 1) often it’s not features that we’re working on, day to day, and 2) to distinguish it from what we all agree is called a feature branch. (Not until writing this post did I realise that I’d been calling the two things the same name, without issue.)

Feature branches

In a sophisticated workflow that most engineers have come to expect, once your merge to the main branch, continuous integration will kick in and deploy to production automatically. At least, that’s the case in the web dev world. Outside of that, (say an iPhone app), I imagine that’s not always the case. However, when something lands in the default branch, it’s good behaviour for it to be shippable.

In working branches, discussed above, your work is reviewed and then deployed. That’s handy for releases of work that can be done in one ticket. Small features, bug fixes, and other discrete chunks of work.

There are times when you’re given a large amount of work, which is all expected to be moved to the main branch (and become shippable) at the same time.

It may not be feasible for you to do all the work yourself on this kind of ticket. Even if you are taking on the work yourself, raising a pull request with multiple ideas in it is bad practise. Work of this size can often be (and should be!) split up into small units of work. Usually, you’ll add some sort of subtasks. The work can also be parallelisable and worked on by multiple people.

But how do we overcome our twin problems of a) not stepping on the toes of another developer by pushing to a “shared” branch and b) releasing the work at the same time whilst also keeping changes discrete.

This is where feature branches shine.

It’s nothing sophisticated. Simply, you make a new branch for you’ll treat like your default branch for a while. Take a copy of the default branch and name it after your new feature. Then, you can raise pull requests against this new branch, rather than default.

Now, PRs can be small, single units of work that can be reviewed easily.

Once that feature branch is ready and safe to deploy, raise a PR from it to the default branch. Marvel a bit at all the changes you’ve made, though you may not need to review it strenuously as each piece has already been reviewed. Then, merge that and move your ticket to done. (Or “User test” or whatever.)

This workflow is not without it frustrating disadvantages.

The biggest of these is that the default branch will (all too quickly) deviate from the feature branch. You’ll need to stay on top of this by rebasing the feature branch frequently. These conflicts can get gnarly, and only get worse with time, so a feature branch should have a short life span.

This workflow has all but vanished from my workplace because of this issue. We end up spending more time handling conflicts than is worth it. Instead, a more correct solution is feature flags. In that case, you can stick to normal working branches.

Feature flags

Feature flags aren’t a git workflow thing, but since I already brought them up I shall explain them quickly. Instead of hiding your completed work in a feature branch, you want to merge it as soon as it’s ready. The way you can do that, without releasing it to be shipped, is by flagging the feature as unavailable. One way to do this is with a simple if param[:enable_payment_system] condition in your view, or controller, which skips over the whole feature by default. This may take some thinking about how to do cleanly, but I often find that this kind of thinking leads to cleaner code anyway even after you remove the feature flag.

”gitflow”

I’m unsure if anyone still bothers with this. I expect some do, likely more corporate places that like to follow operating procedures that show up in books from the 90s. It’s also very possible that this just isn’t popular in continuously delivered web development, but is still very useful in software houses that produce versioned software.

This is a whole system that consists of feature branches (like those above), develop branches (where code has been finished but isn’t ready for a release yet), release branches (for all the changes which will go into version 1.1 or version 1.2, which are both expected to be released at some point), hotfix branches (which jump over the previous kinds of branches), and then master once the code is ready to go into the latest branch to build on top of.

It’s all a bit much. I’ve never used this, and really hope not to.

Merging methodologies

Alongside the ways of using a git repo to work on your code, there are also different ways to getting your code merged.

Pushing straight to the default branch

Commit your work, then git push. Done.

This is a common way of working on personal projects, where you’re alone and not expecting a review of a team mate. It is essentially never done in any professional environment though.

There are two times that come to mind where I’ve seen this done at work.

First, when working on a “spike” that in a new repository. A spike is very quickly throwing together to come to validate an idea. This might not be done solo and can be done with others on the team too. It is useful when speed is important, and the code quality is not. Usually, the ultimate goal of these spikes to to throw the repo away and start again with the insights of the spike on a fresh repo, where normal processes are restarted.

The second is rarer still, and I think it’s not a point of pride, but rather a process that hasn’t fully been solidified yet. In Ruby packages, I’ve seen a new feature get added via a normal Pull Request methodology, but then the version bump of the library happening afterwards (often by the maintainer) who then just pushes the single commit. These commits are often automated, and a review wouldn’t be very helpful.

Opening a Pull Request straight to the default branch (and other branches, whilst we’re at it)

The vast majority of the time, pull requests are raised against the default branch to be reviewed by other developers. In every professional place I’ve worked code on the default branch gets automatically deployed to production. It’s a good, often hygienic, method of finishing off your work to make sure that code is never hanging around, going stale, and then surprising someone when it fails a few days later when someone gets around to manually deploying.

When working with feature branches, you’d of course be merging into other branches, but those would be pointing at the default branch. (If they’re not, the situation you’ve found yourself is a complicated one!)

I wrote earlier about how it’s often not considered polite to jump into someone else’s working branch and start making changes. There are occasions when you’d like to do that though. For instance, if you’re reviewing a PR and want to suggest a change to it. It might complicate things to do that by simply changing the code on the branch, but you could checkout their branch, make the change, and then push to a different branch. Raising your own pull requests against theirs, so they can see the changes you’re thinking of.

I have worked in one place where we had a ‘staging’ branch, which the gitflow people would call the ‘develop’ branch. The staging branch would get deployed to a staging environment so user acceptance testing could be done before merging everything from that branch into the default branch. Just like with gitflow, my feeling that this style is falling out of fashion. (Instead, see: feature flags.)

It’s your CI process that is protecting you from merging buggy code, so long as your code is well tested. A common practice with CI is halting the entire pipeline if something fails along the way. When this happens, most git hosts will stop you (or strongly persuade you away from) merging your pull request.

Continuous Integration

“CI” servers watch for changes to branches and do some build steps. These build steps might be

• Running the test suite
• Running linters which check the quality of the code changed
• Compile assets
• Generate and push Docker images
• Deploying the code to the server
• Sending notifications or kicking off other systems to begin their work
• Building a package and pushing to the package repository The CI server might do a better job at running all of the tests than you would locally - maybe faster or more reliably. The output of all of these are often visible on pull requests, which give reviewers confidence that the changes meet certain standards.

Usually, you can set up systems like GitHub and GitLab to now allow merging of a PR whilst the build is failing (one of the tasks has finished with an unexpected output).

When I started my career, we were using Jenkins, a self-hosted and open source CI server. The world has changed a lot since then, and CI has become Big Business. A lot of my experience is using CircleCI, which has been getting more and more expensive (and more and more fancy). GitHub also have a very good CI system now, which is nice to have it hooked straight into where your code is anyway. My expectation for the future is that these things will get prohibitively more expensive and we’ll end up going back to self-hosted solutions. Many of these third party providers already let you run your builds on your own servers (and they handle queueing and whatnot).

The key thing to note about this method is that once your CI build is green and you’re code has been signed off by a peer, when you hit that ‘Merge’ button, it goes straight into the default branch and is ready for everyone to git fetch and start working on top of it - for better or worse!

Merging strategies

Actually, the button you press is likely more complicated than just “Merge”. There are a few different ways of merging.

Fast forward merging

Whilst this is considered the ‘default’ method of merging by git, it is one I’ve rarely seen in the wild. Likely because it is not Github’s idea of the default.

A fast forward merge is the simplest of merges. They happen where there is no conflict between the two branches, and the commits from the new branch can be placed on top of the main branch, as simple moving main to the pointer of the merged branch.

The commits are all kept the same. There’s no tweaking the hash because the parent is different: the commits are always the same.

Non-fast forward merging

This is a very similar kind of merge as the above, except that it always adds a merge commit. This is what you’ll see by default in Github. It’s handy for a few reasons:

A bit more provenance. You can tell exactly where the commits came from: another branch. Probably a named branch that will give you a bit more context. The merge commit will group the new commits together forever.

Optionally, a lot more context for the group of commits. Github will add the PR description to the merge commit message (and of course you can do that yourself if manually merging). Whilst the individual commits should explain what change they’ve made, a merge commit is a good place for a proper description of why the change needs to be made.

Easy to revert the whole thing. With a fast forward merge, you’ll need to select commit-by-commit to revert the whole idea. That is a bit more faff than just reverting the merge commit.

“Squash and merge”

This is a destructive method of merging your code. Ultimately, it still does a non-fast forward merge, but Github/lab will force all of your code changes into the merge commit.

This way of working considers the individual commits as an artefact that’s only useful during development. Once merged, who cares. This is nice in some ways: you’ll end up with one commit per ticket, maybe. That’s kinda nice. On merge, there are fewer chances of multiple merge conflicts, as it’ll just be one commit that needs to be checked for conflicts rather than multiple (which might all hit the same conflict).

I dislike this way of working, even though it is how the majority of places I’ve worked at like to do their merging.

You don’t technically lose any commit messages - they’re all added into the merge commit. However, you do end up with that whole, bulky message being displayed in your git blame, rather than just the single commit that cleanly explained the change to that particular line of code.

“Rebase and merge”

This merging methodology does a git rebase original/base_branch and then pushes the base_branch. This is essentially doing a fast forward push, except if you were doing it on the command line you’d be able to handle conflicts interactively. On GitHub, it won’t let you use this option if it involves a conflict.

GitHub will rewrite all of your commits even if there’s no need (say, if the rebase is clean). It will change the author of the commit from your locally configured author, to your GitHub ‘verified’ user.

This is a critical issue for me with this merge method. There are some features, like git branch -d which will check if the branch you’re deleting has all of its commits somewhere else. Otherwise, it’ll warn you that you’re about to lose some work. That will always happen when the author has been changed (because all of the commits have changed!). So you’re forced to use the more dangerous -D because you’re not expecting -d to ever work.

Merge trains

Merge trains aim to avoid issues with merges in close proximity to each other. Say you have your work in cool-feature and a colleague has their work in their-feature. Both branches are pushed, they pass code review at roughly the same time, they have CI run against them and they’re both green builds.

So, hit merge on cool-feature and your colleague hits merge on their-feature. Then, something frustrating happens: despite there being no conflicts between the two, behaviour has changed enough now that some tests are failing.

You can revert one of the PRs but the whole thing is a frustrating mess.

The manual way to get around this safely is to rebase your code before merging it, always. In fact, there are Github settings where you can enforce that all PRs be sitting on top of the main branch. This is very annoying though - what if someone beats you to another merge? Then you have to rebase again and hope to catch it as the stars align when that build completes.

Instead, if merge trains were used, both merged PRs would go into a queue. CI would get cool-feature merged and start building it for deploy (or whatever). Then though, instead of merging their-feature straight away, it will automatically rebase that code and then run the tests again. If they pass this time, it merges it without any other intervention.

This magic automation has never sat right with me though. I don’t like my code going onto a production server At Some Point In The Future. So, as trendy as merge trains are, I think I’ll stick with more simpler methods of merging.

Though - this is almost always a team decision, and rarely be people align with me on this! It seems everyone has their opinions on git workflows.

Twitter had been going down hill for quite some time and Elon’s acquisition of it made it quite clear that it has become a source of World Suck. Staying on it, and seeing ads occasionally, was directly funding Trump’s eventual ascension and I wanted no part of that.

I did know of Mastodon before then, but the mass exodus from twitter and everyone redirecting their accounts to fediverse instances was what made me decide it was legit. I didn’t fancy joining one of the big servers though. So I ended up looking for a fun domain, and found d20.social.

My original intent was to make a TTRPG community on that server, but quickly changed my mind when I realised how un-fun moderation would be. There are only three accounts on d20.social: me, my partner, and some random person who signed up and made me realise I didn’t want the stress of moderating even just one person. (That person never actually posted, and I suspended them some time after.)

Bringing a small instance to life

Tiny instances is how I feel the fediverse should be maintained. The software isn’t entirely designed to be run with so few people though. The ‘Trending’ section is sorely lacking as it seems to only consider items from the local server. It’d be nice for that to be more useful, but it’s the only negative for me about running the server myself.

In the early days, my motive was to follow anyone and everyone that I came across who was posting about something I had an interest in. This works well!

Additionally, Mastodon supports “Relays”. These are endpoints on other servers you tell your own instance about. If the admin approves your relay request, it’ll send all the content it has on its server to your server. So, if I’m interested in everything on ruby.social, all messages will also get received by my server without me having to interact with them. They don’t appear in my timeline - they just end up in my Postgres database.

The beauty of that is that you can now benefit from following hashtags. I can follow the #ruby hashtag and they do all appear in my timeline. Great! I follow #ttrpg and #mychemicalromance.

The issue here is that it puts a bit more load on ruby.social, and @james@ruby.social probably doesn’t want to be paying for that. Their resources are best spent on their own users and not people off-instance. That’s reasonable. Good news though: someone else has taken on that burden. You can visit [https://relay.fedi.buzz/] to use them as a relay. Adding https://relay.fedi.buzz/instance/ruby.social as a relay (which is auto-accepted by relay.fedi.buzz) will then pipe all of ruby.social’s stuff to my server without the Tragedy of the Commons overloading ruby.social systems.

That’s also the place you can get relays for specific hashtags which will come from anywhere in the fediverse.

Social media is a dangerous drug

A constant stream of new and shiny messages is bad for your brain. Doom scrolling starts with a hunt for a dopamine hit, and ends with spiralling around a far-right pit of sadness.

Once I had my instance populated with lots of messages, I had to start pruning weeds.

I heavily use Filters in Mastodon for better mental health. Even when people are shouting opinions I agree with, I have to mute them out for fear of being overwhelmed. ‘Nazi’, ‘Elon’, ‘TERF’, ‘blockchain’, ‘covid’ and dozens more are all words I’ve restricted from posts that appear in my feed. “Titanic” is on the list for some reason.

Certain people on Mastodon love to compare it to Twitter. Or talking about Twitter’s demise. Add “twitter” and “xitter” to your filter list and you’ll have a better life.

Running mastodon

I originally ran Mastodon pretty well on a small instance on Digital Ocean. It wasn’t the $5/m one, but it was close to that.

For whatever reason, I was running it ‘by hand’. I had the git repo in a directory and was running it like a locally run Rails application. It doesn’t seem even a bit logical these days but I had a number of tabs in byobu running the webserver, the streaming server, and all the other bits.

Upgrading it was dreadful, because I would have to precompile the assets. That process used a lot more system resources than the small instance had, so I had to go up to $20/m for a few minutes whilst I did that.

It was dreadful. I really don’t know why I put up with it.

After some time I found that Hetzner did very cheap deals on quite good dedicated machines. So now I pay £30~/m for a very good machine. I moved Mastodon over to that, this time using the docker-compose set up. Definitely do this.

Upgrading Mastodon is simply now:

• Run a backup: docker exec mastodon-db-1 pg_dumpall -U postgres | gzip > postgres_backup_PREUPGRADE_date +’%Y%m%d’.sql.gz
• Edit the docker-compose.yml to point to the tagged version you want.
• docker compose up -d

Easy.

I will also occasionally run this slew of scripts from inside one the containers:

RAILS_ENV=production bin/tootctl accounts prune;
RAILS_ENV=production bin/tootctl statuses remove --days 4;
RAILS_ENV=production bin/tootctl media remove --days 4;
RAILS_ENV=production bin/tootctl media remove --remove-headers --include-follows --days 4;
RAILS_ENV=production bin/tootctl preview_cards remove --days 4;
RAILS_ENV=production bin/tootctl media remove-orphans;

These trim down the bulk of the saved assets and bloat from the database.

It’s quite an easy piece of software to be running.

Today

I find Mastodon to be one of the most exciting open source projects happening today. I’m still very eager to see what new features come with each patch and I’ll spend more time than I need to looking through the changelog each time.

It’s a very stable system that I find remarkable. It’s all basic Internet Stuff, but I love that I can message a friend on a different server and they can pipe back. Both of us using own infrastructure.

The fediverse movement is also a fun place to be at the moment. I was recently a part of the fediforum unconference and that was full of discussions and hope for the future. There’s a good mix of tech and non-techy people, so ideas aren’t constricted by what’s technically feasible, which is a hurdle devs often get bogged down by - we can worry about that later on after we’ve decided what we want.

It’s a movement that aligns itself very well with the indieweb. Mastodon feels like the old web to me, in a way that Facebook and Twitter do not. It feels like real communities who are invested in their environments, and not just content creators helping their overlords sell ad space.

Three years on, I’m still glad I started d20.social. At a time where the Internet seems to be in decay, I’m genuinely optimistic about the future of fediverse.

just-in-time.liq is a script which populates my Liquidsoap container with what tracks to be playing on my 24 Hours of Radio project. That’s all I really need for this part of the project.

The just-in-time.liq needs to be accessed by the liquidsoap instance, which I just pull straight down from image: savonet/liquidsoap:v2.3.3. The just-in-time.liq script is loaded as a volume.

services:
  liquidsoap:
    image: savonet/liquidsoap:v2.3.3
    command: liquidsoap /config/just-in-time.liq
    env_file: .env
    volumes:
      - ./liquidsoap/config:/config
      - media:/media

However, to get it onto the server, I’m having to copy and paste it. An easily forgotten deployment task.

There’s a strong argument to say that this should be handled by continuous integration, but that’s not really the root of my issue: that script shouldn’t be hanging around my server’s project-setup directory. That directory ideally contains a docker-compose.yml, a .env, and an nginx.conf. That’s all stored in a git repo. The liquidsoap script doesn’t feel like it should be in amongst that.

Tiny container?

How about if I build my own version of savonet/liquidsoap:v2.3.3 with that configuration script baked in? This felt very odd to me when I first thought of it, but it’s actually strikingly similar to what we do with Rails projects.

I was worried I’d end up with a bloated image, but in reality it’s just the size of the savonet/liquidsoap:v2.3.3 image I’m using anyway plus the size of the script. No big deal. And I already have distribution set up!

FROM savonet/liquidsoap:v2.3.3

COPY ./liquidsoap/just-in-time.liq /tmp/just-in-time.liq

CMD ["liquidsoap", "/tmp/just-in-time.liq"]

(I’m using the tmp folder here as it’s the only folder that the liquidsoap user has access to. The /config only worked when docker-compose pulled rank to create it with the right user. I don’t think there’s any auto-cleanup of tmp directories that I should be worried about.)

That’s it! I build this alongside my radio project and push both of them to the registry.

services:
  liquidsoap:
    build: .
    container_name: radio-liquidsoap
    env_file: .env
    volumes:
      - media:/media

The server’s docker-compose.yml changes just a little to support this: point the image to my own image rather than the official one.

I was rolling out a new version like this:

docker pull my-app
docker compose up -d

Docker compose then notices that my-app has changed. It turns off my-app and then restarts it, recreating with the new image. Even if this is very quick, it still leads to nginx not being able to route requests for that period.

This calls for blue-green deployments; we run two copies of the application (a BLUE and a GREEN), we attempt to roll out the new update to BLUE and check if it’s healthy, then tell nginx to send traffic to there for a bit, and then do the same roll out to GREEN, and send nginx back to GREEN. Whilst GREEN is down and being deployed, BLUE handles all the connections and requests.

Abdullah Obaid has a great tutorial that I followed, and might be suitable for you. However, my needs were a little different:

1. I have other services in my docker-compose which I needed to share. (No need to run two Postgres containers.)
2. I didn’t want to use systemctl to inject an environment variable. I want all my configuration to be in my ~/my-app directory, not hidden away elsewhere.
3. I have a different idea about how the health check and “switch” script should work.

Splitting services

My docker-compose.yml originally contained registry, web, database services.

I kind of want the registry and database to stick around and be shared between the two. It feels like I’ve wrangled this into working and I’d be interested to hear further thoughts. Here’s what I did.

1. Keep docker-compose.yml
   1. But remove web service
   2. Specify a project name to avoid relying on Docker’s autogenerated names: name: my_app. This will be used to scope our services, which we want to reference later on.
2. Create a docker-compose.blue.yml
   1. name: my_app_blue
3. Create a docker-compose.green.yml
   1. name: my_app_green
   2. Give web a different exposed port

docker-compose.yml defines a volume which I need access to in BLUE and GREEN. Same with the network too.

# in docker-compose.yml

volumes:
  registry_data:
  
networks:
  external_network:
  internal_network:
    internal: true
  
# in docker-compose.blue.yml

volumes:
  my_app_registry_data:
    external: true
    
networks:
  my_app_external_network:
    external: true
  my_app_internal_network:
    external: true
    internal: true

This is a little brittle for a couple of reasons. First, docker-compose.yml has to be loaded first to create those resources. Second, I’m relying on magically getting the name of the resources correctly. It’s the main reason why setting the name was so important.

This does work, however!

Then we can start up each in order (though, the order only matters once).

docker compose up --file docker-compose.yml -d
docker compose up --file docker-compose.blue.yml -d
docker compose up --file docker-compose.green.yml -d

docker ps will show you all of your services working. You can even rails c into your BLUE to change something in the database, then pop over to GREEN to see it correctly reflected.

Directing traffic with nginx

You’ll have an upstream defined in your nginx.conf somewhere. You’ll remove the existing upstream and define two new ones: one for BLUE and one for GREEN.

upstream my-app-blue {
  server 127.0.0.1:3845 fail_timeout=0;
}

upstream my-app-green {
  server 127.0.0.1:3844 fail_timeout=0;
}

We need to tell nginx which one to use though, and to do that we’ll make a new file, nginx-my-app-upstream.conf. The full contents of which should be:

set $my_app_upstream "my-app-green";

And then we include that file in our server directive:

server {
  include /root/my-app/nginx-my-app-upstream.conf;
  server_name my-app.shane.computer;

  location / {
    proxy_pass http://$my_app_upstream;

    # Preserve client headers for Rails
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

Now, whenever you run nginx -s reload, it’ll check our extra config file and set the variable to the upstream we want to serve.

So now, all we need is to smartly write to nginx-my-app-upstream.conf.

Toggling between upstreams

I’ve written a deploy-latest script (and chmod +x deploy-latest‘d it) whose job it is to:

1. Pull the latest tag again. Note that this doesn’t change GREEN or BLUE.
2. Start BLUE with that new tag
3. Check if it’s working, using our already working healthcheck (comes for free with Rails)
4. If yes, toggle the upstream
5. Start GREEN with the new tag
6. If it’s working, toggle nginx back
7. Optionally, you can shut down BLUE at this point

#!/usr/bin/env bash
set -euo pipefail

docker pull my_app.shane.computer:5500/my_app:latest
docker compose --file docker-compose.blue.yml up -d

wait_for_healthy() {
  local container=$1
  local max_attempts=${2:-15}
  local attempt=1

  while [ $attempt -le $max_attempts ]; do
    if docker ps --filter "name=$container" --format ' ' | grep -q "(healthy)"; then
      echo "$container is healthy!"
      return 0
    fi
    echo "[$container] attempt $attempt/$max_attempts: not healthy yet..."
    attempt=$(( attempt + 1 ))
    sleep 2
  done

  echo "[$container] did not become healthy in time"
  return 1
}

wait_for_healthy my_app_blue-web-1
echo "set \$my_app_upstream \"my_app_blue\";" > nginx-my-app-upstream.conf
nginx -s reload

docker compose --file docker-compose.green.yml up -d
wait_for_healthy my_app-green-web-1
echo "set \$my_app_upstream \"my_app_green\";" > nginx-my-app-upstream.conf
nginx -s reload

Deploy flow

1. On your development machine, build and push your new image.
2. On your production machine, run ./deploy-latest.

Done!

Some people will tell you to look into Kubernetes or Nomad to help orchestrate and deploy with a more robust blue-green methodology, but if this works, then it works! Bonus: you understand every line of it making debugging easier in the future.

Enjoy.

1. Add a DNS record to point to the server for the application. (Do this first to avoid propagation delays later on.)
2. Create a sample nginx.conf file with an ideal setup.
3. Create a sample docker-compose file with an ideal setup.
4. Add the non-sample version to .gitignore.
5. Push the application source code from my working machine to Github.
6. Pull that down on Hetzner.
7. Copy the two sample files and fill them with server related tweaks.
   1. Use docker ps to figure out which ports are available. After a few Rails projects on one server, you can’t rely on guessing a number in the 3000 range to be unique any more.
8. ln -s /home/shane/rails-project/nginx.conf /etc/nginx/sites-enabled/rails-project.shane.computer ; nginx -s reload to set up the project for nginx.
9. certbot to get the SSL cert set up for the domain.
10. docker compose up gets everything going.
11. Done!

My least favourite part

It bugs the heck out of me that I have the entire code base just hanging loose in a directory. There’s a few reasons for this.

1. Using git as a mechanism for transporting files you end up with a real working directory of files. You cannot push to this from elsewhere. It’s janky.
2. Configuration files, like those nginx.conf and docker-compose.yml are hidden away by .gitignore, since you don’t want those committed. At least not in the project codebase! I actually do want them version controlled though, like we saw in my set up of grafana.
3. I don’t need all of the project files. Just the files that make it work.
4. This forces a docker build of the project; although I’m quite pleased with my beefy server, it is rather slow at building images. My ancient intel macbook is faster.

The obvious, correct way of transporting applications like these are just passing around the docker image. For that you need a container repository.

distribution/distribution

If you host your container images with github you get very little storage space for images, even on a paid plan. On Docker Hub, it’ll run you $16 per month per user. It’s expensive with no real need to be. In fact - that seems to fall right into my sabbatical’s ethos of making SaaSs that are expensive and tailored to teams available for solo developers at a more affordable rate!

distribution/distribution is the open source software that github and docker hub both use to run that side of their business. You docker docker login to log into your own, private image repository and then can docker pull and docker push as normal. It can live on your own server, which you’re already paying for, so why not! Plus, it’s all private if you set it up correctly.

This month, I’ve been working on a Rails wrapper around that service which gives you a lovely interface to manage users, what images they can access and publish, and a few other nice features.

At the moment, it’s very roughly set up. (I’m now quite adept at implementing JWT!) But last night I got my software to deploy itself by using this private repository. So I can now:

1. Ditch the repo living on the server.
2. Build the image locally - fast!
3. Push the image.
4. docker pull on the server.
5. docker compose up to restart with the new code.

Exciting!

It’s a bit contagious, so I want to track some things around my studio. I don’t have much time to do this, so let’s get on with it.

To do this instantly, you could use Digital Ocean

I’m setting this up on a dedicated machine, but if you just want Grafana right now you can do so via their Marketplace, which gives you a VPS with it already set up. The instructions are on the Grafana Marketplace page. You can get $200 of credit by signing up with my link. You’ll be done in three minutes.

DNS

Do DNS first, since it can take some time to propagate; let it do that whilst we’re working on other things.

I’m going to be using graphs.shane.computer.

A    graphs    <whatever your IP address is>

Nginx

root access

I’m doing this all with root. If you’re seeing permission issues, double check what your user has access to.

I run a bunch of dockerised applications on this server, so I like to try and keep them tidy.

In my home directory (on my server) I have a directory with those projects. Let’s make a new one.

mkdir grafana
cd grafana
git init .
git commit --allow-empty -m 'Initial commit'

Then let’s start our nginx.conf.

upstream grafana {
    server 0.0.0.0:3112 fail_timeout=0;
}

# Needed for websocket support.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    server_name graphs.shane.computer;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }

    location /api/live/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }

    access_log /var/log/nginx/graphs.access.log;
}

The port number I’ve just picked at random. Since I have a bunch of projects running through this nginx server, it’s become a bit of whack-a-mole finding an available port.

Change the servername to the hostname you just set up via DNS.

git add nginx.conf
git commit -m 'Add simple nginx configuration'

Then we need to get nginx actually loading it.

cd /etc/nginx/sites-enabled
ln -s /root/grafana/nginx.conf graphs.shane.computer
nginx -s reload

SSL

Get certbot set up using their super handy tool.

certbot

Certbox is fantastic at guiding you through what needs to be done. You’ll see your new hostname (which comes via the nginx config we just setup). Select that and watch certbot automatically set up your SSL cert.

It’ll change the nginx config. Have a look through that and commit the changes.

docker compose

Docker compose will handle almost all the hassle here.

make a docker-compose.yml.

services:
  grafana:
    image: grafana/grafana-enterprise:latest
    container_name: grafana
    restart: unless-stopped
    ports:
      - "3112:3000"
    volumes:
      - grafana-storage:/var/lib/grafana

volumes:
  grafana-storage:

There’s that port number again, by the way. In "3112:3000", 3112 is the port that will be used locally. 3000 is the port inside the docker container, which should remain as 3000 as that’s where grafana will run by default.

Let’s give it a go.

docker compose up

Give it a minute to start up. But then you should be able to go to your host and see the login page for Grafana! Nice.

Use admin / admin to sign in. You have to immediately change the password.

Once you’re happy it’s working, we can get docker to run this in the background. Use ctrl+c to stop docker running in the foreground. Then use the --detach to run it in in the background.

docker composer up --detach

All done.

I felt the need to write this up because a) the Grafana docs are split across a few pages for an Nginx install and b) ChatGPT just made shit up. Good news though: it’ll, without permission, crawl this page and be fixed there shortly I expect.