Jonathan Lalou's Blog

Archive for the ‘en-US’ Category

Lecturer

Himanshu Verma leads the Worldwide Security Identity and Governance Specialist team at AWS, guiding enterprises through detection engineering, incident response, and security orchestration. His organization designs reference architectures that unify AWS security services into cohesive outcomes.

Abstract

The session presents an integrated detection and response framework leveraging AWS native services—GuardDuty, Security Hub, Security Lake, and Detective—to achieve centralized visibility, automated remediation, and AI-augmented analysis. It establishes architectural patterns for scaling threat detection across multi-account environments while reducing operational overhead.

Unified Security Data Plane with Security Lake

Amazon Security Lake normalizes logs into Open Cybersecurity Schema Framework (OCSF), eliminating parsing complexity:

-- Query across CloudTrail, VPC Flow, GuardDuty in single table
SELECT source_ip, finding_type, count(*)
FROM security_lake.occsf_v1
WHERE event_time > current_date - interval '7' day
GROUP BY 1, 2 HAVING count(*) > 100

Supported sources include 50+ AWS services and partner feeds. Storage in customer-controlled S3 buckets with lifecycle policies enables cost-effective retention (hot: 7 days, warm: 90 days, cold: 7 years).

Centralized Findings Management via Security Hub

Security Hub aggregates findings from:

• AWS native detectors (GuardDuty, Macie, Inspector)
• Partner solutions (CrowdStrike, Palo Alto)
• Custom insights via EventBridge

New capabilities include:

• Automated remediation: Lambda functions triggered by ASFF severity
• Cross-account delegation: Central security account manages 1000+ accounts
• Generative AI summaries: Natural language explanations of complex findings

{
  "Findings": [
    {
      "Id": "guardduty/123",
      "Title": "CryptoMining detected on EC2",
      "Remediation": {
        "Recommendation": "Isolate instance and scan for malware",
        "AI_Summary": "Unusual network traffic to known mining pool from i-1234567890"
      }
    }
  ]
}

Threat Detection Evolution

GuardDuty expands coverage:

• EKS Runtime Monitoring: Container process execution, privilege escalation
• RDS Protection: Suspicious login patterns, SQL injection
• Malware Protection: S3 object scanning with 99.9% efficacy

Machine learning models refresh daily using global threat intelligence, detecting zero-day variants without signature updates.

Investigation and Response Acceleration

Amazon Detective constructs entity relationship graphs:

User → API Call → S3 Bucket → Object → Exfiltrated Data
    → EC2 Instance → C2 Domain

Pre-built investigations for common scenarios (credential abuse, crypto mining) reduce MTTD from hours to minutes. Integration with Security Incident Response service provides 24/7 expert augmentation.

Generative AI for Security Operations

Security Hub introduces AI-powered features:

• Finding prioritization: Risk scores combining severity, asset value, exploitability
• Natural language querying: “Show me all admin actions from external IPs last week”
• Playbook generation: Auto-create response runbooks from finding patterns

These capabilities embed expertise into the platform, enabling junior analysts to operate at senior level.

Multi-Account Security Architecture

Reference pattern for 1000+ accounts:

1. Central Security Account: Security Lake, Security Hub, Detective
2. Delegated Administration: Member accounts send findings via EventBridge
3. Automated Guardrail Enforcement: SCPs + Config Rules + Lambda
4. Incident Response Orchestration: Step Functions with human approval gates

This design achieves single-pane-of-glass visibility while maintaining account isolation.

Conclusion: From Silos to Security Fabric

The convergence of Security Lake, Hub, and Detective creates a security data fabric that scales with cloud adoption. Organizations move beyond fragmented tools to an integrated platform where detection, investigation, and response operate as a unified workflow. Generative AI amplifies human expertise, while native integrations eliminate context switching. Security becomes not a separate practice, but the operating system for cloud governance.

Links:

• Lecture Video

Lecturer

The keynote features Spring leadership: Juergen Hoeller (Framework Lead), Rossen Stoyanchev (Web), Ana Maria Mihalceanu (AI), Moritz Halbritter (Boot), Mark Paluch (Data), Josh Long (Advocate), Mark Pollack (Messaging). Collectively, they steer the Spring portfolio’s technical direction and community engagement.

• Juergen Hoeller on LinkedIn
• Josh Long on LinkedIn

Abstract

The keynote unveils Spring Framework 7.0 and Boot 4.0, establishing JDK 21 and Jakarta EE 11 as baselines while advancing AOT compilation, virtual threads, structured concurrency, and AI integration. Live demonstrations and roadmap disclosures illustrate how these enhancements—combined with refined observability, web capabilities, and data access—position Spring as the preeminent platform for cloud-native Java development.

Baseline Evolution: JDK 21 and Jakarta EE 11

Spring Framework 7.0 mandates JDK 21, embracing virtual threads for lightweight concurrency and records for immutable data carriers. Jakarta EE 11 introduces the Core Profile and CDI Lite, trimming enterprise bloat. The demonstration showcases a virtual thread-per-request web handler processing 100,000 concurrent connections with minimal heap, contrasting traditional thread pools. This baseline shift enables native image compilation via Spring AOT, reducing startup to milliseconds and memory footprint by 90%.

AOT and Native Image Optimization

Spring Boot 4.0 refines AOT processing through Project Leyden integration, pre-computing bean definitions and proxy classes at build time. Native executables startup in under 50ms, suitable for serverless platforms. The live demo compiles a Kafka Streams application to GraalVM native image, achieving sub-second cold starts and 15MB RSS—transforming deployment economics for event-driven microservices.

AI Integration and Modern Web Capabilities

Spring AI matures with function calling, tool integration, and vector database support. A live-coded agent retrieves beans from a running context to answer natural language queries about application metrics. WebFlux enhances structured concurrency with Schedulers.boundedElastic() replacement via virtual threads, simplifying reactive code. The demonstration contrasts traditional Mono/Flux composition with straightforward sequential logic executing on virtual threads, preserving backpressure while improving readability.

Data, Messaging, and Observability Advancements

Spring Data advances R2DBC connection pooling and Redis Cluster native support. Spring for Apache Kafka 4.0 introduces configurable retry templates and Micrometer metrics out-of-the-box. Unified observability aggregates metrics, traces, and logs: Prometheus exposes 200+ Kafka client metrics, OpenTelemetry correlates spans across HTTP and Kafka, and structured logging propagates MDC context. A Grafana dashboard visualizes end-to-end latency from REST ingress to database commit, enabling proactive incident response.

Community and Future Trajectory

The keynote celebrates Spring’s global community, highlighting contributions to null-safety (JSpecify), virtual thread testing, and AOT hint generation. Planned enhancements include JDK 23 support, Project Panama integration for native memory access, and AI-driven configuration validation. The vision positions Spring as the substrate for the next decade of Java innovation, balancing cutting-edge capabilities with backward compatibility.

Links:

• Lecture Video
• Juergen Hoeller on LinkedIn
• Josh Long on LinkedIn

At DevoxxUK2025, Heinz Kabutz, a renowned Java expert, delivered an engaging session on the intricacies of thread-safe programming using java.util.concurrent. Drawing from his extensive experience, Heinz explored the subtleties of concurrency bugs, using the Vector class as a cautionary tale of hidden race conditions and deadlocks. Through live coding and detailed analysis, he showcased advanced techniques like lock striping in LongAdder, lock splitting in LinkedBlockingQueue, weakly consistent iteration in ArrayBlockingQueue, and check-then-act in CopyOnWriteArrayList. His interactive approach, starting with audience questions, provided practical insights into writing robust concurrent code, emphasizing the importance of using well-tested library classes over custom synchronizers.

The Perils of Concurrency Bugs

Heinz began with the Vector class, often assumed to be thread-safe due to its synchronized methods. However, he revealed its historical flaws: in Java 1.0, unsynchronized methods like size() caused visibility issues, and Java 1.1 introduced a race condition during serialization. By Java 1.4, fixes for these issues inadvertently added a deadlock risk when two vectors referenced each other during serialization. Heinz emphasized that concurrency bugs are elusive, often requiring specific conditions to manifest, making testing challenging. He recommended studying java.util.concurrent classes to understand robust concurrency patterns and avoid such pitfalls.

Choosing Reliable Concurrent Classes

Addressing an audience question about classes to avoid, Heinz advised against writing custom synchronizers, as recommended by Brian Goetz in Java Concurrency in Practice. Instead, use well-tested classes like ConcurrentHashMap and LinkedBlockingQueue, which are widely used in the JDK and have fewer reported bugs. For example, ConcurrentHashMap evolved from using ReentrantLock in Java 5 to synchronized blocks and red-black trees in Java 8, improving performance. In contrast, less-used classes like ConcurrentSkipListMap and LinkedBlockingDeque have known issues, making them riskier choices unless thoroughly tested.

Lock Striping with LongAdder

Heinz demonstrated the power of lock striping using LongAdder, which outperforms AtomicLong in high-contention scenarios. In a live demo, incrementing a counter 100 million times took 4.5 seconds with AtomicLong but only 84 milliseconds with LongAdder. This efficiency comes from LongAdder’s Striped64 base class, which uses a volatile long base and dynamically allocates cells (128 bytes each) to distribute contention across threads. Using a thread-local random probe, it minimizes clashes, capping at 16 cells to balance memory usage, making it ideal for high-throughput counters.

Lock Splitting in LinkedBlockingQueue

Exploring LinkedBlockingQueue, Heinz highlighted its use of lock splitting, employing separate locks for putting and taking operations to enable simultaneous producer-consumer actions. This design boosts throughput in single-producer, single-consumer scenarios, using an AtomicInteger to ensure visibility across locks. In a demo, LinkedBlockingQueue processed 10 million puts and takes in about 1 second, slightly outperforming LinkedBlockingDeque, which uses a single lock. However, in multi-consumer scenarios, contention between consumers can slow LinkedBlockingQueue, as shown in a two-consumer test taking 320 milliseconds.

Weakly Consistent Iteration in ArrayBlockingQueue

Heinz explained the unique iteration behavior of ArrayBlockingQueue, which uses a circular array and supports weakly consistent iteration. Unlike linked structures, its fixed array can overwrite data, complicating iteration. A demo showed an iterator caching the next item, continuing correctly even after modifications, thanks to weak references tracking iterators to prevent memory leaks. This design avoids ConcurrentModificationException but requires careful handling, as iterating past the array’s end can yield unexpected results, highlighting the complexity of seemingly simple concurrent structures.

Check-Then-Act in CopyOnWriteArrayList

Delving into CopyOnWriteArrayList, Heinz showcased its check-then-act pattern to minimize locking. When removing an item, it checks the array snapshot without locking, only synchronizing if the item is found, reducing contention. A surprising discovery was a labeled if statement, a rare Java construct used to retry operations if the array changes, optimizing for the HotSpot compiler. Heinz noted this deliberate complexity underscores the expertise behind java.util.concurrent, encouraging developers to study these classes for better concurrency practices.

Virtual Threads and Modern Concurrency

Answering an audience question about virtual threads, Heinz noted that Java 24 improved compatibility with wait and notify, reducing concerns compared to Java 21. However, he cautioned about pinning carrier threads in older versions, particularly in ConcurrentHashMap’s computeIfAbsent, which could exhaust thread pools. With Java 24, these issues are mitigated, making java.util.concurrent classes safer for virtual threads, though developers should remain vigilant about potential contention in high-thread scenarios.

Links:

• Java Specialists Newsletter
• Java Concurrency in Practice Book
• JDK Documentation

Firebase evolves as Google’s app development platform, now deeply integrated with generative AI. Frank van Puffelen, Rich Hyndman, and Marina Coelho presented updates that streamline building, deploying, and optimizing AI-enhanced applications across platforms.

Branding Refresh and AI Accessibility

Frank introduced Firebase’s rebranding, reflecting its AI focus. The new logo symbolizes transformation, aligning with tools that make AI accessible for millions of developers.

Rich emphasized gen AI’s flexibility, enabling dynamic experiences like personalized travel suggestions. Vertex AI, Google Cloud’s enterprise platform, offers global access to models like Gemini 1.5 Pro, with SDKs for Firebase simplifying integration.

Marina showcased Vertex AI’s SDKs for Android, iOS, and web, supporting languages like Kotlin, Swift, and JavaScript. These, available since May 2024, facilitate on-device and cloud-based AI, with features like content moderation.

Frameworks for Production-Ready AI Apps

Genkit, an open-source framework, aids in developing, deploying, and monitoring AI features. It supports RAG patterns, integrating with vector databases like Pinecone.

Data Connect introduces PostgreSQL-backed databases with GraphQL APIs, ensuring type-safe queries and offline support via Firestore. In preview as of May 2024, it enhances data management for AI apps.

App Check’s integration with reCAPTCHA Enterprise prevents unauthorized AI access, bolstering security.

Optimization and Monitoring Tools

Crashlytics leverages Gemini for crash analysis, providing actionable insights. Remote Config’s personalization, powered by Vertex AI, tailors experiences based on user data.

Release Monitoring automates post-release checks, integrating with analytics for safe rollouts. These 2024 features ensure reliable AI deployments.

Platform-Specific Enhancements

iOS updates include Swift-first SDKs and Vision OS support. Android gains automated testing and device streaming. Web improvements ease SSR framework hosting on Google Cloud.

These advancements position Firebase as a comprehensive AI app platform.

Links:

• Frank van Puffelen on LinkedIn
• Rich Hyndman on LinkedIn
• Marina Coelho on LinkedIn

Olivier Poncet captivated the Riviera DEV 2025 audience with a detailed dissection of the XZ Utils attack, a sophisticated supply chain assault revealed on March 29, 2024. Through a forensic analysis, Olivier explored the attack’s two-year timeline, its blend of social and technical engineering, and its near-catastrophic implications for global server security. His presentation underscored the fragility of open-source software supply chains, urging developers to adopt rigorous practices to safeguard their systems.

The XZ Utils Attack: A Coordinated Threat

Olivier introduced the XZ Utils attack, centered on the CVE-2024-3094 vulnerability, which scored a critical 10/10 severity. XZ Utils, a widely used compression library integral to Linux distributions and kernel boot processes, was compromised with malicious code embedded in its upstream tarballs. Discovered fortuitously by Andres Freund, a PostgreSQL engineer at Microsoft, the attack aimed to weaken the SSH daemon, potentially granting attackers access to countless exposed servers. Olivier highlighted the serendipitous nature of the discovery, as Andres stumbled upon the issue during routine benchmarking, revealing suspicious behavior that led to a deeper investigation.

The attack’s objectives were threefold: corrupt the software supply chain, undermine SSH security, and achieve widespread system compromise. Olivier emphasized that this was not a mere flaw but a meticulously planned operation, exploiting the trust inherent in open-source ecosystems.

Social and Technical Engineering Tactics

The XZ Utils attack leveraged a blend of social and technical manipulation. Olivier detailed how the attacker, over two years, used social engineering to infiltrate the project’s community, likely posing as a trusted contributor to introduce malicious code. This included pressuring maintainers and exploiting the project’s reliance on a small, often unpaid, team. Technically, the attack involved injecting backdoors into the tarballs, which were then distributed to Linux distributions, bypassing standard security checks.

Olivier’s analysis, conducted through extensive virtual machine testing post-discovery, revealed the attack’s complexity, including obfuscated code designed to evade detection. He stressed that the human element—overworked maintainers and community trust—was the weakest link, highlighting the need for robust governance in open-source projects.

Supply Chain Vulnerabilities in Open Source

A key focus of Olivier’s talk was the broader vulnerability of open-source supply chains. He cited examples like the npm package “is-odd,” unnecessarily downloaded millions of times, and the “colors” package, whose maintainer intentionally broke builds worldwide by introducing malicious code. These incidents illustrate how transitive dependencies and unverified packages can introduce risks. Olivier also referenced a recent Hacker News report about over 200 malicious GitHub repositories targeting developers, underscoring the growing threat of supply chain attacks.

He warned that modern infrastructures, heavily reliant on open-source software, are only as strong as their weakest link—often a single maintainer. Tools like Docker Hub, npm, and pip, while convenient, can introduce unvetted dependencies, amplifying risks. Olivier advocated for heightened scrutiny of external repositories and dependencies to mitigate these threats.

Mitigating Risks Through Best Practices

To counter supply chain vulnerabilities, Olivier proposed practical measures. He recommended using artifact repositories like Artifactory to locally store and verify dependencies, ensuring cryptographic integrity through hash checks. While acknowledging the additional effort required, he argued that such practices significantly enhance security by reducing reliance on external sources. Auditing direct and transitive dependencies, questioning their necessity, and reimplementing simple functions locally were also advised to minimize exposure.

Olivier concluded with a call to action, urging developers to treat supply chain security as a priority. By fostering a culture of vigilance and investing in secure practices, organizations can protect their systems from sophisticated attacks like XZ Utils, preserving the integrity of the open-source ecosystem.

Links:

• Olivier Poncet on GitHub
• Olivier Poncet on Twitter/X

Has this ever happened to you? You’re excited to run a new piece of software—maybe it’s your first time executing an image manipulation with Image Magick, or perhaps launching a new video game—and instead of success, you get a cryptic pop-up: “The program can’t start because vcomp140.dll is missing from your computer.”

Panic sets in. While this issue popped up for us specifically when running Image Magick, it’s a common problem for almost any application built using Microsoft’s development tools. Fortunately, the fix is straightforward and highly reliable.

What is vcomp140.dll, Anyway?

This file is a core component of the Microsoft Visual C++ Redistributable for Visual Studio 2015-2022. Think of it as a crucial library of instructions that certain programs need to run. If this specific file is missing, corrupted, or not properly registered, the program (like Image Magick) simply cannot initialize.

Here are the three definitive steps to get your software running again.

The 3-Step Solution: Bring Back Your Missing DLL

1. Install or Repair the Official Visual C++ Redistributable (The Best Fix)

This is the most effective solution and the one that works almost every time. We need to install the official package that contains this missing file.

1. Navigate to the Microsoft Download Center: Search online for the “Visual C++ Redistributable latest supported downloads” on the official Microsoft website.
2. Download BOTH Versions: This is the critical step. Even if you have a 64-bit operating system, the problematic application (like Image Magick) might be a 32-bit program. You need to install both:
   • vc_redist.x86.exe (32-bit)
   • vc_redist.x64.exe (64-bit)
3. Install and Reboot: Run both installation files. If the package is already partially installed, the installer may offer a “Repair” option—take it! Once both installations are complete, reboot your computer. This allows the operating system to fully register the new or repaired files.

2. Run the System File Checker (SFC)

If the DLL error persists after Step 1, other related system files might be corrupted. The Windows System File Checker (SFC) tool can fix these deep-rooted issues.

1. Open Command Prompt as Administrator: Search for CMD in the Start Menu, right-click, and choose “Run as administrator.”
2. Execute the Command: Type the following command and press Enter:sfc /scannow
3. Wait for the Scan: The process takes several minutes. It will scan all protected system files and replace any corrupted files with cached copies.

3. Reinstall the Problematic Application

If the error specifically occurs with one program (like Image Magick), the problem might be with that application’s installer, not Windows itself.

1. Uninstall: Go to Windows Settings > Apps and uninstall the application completely.
2. Reinstall: Download and run the latest installer for the application. Many installers check for and include the necessary Visual C++ Redistributable package, ensuring the dependencies are handled correctly this time.

🛑 A Crucial Warning: Avoid Third-Party DLL Sites

Please, never download vcomp140.dll (or any other DLL) from non-official “DLL download” websites.

These files are often:

• Outdated and won’t solve the problem.
• Corrupted or bundled with malware, posing a security risk.
• Simply copying the file into a system folder rarely works, as the files need proper registration by the Microsoft installer.

Stick to the official Microsoft download source in Step 1 for a clean and secure fix!

I hope this guide gets you back to manipulating images with Image Magick (or whatever application was giving you trouble) in no time! Let me know in the comments if this worked for you.

Lecturer

Cameron Jenkins acts as a Managing Director in the Mainframe Modernization group at Accenture, overseeing sales, marketing, and technology products with decades of experience in legacy system transformations. Shri Kai occupies a senior role at T. Rowe Price, serving as the executive sponsor for modernization initiatives, with prior successes at Experian and CoreLogic. Joel Rosenberger functions as the AWS Mainframe Modernization Lead and Chief Architect at Accenture, strengthening partnerships and architecting programs like Go Big for large-scale migrations.

Abstract

This in-depth analysis scrutinizes the strategic value of mainframe modernization in financial services, focusing on T. Rowe Price’s migration to Amazon Web Services facilitated by Accenture’s refactoring and generative artificial intelligence tools. It dissects the methodologies for automating legacy code analysis, generating artifacts, and enhancing decision-making, while considering contextual drivers like agility and cost savings. The article evaluates implications for business users, risk mitigation, and future patterns, advocating a hybrid approach combining deterministic tools with emerging AI capabilities.

Strategic Drivers and Organizational Support

Mainframe modernization in finance yields enhanced flexibility, superior client interactions, and reduced expenses. At T. Rowe Price, the decision to decommission the mainframe and relocate core applications stems from these benefits, supported by executive buy-in from the CEO, CTO, COO, and CDO. This high-level endorsement mitigates risks associated with legacy systems, aligning technology with business objectives.

The initiative transcends cost reduction, positioning technology as a competitive advantage. Historical projects lacking such support often faltered, emphasizing the need for strategic alignment. AWS was selected due to its leadership in cloud services and proximity advantages, facilitating seamless integration.

Methodological Approaches to Code Transformation

Accenture’s tools automate analysis of legacy languages like COBOL, Assembler, and PL/1, producing technical and business documentation. Generative AI augments this by creating artifacts valuable to IT architects and business stakeholders, fostering collaboration and informed decisions.

Patterns include refactoring for twelve applications, with some sunsetting pre-migration. Post-migration flexibility allows microservices development, end-of-life planning, or incremental enhancements, tailored to business needs.

Testing remains pivotal for confidence-building, with AI generating test suites to address outdated data, reducing risks.

Code sample for basic COBOL to Java refactoring simulation in Python:

“`

Steve Flanders, a veteran in observability, delivered a 13-minute talk at Devoxx Greece 2025, outlining five reasons why OpenTelemetry (OTel) is poised to dominate observability.

Unified Data Collection

Flanders began by addressing a common pain point: managing multiple libraries for traces, metrics, and logs. OpenTelemetry, a CNCF project second only to Kubernetes in activity, offers a single, open-standard library for all telemetry signals, including profiling and real user monitoring. Supporting standards like W3C Trace Context, Zipkin, and Prometheus, OTel allows developers to instrument applications once, regardless of backend. This eliminates the need for proprietary libraries, simplifying integration and reducing rework when switching vendors.

Flexible Data Control

The OpenTelemetry Collector, deployable as an agent or gateway, provides robust data processing. Flanders highlighted its ability to filter sensitive data, like personally identifiable information, before export. Developers can send full datasets to internal data lakes while sharing subsets with vendors, offering unmatched flexibility. OTel’s modularity means you can use its instrumentation, collector, or neither, integrating with existing systems. This vendor-agnostic approach ensures data portability, as switching backends requires only configuration changes, not re-instrumentation.

Enhanced Problem Resolution

OTel’s context and correlation features link traces, metrics, and logs, accelerating issue resolution. Flanders showcased a service map visualizing errors and latency, enriched with resource metadata (e.g., Kubernetes pod, cloud provider). This allows pinpointing issues, like a faulty pod causing currency service errors, reducing mean-time-to-resolution. With broad adoption by vendors, users, and projects, and stable support for core signals, OTel is a production-ready standard reshaping observability.

Links

• OpenTelemetry
• Devoxx Greece

For many developers and DevOps engineers, creating and managing Dockerfiles can feel like a tedious chore. Ensuring best practices, optimizing image layers, and keeping up with security standards often add friction to the containerization process. Thomas DA ROCHA from Lenra, in his presentation, introduced Dofigen as an open-source command-line tool designed to simplify this. He demonstrated how Dofigen allows users to generate optimized and secure Dockerfiles from a simple YAML or JSON description, making containerization quicker, easier, and less error-prone, even without deep Dockerfile expertise.

The Pain Points of Dockerfiles

Thomas began by highlighting the common frustrations associated with writing and maintaining Dockerfiles. These include:
– Complexity: Writing effective Dockerfiles requires understanding various instructions, their order, and how they impact caching and layer size.
– Time Consumption: Manually writing and optimizing Dockerfiles for different projects can be time-consuming.
– Security Concerns: Ensuring that images are built securely, minimizing attack surface, and adhering to security standards can be challenging without expert knowledge.
– Lack of Reproducibility: Small changes or inconsistencies in the build environment can sometimes lead to non-reproducible images.

These challenges can slow down development cycles and increase the risk of deploying insecure or inefficient containers.

Introducing Dofigen: Dockerfile Generation Simplified

Dofigen aims to abstract away the complexities of Dockerfile creation. Thomas explained that instead of writing a Dockerfile directly, users provide a simplified description of their application and its requirements in a YAML or JSON file. This description includes information such as the base image, application files, dependencies, ports, and desired security configurations. Dofigen then takes this description and automatically generates an optimized and standards-compliant Dockerfile. This approach allows developers to focus on defining their application’s needs rather than the intricacies of Dockerfile syntax and best practices. Thomas showed a live coding demo, transforming a simple application description into a functional Dockerfile using Dofigen.

Built-in Best Practices and Security Standards

A key advantage of Dofigen is its ability to embed best practices and security standards into the generated Dockerfiles automatically. Thomas highlighted that Dofigen incorporates knowledge about efficient layering, reducing image size, and minimizing the attack surface by following recommended guidelines. This means users don’t need to be experts in Dockerfile optimization or security to create robust images. The tool handles these aspects automatically based on the provided high-level description. Thomas might have demonstrated how Dofigen helps in creating multi-stage builds or incorporating user and permission best practices, which are crucial for building secure production-ready images. By simplifying the process and baking in expertise, Dofigen empowers developers to containerize their applications quickly and confidently, ensuring that the resulting images are not only functional but also optimized and secure. The open-source nature of Dofigen also allows the community to contribute to improving its capabilities and keeping up with evolving best practices and security recommendations.

Links:

• Thomas DA ROCHA: https://www.linkedin.com/in/thomasdarocha/
• Lenra: https://www.lenra.io/
• Dofigen on GitHub: https://github.com/lenra-io/dofigen
• Devoxx France LinkedIn: https://www.linkedin.com/company/devoxx-france/
• Devoxx France Bluesky: https://bsky.app/profile/devoxx.fr
• Devoxx France Website: https://www.devoxx.fr/

Orchestrating Complex Systems with Rust

In the realm of industrial automation, managing fleets of autonomous mobile robots (AMRs) demands precision and reliability. At OxidizeConf2024, Andy Brinkmeyer from Arculus shared his experience developing a deterministic fleet management system using Rust, orchestrating over 100 robots in warehouse and manufacturing environments. Andy’s presentation highlighted how Rust’s performance, safety, and expressive type system enabled Arculus to tackle order coordination, route planning, and traffic management with a robust, maintainable codebase.

Arculus’s fleet management system handles the intricate task of transporting goods in confined spaces like distribution centers. Andy explained how Rust’s ecosystem facilitated a re-simulation framework, allowing developers to replay recorded logs to debug and validate system behavior. By combining synchronous deterministic components with an async I/O runtime, Arculus created a mockable system design that ensures consistent outcomes, critical for mission-critical applications where predictability is non-negotiable.

Leveraging Rust’s Concurrency Primitives

Rust’s concurrency model played a pivotal role in Arculus’s system. Andy detailed the use of synchronous components for core logic, processing fixed-size input messages to advance the system state. This deterministic approach eliminates the need for async within the main event loop, simplifying the architecture. However, async I/O was employed for external communication, using Rust’s tokio runtime to handle network interactions efficiently. This hybrid design balances performance with flexibility, enabling re-simulation without altering core logic.

When questioned about intra-task async operations, Andy noted that Arculus found no need for such complexity, as the deterministic state machine sufficed for their use case. The system’s ability to mock I/O components during re-simulation allows developers to isolate issues, though Andy acknowledged challenges in replaying new messages due to state dependencies. This approach underscores Rust’s ability to support complex industrial systems with clear, maintainable code.

Enhancing Maintainability with Procedural Macros

Procedural macros were a cornerstone of Arculus’s development process, enhancing code readability and maintainability. Andy described how macros derived state representations for complex types, reducing boilerplate and ensuring consistency across the fleet manager’s modules. This approach streamlined debugging and integration testing, with a Rust-based test framework enabling developers to recreate issues efficiently. By stepping into problematic states with a debugger, Arculus could pinpoint errors without simulating the entire system.

The talk also addressed limitations, such as the inability to fully replay new messages due to circular dependencies with robot communications. Andy suggested that future work could explore vehicle simulation to address this, though current methods—leveraging integration tests and deterministic logs—prove effective. Rust’s ecosystem, including tools like cargo, empowered Arculus to build a scalable, reliable system, setting a benchmark for industrial automation.

Links:

• Arculus company website