Now, most Java developers are busy mitigating Apache Log4j2 Vulnerability (CVE-2021-44228 and CVE-2021-45046). Applications are literally on fire. Here, I have created a sample project using Spring Boot and Log4j2 to demonstrate (Video Demo) the vulnerability and possible remediation. Please take a look in case if you are curious.

What is the famous Apache Log4j2 Vulnerability?

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Reproduce:

1. Create a Spring Boot project (Gradle) using https://start.spring.io/ or Spring STS IDE.
2. Exclude the default logging module and use spring-boot-starter-log4j2 in build.gradle file.

plugins {
	id 'org.springframework.boot' version '2.5.7'
	id 'io.spring.dependency-management' version '1.0.11.RELEASE'
	id 'java'
}

group = 'com.srccodes'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '1.8'

repositories {
	mavenCentral()
}

dependencies {
	implementation ('org.springframework.boot:spring-boot-starter-web') {
		exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'
	}
	
	implementation 'org.springframework.boot:spring-boot-starter-log4j2:2.6.1'	
	testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

test {
	useJUnitPlatform()
}

3. Sample code for SpringBootApplication

package com.srccodes.app;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Log4jVulnApplication {

	public static void main(String[] args) {
		SpringApplication.run(Log4jVulnApplication.class, args);

	}

}

4. Sample code for RestController that exposes an endpoint (say /vuln) which takes input (say request parametr userInput) from end user.

package com.srccodes.app;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {
	private static final Logger LOGGER = LogManager.getLogger(TestController.class);
	
	@GetMapping("/vuln")
	public String test(@RequestParam("userInput") String userInput) {
		LOGGER.info("User Input:" + userInput);
		
		return "{}";
	}

}

5. Now, start the SpringBoot apllication and pass ${jndi:ldap://127.0.0.1:3089/} (URL Encoded: %24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A3089%2F%7D) to exploit the vulnerability. And you will see, it will try to connect to LDAP using JNDI look up ("...looking up JNDI resource [ldap://127.0.0.1:3089/]..."). And sure enough, it will fail as LDAP server is not running in my local.

2021-12-12 13:01:17.174  INFO 26872 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-12 13:01:17.175  INFO 26872 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
2021-12-12 13:01:17.176  INFO 26872 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 1 ms
2021-12-12 13:01:17,221 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1:3089/]. javax.naming.CommunicationException: 127.0.0.1:3089 [Root exception is java.net.ConnectException: Connection refused: connect]
	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:253)
	at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
	at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2848)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
	at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204)
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
	at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
	at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
	at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
	at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:221)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1110)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1033)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
	at org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)
	at org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)
	at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:344)
	at org.apache.logging.log4j.core.layout.PatternLayout.toText(PatternLayout.java:244)
	at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:229)
	at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:59)
	at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.directEncodeEvent(AbstractOutputStreamAppender.java:197)
	at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.tryAppend(AbstractOutputStreamAppender.java:190)
	at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.append(AbstractOutputStreamAppender.java:181)
	at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
	at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
	at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
	at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
	at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:540)
	at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:498)
	at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:481)
	at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:456)
	at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
	at org.apache.logging.log4j.core.Logger.log(Logger.java:161)
	at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2205)
	at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2159)
	at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2142)
	at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2017)
	at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1983)
	at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1320)
	at com.srccodes.app.TestController.test(TestController.java:15)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.net.ConnectException: Connection refused: connect
	at java.base/sun.nio.ch.Net.connect0(Native Method)
	at java.base/sun.nio.ch.Net.connect(Net.java:579)
	at java.base/sun.nio.ch.Net.connect(Net.java:568)
	at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:588)
	at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
	at java.base/java.net.Socket.connect(Socket.java:633)
	at java.base/java.net.Socket.connect(Socket.java:583)
	at java.base/java.net.Socket.<init>(Socket.java:507)
	at java.base/java.net.Socket.<init>(Socket.java:287)
	at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:346)
	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:232)
	... 92 more

2021-12-12 13:01:17.202  INFO 26872 --- [nio-8080-exec-1] c.s.a.TestController                     : User Input:${jndi:ldap://127.0.0.1:3089/}

Video Demo:

Mitigation:

No action is required for Log4j 1.x. It is not impacted by vulnerabilities CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105.

For Log4j 2.x,

Implement one of the mitigation techniques below.

• Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

• In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
• Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.

Reference: https://logging.apache.org/log4j/2.x/security.html

References

• Apache Log4j2 Vulnerability | CVE-2021-44228 | JNDI Lookup | LDAP Server | Mitigation | Remediation
• CVE-2021-45105
• CVE-2021-44228
• CVE-2021-45046
• Apache Log4j Security Vulnerabilities

Windows Subsystem for Linux (WSL) is an awesome feature of Windows 10. No more VMware or Oracle VirtualBox is required to run Linux on Windows. WSL is faster and less resource consuming, zero or less configuration compared to any other traditional Virtual Machines (VM). Installation and setup of Linux Distribution is lightning-fast. Because of seamless integration between Windows Host OS and Linux Guest OS, no separate SSH client (e.g. Putty) or SCP client (e.g. WinSCP) is required.  Docker can run directly inside of WSL2 (a full Linux Kernel built by Microsoft). Easy to setup isolated AWS cloud development environment locally using Docker, LocalStack, AWS CLI, SAM CLI, VSCode etc. What else do we, developers need!

Prerequisite

For WSL2, Windows 10 has to be on

• Version 1903 or higher with Build 18362 or higher for x64 systems.
• Version 2004 or higher with Build 19041 or higher for ARM64 systems.

In case, if you are wondering how to verify this,
Open Windows Run command (Windows logo key + R), type winver and click "OK" button".

or, open Windows command prompt and type ver

c:\>ver
Microsoft Windows [Version 10.0.18363.1679]

Enable Windows Optional Feature

Next, we'll turn on following two windows feature

• Windows Subsystem for Linux
• Virtual Machine Platform

We can do it in two ways:
Option#1:

1. Open Windows Run command (Windows logo key + R)
2. Type optionalfeatures
3. Click "OK" button".
4. Select checkboxes for Windows Subsystem for Linux and Virtual Machine Platform features.

   

5. Click "OK" button to apply changes.
6. Once done, "Windows needs to reboot your PC to finish installing the requested changes". So, click "Restart now" button.

Option#2:

1. Open Windows PowerShell in "Run as Administrator".
2. Execute following command

PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux, VirtualMachinePlatform

Do you want to restart the computer to complete this operation now?
[Y] Yes  [N] No  [?] Help (default is "Y"): Y             

3. To apply this change, you need to restart the system. Therefore, enter "Y" when you will be asked to restart.

Reference: Enable-WindowsOptionalFeature

Enable-WindowsOptionalFeature
      -FeatureName <String[]>
      [-PackageName <String>]
      [-All]
      [-LimitAccess]
      [-Source <String[]>]
      [-NoRestart]
      [-Online]
      [-WindowsDirectory <String>]
      [-SystemDrive <String>]
      [-LogPath <String>]
      [-ScratchDirectory <String>]
      [-LogLevel <LogLevel>]
      [<CommonParameters>]

Description:

The Enable-WindowsOptionalFeature cmdlet enables or restores an optional feature in a Windows image.

Use the Online parameter to specify the running operating system on your local computer, or use the Path parameter to specify the location of a mounted Windows image.

The FeatureName parameter specifies the feature to add. You can specify more than one feature in the same package. Separate feature names with a comma.

Notes:
Get-WindowsOptionalFeature cmdlet gives all the features availble in the running operating system.

PS C:\> Get-WindowsOptionalFeature -Online

FeatureName : Printing-PrintToPDFServices-Features
State       : Enabled

FeatureName : Printing-XPSServices-Features
State       : Enabled

FeatureName : TelnetClient
State       : Disabled

FeatureName : TFTP
State       : Disabled

FeatureName : LegacyComponents
State       : Disabled

FeatureName : DirectPlay
State       : Disabled

FeatureName : Printing-Foundation-Features
State       : Enabled

FeatureName : Printing-Foundation-InternetPrinting-Client
State       : Enabled

FeatureName : Printing-Foundation-LPDPrintService
State       : Disabled

FeatureName : Printing-Foundation-LPRPortMonitor
State       : Disabled

FeatureName : SimpleTCP
State       : Disabled

FeatureName : Windows-Identity-Foundation
State       : Disabled

FeatureName : NetFx3
State       : DisabledWithPayloadRemoved

FeatureName : WCF-HTTP-Activation
State       : Disabled

FeatureName : WCF-NonHTTP-Activation
State       : Disabled

FeatureName : IIS-WebServerRole
State       : Disabled

FeatureName : IIS-WebServer
State       : Disabled

FeatureName : IIS-CommonHttpFeatures
State       : Disabled

FeatureName : IIS-HttpErrors
State       : Disabled

FeatureName : IIS-HttpRedirect
State       : Disabled

FeatureName : IIS-ApplicationDevelopment
State       : Disabled

FeatureName : IIS-Security
State       : Disabled

FeatureName : IIS-RequestFiltering
State       : Disabled

FeatureName : IIS-NetFxExtensibility
State       : Disabled

FeatureName : IIS-NetFxExtensibility45
State       : Disabled

FeatureName : IIS-HealthAndDiagnostics
State       : Disabled

FeatureName : IIS-HttpLogging
State       : Disabled

FeatureName : IIS-LoggingLibraries
State       : Disabled

FeatureName : IIS-RequestMonitor
State       : Disabled

FeatureName : IIS-HttpTracing
State       : Disabled

FeatureName : IIS-URLAuthorization
State       : Disabled

FeatureName : IIS-IPSecurity
State       : Disabled

FeatureName : IIS-Performance
State       : Disabled

FeatureName : IIS-HttpCompressionDynamic
State       : Disabled

FeatureName : IIS-WebServerManagementTools
State       : Disabled

FeatureName : IIS-ManagementScriptingTools
State       : Disabled

FeatureName : IIS-IIS6ManagementCompatibility
State       : Disabled

FeatureName : IIS-Metabase
State       : Disabled

FeatureName : WAS-WindowsActivationService
State       : Disabled

FeatureName : WAS-ProcessModel
State       : Disabled

FeatureName : WAS-NetFxEnvironment
State       : Disabled

FeatureName : WAS-ConfigurationAPI
State       : Disabled

FeatureName : IIS-HostableWebCore
State       : Disabled

FeatureName : WCF-Services45
State       : Enabled

FeatureName : WCF-HTTP-Activation45
State       : Disabled

FeatureName : WCF-TCP-Activation45
State       : Disabled

FeatureName : WCF-Pipe-Activation45
State       : Disabled

FeatureName : WCF-MSMQ-Activation45
State       : Disabled

FeatureName : WCF-TCP-PortSharing45
State       : Enabled

FeatureName : IIS-StaticContent
State       : Disabled

FeatureName : IIS-DefaultDocument
State       : Disabled

FeatureName : IIS-DirectoryBrowsing
State       : Disabled

FeatureName : IIS-WebDAV
State       : Disabled

FeatureName : IIS-WebSockets
State       : Disabled

FeatureName : IIS-ApplicationInit
State       : Disabled

FeatureName : IIS-ASPNET
State       : Disabled

FeatureName : IIS-ASPNET45
State       : Disabled

FeatureName : IIS-ASP
State       : Disabled

FeatureName : IIS-CGI
State       : Disabled

FeatureName : IIS-ISAPIExtensions
State       : Disabled

FeatureName : IIS-ISAPIFilter
State       : Disabled

FeatureName : IIS-ServerSideIncludes
State       : Disabled

FeatureName : IIS-CustomLogging
State       : Disabled

FeatureName : IIS-BasicAuthentication
State       : Disabled

FeatureName : IIS-HttpCompressionStatic
State       : Disabled

FeatureName : IIS-ManagementConsole
State       : Disabled

FeatureName : IIS-ManagementService
State       : Disabled

FeatureName : IIS-WMICompatibility
State       : Disabled

FeatureName : IIS-LegacyScripts
State       : Disabled

FeatureName : IIS-LegacySnapIn
State       : Disabled

FeatureName : IIS-FTPServer
State       : Disabled

FeatureName : IIS-FTPSvc
State       : Disabled

FeatureName : IIS-FTPExtensibility
State       : Disabled

FeatureName : MSMQ-Container
State       : Disabled

FeatureName : MSMQ-DCOMProxy
State       : Disabled

FeatureName : MSMQ-Server
State       : Disabled

FeatureName : MSMQ-ADIntegration
State       : Disabled

FeatureName : MSMQ-HTTP
State       : Disabled

FeatureName : MSMQ-Multicast
State       : Disabled

FeatureName : MSMQ-Triggers
State       : Disabled

FeatureName : IIS-CertProvider
State       : Disabled

FeatureName : IIS-WindowsAuthentication
State       : Disabled

FeatureName : IIS-DigestAuthentication
State       : Disabled

FeatureName : IIS-ClientCertificateMappingAuthentication
State       : Disabled

FeatureName : IIS-IISCertificateMappingAuthentication
State       : Disabled

FeatureName : IIS-ODBCLogging
State       : Disabled

FeatureName : MediaPlayback
State       : Enabled

FeatureName : WindowsMediaPlayer
State       : Enabled

FeatureName : DataCenterBridging
State       : Disabled

FeatureName : SmbDirect
State       : Enabled

FeatureName : HostGuardian
State       : Disabled

FeatureName : SMB1Protocol-Deprecation
State       : Disabled

FeatureName : MSRDC-Infrastructure
State       : Enabled

FeatureName : TIFFIFilter
State       : Disabled

FeatureName : NetFx4-AdvSrvs
State       : Enabled

FeatureName : NetFx4Extended-ASPNET45
State       : Disabled

FeatureName : MultiPoint-Connector
State       : Disabled

FeatureName : MultiPoint-Connector-Services
State       : Disabled

FeatureName : MultiPoint-Tools
State       : Disabled

FeatureName : Windows-Defender-Default-Definitions
State       : Disabled

FeatureName : SearchEngine-Client-Package
State       : Enabled

FeatureName : MicrosoftWindowsPowerShellV2Root
State       : Enabled

FeatureName : MicrosoftWindowsPowerShellV2
State       : Enabled

FeatureName : Client-DeviceLockdown
State       : Disabled

FeatureName : Client-EmbeddedShellLauncher
State       : Disabled

FeatureName : Client-EmbeddedBootExp
State       : Disabled

FeatureName : Client-EmbeddedLogon
State       : Disabled

FeatureName : Client-KeyboardFilter
State       : Disabled

FeatureName : Client-UnifiedWriteFilter
State       : Disabled

FeatureName : AppServerClient
State       : Disabled

FeatureName : WorkFolders-Client
State       : Enabled

FeatureName : Client-ProjFS
State       : Disabled

FeatureName : SMB1Protocol
State       : Disabled

FeatureName : SMB1Protocol-Client
State       : Disabled

FeatureName : SMB1Protocol-Server
State       : Disabled

FeatureName : Internet-Explorer-Optional-amd64
State       : Enabled

FeatureName : Microsoft-Windows-Subsystem-Linux
State       : Disabled

FeatureName : HypervisorPlatform
State       : Disabled

FeatureName : VirtualMachinePlatform
State       : Disabled

FeatureName : Containers-DisposableClientVM
State       : Enabled

FeatureName : Microsoft-Hyper-V-All
State       : Disabled

FeatureName : Microsoft-Hyper-V
State       : Disabled

FeatureName : Microsoft-Hyper-V-Tools-All
State       : Disabled

FeatureName : Microsoft-Hyper-V-Management-PowerShell
State       : Disabled

FeatureName : Microsoft-Hyper-V-Hypervisor
State       : Disabled

FeatureName : Microsoft-Hyper-V-Services
State       : Disabled

FeatureName : Microsoft-Hyper-V-Management-Clients
State       : Disabled

FeatureName : DirectoryServices-ADAM-Client
State       : Disabled

FeatureName : Windows-Defender-ApplicationGuard
State       : Disabled

FeatureName : ServicesForNFS-ClientOnly
State       : Disabled

FeatureName : ClientForNFS-Infrastructure
State       : Disabled

FeatureName : NFS-Administration
State       : Disabled

FeatureName : Containers
State       : Disabled

Download and Install Linux Kernel update package

Based on your System type download corresponding Linux Kernel update package.

• WSL2 Linux Kernel update package for x64-based PC
• WSL2 Linux Kernel update package for ARM64-based PC

Installation Steps:

1. Double click to run the downloaded Windows Installer Package.
2. In User Access Control Wizard, click "Yes" when it will ask "Do you want to allow this app to make changes to your device?"
3. Click "Finish" button to complete.

Set WSL default version to 2 (WSL2)

Run the below command in Windows Command Prompt or Windows PowerShell to change the default installation version for new Linux distribution.

C:\Users\Abhijit>wsl  --set-default-version 2
For information on key differences with WSL 2 please visit https://aka.ms/wsl2
The operation completed successfully.

Install Linux Distribution

Finally, we are good to install the preferred Linux distribution. We can do it in multiple ways.

Option#1:

1. Run the following command in Windows Command Prompt or Windows PowerShell to display a list of available distributions for installation with wsl --install

   C:\Users\Abhijit>wsl --list --online
   The following is a list of valid distributions that can be installed.
   Install using 'wsl --install -d <Distro>'.
   
   NAME            FRIENDLY NAME
   Ubuntu          Ubuntu
   Debian          Debian GNU/Linux
   kali-linux      Kali Linux Rolling
   openSUSE-42     openSUSE Leap 42
   SLES-12         SUSE Linux Enterprise Server v12
   Ubuntu-16.04    Ubuntu 16.04 LTS
   Ubuntu-18.04    Ubuntu 18.04 LTS
   Ubuntu-20.04    Ubuntu 20.04 LTS
   

2. Now, pass the desired distribution name while running wsl --install

   C:\Users\Abhimun>wsl --install --distribution Ubuntu-20.04
   Downloading: Ubuntu 20.04 LTS
   Installing: Ubuntu 20.04 LTS
   Ubuntu 20.04 LTS has been installed.
   Launching Ubuntu 20.04 LTS...
   

3. Once installed, it will be Launched automatically.

Option#2:

1. Open Microsoft Store
2. Choose your preferred Linux Distributions (e.g. Ubuntu).
3. Click "Install" button to start.

   

Option#3:

1. In case if Microsoft Store app is retricted by your organization or not avilable, then you can download offline installer.

Downloading distributions:

• Ubuntu 20.04
• Ubuntu 20.04 ARM
• Ubuntu 18.04
• Ubuntu 18.04 ARM
• Ubuntu 16.04
• Debian GNU/Linux
• Kali Linux
• SUSE Linux Enterprise Server 12
• SUSE Linux Enterprise Server 15 SP2
• openSUSE Leap 15.2
• Fedora Remix for WSL

This will cause the .appx packages to download to a folder of your choosing.

2. Double click the downloaded package.
3. Click "Install" to start.

   

Launch Linux Distribution

At the end of installation, you will get option to Launch the installed Linux Distribution. In my case, it is Ubuntu 20.04 and I am seeing the following in my screen.

Installing, this may take a few minutes...
Please create a default UNIX user account. The username does not need to match your Windows username.
For more information visit: https://aka.ms/wslusers
Enter new UNIX username: abhijit
New password:
Retype new password:
passwd: password updated successfully
Installation successful!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.10.16.3-microsoft-standard-WSL2 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Aug 26 01:36:36 EDT 2021

  System load:  0.0                Processes:             8
  Usage of /:   0.4% of 250.98GB   Users logged in:       0
  Memory usage: 1%                 IPv4 address for eth0: 172.23.22.192
  Swap usage:   0%

0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


This message is shown once once a day. To disable it please create the
/home/abhijit/.hushlogin file.
abhijit@playground:~$

Bonus Section

If you're wondering how to change the hostname permanently on Ubuntu running on WSL2, then following video will help you.

If you prefer reading, then check the following article on How to change hostname on Ubuntu running on Windows WSL?

Summary

Because of "..seamless integration between Windows and Linux, fast boot times, a small resource footprint, and requires no VM configuration or management", lightning-fast installation & setup of Linux distribution, WSL2 is becoming the popular choice for local development.

References

• Comparing WSL 1 and WSL 2
• Offline Linux Distributions
• Deployment Image Servicing and Management (DISM) platform

The launch of the 2020 version of the Scrum Guide reimagined the role of the Scrum Leader. Servant-leader a term that had become synonymous with the role of a Scrum Master was coined by Robert Greenleaf in his essay published in 1970.

A servant-leader focuses primarily on the growth and well-being of people and the communities to which they belong. While traditional leadership generally involves the accumulation and exercise of power by one at the “top of the pyramid,” servant leadership is different. The servant-leader shares power, puts the needs of others first and helps people develop and perform as highly as possible.
Ref: https://www.greenleaf.org/what-is-servant-leadership/

This style of leadership worked well for Scrum, where the importance of a Scrum Master is not in lieu of any designation and influence enjoyed by him/ her is drawn from the team itself.  

Jeff Sutherland: The 2020 Scrum Guide is shorter, more focused, and has One Team. In addition to tying the three artifacts to goals with commitments, we addressed two of the biggest challenges in the industry: servant leaders who don’t lead, and self-organizing developers doing whatever they want and not meeting the commitments.
After wrestling for a long time with servant leadership, we finally just changed the word order. A Scrum master is a leader who serves.
Ref: Changes in the 2020 Scrum Guide: Q&A with Ken Schwaber and Jeff Sutherland

One of the major catalyst for certain changes made to the Scrum Guide was the Comprehensive Human Appraisal for Originating Software Report published in 2019. It stated that 58% Agile projects failed or were challenged. And one of the major reasons for this was attributed to Scrum Masters not leading the teams.

Today, the Scrum Master needs to be a leader first. Anyone in the organization, who delivers value, enables the team and embodies the principles of Agile is a Scrum Master.

Scrum Master - A Leader who Serves | From Servant Leader to True Leader - Scrum Guide 2020:

References

• What is Servant Leadership?
• Changes in the 2020 Scrum Guide: Q&A with Ken Schwaber and Jeff Sutherland
• Agile Project Success Rates Are 2X Higher Than Traditional Projects (2019)

If you are running Ubuntu on Windows WSL (Windows Subsystem for Linux) and wondering how to change hostname permanently then follow all steps mentioned below.

Once hostname is changed, if you get "unable to resolve host <hostname>: Name or service not known" then follow the step #4 for the fix.

Video Tutorial:

1. Note down your hostname

abhijit@DESKTOP-ABC222:~$ hostname
DESKTOP-ABC222

Here, DESKTOP-ABC222 is hostname of Ubuntu running in my Windows 10 (OS Build 19043.1083) WSL.

2. Open /etc/wsl.conf or create the same if it does not exist.

abhijit@DESKTOP-ABC222:~$ sudo nano /etc/wsl.conf
[sudo] password for abhijit:

3. Add following lines in /etc/wsl.conf.

[network]
hostname = SrcCodes
generateHosts = false

hostname = SrcCodes will update the hostname in /etc/hostname.
generateHosts = false will prevent WSL from automatic generation of /etc/hosts file. Otherwise, hosts file change will be overwritten during re-launch of Ubuntu and we'll get "unable to resolve host <hostname>: Name or service not known"

abhijit@SrcCodes:~$ sudo apt update
sudo: unable to resolve host SrcCodes: Name or service not known

Reference: https://docs.microsoft.com/en-us/windows/wsl/wsl-config#network

4. Open /etc/hosts and update

abhijit@DESKTOP-ABC222:~$ sudo nano /etc/hosts

You will see some entries similar to below

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateHosts = false
127.0.0.1       localhost
127.0.1.1       DESKTOP-ABC222.localdomain     DESKTOP-ABC222
192.168.2.14    host.docker.internal
192.168.2.14    gateway.docker.internal
127.0.0.1       kubernetes.docker.internal
44.99.0.122     ip-44-99-0-122.lazerpenguin.com

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Find all occurences of hostname (e.g. "DESKTOP-ABC222") and replace with new one (e.g. "SrcCodes").

127.0.1.1       SrcCodes.localdomain     SrcCodes

Save and exit from the nano editor.

5. Close Ubuntu and re-launch.

Change will not reflect immediately. You must wait ~8 seconds as mentioned below in the document.

If you launch a distribution (ie. Ubuntu), modify the wsl.conf file, close the distribution, and then re-launch it. You might assume that your changes to the wsl.conf file have immediately gone into effect. This is not currently the case as the subsystem could still be running. You must wait ~8 seconds for the subsystem to stop before relaunching in order to give enough time for your changes to be picked up. You can check to see whether your Linux distribution (shell) is still running after closing it by using PowerShell with the command: wsl --list --running. If no distributions are running, you will receive the response: "There are no running distributions." You can now restart the distribution to see your wsl.conf updates applied.

Reference: https://docs.microsoft.com/en-us/windows/wsl/wsl-config#configure-per-distro-launch-settings-with-wslconf

If you don't want to wait, then open Windows Terminal or Windows PowerShell run wsl --shutdown to shut down the WSL 2 VM or terminate a specific distribution (e.g. "Ubuntu") using wsl -t Ubuntu and relaunch it.

Check what all are running.

PS C:\Users\Abhijit\Desktop> wsl --list --running
Windows Subsystem for Linux Distributions:
Ubuntu (Default)

Then run shutdown or terminate command.

PS C:\Users\Abhijit\Desktop> wsl --shutdown

or

PS C:\Users\Abhijit\Desktop> wsl -t Ubuntu

Verify it is stopped.

PS C:\Users\Abhijit\Desktop> wsl --list --running
There are no running distributions.
PS C:\Users\Abhijit\Desktop>

6. Finally re-launch and verify.

Launch Ubuntu and check hostname.

abhijit@SrcCodes:~$ hostname
SrcCodes

Verify "hosts" entry is also working correctly. You will not see following message anymore "unable to resolve host <hostname>: Name or service not known"

abhijit@SrcCodes:~$ sudo apt update
[sudo] password for abhijit:
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 1s (135 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
abhijit@SrcCodes:~$

References

• Windows Subsystem for Linux Documentation
• Ubuntu on WSL
• Windows Terminal

Ever since the November 2020 version was released, I had been curious about the what's and why's of the changes that were made to the July 2017 version. Whether we choose to drop the term "servant-leader" (to describe a Scrum Master) from our vocabulary is altogether a different (and contentious) conversation. For now, let us quickly take a look at the noticeable changes.

Development Team v/s Developers

The 2020 update does away with the concept of Development Team, which had the connotation of a team within the Scrum Team. Henceforth, we would be using the term Developers.

The Scrum Team consists of one Scrum Master, one Product Owner, and Developers. Within a Scrum Team, there are no sub-teams or hierarchies.

Self-organizing v/s Self-managing

The Scrum Guide now uses the terms “self-managing” and “self-management” to emphasize that Scrum Teams choose “who, how and what to work on”. The 2017 version used the terms “self-organizing” and “self-organization” to describe that Development Teams chose “who and how to do work”. In both cases however, it was evident that the Scrum Team does not operate as directed by those outside the team.

Servant-leader v/s True Leader

The term servant-leader was removed, and Scrum Masters are now described as “true leaders who serve the Scrum Team and the larger organization” The Scrum Master is accountable for the Scrum Team’s effectiveness.

Though it has been almost six-months since the release of the 2020 update, the term "servant-leader" is still very much in use in all the conversations taking place within the Agile community.

Sprint Planning

The Sprint Planning ceremony now attempts to answer the following questions:

1. Why is this Sprint valuable?
2. What can be Done this Sprint?
3. How will the chosen work get done?

The question "why is the Sprint valuable?" was added to draw more focus on the commitment that is "Sprint Goal". So, this change echoes the newly introduced concepts of Commitments.

Daily Scrums

As a stance, the Scrum Guide November 2020 version is less prescriptive and no longer lists the set of three questions like the older version. The purpose of the ceremony is clearly stated, but the structure and technique is left open-ended to the interpretations of the Developers.

Sprint Retrospective

Earlier, it was suggested that by the end of the Sprint Retrospective, the Scrum Team should have identified improvements that it will implement in the next Sprint. But now, though the Scrum Team identifies the most helpful changes to improve its effectiveness their addition to the upcoming Sprint Backlog is optional.

Accountabilities v/s Roles

The current update of the Scrum Guide is sprinkled with a generous dose of the terms "accountable" and "responsible". One of the most frequently used term "roles" has now been replaced by "accountabilities".

Commitments

The Scrum Guide November 2020 version clearly outlines the commitment for each artifact.

Jeff Sutherland: The 2020 Scrum Guide is shorter, more focused, and has One Team. In addition to tying the three artifacts to goals with commitments, we addressed two of the biggest challenges in the industry: servant leaders who don’t lead, and self-organizing developers doing whatever they want and not meeting the commitments.

Product Goal

In the 2017 version of the Scrum Guide "vision" is only mentioned once in the context of the Increment.

The increment is a step toward a vision or goal.

An ode to the importance of Product Goal, the 2020 version goes on to emphasize

The Product Goal is in the Product Backlog. The rest of the Product Backlog emerges to define “what” will fulfill the Product Goal.

Definition of Done

As consequence of removing the idea of Development Teams from the Scrum Guide, the responsibility to create the Definition of Done now falls upon the Scrum Team. Earlier, it was the created by the Development Teams if there wasn't one defined by the development organizations.  

Team Size

In stance of being less prescriptive, the Scrum Guide 2020 update simply suggests a team size of 10 or fewer people.  

Let me begin by congratulating you for securing the Scrum certification!

But I hope you realize that a certification simply validates your awareness about the guiding concepts and theories. It is not a living proof of your actual ability to bring those thoughts to life.

So, how do you build your knowledge and skill? What can you do before you land that Scrum Master role? This article briefly discusses actions that we all can take to further our career goals.

Reading

Reading might sound old fashioned to some in the world of social media and video content. But we have to agree that content is the key ("king"). So, it is for you to decide whether you choose to read a book, e-book or listen to an audio-book, but these are the ones that you mustn't overlook.

• The New New Product Development Game - by Hirotaka Takeuchi and Ikujiro Nonaka (https://hbr.org/1986/01/the-new-new-product-development-game)
• Scrum: The Art of Doing Twice the Work in Half the Time by Jeff Sutherland (Author), J.J. Sutherland (Author)
• Scrum - A Pocket Guide Gunther Verheyen
• Scrum Mastery - Watts Geoff
• Software in 30 Days - by Ken Schwaber (Author), Jeff Sutherland (Author)

Finding a Mentor

Seek out a mentor. It has been my experience that Scrum Masters happen to be excellent mentors in their private lives as well. The problem is if you’re seeking them out solely for job referrals and job postings, you might face a challenge. But if your goal is to understand how to develop yourself, what courses to take, which ceritificates to acquire and which books to read, more often than not, you shall find yourself being guided in the right direction by your mentor.

Joining Agile Mentorship Program

Can’t find a Mentor, connect with an Agile Mentorship program. I am aware that major cities have Agile Mentorship groups that conduct workshops. With COVID everything has gone virtual, and so you might be able to participate in a program that is based out of a different city and a different country as well. Take advantage of joining a program that mentors and nurtures talent in this field.

Building a Network

Finally, try to build your network. This doesn’t only mean sending a LinkedIn request. Join a professional group on LinkedIn and be a part of the conversation. This is a dynamic field and every day new ideas and tools are coming up. These groups are a great place to stay on top of things.

What's Next? Setting a goal

What’s next? You completed Scrum certification, set your next goal. Which field are you planning to join? What knowledge area do you need to master to build your confidence and profile? Never stop growing. Always know where you’re going next. A job is simply incidental to your journey. Focus on setting your leanring goals that keep you motivated and pivot you forward.

References

• Scrum Master Learning Path
• Product Owner Learning Path

There are many reasons why one would want to become a Professional Scrum Product Owner. An IT professional working as a part of a Scrum Team, in the scope of a Business Analyst, might decide to transition to the role of a Product Manager/ Product Owner, while a person not from the industry might use this as a stepping stone to joining the IT industry as a domain-specific Product Owner. Once you decide that you want to get certified, the next question is which organization you choose. There are a few organizations that provide training and certification for the role of a Scrum Product Owner like Scrum Alliance and Scrum.org.

My reason to go with Scrum.org was because of the following reasons:

1. I had the option to prepare for the test on my own, without having to mandatorily undertake their training (which are quite expensive); and
2. The PSPO I certificate doesn’t have an expiry date.

PSPO I Assessment Details

The Professional Scrum Product OwnerTM level I (PSPO I) test details

Fee: USD 200 per attempt
Passing score: 85%
Time limit: 60 minutes
Number of Questions: 80
Format: Multiple Choice, Multiple Answer, and True/False
Difficulty: Intermediate
Language: English only

The PSPO I assessment includes questions from the following Focus Areas as defined in the Professional Scrum Competencies.

• Understanding and Applying the Scrum Framework:
  • Empiricism, Scrum Team, Events, Artifacts, Done.
• Developing People and Teams:
  • Self-Managing Teams.
• Managing Products with Agility:
  • Forecasting & Release Planning, Product Vision, Product Value, Product Backlog Management, Business Strategy, Stakeholders & Customers.

Source: Scrum.org

Two Weeks To Go

These videos have been developed from my personal experience of preparing and clearing the PSPO I test. I suggest that you invest two weeks in the preparation of the test. In case you are unable to spend 3-4 hours a day for the test, kindly adjust the days based on your availability.

In the Week 1 of your prep (or when the test is 2 Weeks away) the following could be your first course of action:

• Step 1 - Register with Scrum.org Create your account. This will give you access to all their blogs, resources, and even training schedules. Do note, these can be accessed without registering but the act of creating an account helps set the stage for the next couple of weeks.
• Step 2 - Download the Scrum Guide Download the latest November 2020 issue of The Scrum Guide. Read the guide. Please don’t underestimate the volume and depth of knowledge, ideas, and concepts shared in this 14-paged document. As you read, you’ll realize that a lot of the understanding is left open to interpretation, and only a serious and thorough study of The Scrum Guide shall help you understand what Ken Schwaber and Jeff Sutherland wanted to convey to its readers. Read and reflect. After that start adding your notes and interpretations to your copy of the Guide.
• Step 3 - What is Scrum? Go through the page as it has links to all the articles, blogs, and resources you need for your test preparation.
• Step 4 - Product Owner Learning Path This page will provide links to resources for Understanding and Applying the Scrum Framework / Empiricism.
• Step 5 - Scrum Glossary This is a quick peek into the terms and concepts of Scrum and should be referred to multiple times.
• Step 6 - Online Nexus Guide Even though this relates to Scaling Scrum, I have seen many suggest this in the reading list for Product Owners. Hence, I also read it once before the exam.
• Step 7 - Take the Scrum Open assessment Taking the Scrum Open Assessment will give you an idea about the structure of the questions as well as develop familiarity with the interface. Save a pdf after every test.
• Step 8 - Take the Product Owner Open assessment This week, take this a few times. It will help set a baseline of your current knowledge and monitor your improvement going forward. The assessment has 15 questions selected from a larger pool. Save a pdf after every test as it details the right answer and over time you will develop a repository of questions (with their correct answers)

One Week To Go

Into the second week of your preparation, you can consider the following action points:

• Step 1 - Buy PSPO I Assessment When you buy the assessment, it acts as a driver and motivator for you as you inch closer to the test. While making the purchase you don’t need to set a date, hence, there is no problem with rescheduling or any last-minute hiccups. You can take it when you feel you’re ready to do so using the code mailed to you by Scrum.org.

• Step 2 - Time Management By now, you should have taken the open assessments many times.
  1. Scrum Open In the assessment, you have to answer 30 questions in 30 minutes. Try to increase your speed, so that you can attain accuracy within 15-20 minutes. This might sound absurd, but will help you save time on D-day. Also, after taking the test 6-8 times, you will see that the questions appear from a pool of 100 (approx) questions, and over time you are answering known questions. Practice time-management.
  2. Product Owner Open In the assessment, you are expected to answer 15 questions in 30 minutes. Please try to complete the test in 10 minutes to develop a time advantage for yourself when you take the test. Continue saving pdfs, revise and ensure you can eliminate recurring mistakes.

• Step 3 - Try the Free Product Owner Assessments from the Mikhail Lapshin website These are free tests that you can take either in Learning Mode or Real Mode. I took them at least once every day and find them useful. The only problem is that it is still being updated for the 2020 version of Scrum Guide and hence you might find a few answers to be incorrect from the latest Scrum Guide standpoint. Even then, most of the questions should still be relevant to your preparation.
• Step 4 - Continue Reading the Scrum Guide & Product Owner Learning Path resources. You must have a very well-used and inked copy of The Scrum Guide. Also, concepts of empiricism, team, and other concepts and terms should be familiar by now.
• Step 5 - When are you ready to take the PSPO I Test? When you are consistently scoring over 95% in your Scrum Open and Product Owner Assessments and above 90% in your mlapshin.com Free Assessments.

Day of the Test

These are the most important tips for your test.

• No distractions. You’re taking the test at a time and place that is convenient for you. For me it was post-midnight, but only when you can focus without any distractions.
• Internet Connectivity This is an online test with a time box. Ensure you have stable Wi-fi, else take it on your mobile just to be sure.
• Flag all doubts You cannot leave any question unanswered. When you are faced with doubt, flag the question and move on. You can look back at the flagged questions once you sail through the 80 questions.
• Clear Desk Even though this exam is not proctored, a clear desk with a bottle of water should be sufficient. Answering 80 questions within the hour doesn’t leave you any time for reading your notes or interpreting the Guide. Having a clear desk helps you focus and that’s the most important tool.
• Tests your depth of knowledge of the Scrum framework and its application While answering questions, always base them on the Guide and not on your personal work experience. Every organization might have a few practices that are not in sync with the Guide. This test only wants to test your understanding of the Scrum framework.

References

• Mlapshin Scrum Quizzes
• Scrum Guide
• Scrum Open assessment
• Scrum Product Owner Open Assessment
• Glossary of Scrum Terms
• Scrum Guide Comparison 2020 & 2017
• What is Scrum?
• Product Owner Learning Path

There are many reasons why one would want to become a Professional Scrum Master. An IT professional working as a part of a Scrum Team might decide to transition to the role of a Scrum Master, while a person not from an IT background might use this as a foothold to join the IT industry. Once you decide that you want to get certified, the next question is which organization you choose. There are currently a few organizations that provide training and certifications for the role of Scrum Master like Scrum Alliance, Scrum.org, Scrum Inc., etc.

My reason to go with Scrum.org was because of the following reasons:

1. I had the option to prepare for the test on my own, without having to mandatorily undertake their training (which are quite expensive); and
2. The PSM I certificate doesn’t have an expiry date. (e.g. Scrum Alliance certificates have to be renewed every two years)

PSM I Assessment Details

The Professional Scrum Master level I (PSM I) test details

Fee: $150 USD per attempt
Passing score: 85%
Time limit: 60 minutes
Number of Questions: 80
Format: Multiple Choice, Multiple Answer and True/False
Difficulty: Intermediate
Language: English only

Source: Scrum.org

Two Weeks To Go

These videos have been developed from my personal experience of preparing and clearing the PSM I test. I suggest that you invest two weeks in the preparation of the test. In case you are unable to spend 3-4 hours a day for the test, kindly adjust the days based on your availability.

In the Week 1 of your prep (or when the test is 2 Weeks away) the following could be your first course of action:

• Step 1 - Register with Scrum.org Create your account. This will give you access to all their blogs, resources, and even training schedules. Do note, these can be accessed without registering but the act of creating an account helps set the stage for the next couple of weeks.
• Step 2 - Download the Scrum Guide Download the latest November 2020 issue of The Scrum Guide. Read the guide. Please don’t underestimate the volume and depth of knowledge, ideas, and concepts shared in this 14-paged document. As you read, you’ll realize that a lot of the understanding is left open to interpretation, and only a serious and thorough study of The Scrum Guide shall help you understand what Ken Schwaber and Jeff Sutherland wanted to convey to its readers. Read and reflect. After that start adding your own notes and interpretations to your copy of the Guide.
• Step 3 - What is Scrum? Go through the page as it has links to all the articles, blogs, and resources you need for your test preparation.
• Step 4 - Scrum Glossary This is a quick peek into the terms and concepts of Scrum and should be referred to multiple times.
• Step 5 - Take the Scrum Open assessment. This week, taking the Scrum Open Assessment will give you an idea about the structure of the questions as well as develop familiarity with the interface. Save a pdf after every test, as it details the right answer and over time you will develop a repository of questions (with their correct answers)

One Week To Go

Into the second week of your preparation, you can consider the following action points:

• Step 1 - Buy PSM I Assessment When you buy the assessment, it acts as a driver and motivator for you as you inch closer to the test. While making the purchase you don’t need to set a date, hence, there is no problem with rescheduling or any last-minute hiccups. You can take it when you feel you’re ready to do so using the code mailed to you by Scrum.org.
• Step 2 Start Timing the Scrum Open assessments By now, you should have taken the open assessments many times. In the assessment, you have to answer 30 questions in 30 minutes. Try to increase your speed, so that you can attain accuracy within the span of 15-20 minutes. This might sound absurd, but will help you save time on D-day. Also, after taking the test 6-8 times, you will see that the questions appear from a pool of 100 (approx.) questions, and over time you are answering known questions. Practice time-management.
• Step 3 - Try the Free PSM Assessments from the Mikhail Lapshin website These are free tests that you can take either in Learning Mode or Real Mode. I took them at least once every day and find them really useful. The only problem is that it is still being updated for the 2020 version of Scrum Guide and hence you might find a few answers to be incorrect from the latest Scrum Guide standpoint. Even then, most of the questions should still be relevant to your preparation.
• Step 4 - Continue Reading the Scrum Guide You must have a very well-used and inked copy of The Scrum Guide.
• Step 5 - When are you ready to take the PSM I Test? When you are consistently scoring over 95% in your Open Scrum Assessments and above 90% in your mlapshin.com Free Assessments.

Day of the Test

These are the most important tips for your test.

• No distractions. You're taking the test at a time and place that is convenient for you. For me it was post-midnight, but only when you are able to focus without any distractions.
• Internet Connectivity This is an online test with a time box. Ensure you have stable Wi-fi, else take it on your mobile just to be sure.
• Flag all doubts You cannot leave any question unanswered. When you are faced with doubt, flag the question and move on. You can look back at the flagged questions once you sail through the 80 questions.
• Clear Desk Even though this exam is not proctored, a clear desk with a bottle of water should be sufficient. Answering 80 questions within the hour doesn’t leave you any time for reading your notes or interpreting the Guide. Having a clear desk helps you focus and that’s the most important tool.
• Tests your depth of knowledge of the Scrum framework and its application While answering questions, always base them on the Guide and not on your personal work experience. Every organization might have a few practices that are not in sync with the Guide. This test only wants to test your understanding of the Scrum framework.

References

• Mlapshin Scrum Quizzes
• Scrum Guide
• Scrum Open assessment
• Glossary of Scrum Terms
• Scrum Guide Comparison 2020 & 2017
• What is Scrum?

"No News is Good News". That is what I used to get from Identity Guard®. But yesterday, I got email & sms notification "Alert: Your Login Credentials Have Been Exposed Online". And partial password shared in that notification is actually matching with my credentials. So, mine got exposed. Check yours.

What is "Breach Combo List 3.2B" ?

"COMB List 3.2B" is a compilation of many breaches. 3.2 billions loginid and password has been published in plain text format. It contains billions of login credentials from LinkedIn, Netflix, Exploit.in and many more from past breaches. 3.2 billions is massive considering 4.66 billion active internet users worldwide.

How many people use the internet?"

As of January 2021 there were 4.66 billion active internet users worldwide - 59.5 percent of the global population. Of this total, 92.6 percent (4.32 billion) accessed the internet via mobile devices."
Source: statista.com

I always use separate set of emails & password combinations for email communication, banking sites, major social media sites and third party OAuth. Based on the below combination, I easily identified that my LinkedIn login credentials got exposed on the Dark Web in this mind-boggling breach.

Market research company "CyberNews" has provided a online tool "Personal Data Leak Checker". It has 500 GB database (15 billion compromised accounts) of hashed emails that have been leaked over time.

How does this tool work?

Our checker has a 500 GB database of hashed emails that have been leaked. To check if your email address was leaked:

1. You enter the email address in the search field. Your email is not collected, logged or stored
2. The tool hashes the email you entered and uses only this hash to perform a search in our database
3. The search results appear on the same page
   Source: https://cybernews.com/personal-data-leak-check/

How do we store data from breaches?

Our database contains nothing more than the email address and the source of the leak. All information in our database is hashed with Blowfish based crypt (bcrypt) hashing algorithm. It is one of the safest hashing algorithms. All emails are anonymised and linked only to the source of the leak.

What happens when you check if your data has been leaked?

The email address that you enter in the search field is hashed and we use only this hash to perform a search in our database. We do not collect entered emails, nothing is logged when you perform the data leak check.
Source: Leak check FAQ

Many of us use the same email id for communication, social sites, banking sites etc. Sometime, same password everywhere. It is an unsafe practice.

The SMS breach alert got me worried, but it did not have catastrophic consequences for me. Solely because I use different set of credentials for all major sites / applications and always enable Multi-Factor Authentication (MFA) or 2-step verification. Even if someone has access to my credentials, One-Time-Password (OTP) / second level of verification will work as second line of defence. This significantly reduces limits the risk if your login credentials are exposed on Dark Web.

Sharing few recommendations that I received from Identity Guard® along with the security alert.

What should I do?

1. We recommend that you update your password for any account where the email address shown in your alert is used as a user name.
2. Always use unique passwords for all of your accounts. This limits your risk if your login credentials are exposed.
3. Consider activating multi-factor authentication—which means your password in addition to one or more other means of authentication—on any account that allow this option. Multi-factor authentication is the best way to keep your accounts more secure.
   Source: Identity Guard® FAQ

Gmail, Facebook, Twitter, LinkedIn, etc. all are amazing services. We mostly don't pay anything directly to them. It is absolutely free, if one is gone, we can open another one. But reality is beyond this. If we loose access, it may create huge damage in terms of reputation, financially or inconvenience based on kind of user we are and our usage pattern.

References

• Identity Guard® FAQ
• CyberNews - Personal Data Leak Checker
• CyberNews - Leak check FAQ

Techsmith Camtasia 2020 introduces a video template. Now, we can create a video template and share it with the team to build consistent and professional videos quickly. This is really great. But like many Camtasia users, I also terribly miss the feature to add Quick Properties to the custom groups, assets, or templates. As a result, we can share assets but we can not customize quickly. Therefore, it is not truly reusable. However, they allow this for assets that are downloaded from the Techsmith Camtasia assets library. In this post, I’ll share quick steps to enable you to make custom assets having Quick Properties.

I went through all the Camtasia forums, Google Search, and YouTube contents, but I have not found any solution or workaround anywhere. Therefore, I am creating this content to share what I have found after reverse-engineering the Camtasia project file.

When we create a new project in Camtasia, all the configurations get saved in the project file with the .tscproj extension. This file is nothing but a human-readable JSON file. We can open it in any text editor (optionally JSON viewer) to explore it. When I compared a Camtasia project having assets downloaded from the Camtasia library with a project having a custom group, I can see only the below difference.

 "assetProperties" : [
	{
	  "type" : 0,
	  "name" : "Name of imput",
	  "objects" : [ id1 ]
	},
	{
	  "type" : 1,
	  "name" : "Color 1",
	  "objects" : [ id1, id2 ]
	}
  ]

When I was playing around with these configs, I have noticed that we can add quick properties for a custom asset just by making required changes in the .tscproj.

I have created a detailed YouTube video to explain how the .tscproj is structured and exactly what changes you need to make to add quick properties. In the end, I shared 3 easy steps that you can apply to the Camtasia project file using any text editor to get it done in 5 minutes.

Note: Please keep a backup copy of your .tscproj before you start making any changes.

Andy  learning to code. He seemed a little worried. Mike happens to stop by.

"You seem worried. What’s on your mind?" asked Mike.

"Well Mike, I’ve been trying to understand exception handling. But I can’t seem to wrap my head around it." answered Andy.

Mike laughed and said "I see. Come with me. First we will watch a video, then, I’ll explain."

Andy was excited! They watched the following clip from the movie "Toy Story".

After the video ended, Mike said with a smile "So Andy, now let’s discuss exception handling. You know that Buzz cannot fly, he knows that too. But when the rocket is about to blow up him and Woody, he manipulates the situation and uses its force to propel them to the safety of the car!! Two things happen - One, the rocket doesn't kill them. Second, they land in their desired spot! In Buzz’s words, they were falling with style!!!"

"I get that. But how does that explain exception handling?" wondered Andy.

"You see Andy, what Buzz did was ‘exception handling’. When the standard code does not yield the expected output due to some uncontrollable factors; you can use a smart code to handle the exception to your advantage. Thereby, avoiding an unpleasant user experience."

"Now I see your point Mike. Exception handling is nothing but "falling with style!!!"

Is node-gyp (Node.js native addon build tool) failing during yarn install or npm install? If your macOS got upgraded to Catalina (10.15) recently, then you will find the fix right here.

Explainer Video:

Sample Error

abhijit@macpro gulp-responsive % npm install --save-dev gulp-responsive
> sharp@0.21.3 install /Users/abhijit/workspace/image-optimization/gulp-responsive/node_modules/sharp
> (node install/libvips && node install/dll-copy && prebuild-install) || (node-gyp rebuild && node install/dll-copy)
info sharp Detected globally-installed libvips v8.9.2
info sharp Building from source via node-gyp
gyp: No Xcode or CLT version detected!
gyp ERR! configure error 
gyp ERR! stack Error: `gyp` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onCpExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/configure.js:351:16)

So, what went wrong?

node-gyp uses XCode Command Line Tools for macOS.

Both upgrading to macOS Catalina and running a Software Update in Catalina may cause normal node-gyp installations to fail. This might manifest as the following error during npm install:

gyp: No Xcode or CLT version detected!
Reference: Installation notes for macOS Catalina (v10.15)

Check MacOS version

Run sw_vers in terminal to check your MacOS version. Actually, if ProductVersion is less then 10.15, then fix of this post may not be applicable.

abhijit@macpro ~ % sw_vers
ProductName:	Mac OS X
ProductVersion:	10.15.6
BuildVersion:	19G2021

How to fix?

Reinstall the XCode Command Line Tools.

1. Remove the XCode Command Line Tools.

   abhijit@macpro gulp-responsive % xcode-select --print-path
   /Library/Developer/CommandLineTools
   abhijit@macpro gulp-responsive % sudo rm -r -f /Library/Developer/CommandLineTools
   Password:
   
   

   or

   abhijit@macpro gulp-responsive % sudo rm -rf $(xcode-select -print-path)
   Password:
   
   

2. Install the XCode Command Line Tools.

   abhijit@macpro gulp-responsive % xcode-select --install
   xcode-select: note: install requested for command line developer tools
   

   Click "Install" button in the wizard, accept "License Agreement" and click "Done" once the software is installed.

Acid Test

If the below acid test passes, we are good to go.

abhijit@macpro ~ % curl -sL https://github.com/nodejs/node-gyp/raw/master/macOS_Catalina_acid_test.sh | bash
Command Line Tools version: 12.0.0.0.1.1597368733

Verify

Finally, we'll run the initial npm install that failed for us.

bhijit@macpro gulp-responsive % npm install --save-dev gulp-responsive
> sharp@0.23.4 install /Users/abhijit/workspace/image-optimization/gulp-responsive/node_modules/gulp-responsive/node_modules/sharp
> (node install/libvips && node install/dll-copy && prebuild-install) || (node-gyp rebuild && node install/dll-copy)
info sharp Detected globally-installed libvips v8.9.2
info sharp Building from source via node-gyp
  TOUCH Release/obj.target/libvips-cpp.stamp
  CXX(target) Release/obj.target/sharp/src/common.o
  CXX(target) Release/obj.target/sharp/src/metadata.o
  CXX(target) Release/obj.target/sharp/src/stats.o
  CXX(target) Release/obj.target/sharp/src/operations.o
  CXX(target) Release/obj.target/sharp/src/pipeline.o
  CXX(target) Release/obj.target/sharp/src/sharp.o
  CXX(target) Release/obj.target/sharp/src/utilities.o
  SOLINK_MODULE(target) Release/sharp.node
npm WARN RespImg@1.0.0 No repository field.

+ gulp-responsive@3.0.1
added 43 packages from 120 contributors and audited 389 packages in 23.309s

References

• node-gyp
• Installation notes for macOS Catalina (v10.15)

4,153,406 hits in single day!

Sounds like a really big number for many of us. I was surprised when I noticed this in Production ELK for the first time. I didn't expect that many hits for an application with only 5 microservices. That too for a Beta application with a handful (~2k) of users. It will grow to 25+ microservices within next one year. Once migration completes, millions of users will use this application. I can not imagine where this number shall skyrocket then.

We should Log smartly, not in Volume. Its great if this is already taken care of in your application. But if you are looking for more, then reading this post might add value.

As a developer, we at times don't give much thought to what we are logging and how much we are logging. Everything is taken care of by the underlying logging framework. It has hardly any cost considerations for us, the developers.  

While talking about cost, following few comes to mind.

• IO:
  • Logger - To write log statements in file or console
  • Beats - To collect data from environment.
• Network:
  • Beats - To ship data from edge machines to Logstash
  • Logstash - To ship processed data to preferred "Stash"
• Processing:
  • Beats: To parse collected raw data.
  • Logstash: To ingest, parse, transform, ship log to destination
  • Elasticsearch: To index, search & run analytics.
• Storage: To store & retain huge logs from all sources for a certain period of time

Enough talk! Let's see what we can optimize using the following two configurations. There are more. Plan is to reduce log volume without impacting your existing applications.

1. Customizing Logger Name Length
2. Customizing Stack Traces

1. Customizing Logger Name Length

Define appropriate length for shortenedLoggerNameLength of LogstashEncoder in Logback configuration.

How?

<encoder class="net.logstash.logback.encoder.LogstashEncoder">
  <shortenedLoggerNameLength>30</shortenedLoggerNameLength>
</encoder>

It works in same way %logger{length} conversion pattern works.

Let's do the Math
Take an example of bare minimum Logger name com.srccodes.lob.project.service.api.MyService (46 characters). Now if we shorten to c.s.l.p.s.a.MyService (21 characters), we'll save 25 characters for each hit. So total unrealized savings of storage & bandwidth would be 103+ millions (4153406 X 25 = 103835150) characters each day in the current Beta application. Just to give a rough idea, 1 million characters is equivalent of ~23 hours 8 min of speech duration.

Conversion Word
%logger{length} will shorten the logger name, usually without significant loss of meaning. Setting the value of length option to zero constitutes an exception. It will cause the conversion word to return the sub-string right to the rightmost dot character in the logger name. The next table provides examples of the abbreviation algorithm in action.

Conversion specifier	Logger name	Result
%logger	mainPackage.sub.sample.Bar	mainPackage.sub.sample.Bar
%logger{0}	mainPackage.sub.sample.Bar	Bar
%logger{5}	mainPackage.sub.sample.Bar	m.s.s.Bar
%logger{10}	mainPackage.sub.sample.Bar	m.s.s.Bar
%logger{15}	mainPackage.sub.sample.Bar	m.s.sample.Bar
%logger{16}	mainPackage.sub.sample.Bar	m.sub.sample.Bar
%logger{26}	mainPackage.sub.sample.Bar	mainPackage.sub.sample.Bar

Please note that the rightmost segment in a logger name is never abbreviated, even if its length is longer than the length option. Other segments may be shortened to at most a single character but are never removed.

2. Customizing Stack Traces

logstash-logback-encoder includes a very powerful throwableConverter called ShortenedThrowableConverter. It'll be a good idea to customize stack traces for optimizations.
rootCauseFirst is a cool feature. It is very handy to see the root cause first rather than browsing through chains of "Caused by:". Logs gets truncated beyond buffer_size of Logstash (65536 bytes on Logstash >= 5.1). In such cases, root cause will be lost and toubleshooting might be a nightmare.
Otherside, maxLength & shortenedClassNameLength will help to reduce log message size.

Customize Stack Traces

• Limiting the number of stackTraceElements per throwable (applies to each individual throwable. e.g. caused-bys and suppressed)
• Limiting the total length in characters of the trace
• Abbreviating class names
• Filtering out consecutive unwanted stackTraceElements based on regular expressions.
• Using evaluators to determine if the stacktrace should be logged.
• Outputing in either 'normal' order (root-cause-last), or root-cause-first.
• Computing and inlining hexadecimal hashes for each exception stack

For example:

<encoder class="net.logstash.logback.encoder.LogstashEncoder">
 <throwableConverter class="net.logstash.logback.stacktrace.ShortenedThrowableConverter">
   <maxDepthPerThrowable>30</maxDepthPerThrowable>
   <maxLength>2048</maxLength>
   <shortenedClassNameLength>20</shortenedClassNameLength>
   <exclude>sun\.reflect\..*\.invoke.*</exclude>
   <exclude>net\.sf\.cglib\.proxy\.MethodProxy\.invoke</exclude>
   <evaluator class="myorg.MyCustomEvaluator"/>
   <rootCauseFirst>true</rootCauseFirst>
   <inlineHash>true</inlineHash>
 </throwableConverter>
</encoder>

Though the cost of storage, network & processing power are getting cheaper by the day, applications are also scaling up and scaling out in many folds over time. So, I believe, it is important to optimize as much as possible.

Please share your thoughts and experiences on this. Thanks in advance.

References

• logstash-logback-encoder
• Logback Layout - Conversion Word

Entrepreneurs are not a homogeneous group and hence attributing their success or failure to a set of characteristics might be difficult as well as open to challenges.  People often have the notion that entrepreneurs are born with their natural affinity to innovation and an appetite for risk taking. Their success in businesses is simply a consequence of these inherent qualities. While one can argue that the product ideas of the likes of Bill Gates, Steve Jobs and Larry Page were enough to skyrocket their start-ups to hugely successful business empires; the newer breed of entrepreneurs like Mark Zuckerberg  and Jeff Bezos are riding on the promise of smarter delivery and better consumer experience.

In the dynamic landscape of business, a few key traits form the fabric of their character.

Passion

An entrepreneur has to be passionate about their product or idea. Reaping the dividend of their business venture might be the ultimate motivator, but being able to live their passion everyday is what fuels them on during the initial trials and testing times.

Consumer insight

One might have an idea for a new product or service but it must be deliberated whether there exists a market for it or can it generate future consumer demand. An ability to survey the current consumer trends and forecast the projected demand for the new product or service would be invaluable.    

Conviction

An entrepreneur with a strong belief in his idea and vision will be adept to sell it to various groups  ranging from reluctant investors to first time customers. Conviction also endows upon you the confidence to heed only the good from the avalanche of advice mounted upon you from all quarters.

Networking

The benefits of having an amiable and extrovert personality cannot be emphasised enough. The ability to make a good impression on people goes a long way in securing the financing deal or making that first sale. A good news for introverted and shy people is that networking can now happen virtually through social media and might be quite effective for following up and keeping in touch. The success of your new endeavour weighs heavily of your network of friends and business acquaintances.  

Ability to learn from failure

An entrepreneur must always be prepared to fail. If he is able to treat a setback as a lesson learnt, he will be able to move forward with better understanding and preparation.

Resourcefulness

There will be occasions when one would be expected to make the most of available resources. This attitude would help the business in the initial days of operation when resources are limited. A resourceful person is not only able to use sparse supplies sensibly but also find novel uses for them.

Other personality traits like ability to take risks, work hard, empathize, observe respectfulness, etc. are also important in the successful launch of a start-up. This article however chooses to focus only on the key qualities that help set apart the successful entrepreneurs from the crowd.

Pandemic! Human race is now at stake. Flatten the curve. Whole world is running after this epidemic curve. Why it so important?

By RCraig09 - Own work, CC BY-SA 4.0, Link

Fight or Flight. Neither medicine nor vaccine for COVID-19  is out there. Naturally, second one would be the wisest choice.

Wash hand, disinfection, wear mask, keep distance, stay at home, social bubbles, lockdown - so many temporary strategies. But for what?

Idea here is don't fall sick. Delay the  peak number of infected people that health care system can handle at a time. Don't put more pressure on already stressed out healthcare system. Help administration to buy time to increase health care capacity ("raise the line") .

Why am I talking all these in the context of microservices? Probably, you got me . Just think microservice application as healthcare system and each person (who requires health care support) as request to that application then you'll find amazing similarities.

We may have experienced 1-2 pandemics in 100 years. But we see it frequently in IT application environment.  Therefore, it is very important to know how to handle pandemic in application.

Broadly, there are three different states of dealing with this epidemic. This is almost same across all countries (except Big Bro :-)).

1. Open (Pre Covid-19 / Hopefully Post Covid-19)
2. Locked Down (Everything absolutely closed)
3. Slowly opening / Semi-open / half-open (Social bubbles, Stage 1, Stage 2, Stage 3 etc.)

Third state is very tricky. Wait, watch and take action. If situation continuously improves, then open  particular area / city / business otherwise close it immediately.

For our applications, we use to have Input Sanitization (Wash Hand),  Virus / Malware / Vulnerability scanner (Disinfection), Firewall / VPC / Security Group / ACL / Private Subnet etc. (Face Mask, Home Isolation, Social bubbles etc.). We also need something that will help us to continuously monitor and decide when not to pass request if underlying system is already stressed out.

Roughly, Circuit Breaker pattern helps to address this and make an application more resilient. It is partially works like an electric circuit breaker that protects electrical appliances from unexpected level of current flow at our home. It is absolutely essential and most important safety mechanism for our home. Similarly, Circuit Breaker pattern is also absolutely necessary for our modern software applications.  

Circuit Breaker pattern is implemented as finite state machine with 3 main states - "Closed", "Open" and "Half-Open". It monitors and aggregate outcome of calls in a rolling / sliding window. Once,  failures rate crosses the configured threshold, Circuit Breaker trips ("Closed" --> "Open") and all subsequent calls get rejected with immediate error or fallback response. After configured wait time, it goes to "Half-Open" state and allow configured number of calls to verify the backend health. If all calls are successful then it moves to "Closed" state, otherwise again goes back to "Open" state and restart the wait timer.

Two java implementations of Circuit Breaker pattern are very popular.
1. Netflix Hystrix:

Hystrix is no longer in active development, and is currently in maintenance mode.

Hystrix (at version 1.5.18) is stable enough to meet the needs of Netflix for our existing applications. Meanwhile, our focus has shifted towards more adaptive implementations that react to an application’s real time performance rather than pre-configured settings (for example, through adaptive concurrency limits). For the cases where something like Hystrix makes sense, we intend to continue using Hystrix for existing applications, and to leverage open and active projects like resilience4j for new internal projects.
Source: https://github.com/Netflix/Hystrix

2. Resilience4j

Resilience4j is a lightweight fault tolerance library inspired by Netflix Hystrix, but designed for Java 8 and functional programming. Lightweight, because the library only uses Vavr, which does not have any other external library dependencies. Netflix Hystrix, in contrast, has a compile dependency to Archaius which has many more external library dependencies such as Guava and Apache Commons Configuration.
Source: https://github.com/resilience4j/resilience4j

Personally, I prefer Resilience4j for my projects. Reason is obvious from above quotes. Please let me know in the comment what are you using in your projects?

Thanks for reading! :)

References

• CircuitBreaker - Martin Fowler
• Resilience4j
• Netflix Hystrix
• Comparison to Netflix Hystrix