Node-RED’s cool GUI for the Internet of Things

Node-RED and a quick IRC bot flow
Node-RED and a quick IRC bot flow
The latest version, 0.5.0 of IBM’s Apache licensed, incredibly useful and very cool Node-RED has landed but before going further, I suspect a lot of readers will want to know what Node-RED is.

There’s usually a lot of connecting of things involved with making the Internet of Things do something useful. Whether it be detecting messages on Twitter, listening to IRC, watching a Websocket or grabbing a web page, each source then needs to be processed and if required make something happen. Now, you can write a lot of code to do that or you can check out Node-RED. Billing itself as a “Visual tool for connecting the Internet of Things”, Node-RED is built atop of Node.js and offers a graphical world of IoT building blocks in the browser for you to wire up as needed and test.

Those building blocks, nodes in Node-RED, start with the simple, inject to send something, function to process it using JavaScript and debug to see what is being sent. They then build up to more powerful capabilities such as Http requests, MQTT subscription and publication, WebSocket listening and writing, tcp and udp comms and sentiment analysis. To connect up to social networks, nodes for Twitter and IRC listening and publishing are included. There’s also file storage, logical switches, data manipulation and delay nodes and, for the brave, even a node which will exec a process on the system.

Each node can be placed, configured and its outputs connected to other nodes inputs in the Node-RED GUI, and with the click of the Deploy button, put into action. New nodes can be created and plugged into the system too and there’s a repository of user created extra nodes available.

But, you say, where’s the Internet of Things in this? Well, Node-RED is able to work with Arduinos (connected via USB to host computers over serial or Firmata protocols) or run directly on Raspberry Pi (with GPIO and wiring-Pi modules) and the BeagleBone Black (with BoneScript access). And, obviously, you can write your own plugin nodes to connect up whatever hardware or devices you need to access.

Node-RED is a very capable tool and worth adding to your toolkit. For example, while writing this I was also prototyping an IRC bot which did basic sentiment analysis and commented in the channel. Why not give it a go over the coming holidays? You can download Node-RED from the website or you can find it on GitHub. Documentation including a quick tutorial on creating flows, along with instructions on writing function nodes, creating new nodes, embedding Node-RED into existing applications and running it with Arduino, Raspberry Pi and BeagleBone Black.

The latest version, which we mentioned at the start, has new visuals for showing the deployment state of nodes and handles the idea of “unknown nodes” visually when importing a flow from someone who’s used nodes you haven’t got yet. There’s also new user and direct message tracking in the Twitter node, session aware TCP and WebSocket nodes, enhancements to the MQTT node for authentication and client ID, an “otherwise” option in the Switch node, selectable data delimiters for the serial node and a HTTP Request node that follows 301s. The contributed nodes now include a Snapchat node and a Phillips Hue mode.

The Node-RED developers are now looking at making new nodes installable with npm, Node.js’s package manager, and tackling the separation of the administration UI from the runtime so it’s more easily deployed into future production scenarios.

Microsoft and Adobe’s October Patch Tuesday – Security Snippets


  • Microsoft’s Monthly: It’s remote code execution holes all the way down in this months Patch Tuesday. From a bundle of Internet Explorere fixes in MS13-080 to a crunchy critical remote code execution and extra ‘important’ privilege escalation holes in Windows drivers, MS13-081 going all the way back to XP SP3 and all the way up to Windows 8. But wait, there’s more according to the cumulative advisory, MS13-Oct. Critical remote code execution holes in .NET Framework (MS13-082) and Windows Common Control Library (MS13-083) and “Important” remote code execution holes SharePoint Server (MS13-084), Excel (MS13-085 and Word (MS13-086) are also reported. There’s also an information disclosure hole in SilverLight (MS13-087). Fixes available from your friendly Microsoft Update service.
  • Adobe patches help up: Adobe’s fixes for this month have also been released. As well as the usual Reader and Acrobat fixes, developers who use Adobe’s RoboHelp will want to check out APSB13-24 as its a critical hole which could enable code execution. Adobe are priority rating 3, as it’s “not historically been a target for attackers”, but there’s always a first time.

Apache CloudStack goes 4.2.0

cloudstackThe other other open source IaaS Cloud, CloudStack, has had an update with the release of CloudStack 4.2. What’s new? reveals a lot of work which the announcement summarises as 57 new features and 29 improved features such as the ability to plug in external or internal S3-compatible storage services and support for Cisco’s UCS compute chassis and SolidFire storage arrays.

A trawl through the release notes shows that there is far more than the headline items though. There’s a whole set of features to help support for regions, zone wide primary storage and a plug-in framework for writing UI extensions.

Networking has had a lot of work done to it too with initial support for IPv6 (as a technical preview), portable elastic IPs which can be transferred between zones, the ability to assign a VLAN to an isolated networks and persistent networks which can exist without VMs assigned to it. There’s also Cisco VNMC and VMware VDS support, enhanced support for Juniper gear and global server load balancing with health checks for load balanced instances.

Host support has not been left out. Windows 8 and Windows Server 2012 can now be VM Guest OS’s, ownership of VMs can now be changed by an administrator, resizable data disk volumes, storage migration (for XenServer and VMware), the ability to scale CPU and memory on running VMs (VMware and XenServer again), over-provisioning of memory and cpu (VMware, XenServer and KVM), bare-metal provisioning kickstarter, VM resetting on reboot and VMware VM snapshots.

Finally, there’s a who set of enhancements to the monitoring, maintenance and operations end of CloudStack, with support for auto purging alerts, API request throttling, forwarding of alerts to external SNMP and Syslog systems, a log collection tool, ability to change default password encryption and new VM snapshot and backup capabilities.

You can download the source or binaries (in deb and rpm packages) from where there is also documentation including installation and admin guides.

Mosquitto’s home, Firefox memory, OpenOffice updates – Snippets


  • Eclipse erects Mosquitto net: The MQTT broker Mosquitto is being proposed as a new open source project at Eclipse. It not only implements the TCP based MQTT but has support for MQTT-SN, a connectionless version for UDP and other networks. The plan is to merge Mosquitto and RSMB, a previously closed source MQTT broker implementation, at Eclipse. If, or more when, this proposal is accepted, it will mean that the Eclipse M2M initiative will have a full MQTT cross platform stack under their wing. If you want a low-nonsense, low-overhead publish and subscribe messaging system, you will want to look at MQTT.
  • Firefox memory saves: Sometimes memory saving is marginal. Other times, like this it can be huge. A combination of two fixes applied to the Firefox code base have take peak memory use on image heavy pages down from, in an example, 3GB in Firefox 23 to “a couple of hundred megabytes” in Firefox 26 (Aurora). Excellent work from the Firefox Memshrink team; this wasn’t just a matter of closing leaks but working out what was and wasn’t onscreen and what could have been likely to be on screen.
  • Apache OpenOffice updates: Apache OpenOffice 4.0 has just had its first update in the shape of version 4.0.1. Along with bug fixes, there’s 9 new translations (Basque, Khmer, Lithuanian, Polish, Serbian Cyrillic, Swedish, Traditional Chinese, Turkish and Vietnamese) getting OpenOffice up to 32 languages supported, and a number of performance improvements including speeding up Excel spreadsheet saving by 230% in “one common scenario”. Release notes also show updated translations and updated English (US and proper), Gaelic, French, Italian and Spanish dictionaries. And if you are wondering what this has to do with code; remember you can use OpenOffice headless as a document processing service (start it with the -headless parameter).

Updates for RethinkDB and FreeBSD and a 64-bit .NET JIT boost – Snippets


  • RethinkDB gets multi-indexing: The developers of the open source, NoSQL database RethinkDB have announced version 1.10 which comes with the ability to index rows with fields of multiple values, like say an list of tags for a blog entry. Looking for all records with a particular tag previously required slow iteration, but now with the multi-index it is possible to index the set of values within the field and then to “get_all” for a particular tag value using that index. RethinkDB server is written in C++ and AGPL licensed with Apache licensed client drivers.
  • FreeBSD 9.2 released: In the latest FreeBSD release ZFS gets added TRIM support for solid state drives and lz4 compression and there’s updates for OpenSSL (to 0.9.8y), DTrace (to 1.9.0), Sendmail (to 8.14.7) and OpenSSH (to 6.2p2). There’s also virtio drivers and enabled Dtrace in the “GENERIC” kernel. Read more in the FreeBSD 9.2 release announcement.
  • RyuJIT for .NET: Over in the world of .NET, interesting things are afoot with a new 64-bit just-in-time compiler, RyuJIT, making its debut as a CTP (Community Technical Preview). .NET’s had a 64-bit JIT for some time, though the JIT has apparently been quite slow. RyuJIT runs twice as fast and overall gives a 30% speed up to start up. One benchmark with regular expressions went off the scale, going from a 1.4GB working set and 60 seconds run time to 199MB and 1.8 seconds run time – yes the older compiler is particularly bad at regular expressions.

Beta Ceylon, VLC 2.1 released, Whois research and Retro-browsing – Snippets


  • Ceylon goes beta: Red Hat’s own JVM-hosted language, Ceylon, has been declared feature-complete and released as a 1.0 beta. There’s a formal language spec, command line tools, SDK and a beta of an Eclipse based IDE for Ceylon too. Lots of language features have been added coming up to beta, including annotations, static methods, try for resources, switch statements that know strings and characters and more.
  • VLC 2.1 debuts: Every coder needs a video player that can handle any format. Thats my excuse anyway and here’s the newly released VLC 2.1 arriving to fill in the latest gaps in my playback capability. A new audio rendering pipeline, OpenGL ES support, new ports (Android from 2.1 to 4.3 for ARM, x86 and MIPS and iOS 5 to 7), a partial WinRT port, Microsoft Smoorth Streaming, support for VNC/rfb and remote desktop view-only modes, lots of new hardware decoding support on OS X, Android, Linux with VDPAU and Windows QuickSyncVideo. Oh yes and there’s the foundations for UltraHD support. And developers will find the code is amenable to integration with more software due to libVLC (and most of the modules) being under the LGPL2.1+.
  • Whois Privacy: An interesting study of whois and the identity proxies used to cover the identity of owners. Interesting in that the idea that only those with something nefarious to hide may use the obfuscating services is blown out of the water – “for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied”. Fixing Whois is going to be harder than we thought.
  • Browse like its 1992: Cern have launched [Line Mode Browser 2013], an emulation of 1992’s line mode browser, using Node.js and modern browser technology to recreate the glow green matrix of terminals of that era. You can find the code on GitHub.

Go 1.2’s Coming, iOS7’s Multipath, RSA’s Aaargh and Tails’ Updates – Snippets


  • Go 1.2’s coming: The first release candidate for Go 1.2 has been released. Lots of changes though the developers say its “a smaller delta from 1.0 to 1.1”. Read up on whats coming in the Go 1.2 Release notes and look out especially for the changes in the use of nil. If you want to test it, downloads are at the project’s Google Code page.
  • iOS7’s Multipath: There’s a difference between having code that works and having code in production and according to NetworkWorld Apple just made that jump with iOS7 and Multipath TCP. MPTCP lets multiple interfaces, such as Ethernet, WiFi and 3G, and different paths work together to get to a connection to a destination. Apple are using MPTCP to talk to their backend services and it’ll be interesting to see how this works out in the field.
  • RSA’s Aaargh: The RSA have reacted to the NIST pulling Dual EC DRBG, the cryptographic algorithm that has been historically dubious and believed to have been compromised by the NSA at specification stage, in for review by issuing an advisory. The advisory’s bad news covers “all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C”. The really bad news? “The currently released and supported versions of the BSAFE libraries (including Crypto-J 6.1.x and Crypto-C ME 4.0.x) and of the RSA DPM clients and servers use Dual EC DRBG as the default PRNG”. Yes, as a default. Background in this Ars Technica article where one of the comments has the full text of the advisory. If you use RSA crypto, start your audit now.

The details on NGINX Inc’s plans – Extra Scaling

nginx-smallExtra Scaling is when CodeScaling does something slightly different. In this case, we talked to NGINX Inc, the company behind the NGINX web server and reverse proxy, who recently announced they were rolling out a commercial subscription support service, NGINX Plus, which also included a number of commercially licensed, closed source modules. This, as is the way of these things, caused some controversy and consternation in the FOSS community. The devil of these things is always in the details, so we got in touch with NGINX Inc’s CEO and team to get some answers from them on those details. The answers are presented here for your edification…

Codescaling: NGINX Plus has what appears to be a proprietary shell in terms of added features for deployment and management. This leads to accusations of the “open core” approach being used to lock in customers, so…

NGINX: We’re fully committed to growing and developing the open source product – that’s the key strength of NGINX. At the same time we’re confident in our ability to serve both free open source customers and commercial customers in parallel.

It is important to note that most of our customers don’t want to be locked into software, and they want choice. NGINX Plus is exactly about choice. With NGINX Plus there are several supported product options:

  • NGINX Plus with advanced modules that provide greater functionality (standard or premium support available)
  • NGINX Plus using our current NGINX OSS (standard or premium support available)

Customers using either standard distribution or the one with advanced functionality can be 100% sure the quality standards and the code base is the same. The decision to use the advanced modules is 100% with the customer.

CS: What licence does apply to the added features of NGINX Plus? Does a customer get access to the source while a customer?

NGINX: We provide a dual license: BSD for the NGINX open source code, commercial license for advanced modules. For our commercial offering, we provide a combination of open source NGINX together with additional advanced modules (shipped as a single binary). We do not provide the source code access for these additional advanced modules.

CS: Will features be migrated from the NGINX Plus set to NGINX itself in the future?

NGINX: We plan to continue to innovate both products in parallel. The advanced features in NGINX Plus are primarily targeted at problems like ADC replacement, load balancing, edge caching, streamlined management, and security. Our users always have a choice to either implement additional functionality and build customised solutions themselves, or introduce our certified commercial offerings as part of their web architecture. We obviously appreciate both approaches but want to help companies who don’t have either time or budgets to create and maintain DIY-style solutions in their production environments.

Features that are more generally applicable and related to the web server side of NGINX will continue to be in the OSS stream, and we’ll always continue to add more. Some examples of include SPDY and WebSocket modules, and the request authentication module that was released in August.

However, it is early and we’re listening to our customers and to NGINX users like we always did. We aren’t going to make decisions in a vacuum and will be listening to the needs of customers and users to determine where future enhancements will appear.

It is reasonable to assume that proprietary features will make their way into the open source product, and as we cross that bridge further down the road, we’ll have a very clear strategy to share.

CS: What rules will define where future enhancements appear, in NGINX or NGINX Plus?

NGINX: We’ll base our development of future enhancements on the existing use cases. Our open source community largely deploys NGINX as a web server in front of PHP, Python, Java and other application containers. Our enterprise/commercial customers use NGINX for a number of other scenarios, e.g. replacing a hardware ADC with NGINX in a cloud environment, load balancing, edge caching, security, automated provisioning, management and monitoring — avoiding chained, DIY-style solutions.

We will continue the same development as we’ve always done on the OSS side, and continue to address the cases enterprises are facing. We won’t close-source or remove existing open source features.

CS: What drove the decision to choose this model for business?

NGINX: This was the model requested by our customers. They asked for support but also wanted advanced features. They were clear that if they could get these advanced features in a supported build from Nginx Inc then this would be of value and they would be happy to purchase a subscription.

CS: Can instances of NGINX and NGINX Plus be mixed on a site?

NGINX: Yes. Moreover, NGINX Plus provides support for both NGINX and NGINX Plus code. As long as the customer has active subscriptions, we are able to support both.

An ExceptionalMail, a Contrail, a Concord and a Phenom(enon) – Snippets


  • Expect the Exceptional: A system admin is faced with a regular pattern of emails arriving that confirm things have either worked or occasionally failed. The admin scans them for the “is on fire” part and acts accordingly. But there’s also the other case where no mail was generated, but how would you know that email hadn’t arrived. With that in mind, Alan Bell has just rolled out This is a system designed to detect that exceptional moment when the mails don’t appear or do appear and have trigger words in them and then make sure you realise that this exceptional thing has happened. He’s written a blog post about the system, the AGPLv3 licensed source of which is up on GitHub.
  • Juniper’s SDN Contrail: Juniper has open sourced its SDN controller for its Contrail Software Defined Networking offering and started to host the Apache 2.0 licensed software. Plus points to Juniper for using open protocols like XMPP for messaging between components. They are also running labs to get developers up to speed and the source is available on GitHub. So, if you want another open source way to manage the physical and virtual networking between physical and virtual servers, there’s another option. The SDN world is rapidly evolving and being open source seems to be the easiest way to get partner/competitors on board though in this case, Juniper’s VP of Software Bob Muglia says the switch to open source was driven by customers says who are going down the OpenStack and CloudStack paths. Interestingly, this release is ahead of schedule as it was due in 2014. Lets see how Juniper plays with the world.
  • Concord: The good part – Dave Winer has released an outliner called Concord which is designed to be embedded “anywhere information is structured and organised”. The bad part – Winer says he want to ensure compatibility between features added by developers and has licensed the JavaScript code under the GPL which in no way stops someone from adding entirely incompatible features and breakage to their version while making it unlikely to be used in many public facing web projects where permissive licenses are much more common. Still, at least GPL3 licensed projects have access to an outliner now. You can find the code over on GitHub
  • Something like a Phenom(enon): Facebook have quietly release libPhenom, an eventing framework for Linux and OS X applications written in C. It lets developers break up their applications into Jobs which can be scheduled by the library, comes with memory management which keeps count, has streaming, buffered I/O, a set of useful data structures, a data type for JSON and a printf implementation which can be taught about how to format different objects. It looks light and simple, its licensed under Apache 2.0 and its in active development. If you are writing C based servers and want to make them scale, this may be one to check out.

Security Snippets : Django updated, Lua exploited, Internet scanned


  • Urgent Django Update: There’s a security update for Django released on Sunday which has been rushed out as the issue was reported on the Django developers list and thus was already public. It’s a DoS problem wherein an attacker can use very large passwords to tie up the system as it hashes the password using PBKDF2. The fixes make passwords greater than 4K automatically fail authentication.
  • Lua 5.1 exploitation: A detailed post on GitHub’s Gists looks at the process of escaping the Lua 5.1 sandbox on a 32-bit Windows system explaining how the exploit works and loads a DLL from within the what should be a locked-down environment. An interesting read for a “whirlwind tour” of the Lua VM involved.
  • Fast scanning the net: Errata Security’s Robert Graham talks about Masscan, his port scanning software which can scan “the entire internet in 3 minutes” using only a quad core desktop processor… oh and a dual port 10Gbps Ethernet card. Want to do that yourself? You can read the source at GitHub along with even more details about how to build the program. But don’t assume its open source – the License says you have no permission to use or run it (and yes, we’ve asked and we’ll update when we know more).