Network security group configuration for virtual machines

I like Azure, and since I last worked with it in anger a few years ago Microsoft have revised their portal (twice) and added lots and lots of new features. One that I really like is the “resource group” which is a way to logically group together Azure resources.

Inside a resource group it’s possible to create a Network Security Group. This is a neat container for combining together firewall rules and routing between network interfaces.

And this is where it all goes a bit wrong.


WordPress on Azure

As I just mentioned in my last post, this ‘ere blog is running in Azure, because I’m a cheapskate and get free hosting from Microsoft.

But it wasn’t as easy as I’d thought.

In the day job I’m doing lots of Azure stuff again. Our esteemed leader wants us to use Platform-as-a-Service where we can, which makes sense as the firm I’m working with don’t want to write anything themselves if they can help it. Buy, not build is their mantra.

So I merrily went to Azure and chose Add New, “WordPress + MySQL”. Entered all the passwords (so many!) and left the wheels to spin. Whoops!


StyleCop, NuGet Package Restore and Jenkins: beware, caustic mixture

Individually, they’re lovely: now it’s open-source, StyleCop seems to be (finally!) getting the love and attention it needs, NuGet has rapidly come of age to be the one-stop-shop for package management in .NET without the angle-bracket heartache that is Maven, and Jenkins, well, Jenkins just rocks.

But together they don’t play nice at all.


Game over: on Azure, don’t IISRESET

Like, I suspect, many other developers, I think I need to know more about my deployment environment than perhaps is good for me. But with PaaS (platform-as-a-service) hosting, sometimes that can give, well, unexpected results.

For example, Windows Azure offers a (really very handy) facility to open a Remote Desktop session to a Windows Server host that runs an Azure instance. You’re logged in as local Administrator, too, so you can cause some serious damage in there if you want.

Or even if you don’t want.

Many Windows developers get into the habit of performing an iisreset from time to time to gently shake a mis-behaving IIS host. This forces a complete restart of IIS and any accompanying ASP.NET applications.

Now, while this can sometimes be useful on a local machine — for instance, if you’ve sent your ASP.NET application into an infinite loop and just want to kill it quickly — it’s definitely not a good idea on a production server.

And on an Azure server… it looks like it stops the load balancer working, too, so you trash the instance completely as there’s no way to route traffic to it.

So if your Azure instance has got mixed up somehow, it’s obviously time to consider alternatives.

A rather useful utility (named by its author aspreset.exe) is here. Alternatively:

  • make a whitespace change to web.config in the application root
  • use a file utility such as touch.exe to change the filetime of an assembly in the bin folder
  • use a Sysinternals tool e.g. pskill to kill the w3wp.exe process manually

Or if you can wait a while, simply recycle the instance and go and put the kettle on!

Faking DNS entries for the Android emulator using Unbound

Previously I ranted about JQuery Mobile and the immature state of mobile development tools. While I was on that project I reckoned it might be a good idea to use an emulator so I could test what my mobile Web site might look like in real life.

A nice idea, but in practice it seems the mobile toolchain is… rather more full of good intentions than actual capability.

A quick check with my product owner confirmed that based on anecdotal research on the use of mobile devices by doctors in the NHS, iOS was the primary target, with Android a distant second.

Unfortunately another quick check confirmed that the budget wouldn’t stretch to anything capable of running an iPhone development kit. I was so tempted to nip down to the local Apple Store and get a Mac Mini, but, given that once this job had finished it’d really just be a toy… I vetoed that one.

So. I’ve had my fingers burned (a bit) with previous Windows Mobile devices, but lots of people I know and respect reckon that Windows Phone 7 is really pretty good. So it’s off to the Microsoft site to download their emulator… which promptly told me that my video drivers were Just Not Up To Scratch. Which is fairly reasonable given that I’m using a three-year-old laptop.

So. Android. My wife has an HTC Desire HD which is really rather cool, so off to Google we go to get the Android emulator. Only to find that – well, it’s really not that brilliant on Windows. Don’t get me wrong, it works, but it’s just … not quite right.

Oh, and it’s slower than molasses on a January day in Gloucestershire. Slower than a real device, which is quite remarkable, and probably explains why Android apps are quite fast: developers get used to the poor performance of the emulator.

Whatever. I can (eventually) get to the mobile browser and enter some sites, which work fine — at least, they work as well as they ever do on a mobile browser.

But there’s a snag: hacking the local hosts file.

This project uses host headers to allow multiple ASP.NET sites to run on a single IIS server. The same goes for local development boxes, so to allow local IIS to work as it should we have a dozen or so entries in our local hosts file. Locally, the Windows DNS system checks this file for the “development” versions of the hosts first, and so all is well.

However, the emulator is its own host, which (from what I can tell) doesn’t use the DNS name resolver on the PC. Rather, it uses the DNS subsystem on the phone itself.

At its heart Android is really a Linux distro under the hood, so in theory we should find something useful in or around /etc/hosts; and, yes, sure enough there is.

A quick Google brought up a couple of sites that suggested that hacking that hosts file is quite feasible and should work. But other sites suggested that the Android hosts file is really very sensitive to line endings, tabs, the current phase of the moon and other random variables.

Whatever it was I did, I clearly didn’t invoke the right deity, as no matter what I tried the darned thing wouldn’t resolve my host. OK, I grant you that given that each boot-up cycle took ten minutes (!) I didn’t try too hard, but it was still frustrating.

So I gave up and carried on using Chrome on the PC to test the site, which was reasonably close.

A few weeks later and I’m further on the project but don’t yet have a real device to test the JQuery Mobile modifications I’ve made. So I take the plunge and give myself a free morning to sort the situation out.

This time, one thing I do that’s different is to install the emulator on an Ubuntu virtual machine. In hindsight this seems crazy — why run an emulator on an emulator? — but the Android ecosystem is much better supported on Linux than Windows and the tooling felt, well, right when run on a Linux host.

Better, I now had a degree of redirection that I could use to crack the DNS issue. The VMware Workstation virtual machine can be configured to use a virtual network shared with the host, so I had a scout around to see if I could configure a DNS server on the PC that would supply the missing network names. My theory was that I could then configure the DNS client on the Ubuntu box to point to my Windows host.

One option was to install a Windows Server virtual machine and configure a DNS server through Active Directory… er, no, thanks.

Another option was to install a natty bit of open source software I found called Unbound. This is a full DNS server that appears to do … everything … and that runs as a Windows service.

And, it works a treat, even though configuring it is a little bit of a challenge. In particular there’s all kinds of options for DNSSEC that I just didn’t need as this was going to run on a virtual network locally to my PC.

Here’s my configuration file:

# Unbound configuration file on windows.
 verbosity: 2
 logfile: "C:\temp\unbound.log"

use-syslog: yes
# the IP address of the
access-control: allow
access-control: ::0/0 allow
domain-insecure: "."
local-data: " IN A"
local-data: " IN A"
local-data: " IN A"
local-data: " IN A"
 name: "."

Or, put another way, this

  • logs reasonably verbosely to a file
  • listens only on IP address, which is the IP address of the Windows host on the virtual network
  • allows access from anywhere – not an issue as the resolver is only listening on a private internal virtual network
  • adds four hostnames, each of which resolves to the local Windows host
  • forwards anything else through to, which is the address of the local DNS server.

I saved this as service.conf in the Unbound folder and verified that all was well by running Unbound at the command line. I then reconfigured VMware to use this as the default DNS server for DHCP requests for that private network – and, hurrah, after a reboot the Linux host could resolve my custom hostnames!

Better, the Android emulator – which is also dispensed a network address through DHCP – worked just fine, too. At which point I ran into all sorts of issues about cross-domain AJAX calls, but that’s a post for another day.
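The "allow from anywhere" rule above is only safe for as long as the listener stays on the private virtual network. As an added example (not code from the original post), this small check reads an Unbound configuration and flags the settings whose safety depends on that binding. The addresses, hostnames and the `parse`/`audit` helper names are constructed for illustration, and the sample adds the `server:`, `interface:` and `forward-addr:` lines that the prose describes.

```python
import ipaddress

# Constructed configs: addresses and hostnames are placeholders, not the post's values.
PERMISSIVE = """
server:
    interface: 192.168.56.1          # host-only adapter (assumed address)
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    domain-insecure: "."
    local-data: "dev1.example.test. IN A 192.168.56.1"
forward-zone:
    name: "."
    forward-addr: 192.168.1.1
"""
# Same resolver, scoped to the virtual network and to the faked zone only.
SCOPED = (PERMISSIVE
          .replace("0.0.0.0/0 allow", "192.168.56.0/24 allow")
          .replace("    access-control: ::0/0 allow\n", "")
          .replace('domain-insecure: "."', 'domain-insecure: "example.test."'))

def parse(conf):
    """Yield (key, value) for each 'key: value' line, dropping comments and quotes."""
    for line in conf.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            yield key.strip(), value.strip().strip('"')

def audit(conf):
    """Return finding codes for settings that are only safe while the listener is private."""
    pairs = list(parse(conf))
    listeners = [ipaddress.ip_address(v.split("@")[0]) for k, v in pairs if k == "interface"]
    # With no interface line, Unbound listens on localhost only.
    exposed = any(ip.is_unspecified or ip.is_global for ip in listeners)
    findings = []
    for key, value in pairs:
        if key == "access-control":
            netblock, action = value.split()
            if action.startswith("allow") and ipaddress.ip_network(netblock).prefixlen == 0:
                findings.append(f"{'open-resolver' if exposed else 'allow-any-latent'}:{netblock}")
        elif key == "domain-insecure" and value == ".":
            findings.append("dnssec-off-everywhere")
    return findings

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name, audit(conf))
```

A "latent" finding means the rule is harmless today but turns the service into an open resolver the moment `interface:` is changed to a routable or wildcard address.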

I’m still waiting for Add Reference…

Yes, I know the .NET Framework is big and I’ve lots of amazing assemblies in my GAC… but why-oh-why does it take so long to populate this?

The Add Reference dialog in Visual Studio

If it t’were up to me I’d populate this in the background a few moments after Visual Studio has loaded. As it is, there’s a jolly good chance you won’t find the assembly you’re looking for until a minute or two have gone by and the list box is properly populated.

My dodge for detecting when it’s loaded is to click on the “Component Name” column. If the little triangle appears, you’re in business:

Then you can type incrementally to get the assembly you’re after. Another pet peeve, that: why no Search… box?


JQuery Mobile: a cautionary tale

I’m really a server-side fellow, at home with code that can be unit tested and where the only user is a computer. I suspect like most developers I find computers more predictable than people…

I’ve just finished a quick proof-of-concept for a nice bunch of people who wanted an API for their Web site. We needed a proof-of-concept for the proof-of-concept so we thought “well, what about a mobile Web site that calls the API?”

Well, it turned out that Microsoft’s most awesome WCF Web API made the first cut of the API a matter of a couple of days’ work. I guess I should have rubbed my chin and had a sharp intake of breath and said to my colleagues “Oh, this’ll take ages” before ‘working at home’ on a beach somewhere pleasant. But I’m not professional enough yet too honest to do that.

So I ended up throwing together a little HTML5 Web site that used a little bit of JQuery Ajax magic to get some data from the API and sling it on to a page. I managed to get the Web API to play nicely with OAuth 2 authentication through Azure ACS from JavaScript (a blog post coming on that real-soon-now). My JavaScript application would request an access token through ACS which was then validated by my API.

Job done? Almost, just need a bit of styling and we’re there.

Or so I thought.

Naively, I was planning on pasting a bit of JQuery Mobile goodness on top of the Web site to make the buttons look pretty and the listboxes format appropriately. These things aren’t too hard with regular JQuery UI, after all; and given that the whole premise of the Semantic Web is that we shouldn’t have to worry about UI concerns in our markup, all should be well.


It turns out that to do the fancy page-transition malarkey, JQuery Mobile processes <a href=""> tags all by itself. You need to define a bit of your page that will transition, then the JavaScript cleverness loads the new content, slides it in place, then unloads your old content.

As far as the browser is concerned you’ve not actually changed URLs, it just looks that way. Which is fine… unless you need to handle pages which include querystrings.

Like I say, I’m really a server-side guy. I’m quite happy with RESTful addressing schemes where my WCF (or, indeed, MVC) app can interpret a nice long URI and figure out what resource needs to be processed.

The OAuth 2 libraries that Microsoft make available assume, reasonably, that these nice long URIs belong to the service, and that to pass around OAuth 2 tokens and what-have-you they can use querystrings.

So my rough plan of action was to check in JavaScript if my current access token had expired. I’d then do the usual OAuth redirect if it had, which should end me back on my page with a fresh token in the querystring.

Except JQuery Mobile always stripped off the querystring. Could I get it back? No – and this seems to be an intrinsic limitation of the library at the moment.

I worked around that in the short term by using a tiny ASP.NET site to directly squirt the access token into my pages. That wasn’t ever going to be a long-term solution, but worse was to come.

I was keen on making sure that the site would actually work on a real mobile device. Not having an iPhone to hand, and not having a laptop that supports the Windows Mobile SDK, I fired up an Android emulator.

Besides being incredibly slow, unsurprisingly the emulator didn’t really play properly on Windows. Configuring an Ubuntu virtual machine for the emulator helped a fair bit and seemed much more natural; it seems most Android developers work this way.

I managed to get my application running – but no data appeared. Something, somewhere, was causing an undefined “error” to occur deep in the bowels of JQuery during the AJAX call. Stripping out JQuery Mobile… everything worked.

So it’s just as well I didn’t go to the beach: doing this in pure JavaScript on the client was clearly going to be really hard to pull off. I gave up.

Two weeks later I had a full ASP.NET MVC site running that did all the OAuth and data retrieval server-side instead of client-side — and the application ran very nicely on Android and on the iPhone. But I can’t package that up as an app and submit it to an app store, and there’s still some dodgy code that works around the querystring issue.

So some morals, and things to bear in mind:

  • Even today, UI frameworks can invalidate assumptions followed by other bits of the code.
  • Do a quick trial of everything before you commit to a technology. If I’d found that cross-domain data access with Ajax was never going to work easily on Android I would probably not have gone further with the 100% JavaScript solution. Better would have been to validate all of the technology end-to-end.
  • Don’t cut your fingers on the bleeding edge. While up-to-the-minute latest-and-greatest technologies like JQuery Mobile may seem awesome at first glance there’s a reason for most systems to have a version 2. And version 3.