Minutes of PHP Tour 2015
Two weeks ago, we attended the PHP Tour 2015, organized in Luxembourg by AFUP, the French PHP Users Association. It was a great chance to meet other passionate developers and to discuss current PHP best practices, brand new frameworks, and other indispensable tips to enhance our productivity. It was also the occasion to watch several interesting talks.
The theme of this edition was the cloud. Many talks were about migrating from physical servers to multi-scalable instances, and how to secure deployments.
As a first talk, this was a good one. Michelangelo talked about continuous deployment. Automating every step of the development process is fundamental to let developers do what they do best: develop. The recipe to turn production deployment from a big event into a common task you can do every day is:
- Use Vagrant or Docker to manage your system infrastructure,
- Think about an SCM workflow so that other developers do not get in the way of your work,
- Detect regressions ASAP with continuous integration (Jenkins, Travis, etc.),
- Smooth production deployment using continuous, fully automated deployment.
About continuous integration, I especially remember one quote, which perfectly illustrates agility in development:
This talk showed a wide range of tools used to enhance your development process, to spend less time in cumbersome tasks, and think more about business solutions. We fully agree with it, as these concepts have been used for several years at marmelab. ;)
Extra kudos for discovering Netflix Chaos Monkey, an evil monkey shutting down random parts of your AWS infrastructure.
I was pretty lukewarm before attending this talk. As a pragmatic developer, I generally try to use the right tool for the right purpose. If I want to do some asynchronous tasks, I use Node.js or Golang, not PHP. Yet, I was curious enough to watch this speaker.
That was a nice surprise. I discovered ReactPHP, a well-thought-out framework. It looks a lot like JS promises, which I've become fond of. If I were trapped in a pure PHP project, it would be worth giving ReactPHP a try. Otherwise, I would just keep Node.js. Indeed, some features or tools are still lacking to do asynchronous PHP efficiently. For instance, the excellent async utility to control multiple promises execution flow.
Side-effect discovery: there is already a built-in Thread class in PHP to manage asynchronous tasks.
Oswald's motto is "Developers should focus on code, not on deployment". After a quick explanation about different provisioning tools (Puppet / Chef / Ansible), he focused on how to deploy PHP code with Chef, Berkshelf, Kitchen, Knife, Serverspec, Vagrant and Packer.
- Chef is used to provision servers in the architecture (installing Apache, MySQL & Solr) with a couple of cookbooks
- Knife is the command line tool helping to manage recipes
- Berkshelf manages cookbook dependencies
- Serverspec allows testing cookbooks automatically
- Packer creates images (iso/ami/..) that can be deployed to a cloud provider
This was a complete overview of how we can provision, test and deploy a simple application on a cloud infrastructure with some code and configuration.
This talk was honest feedback about how to migrate a nightmare website (no best practices, no documentation, huge developer turnover) into a cloudy infrastructure. However, I didn't connect with this talk. The main motto of this talk is "Ask help everytime you need!". Of course it is still valuable advice, but the lack of a technical section left me a little bit disappointed.
Disclaimer: François also works at marmelab. So, yes, it is an excellent talk. ;)
More seriously, this talk was great, both in substance and form. François plays the leader of the Innovation Party, and tries to convince the audience that we should not rely on big full-stack frameworks. Indeed, these frameworks are changing, unlike the business domain, which would still be topical. We should rather use micro-frameworks to reduce dependencies to a single code chunk. And do not hesitate to test new technologies in your real-world application. This way, you will be able to follow Web evolution without being stuck with outdated frameworks.
Frederic explained during this talk how we should deal with errors in our PHP applications. To sum up, log everything but don't show any error messages for security reasons. Only banalities then (but just my personal opinion (-:).
I had never used Ansible before. This talk inspired me a lot, and I will probably give it a try. Ansible lets you deploy apps based on configuration files, setting up your system easily. It integrates well with Docker containers, used both to install Docker on a fresh server, and to configure your container using some recipes.
Thibault gave us some insights about processes to build a brand new REST API for ARTE. Thibault and his team worked the agile way (daily stand-ups, task prioritization, etc.), using continuous integration as a safety net. He also shared a lot of technical details about what they used for automation, development and monitoring. Nice human and technical feedback.
William presented what REST really is: more than just using HTTP methods (GET, POST, etc.), it is also about HATEOAS and semantics. Yet, even if it sounds good, it is impossible to industrialize a strict RESTful API, and we should go toward a degraded REST standard that William calls HTTP++. Very instructive talk, with a good trip back to reality.
I registered for the security workshop without a lot of hope. Generally, this kind of workshop shows only the basic SQL injection and XSS vulnerabilities. Yet, it was the best security workshop I ever attended. I was nicely surprised. Manuel Silvoso of course let us manipulate these flaws, but also went further:
- How to secure passwords correctly, with
- Generating one-time passwords with YubiKeys, a hardware device linked to an API
- Discovering XSS dangers through the BeEF framework
- OWASP Cheat Sheet, a list of known vulnerabilities and how to counter them
- Detect vulnerabilities using honey pots, IDS or tar traps
- Lots of other stuff
Slides are not publicly available. But if you want to play with his vulnerable app, that's on GitHub: msilvoso/vulnerableApp.
This talk was about how to scale our application thanks to Amazon Beanstalk. This service helps to auto-scale servers, and deploy an application from a zip file.
Docker containers; a Dockerfile can be added at the root of the application, and EBS will take care of the container lifecycle.
An Amazon Elastic Load Balancer is used in front of all containers to dispatch web traffic.
A good tip for zero downtime: you can choose a number (or a percentage) of containers to migrate at a time, so that the migration is progressive. Your application will continue to respond to requests because of the not-yet-migrated containers.
Enrico showed us the future of Zend Framework. It will be released in October 2015, optimized for PHP7, and split into components.
The ZF core team learned from their mistakes on ZF1: single repository, embedded components, ...
ZF3 will also be
PSR-7 is a recommendation followed by many PHP frameworks about how to handle an HTTP request, and how to respond to it. Middlewares will be available to transform the request or the response depending on a context.
The new AWS SDK comes with better performance, and new features (like async requests, or paginators). This was the opportunity to learn how to deploy an application using the PHP AWS SDK.
This SDK can be used to run some
DynamoDB instances easily. With some code, we can configure all services, and avoid configuring them via the web interface.
Carlos explains each step of the configuration with many infrastructure graphs. Instructive.
The creator of Pomm gives us an overview of the NoSQL capabilities of Postgres.
With the jsonb type (binary JSON, much faster than the json type), we can store non-structured documents and simply search through them. We can also use it to store internationalized content, instead of using another table.
This was a great summary of the power of Postgres; it gave me the desire to use Postgres even more.
Today, applications are often developed using a client framework such as Angular.js or React. The server application is then pushed to the background, exposing only an API. This refreshing talk presented this new way of structuring web applications, using Angular and Silex, but also with an introduction to Express. Speaking of Node.js at PHP Tour was a daring but successful bet!
Here is another talk about deployment and its best practices. We can list:
- Do not use the file system as a datastore (true for logs too)
- Mix datastores, each one has its own strengths and weaknesses
- Modularize your app with event brokers
- Do not commit dependencies
A good talk, even if there were too many animated GIFs.
I got tangled up in this talk. It deals with the application of strict object oriented programming. An object should only be aware of its own functioning and of its interface with the outside world. If the basic idea looks good, the practice implies a lot of interfaces, which as far as I understand, complexify the code a great deal. But I probably missed the point. :)
A quick overview of new features of PHP7:
- Syntactic sugar with <=> (kudos for the name) operators,
- Fatal errors are turned into exceptions,
- Scalar type hinting,
- Ability to declare return types for functions,
- Anonymous classes, like anonymous functions
Performance isn't forgotten in this new version. You can expect to use half the memory and CPU power with version 7 compared to PHP6.
This was the first edition of PHP Tour we attended. We were pleasantly surprised by the quality of talks, which were quite varied. See you again in 2016?