Remote coding with Go and the OCI SDK

Overview

For our OCI work, we have some developed some tooling using the command line client, and usually development is done on my local machine and then later deployed onto a server housed within OCI, where we leverage instance principal authentication. 

There is one problem with this architecture of development. You're not doing a like for like development with creating the tools and where they actually end up running, because locally you have to use a token authentication, whereas the underlying tools end up living on a server that relies on dynamic groups for instance principal authentication. 

A better practice would be if you development was done with the same dynamic group applying to where you develop your code.

Thankfully, a popular text editor/IDE, VSCode, has some tooling around remote development - so that on our local machine we can set up a SSH host to a server on OCI.

OCI Setup

Server

The first step is to set up the environment where we will do our development that we can set up a dynamic group against in order to support an instance principal. So in OCI head over to your computes and set up a new instance if you don't already have a candidate.


Be sure to specify an SSH key as you set up your server so that you can connect. For my case, i just went with the default of Oracle Linux. That means in order to connect we would use the opc user account.

Once you set it up you will want to validate you can connect. Something like: ssh opc@n.n.n.n.

Dynamic Policies

In order to use instance principal authentication you need to set up a policy to give your server permission to interact with the SDK. Here we use Dynamic Groups.

Head to Identity, Dynamic Groups and create a new dynamic group. I called my group OCIToolingDynamicGroup. The rule is defined that the instance ID is equal to the OCID of our compute instance, which you can find by viewing the instance details.

Now that you have the group set up, we now have to go and create a policy for that group defining what resources in OCI the compute instance has permission to access. Be careful with what you grant, because anyone with access the server may be able to interact with more parts of the tenancy that you'd like.

When defining policies, a good resource to use is this common policies document. With that in mind, the policy I end up coming up with defines the following rule:

Allow dynamic-group OCIToolingDynamicGroup to read instance-family in tenancy

After we install the OCI CLI client on the machine, we can validate it's working - see below for more details.

SDK Tooling

Once you have your server and you can connect, you will want to set up the OCI SDK. The example I will be using in this post will be using Go. But, I will also install the CLI - this is a useful tool when debugging that your policies are correct before diving into the intricacies of your language of choice (you can of course build your tooling using bash scripting).

The CLI Client

As per the documentation, since we are running Oracle Linux, we can install the client directly from the repositories. Otherwise you can manually install the client by pulling the install script from GitHub.

sudo yum install python36-oci-cli

We will want to verify we have the correct policies in place, so we can do simple list compute operation

export OCI_CLI_AUTH=instance_principal
oci compute instance list -c "TODO_COMPARTMENT_ID"

You can find your compartment ID by navigating to Administration, Tenancy Details.



Install Go

As mentioned previously, this example will be using Go. So we need to install Go and also the OCI Go SDK. The SDK requires Go minimum version of 1.13, and the default version in the repos is 1.9. Luckily, Oracle Linux provides an alternate install path which includes, as at time of writing, 1.15. As described here, run the following:

sudo yum install -y oracle-golang-release-el7.x86_64
sudo yum install golang

One of Go's tools, go get, depends on git. So, we also need to install git.

sudo yum install git

Next install the SDK. That same documentation suggests installing a package from the repo, however for whatever reason during my tests, the library didn't resolve in my program when following that method. So, you can install the SDK by running:

go get github.com/oracle/oci-go-sdk

VSCode Setup

Now that the OCI side should be all set up, we can look to set up VSCode so that we can develop from our local machine, over SSH. The tooling available in VSCode is actually quite nice.

In the market place, go ahead and search for remote - ssh. Then go ahead and install it.


Once installed, in your status bar you will see a green area with an icon that looks like a broken connection. Click on that area of the status bar and then choose the option to connect to host. Specify to add a new host and finally specify the ssh connect command. So for my compute it becomes: ssh opc@168.138.12.124.  VSCode finally prompts you to save the configuration to a file. This would most likely just be your $HOME/.ssh/config file.



All these steps set up the host in your configuration so that you can easily connect. Now we have to actually connect. So repeat the steps to choose the "Connect to Host" option, and specify the host you just added.

The first time you connect, VSCode will install some things into the server which ends up to the location: $HOME/.vscode-server

The Code

Now that was have the right policies in place to allow our compute instance to interface with the SDK, VSCode is set up to be able to develop remotely, lets go ahead and actually build something to see this in action.

On the project page of the Go SDK there is an examples folder which lists some common examples. The first key example is the instance principal example which shows us how to authenticate using an instance principal style configuration. The function, ExampleInstancePrincipals, goes on to list availability domains.

So, let's replicate that example. From the terminal, make a path to store your program. Replace username with your github username.

mkdir -p $HOME/go/src/github.com/username/computetool

Open that path in VSCode, and then add a new file main.go.

At this point, VSCode will detect you are working with Go and prompt you to install it to the server. After activated, go will also prompt you to install a number of go programs that go hand-in-hand with the extension.


With all that done, we can now set up our working example:

Great, that works. Now let's move onto a program that lists the compute instances.

What we can learn from this code example is:

  1. We need a provider with authentication information on how we will connect
  2. We need a request object describing what we are doing
  3. We need a client object against the namespace we are interfacing with
  4. We call the desired operation from the client passing in our request object

In the Go SDK, computes fall under the core namespace, and the function name is ListInstances.  We can come up with the following prototype.

With that we can then distribute the compiled binary to the prod location.

Popular posts from this blog

Report row buttons firing a dynamic action

Image
A lot of the time on reports of data, we'll define a link column, and specify an image which is the beloved pencil icon. Which is good and all, but looking in the Sample Database Application (packaged application), they have taken a different approach to style links - a button that stretches the width of it's containing cell. So, the UI ends up looking like so: So, is this done? Well first, you define a new column for the placeholder. Suppose I want my link column to be Report, I define an extra column in my query: , 'Report' report_link Then I need to go to my new column's attributes, and change the column type to a link. And, in the link attributes, set the text to what you want displayed. Here, I'm just going to display the value of the new column and point to my desired page. So I set the target page, then also the Link text as #REPORT_LINK#. At this point the report will just show link text, as we expect. So, then to replicate t
Read more

Accessing the last request value from a page submission

Image
When you submit the page, you will typically have page processes that run. For me, I use these request values to determine which processes are run. This is rather straight forward for on submit processes as you can just specify the condition request = Expression 1 Or, if you have multiple requests that link to this process, Request is Contained within Expression 1, and Expression 1 would be a comma delimited set of values. Request simply refers to the bind variable :REQUEST (or apex_application.g_request). If we try and do the same on a page rendering process, we no longer have access to this value - which makes sense. If you update the branch, to set the request portion of the URL, we will then be able to access the bind variable :REQUEST in all page rendering processing points. This has the obvious downside that if the user wants to reload the page,  clicks in the address bar and hits enter (or clicks refresh), the processes on that condition
Read more

Installing Oracle Instant Client on Ubuntu

Now that Oracle has enabled us to download instant client without any click through for accepting the license , I wanted to revisit a seamless install of the instant client on a new set up. Ubuntu has the documentation about installing the instant client here: https://help.ubuntu.com/community/Oracle%20Instant%20Client. First - because Oracle provides their releases in RPM archive format (or a tarball), in order to have an installer you need to create a DEB archive. There is a package in the archives, alien, which aids this process. This gives the start of the script: #!/bin/bash # Install dependencies sudo apt install alien The 3 packages the Ubuntu documentation tells us to retrieve are: - devel - basic (I opt for basiclite instead) - sqlplus So, over at the downloads page: https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html we can grab the link. # Download files. Example specific to 19.3 # Some links were not correct on the do
Read more