#352: Running Python in Production Transcript
00:00 Do we talk about running Python in production enough?
00:02 I can tell you the Talk Python infrastructure, courses, podcasts, APIs, and so on get a fair
00:08 amount of traffic, but they look nothing like what Google or Instagram or insert big tech
00:13 name here's deployments look like.
00:15 Yet, mostly, we hear about interesting feats of engineering at massive scale that, while
00:20 impressive, are often outside the world of most Python devs.
00:25 On this episode, we have three great guests who do think we should talk more about small
00:29 to medium-sized Python deployments.
00:31 Emily Morehouse, Hynek, and Glyph.
00:34 I think you'll enjoy the conversation.
00:35 They each bring their own interesting perspectives.
00:38 This is Talk Python to Me, episode 352, recorded January 12, 2022.
00:44 Welcome to Talk Python to Me, a weekly podcast on Python.
01:01 This is your host, Michael Kennedy.
01:03 Follow me on Twitter, where I'm @mkennedy, and keep up with the show and listen to past
01:07 episodes at talkpython.fm.
01:09 And follow the show on Twitter via @talkpython.
01:12 We've started streaming most of our episodes live on YouTube.
01:16 Subscribe to our YouTube channel over at talkpython.fm/youtube to get notified about upcoming
01:21 shows and be part of that episode.
01:23 This episode is brought to you by SignalWire and Tonic.ai.
01:27 Please check out what they're offering during their segments.
01:30 It really helps support the show.
01:31 Emily, Hynek, Glyph, welcome to Talk Python to Me.
01:35 It's so good to have you here on the show.
01:38 And I'm super excited about talking about running Python in production.
01:42 And I'm glad that it's more than just one of you, because I think everyone has their own
01:47 perspective and their own context and whatnot.
01:50 You know, do you work for a small company or a large company or do you have many people on
01:55 the team or just a couple, right?
01:57 And I think that really influences what you might cover, some of the decisions you might
02:01 make and so on.
02:02 But before we get to that, let's just start off with a little bit of background.
02:06 Emily, it's been a while since you've been on the show.
02:08 Maybe, you know, tell people a bit about yourself.
02:10 Yep.
02:11 So I'm Emily Morehouse.
02:12 I am the director of engineering at Cuttlesoft.
02:14 We are a digital product development company.
02:18 So we kind of touch on anything from web, mobile, IoT, DevOps.
02:23 We really touch the whole stack and get to work with a lot of different industries.
02:28 And then I also am a Python core developer and the PyCon chair for this year.
02:33 Yeah.
02:33 You just happened to grab that role right when, you know, COVID hit and conferences got insanely
02:41 complicated and uncertain.
02:43 How did you juggle all that?
02:45 It was a really big bummer.
02:46 I think because PyCon is really such an important piece of our community and getting to see people
02:52 in person and connect on a regular basis.
02:54 But of course, we wanted to do the thing that was going to keep everyone the most safe.
02:59 So kind of last minute going online and then doing a full online conference and then still
03:04 hoping that things will settle down this year so that in person is something that feels very
03:09 safe for us to do.
03:10 But I was grateful.
03:11 I actually wound up staying on for this third year as chair just so I could have that sort
03:15 of like last hurrah of hopefully getting to be in person.
03:18 Yeah.
03:19 Yeah.
03:19 Yeah.
03:20 I hope so.
03:21 Awesome.
03:21 Well, thanks for all your hard work on it, even if we didn't get a meet in Pittsburgh.
03:24 Glyph, you want to go next?
03:26 I'm Glyph.
03:26 I am probably best known for Twisted.
03:29 I've worked on a variety of production Python environments in my career.
03:33 I am currently in the process of exploring some options for something independent, all
03:40 of which are secret and I can't really say anything about here yet.
03:44 Most recently of Pilot.com.
03:46 They are a fantastic company and I very much recommend people work there.
03:50 And we also ran a ton of Python in production over there.
03:53 I'm sure that folks in the Python podcasting space have probably heard me occasionally before,
03:58 so I won't belabor my introduction.
04:00 Yeah.
04:00 Sounds good.
04:01 Well, good to have you here again.
04:02 Hynek, welcome.
04:03 Welcome.
04:03 Yes.
04:04 Thank you for having me.
04:05 I think this is more or less the first Python podcast of my life.
04:09 Well, it's awesome to have you.
04:10 You do so much writing and you have such an influence through conferences and presentations.
04:16 You should definitely be here.
04:18 So it's long overdue.
04:20 Welcome.
04:20 It's great to hear because I don't think about it like myself.
04:23 But so I'm Hynek.
04:24 I work for a small web hosting company.
04:27 We are like a traditional web hoster.
04:29 I've been working there for now like 14 years, which is a very long time, which is like a thousand
04:33 years in Silicon Valley time, I think.
04:35 Everything I do, I do in Python basically there.
04:38 Like from web services to simple web pages over proxies, applications, you name it.
04:45 We use Python for it.
04:46 Oh, fantastic.
04:46 Do you like control VMs and provision VMs and stuff and that kind of thing?
04:51 Or what type of work are you doing?
04:53 We are more on the, no, we don't sell VMs.
04:57 We don't sell anything where you can have root on it.
05:00 So we're selling a platform basically.
05:02 Like mostly PHP.
05:03 Like it is what it is.
05:06 Yeah, sure.
05:06 At least you can control it all in Python.
05:08 Yeah.
05:09 Well, fantastic.
05:10 And so the reason we're all here today actually is it's your fault, Hynek.
05:13 So you wrote this article back about a year ago.
05:18 Yeah, check the date.
05:19 Yeah, I know.
05:20 We've been talking about getting the four of us together for a while, haven't we?
05:24 It's been a bit of a journey.
05:26 So we didn't mean for it to be that long, but I don't think there's anything that is dated
05:31 about this.
05:32 So it's totally fine.
05:33 What I meant is that it was like right before Corona.
05:36 Like when I was, I was writing this article on my phone while listening to a podcast in
05:42 a van going to a husky farm in Finland.
05:45 A husky farm like the dogs?
05:48 Yeah.
05:48 Yeah.
05:48 I did a husky safari basically.
05:50 Like riding husky sleds, mushing.
05:52 Yeah.
05:53 Oh, that sounds interesting.
05:55 It was.
05:55 It was my last trip before Corona.
05:57 So, which makes it kind of funny because I talk about conferences later on, which, yeah.
06:02 Yeah.
06:03 That kind of got put on hold, but well, we can replace it with things like this and other
06:08 conversations.
06:09 So in this article, you talked about the title is Python in production.
06:13 Of course, we'll link to it in the show notes.
06:15 And you said you were missing a key part from the public Python discourse and would like to
06:19 help change that.
06:20 Basically, we should have more conversations about running in productions.
06:24 So let me see if I get this right.
06:26 You're a huge proponent of microservices.
06:28 Everything should just be a bunch of small microservices and everyone else is doing it
06:32 wrong.
06:32 I'm just kidding.
06:33 You actually take a rather different view than that.
06:36 But we're going to go through, you know, sort of some of the themes in your article, some
06:41 of the other ones out there.
06:42 And then also just all of us talk about sort of what we're doing in production, some of the
06:47 considerations and trade-offs.
06:48 So a lot of fun there.
06:50 Let's talk about cloud computing first.
06:53 I'll pick one of these out of here and then we can touch on the whole microservice monolith
06:58 thing as well.
06:59 You know, Glyph, I'll just pick you.
07:01 We have this trade-off, right?
07:03 We could go and create a VM, set up our own system, and it's totally portable.
07:07 It could run in a data center.
07:08 It could run in the cloud or whatever.
07:10 Or we could go all in with Lambda and other, you know, very specialized services tied to AWS
07:16 or to Azure or whatever.
07:19 What are your thoughts on this whole running in the cloud story?
07:21 There's as many dimensions to that question as there are services in AWS, which is to
07:28 say like a higher order than aleph-null infinity.
07:31 The way that I look at that question is you have to look at each service kind of one at
07:37 a time.
07:37 And the way that I would generally suggest people decide whether or not it's a good idea to adopt
07:42 a particular service has to do with the way that their operational footprint works in terms
07:49 of overhead.
07:50 So for example, should you run your own Postgres or should you use RDS?
07:56 Almost always you should just use RDS because the operational footprint of that is Amazon configures
08:03 and manages the tremendous complexity of operating a relational data store in production.
08:08 And when you need to set that up for development (because part of production is having a
08:14 development environment that matches closely enough that it works well, and that you can test
08:19 things and know for sure that you're getting adequate test coverage), you can just run a
08:25 Postgres Docker container.
08:26 And functionally for your infrastructure, it's probably the same.
08:29 You rarely need to do like deep configuration that is like meaningful to your application
08:35 between your local development Postgres container and your RDS instance.
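For illustration, here is a minimal sketch of that dev/prod parity idea: the app only sees a connection URL supplied by the environment, so a local Postgres container and an RDS instance look identical to the code. The variable name and URLs are illustrative, not from the episode, and a Postgres driver such as psycopg2 must be installed.

```python
import os

import sqlalchemy

DATABASE_URL = os.environ.get(
    "DATABASE_URL",
    # Local default: a throwaway Postgres container, e.g.
    #   docker run -e POSTGRES_PASSWORD=app -p 5432:5432 postgres
    "postgresql://postgres:app@localhost:5432/postgres",
)
# In production, DATABASE_URL would point at the RDS endpoint instead;
# the application code does not change.
engine = sqlalchemy.create_engine(DATABASE_URL)
```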
08:39 As that slider moves further and further towards like, well, actually our data store configuration
08:44 is really part of our application.
08:46 Well, actually we need to like tune things very closely.
08:49 Even running your own data store might make sense.
08:51 That's a pretty unusual circumstance, but you can apply that same lens to other
08:56 aspects of your platform as well.
08:58 Routing, like load balancing, caching.
09:01 Is that part of your app?
09:03 Do you care about it in development?
09:04 If it breaks in an interesting way, is that going to like take you down?
09:09 And look at each of those issues for each cloud service.
09:13 How much, how expensive is it going to be for you to replicate it in development?
09:16 And how accurate is that reflection going to be of what's in production?
09:20 And always try to pick the answer that is the lowest overhead for your particular team
09:25 configuration.
09:26 That said, the tricky part is this changes as your team grows.
09:32 Right.
09:33 And as your service gets more complex.
09:35 One of the things that I imagine I'm going to touch on a few times is that probably the
09:39 most interesting Python in production experience I had was running pilot.com's application, which
09:44 started in a very different place than it ended up.
09:47 And I'm very happy with the way that that went.
09:49 But we started with an incredibly, like, super macro service, just one big Python container
09:55 and like nothing else, and moved towards picking up application load balancers and Lambdas and all kinds of
10:04 other stuff that eventually became part of that infrastructure as the team grew.
10:08 We had more of a dedicated infrastructure, like operational footprint that we could actually
10:12 manage because it was staffed.
10:13 Yeah, that makes a lot of sense.
10:14 It definitely changes as your team changes.
10:17 Emily, what do you think?
10:18 What's your view on this?
10:19 How much of the cloud should you bite off?
10:21 And where's the trade-offs?
10:23 I agree with a lot of the things that Glyph said.
10:25 I think that once you get to the point where you're adding complexity to your local development
10:30 environment, that's usually a red flag for me.
10:32 And you have to be doing something that gives you a lot of value.
10:36 So for example, we'll use like Firestore as an offline database for mobile applications.
10:42 And whether you're using that or you're using CouchDB, whatever choice you're making there,
10:48 you're going to have some sort of added complexity locally.
10:51 So yeah, I totally agree with like RDS is a really easy swap.
10:54 And if it's RDS on AWS or moving to GCP or Heroku or whatnot, your portability between
11:03 those different ecosystems is going to be pretty straightforward.
11:05 But if you want to rewrite your Lambda functions to use Cloud Run instead, like it's not just a
11:13 drag and drop sort of thing.
11:14 Right.
11:15 You don't just change a connection string and now it's all good again.
11:18 Yeah.
11:19 And I think it's going to depend on, you know, like where the company is at.
11:23 Again, for us, like we're often looking at what our client needs.
11:28 So if they're a client that doesn't have a technical team that they just kind of want to
11:32 like let this run on its own and they don't want to manage it, like that's going to impact
11:36 whether we choose Heroku or AWS.
11:38 So like really looking at where you're at now and what sort of support you need in the future
11:43 is a big question to ask for that decision.
11:46 Which way does that gauge go for you if they are kind of hands-off and not super technical?
11:51 Do you give them Heroku or what do you give them?
11:53 Yep.
11:53 If they're non-technical, we give them Heroku.
11:55 If they are technical, even then that kind of depends.
11:59 A lot of times it's AWS or GCP, just kind of depending on what other pieces of the ecosystem
12:04 that they need.
12:05 Or since we work with a lot of existing tech companies, a lot of times they say,
12:08 hey, we are a GCP company or an AWS company.
12:12 And then we just say, cool, we can do either.
12:14 Right.
12:14 And if they're already there, you might as well just keep going with that, right?
12:17 Yeah, definitely.
12:18 Yeah, absolutely.
12:19 But I will say that like 95% of the time, anything that's like web application or API based,
12:26 it's going to be in a Docker container anyway, just to give us that portability.
12:30 Sure.
12:30 Henick, thoughts?
12:31 I have very, very little first-hand experience with cloud services because we use none.
12:37 It would be kind of odd for a cloud hosting company to use somebody else's cloud.
12:41 Although I know that people are doing it.
12:43 It totally happens.
12:44 People are more or less reselling the big cloud.
12:47 That's true.
12:47 Yeah.
12:48 Wrapper.
12:48 Yeah.
12:49 We run our own hardware in our own cages in a shared data center, like military grade.
12:55 I once almost got tasered because I took a photo from the outside.
12:59 Security came running immediately.
13:01 So the one thing we run outside is Sentry because that makes sense.
13:08 And I didn't want to run it anymore myself.
13:10 But there's also the thing that Europeans in general and Germans in particular are not very
13:16 excited when you put their data on other people's servers, particularly of US companies.
13:22 So often it is also like a competitive advantage for us to just say our data literally does not leave Berlin.
13:29 Right.
13:30 That's certainly something that here in the US, it's easy to kind of forget about.
13:36 Right.
13:36 Oh, these just the thing of, oh, it's just the big clouds.
13:38 Right.
13:38 These are big cloud companies.
13:39 But really, those are US cloud companies.
13:42 Right.
13:42 And if you're in Europe or somewhere else, that's another angle to think about.
13:46 Right.
13:46 I have maybe one thing to add as a user.
13:49 That as a user, I don't care that US East 1 is down.
13:53 But you will know.
13:57 You'll still know.
13:57 Yeah.
13:57 This is what I see happening.
13:59 Right.
13:59 Again, people rely so much on cloud services
14:01 that half of the internet is down when one of them goes down, which many people are not talking about.
14:06 Yeah, for sure.
14:07 So maybe we can wrap this up real quick.
14:10 But I do want to add just one thing.
14:12 A roller out there in the audience says, I prefer my $5 DigitalOcean VM and just my Nginx,
14:17 MongoDB, Postgres, Python.
14:19 So how often do you think about, you know, especially, I guess, you, Emily, how often do you think about
14:25 price?
14:26 You know, if you look at the price for AWS, it can add up.
14:30 And for some companies, that doesn't matter.
14:31 Right.
14:32 Just having infrastructure is great.
14:34 But for others, you know, maybe they don't have revenue yet or they're not profitable and
14:39 they're really trying to squeeze by.
14:41 Like, where do you land on like, let's save you some money.
14:44 We could do this for $10, but we're going to do it for $500 because it's the right architecture
14:49 to run this distributed thing.
14:50 You know, what are your thoughts?
14:52 What do you tell your customers?
14:53 Sure.
14:54 The cost benefit often comes down to picking an ecosystem that's going to be super stable
15:00 for them, where we can say, hey, yeah, this is going to cost you a few hundred dollars
15:03 a month.
15:04 But if you need somebody to step in and start to manage your system for you, you know, a
15:11 couple of developer hours will easily outshine their cost for their cloud hosting.
15:16 So that kind of puts it in perspective.
15:18 A lot of these clients are already people who have spent multiple thousands, you know,
15:23 tens to hundreds of thousands of dollars actually building their software in the first place.
15:27 So as long as you're, you know, on a much lower order of magnitude, you're typically okay.
15:32 Yeah, that's true.
15:33 If you, especially if you're not technical and you've got to hire someone in to kind of
15:37 fix it, then yeah.
15:39 Then any sort of failure is a big problem.
15:41 This portion of Talk Python to Me is brought to you by SignalWire.
15:46 Let's kick this off with a question.
15:47 Do you need to add multi-party video calls to your website or app?
15:51 I'm talking about live video conference rooms that host 500 active participants, run in the
15:56 browser and work within your existing stack and even support 1080p without devouring the
16:01 bandwidth and CPU on your user's devices.
16:04 SignalWire offers the APIs, the SDKs and edge networks around the world for building the
16:08 realest of real-time voice and video communication apps with less than 50 milliseconds of latency.
16:14 Their core products use WebSockets to deliver 300% lower latency than APIs built on REST,
16:20 making them ideal for apps where every millisecond of responsiveness makes a difference.
16:25 Now, you may wonder how they get 500 active participants in a browser-based app.
16:29 Most current approaches use a limited but more economical approach called SFU or selective
16:34 forwarding units, which leaves the work of mixing and decoding all those video and audio
16:38 streams of every participant to each user's device.
16:41 Browser-based apps built on SFU struggle to support more than 20 interactive participants.
16:47 So SignalWire mixes all the video and audio feeds on the server and distributes a single unified
16:52 stream back to every participant.
16:53 So you can build things like live streaming fitness studios where instructors demonstrate
16:58 every move from multiple angles.
17:00 Or even live shopping apps that highlight the charisma of the presenter and the charisma of
17:05 the products they're pitching at the same time.
17:06 SignalWire comes from the team behind FreeSwitch, the open-source telecom infrastructure toolkit
17:12 used by Amazon, Zoom, and tens of thousands more to build mass-scale telecom products.
17:17 So sign up for your free account at talkpython.fm/signalwire.
17:22 And be sure to mention Talk Python to me to receive an extra 5,000 video minutes.
17:26 That's talkpython.fm/signalwire.
17:29 And mention Talk Python to me for all those credits.
17:32 One thing that I'd love to add on to that is, well, two things.
17:35 First of all, on the notion of price and sort of related to which technologies you should use,
17:42 I think the question you constantly need to be asking is really never ask about one side of
17:47 the equation.
17:48 Never ask about features or price.
17:50 You always want to be looking at a price-performance ratio.
17:54 And that performance shouldn't necessarily, in fact, usually should not be like metrics like gigabytes
17:59 or throughput or anything like that.
18:02 You should be looking at, do you need what the product offers?
18:06 And what is it going to save you time on?
18:08 So like when Emily says, if it's going to save you development time, that is gold.
18:12 You always want to go err on the side of saving development time.
18:16 Developers are very expensive.
18:17 We're very finicky.
18:18 And anything that you develop, you also need to maintain.
18:21 So one of the big benefits of cloud services is think of that price, not just in terms
18:25 of like development cost, but are you going to need to maintain it?
18:28 And on the flip side, do you need this thing at all?
18:31 Quite like Hynek was talking about having, you know, just not using cloud at all.
18:36 And yet he successfully develops and deploys many services in production and they all seem
18:41 fine.
18:42 And so I think that there's often kind of this tool obsession where we look at features,
18:47 features, features, and assume that features equals benefits.
18:49 But features are only benefits to you if you need them.
18:52 If you don't need them, they're additional costs.
18:54 You have to learn stuff about every single one of those features.
18:58 The time your developers spend learning the surface of the AWS API is a cost you have to
19:04 think about.
19:04 And so like, it's quite often just better to not use the cloud because it's cheaper to
19:09 not figure it all out.
19:10 If you know how expensive it's going to be in your own infrastructure.
19:14 Or as Emily pointed out, if it's in a Docker container, you may run it in the cloud now,
19:18 but it's fairly portable and not super tied to it.
19:21 Paul Everett out in the audience has a quick question.
19:24 He says, we talk about pinning dependencies to control change.
19:27 But when we talk about cloud computing, we say let things like AWS handle it.
19:31 You know, you're sort of, that's kind of a dependency on their compatibility of each one
19:35 of those services you take on.
19:37 What do you think about, you know, stability of those APIs and those services over time?
19:42 I think Azure maybe is a little more changing than AWS.
19:46 Things come and go, but still it's something to consider, right?
19:49 It's another thing you've got to deal with churn on, I guess.
19:51 Yeah.
19:52 And I think it depends on like how quickly you're jumping on new services.
19:56 So we actually started using ECS right after it was released and it's come a long way since
20:01 then.
20:02 And both, like, the product and our proficiency have come a long way.
20:05 So I think that taking any sort of like new service with a heavy dose of skepticism and
20:10 making sure that it's something that is really stable, that's going to fulfill the need.
20:15 It's an important thing to look at.
20:17 Yeah.
20:17 That's a really good point.
20:18 All right.
20:18 Let's move on.
20:18 We touched on this enough.
20:20 I think let's talk about microservices.
20:22 I was joking with Hynek about that at the beginning.
20:26 So we have this spectrum.
20:28 We can have just one code base, one process that runs in uWSGI or Gunicorn or whatever,
20:34 or we could have a little Flask API that does user management and login, another part
20:40 that does, you know, the catalog or whatever.
20:43 We could have a bunch of these little services, these microservices, and then put them all
20:47 together.
20:47 I have thoughts on this, but where are your thoughts?
20:50 My opinion at this point is, I think, quite public.
20:53 I think you should start with a monolith first for this simple reason that microservices come
21:00 with a lot of adjacent complexity.
21:02 We basically just talked about with cloud services, right?
21:05 Like you cannot have microservices without service discovery.
21:09 You cannot have microservices without tracing, because every error becomes, as I once heard
21:14 it called, a distributed murder mystery.
21:17 When you're trying to find the fault of it, there are things that people don't think about, like retries need to be capped.
21:27 Otherwise, you're going to get exponential growth and you denial-of-service yourself and stuff like that.
21:34 So, I mean, it's a generally good idea to have as few moving parts as possible, which someone already said about cloud computing.
21:42 And because more moving parts are always harder to make reliable, right?
21:46 And Martin Fowler calls it the microservice premium, which I like.
21:50 And it's again, it's a trade-off.
21:52 Is this premium worth it to you?
21:55 And I think you need a lot more experience to make this trade-off than many people think.
22:02 That's my experience.
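To make Hynek's capped-retries point above concrete, here is a minimal sketch; the function and the numbers are illustrative, not from the show. The idea is to bound both the number of attempts and the backoff so retries cannot amplify an outage into a self-inflicted denial of service.

```python
import random
import time

def call_with_retries(fn, max_attempts=3, max_backoff=5.0):
    """Call fn(), retrying a bounded number of times with capped backoff."""
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except Exception:
            if attempt == max_attempts:
                raise  # give up instead of retrying forever
            # Exponential backoff with jitter, capped at max_backoff seconds,
            # so a thundering herd of callers cannot pile on a sick service.
            delay = min(max_backoff, 0.1 * (2 ** attempt))
            time.sleep(random.uniform(0, delay))
```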
22:03 Yeah.
22:04 You probably start simple and then with just two or three pieces and then you end up with 20 and you're like, well, how do we get here?
22:10 Yeah.
22:10 Yeah.
22:11 And they don't really know why, right?
22:12 Like if people want boundaries, like I cannot speak for huge teams because one of the peculiarities of my job is that our team is very small with a lot of responsibility.
22:20 But there are big teams that have boundaries that do not come with a network partition.
22:25 So, yeah, it's a trade-off.
22:27 And I think that most people need more experience to actually make this trade-off.
22:31 Yeah, I would, I very much agree with that.
22:34 particularly the people who tend to be asking this question are often asking it because they're at a small company.
22:42 They have a small team.
22:43 They saw a really cool white paper or a presentation by somebody at Google or Netflix.
22:48 And they're like, wow, all this stuff about microservices sounds great.
22:52 Fault isolation and distributed tracing and, you know, use whatever language you want.
22:58 And I'll get back to that one in a second.
23:00 And again, like I said before, you will need to think about everything in terms of cost benefit and not just benefit.
23:07 And the folks at Google and Netflix are talking about 10,000 person teams and like, how do you manage complexity at that scale?
23:16 How do you deal with the problems that come with that type of organization?
23:20 And so asking like, I also, even the shape of this debate has long bothered me because the terms that we're using, right?
23:28 Do we want monoliths or microservices?
23:32 Asking that question is like saying, well, when we have a wheel, do we want it to be like an 18-wheeler, like truck wheel?
23:40 Or do we want it to be like one of those wheels that comes on like a micromachines car?
23:43 And the answer is, I don't know.
23:46 Like, what are you putting on the vehicle that this wheel is going to be attached to?
23:49 Like, it really depends.
23:51 The question of like, how big do you want your service to be?
23:54 Which is, I think, a better question than do you want a microservice or a monolith?
23:57 It comes down to what is the surface area to volume ratio of your team?
24:02 It takes about 12 people to run a microservice, I would say.
24:06 Like a dozen people per service is roughly what you should be thinking about.
24:10 Plus, there's the fixed overhead of a microservice architecture where you need service discovery and tracing and logging and like a whole bunch of other stuff,
24:18 which you probably need in today's modern fancy cloud environment if you're going to be able to leverage services like Honeycomb and CloudWatch and like just manage all your logs and not have to deal with that yourself.
24:29 Then you're talking about maybe a six-person team that can just do infra.
24:34 And if you are at a three-person startup and thinking, huh, that sounds like a lot of people, you want a monolith.
24:41 You want one piece of code you can maintain because the benefit of having something like a very fine-grained microservice architecture is that you can say, we're going to have each team own its little piece.
24:54 And we're going to move a lot of the complexity of orchestrating from code to configuration because our operations team can like deal with the configuration and manage their process around testing configurations.
25:07 But if you're a small development team, you want code you can write unit tests for.
25:11 You want code you can run and understand the way that you run and understand everything else.
25:16 And if you push everything into YAML files and INI files and cloud APIs, what does your development environment look like anymore?
25:22 How do you test those changes?
25:24 Right. Even developing on your own machine becomes tricky.
25:26 Yeah, exactly. Yeah.
25:28 Yeah. I think the big takeaway is that the team needs to match what microservices are optimized for.
25:33 Yeah, exactly.
25:34 That's a really good point.
25:35 Emily, I suspect the people you suggest use Heroku probably are not receiving 10 microservices over there, are they?
25:42 No, definitely not.
25:44 I think one of the things that we typically have built in is a certain amount of ability to scale independently.
25:50 And so we typically do have two different workers on Heroku.
25:53 So we're going to have, you know, a Django application and a Celery task worker.
25:58 And then we know that we can kind of scale those two independently.
26:00 But that's where we really see the division of load.
26:05 So that's my lens that I look at monolith versus microservices with is really, do I need to scale them independently?
26:14 Yeah. And I certainly think having some kind of, we're going to kick off the long running work over there.
26:19 So it's not happening as part of a web request.
26:21 That certainly makes sense.
26:23 Even things just like sending a group of people an email often takes too long if the group is large enough before the request will time out and wreck your servers and all sorts of stuff.
26:32 So yeah, it makes sense.
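A minimal sketch of that web-plus-worker split with Celery, matching what Emily describes; the broker URL and task body are illustrative assumptions.

```python
from celery import Celery

# The web process and the worker process share this app definition;
# only the Celery worker actually executes the tasks.
app = Celery("tasks", broker="redis://localhost:6379/0")

@app.task
def send_bulk_email(user_ids):
    # Runs on the worker, not inside a web request, so a large recipient
    # list can't time out the request that triggered it.
    for user_id in user_ids:
        ...  # look up the user and send the email

# In a view, queue the work and return immediately:
#   send_bulk_email.delay(list_of_user_ids)
```

Because the web dyno and the worker dyno are separate processes, each can be scaled independently, which is exactly the division of load being described.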
26:33 But I think developer experience is a really big one.
26:35 We have had the pleasure of working with another like very large tech company, like multiple hundreds of employees, and they had a monolithic Rails app.
26:46 And it was absolute hell to work with as a developer because you're constantly like having hundreds of PRs open at a time.
26:53 You open a PR and within 20 minutes, you have a merge conflict with somebody else.
26:57 And you really, at that point, it makes sense from a developer perspective too, to be able to divide it up and say, okay, like, this is your area of expertise.
27:06 This is your area of expertise.
27:07 And at least set up those partitions.
27:09 But you can do that in a monolith as well.
27:12 It just takes a little bit of like awareness and slice in the problem a little differently.
27:16 Yeah.
27:17 So let me think of a, let me throw out an idea that I just thought of that I'm not sure I'm advocating this or even that it is a good idea.
27:26 But one of the problems you have is sort of you have this big monoliths, like you were touching on, Emily, is a lot of people are changing the same bits of code and they're kind of in all over the place.
27:35 So the microservices is one way to solve that problem.
27:38 What about trying to think about, you know, could we package up some of the functionality of what our application does or our area into Python packages that we can then install and use in the main app?
27:51 That idea?
27:51 Good idea?
27:52 I mean, it's interesting, but it's also another level of complexity, right?
27:55 Yeah.
27:55 Yeah.
27:56 You got to run your own private server or something.
27:58 I would actually say that that is a prerequisite to microservices.
28:03 Specifically, one of the things that people often forget about the whole service architecture thing, and this comes down to the future.
28:10 Remember, I said I was going to talk about choose your own language kind of thinking before.
28:14 One of the things that people often choose microservice architecture for badly is this idea that they want to experiment with different programming languages because they want to use the right tool for the right job.
28:25 And number one, just the cognitive overhead of jumping between Haskell and OCaml and Python and Rust on your back end is way, way higher than most people think.
28:35 But even forgetting about the sort of human cognitive overhead, your service architecture, your service fabric needs to be logging and recording metrics and dealing with load balancers and dealing with data stores in a consistent way.
28:47 And that task by itself is complex enough that you probably need a library, which means every supported language in your environment needs to have packages installed that are maintained by your infrastructure team and not by your application teams.
29:00 And that means before you can even think about microservices, you have to be able to split your workflow into multiple different package repositories, different source control, different teams, different CI.
29:12 Like you need to be able to do that first before you can reasonably split things across like multiple actual services.
29:19 That doesn't necessarily mean you need to like not have a quote unquote monolith because you can put a monorepo into that kind of multiple package, multiple library workflow.
29:29 And that's also fine, but you do need to be able to have multiple work streams going that end up in the same service package.
29:37 This portion of Talk Python To Me is brought to you by Tonic.ai.
29:40 Creating quality test data for developers is a complex, never-ending chore that eats into valuable engineering resources.
29:48 Random data doesn't do it.
29:50 And production data is not safe or legal for developers to use.
29:54 What if you could mimic your entire production database to create a realistic dataset with zero sensitive data?
30:00 Tonic.ai does exactly that.
30:04 With Tonic, you can generate fake data that looks, acts, and behaves like production data because it's made from production data.
30:11 Using their universal data connectors and a flexible API, Tonic integrates seamlessly into your existing pipelines
30:18 and allows you to shape and size your data to scale, realism, and degree of privacy that you need.
30:24 Their platform offers advanced subsetting, secure de-identification, and ML-driven data synthesis
30:31 to create targeted test data for all your pre-production environments.
30:36 Your newly mimicked datasets are safe to share with developers, QA, data scientists, and, heck, even distributed teams around the world.
30:44 Shorten development cycles, eliminate the need for cumbersome data pipeline work,
30:48 and mathematically guarantee the privacy of your data with Tonic.ai.
30:53 Check out their service right now at talkpython.fm/tonic or just click the link in your podcast player's show notes.
31:00 Be sure to use our link, talkpython.fm/tonic, so they know you heard about them from us.
31:08 Another thing is versioning across the services, right?
31:10 The definition, like if you're using SQLAlchemy, the user shape has to match all the parts that talk to the database that might touch a user object or something like that.
31:19 So I guess I'll wrap it up with a quick thought that for me, microservices feel like I'm trading code and developer complexity for operational and DevOps complexity.
31:29 And I personally feel much more comfortable managing and working with code complexity than like infrastructure complexity.
31:36 But if your team and your organization is all about managing infrastructure complexity and DevOps, and you have a bunch of junior devs, maybe microservices make sense.
31:45 I don't know.
31:45 It kind of depends.
31:46 But my vote's for the monolith side because I'd rather manage the software complexity.
31:50 Let's talk about security.
31:52 I mean, we've had some crazy stuff.
31:55 I think it's log4jmeme.
31:58 There's a .com.
31:59 I think that is a .com.
32:01 Yeah.
32:01 So like security is clearly something we always have to think about, but recently, right, there was log4j, obviously being a Java, not Python, thing.
32:11 But it's the one thing that makes me nervous about running stuff in production.
32:15 Honestly, we've got stuff like StatusCake or various other things that you can fire up, or uptime checks or whatever, that will tell you if your site is down and send you notifications and things like that.
32:27 But the security one is a little bit scary.
32:29 So how do you approach thinking about this?
32:32 You know, Hynek, maybe you go first. Hosting other people's code is like a next level, like meta security.
32:38 Yeah.
32:38 The one flag I want to wave here is defense in depth, which is something that's very dear to my heart and which I feel is, yeah, which could be a bit more popular.
32:48 Sure.
32:48 Because every significant attack nowadays is a multi-stage one.
32:52 It doesn't matter if it's like owning your Chrome or owning a server.
32:56 It's usually multiple stages.
32:58 So you should make it as hard as possible for the attackers, even though they have entered your infrastructure at this point.
33:07 So for me, it means that I treat our own network, which is very private.
33:11 You need a VPN to get in and everything as if it has intruders inside it.
33:15 And that's our standard.
33:16 So you should hash your passwords, as the maintainer of argon2-cffi, of course, using Argon2, but use whatever.
33:24 We use TLS even in private networks, because I know that cloud providers have virtual LANs, which are also often encrypted.
33:32 But still, it's just another layer.
33:34 You cannot have enough layers to protect yourself at this point, because if someone intrudes you, you don't want them to sniff passwords out of your traffic and things like that.
33:43 The list goes on.
33:44 Yeah, it definitely does.
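For reference, a minimal sketch of the Argon2 password hashing Hynek mentions, using the argon2-cffi package he maintains; the password string is obviously illustrative.

```python
from argon2 import PasswordHasher

ph = PasswordHasher()  # sensible Argon2 parameters out of the box

hashed = ph.hash("correct horse battery staple")
# verify() returns True on a match and raises VerifyMismatchError otherwise.
ph.verify(hashed, "correct horse battery staple")
```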
33:45 Emily, security thoughts?
33:47 Yeah, luckily, this isn't one that we've necessarily had to worry too much about.
33:51 I think the worst thing that's happened for us is DDoS attack, and that's about it.
33:55 So for me, I think definitely staying on top of dependency management, keeping things up to date, which is not necessarily always the easiest thing.
34:04 Especially with the Python 2 to 3 transition, upgrading Django is sometimes a little bit more complex than you'd want it to be.
34:11 But I think that getting those security updates and making sure that you're on an LTS version is really important.
34:16 LTS being long-term support.
34:18 Yeah, absolutely.
34:18 Yeah.
34:19 So one of the things that I think, you know, I made the, I was picking on the log4j thing.
34:24 But one of the problems that made this a little bit harder, I mean, this is going to be something we live with for a long time.
34:30 It's going to be a nightmare.
34:31 But the consequences of it.
34:33 But one of the problems was that the fixed version of log4j, which for those who didn't know, the log4j problem is if you can basically get a server to print a message with any of your input, like this URL was invalid, or this email tried to log in and failed, you can own the computer.
34:54 Which is really, really bad.
34:55 So it has to be fixed, like straight away.
34:57 But the problem was, the fixed version was on a newer version, like Java 8.
35:02 So if you were running Java 7, you had to both not just upgrade your library, but then upgrade your whole runtime, which might be problematic.
35:09 So Emily, that makes me think that, you know, you probably, one of the good rules to go by is don't let your frameworks get too far out of date.
35:18 Like you don't have to be on the latest Django, but don't stay on Django 1 when Django 4 is about to be released.
35:24 Or don't stay on Python 3.6 when you could be on the newer one or something like that.
35:31 How do you all feel about that?
35:32 Yeah, and I think that, like looking at it from an open source maintainer's perspectives, making sure that you have the ability to kind of hotfix previous versions and be very clear about which versions you're supporting and which ones you're not.
35:45 That way, you make it easy for a user to know, like, yeah, I'm not going to get the security update and I need to upgrade and have that done ahead of time to stay on top of things.
35:55 Yeah.
35:55 And AgraGliff, old frameworks, what do you think?
35:57 I think that this is a, I don't think I can find this right away, but I remember one of my more popular tweets was one of those sort of two buttons memes where the guy can't choose.
36:07 And on one side, you've got get owned because your dependencies are out of date and you have no way to immediately update them or get owned because you're automatically updating from an upstream that you don't know if you can trust or not.
36:18 And that's kind of, so the way that I sort of split that difference in practice is you really want to make sure that it's not just about like regularly upgrading because you can always say like, oh yeah, we'll regularly upgrade.
36:35 But you've only got a fixed budget for security, right?
36:38 Like it's possible to spend all of your time spinning your wheels trying to increase the cost for attackers across every possible access.
36:44 I'm sorry, axis.
36:46 Yeah.
36:46 But eventually you got to ship features and deliver stuff.
36:48 Like that's really.
36:49 Exactly.
36:50 It's a balance.
36:51 Yeah.
36:51 Thinking about Hynek's suggestion of defense in depth, the way that I like to think about that is you want to raise the bar to a certain minimal level in a bunch of different areas.
36:58 And then not get too obsessed with getting that last 5% of security on each possible axis.
37:05 So for dependencies, the way that I think about that is: have the, you know, very widely available automation that already does this stuff, like Dependabot.
37:14 Make sure you are getting those PRs automatically, and pin everything so that you're never dealing with a library upgrade in the middle of feature development.
37:24 Your library upgrade work should always be, I am upgrading this library now.
37:28 And 90% of the time, if you have that set up where you've got a build that is running on every PR that builds your whole dependency structure, that's got everything pinned and hashes pinned and everything.
37:41 And then is also regularly receiving these PR updates.
37:45 Most attackers who are doing things with supply chain attacks aren't all that clever.
37:49 And so they will just end up trying to pop your CI and you'll see that you'll get some kind of error.
37:55 You'll probably notice.
37:57 Not necessarily, attackers can be very sophisticated, but like you want to have everything, every library, running in your nicely isolated CI environment on your GitHub Actions or whatever first.
38:11 And again, you want that those changes to all be like same code with the old dependencies, same code with new dependency.
38:17 And every so often you'll get one very expensive upgrade that you really got to do and you got to make time for.
38:22 If you're not upgrading all the super easy, almost free, like just hit the green button on the PR that's working.
38:30 If you're not doing that all the time, then when you do get to those big upgrades, you will be upgrading 50 dependencies at a time.
38:37 Yeah, it's going to be rough.
38:37 Yeah.
38:38 You really need to think about the cost to you as the defender.
38:41 And the way that you reduce that cost on dependency upgrades is spending just a little bit of time every week, tending that automation and looking for those upgrades that are really going to take some development work.
38:52 And there are fewer than you might think, like quite often feels like a really big task because most people get stuck in this, oh no, it's time to do the dependency upgrades this quarter.
39:02 And you have like a seven week project that you're like trying to figure out which dependency is the one that's making all your tests fail.
39:08 And you're like changing 50 lines in your requirements.txt all at once.
39:11 If you don't do that, and by the time you're upgrading the one library that really does have a big breaking API change, it's not actually that hard as long as everything else is already up to date.
39:21 Yeah.
39:22 And usually there's one or two libraries that are massive, like Django or Flask.
39:26 And then it's all the little dependencies that probably require no effort on your part.
39:30 One other thing that I switched to, you talked about Dependabot, which is really great.
39:36 And I have Dependabot turned on for my stuff, but I started using pip-compile, where basically you give it a .in file and it'll build your requirements.txt.
39:46 And it'll even say like, this thing is here because it depends.
39:50 You know, you installed Flask.
39:51 That's why itsdangerous is here, for example.
39:53 And I really like having that because it's just, you know, this week I'll go and I'll run it and it'll tell me what the new requirements are.
40:00 I'm actively knowing that's happening.
40:02 I'll sort of process it and go with it.
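For example, a rough console sketch of that pip-tools workflow; the package names and version numbers are illustrative, and you can add --generate-hashes if you also want hash pinning.

```
$ cat requirements.in
flask

$ pip-compile requirements.in

$ cat requirements.txt
click==8.0.3
    # via flask
flask==2.0.2
    # via -r requirements.in
itsdangerous==2.0.1
    # via flask
...
```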
40:04 What do you all think?
40:05 Emily, are you using Dependabot or something else?
40:08 Yeah, we do use Dependabot.
40:09 I think another interesting like integral piece of being able to upgrade your dependencies is having tests that give you the confidence that you can.
40:17 So do you feel confident to say, yes, our upgraded dependencies passed our test suite, therefore we can upgrade?
40:24 Or is there something that is going to require somebody else to go in and look at it?
40:27 But yeah, I think we've come a really long way in terms of dependency management.
40:31 I do not miss the giant requirements.txt files that had all the dependencies of dependencies of dependencies all the way down and you didn't know what you would install versus another library.
40:42 Yeah, exactly.
40:42 I also like things like pip compile because it lets you have a little bit more control over the child dependencies versus relying on a top level library like Django to specify their own requirements in a way that works for your organization.
40:59 Yeah, absolutely.
40:59 So I also use Dependabot, like I said, and if you go and run pip-tools and then you commit that back to the repo, Dependabot will notice that that's been upgraded and it will automatically close the PR.
41:10 So there's kind of a nice match between them as well.
41:13 Yeah, the answers to all these questions are really so much simpler than they used to be, you know, five, six years ago.
41:19 I've been using requires.io for probably almost a decade, and Dependabot is much better, largely because it defaults to just sending you those individual upgrades and you can really tune how much stuff it's going to try to do at once.
41:34 So yeah, mostly the answer on this is like, make something that builds your Docker container or whatever your fully realized application artifact is, run it all the time and have part of that process be like, freeze your dependencies, pin everything.
41:48 You need to make sure that everything is pinned so that you get very reliable, repeatable builds.
41:51 But having done that, you can really just bask in the, you know, cornucopia of tools that we have available to do this now that make it all pretty easy.
42:00 Yeah, it's definitely getting easier and easier.
42:02 Let's talk about performance a little bit.
42:03 I guess maybe I'll show just really quickly, I'll throw out there that at Snyk.io, S-N-Y-K.io, they've got some stuff where you can put in like a package or something like that.
42:14 Let's see.
42:15 I don't remember where you go to do it, but you can basically put in like a Python package.
42:19 It'll give you a security report for it.
42:20 So that's, I don't know how accurate that turns out to be for everything, but it's something.
42:25 But let's talk about performance.
42:26 And one thing I'd like to touch on is.
42:28 Actually, can we just say one more thing about security before we move on?
42:31 Yeah, go for it.
42:32 Because Hynek mentioned encryption and not trusting your local network at the beginning.
42:35 And one other thing I wanted to mention, speaking of tools that are much better than they used to be.
42:39 One popular idiom is to like have a production mode that has all your encryption on and a development mode where you like just turn it all off for convenience.
42:50 And I'm a big fan of setting up like an entry in your hosts file for each developer and having some infrastructure for provisioning certificates for individual developer machines.
43:02 So that encryption is just always on.
43:02 Nobody ever makes a connection without TLS on it.
43:05 Even your like local API stubs still have some kind of TLS on them.
43:10 Because it's actually not all that hard, particularly with Let's Encrypt.
43:13 You get a couple of DNS plugins and you can easily vend those certificates to your dev team.
43:17 It takes a couple of days of work at most.
43:19 And having done that, not only are you more secure because you just don't even have that switch anymore to like accidentally be sending everything in plain text.
43:29 But also you spot a surprising number of configuration issues.
43:32 And like you get to see how your like for real certificates work while you're doing development.
43:38 And that can really help a lot of developers like understand what's going on with the somewhat tricky world of HTTPS.
43:45 So it's just running a little bit closer to production.
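A hedged sketch of that always-on local TLS idea with Flask, assuming you've added a hosts-file entry such as dev.example.test pointing at 127.0.0.1 and provisioned a certificate for it as Glyph describes; the file names are illustrative.

```python
from flask import Flask

app = Flask(__name__)

@app.route("/")
def index():
    return "hello over TLS"

if __name__ == "__main__":
    # TLS is always on, even in development: there is no plain-text
    # "development mode" switch to accidentally leave enabled.
    app.run(
        host="127.0.0.1",  # reached via the dev.example.test hosts entry
        port=8443,
        ssl_context=("dev-cert.pem", "dev-key.pem"),
    )
```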
43:48 Yeah.
43:48 All right.
43:48 Let's talk about performance.
43:49 And I'll just put this up on the screen because I think it's a fun thing.
43:52 Have you all seen Locust.io?
43:54 Yeah, we use it regularly for load testing.
43:56 Do you?
43:57 Yeah.
43:57 Maybe tell people about it real quick.
43:59 I've used it once or twice and it's fantastic.
44:01 Yeah, definitely.
44:01 So it's a tool that allows you to essentially write a script that will emulate requests to your server.
44:08 And then you can give it a variety of, wow, mom brain with no sleep makes me forget words.
44:14 But basically just like different parameters that you can specify.
44:17 So it makes it really easy to say like, here is the approximate randomized behavior for a single user.
44:24 And then scale it up to hundreds or thousands of users and see how your server handles it.
44:29 Right.
44:29 You give it a Python script, which is really interesting, right?
44:32 You create a class and you say, here's a typical user of this type.
44:35 And it does different things like it'll call the index page.
44:39 It'll call the about page.
44:40 It'll go do a search.
44:41 And you can say things like, there's going to be a certain amount of delay between pages.
44:46 And then you can, as you said, scale that up.
44:49 Say like, I want 2,700 regular users and 50 admin users and let them go crawl around on the site and do what they do.
44:57 Right.
44:58 Yeah.
44:58 So it's super cool.
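A minimal sketch of such a locustfile, matching the description above; the paths, task weights, and delays are illustrative.

```python
from locust import HttpUser, task, between

class RegularUser(HttpUser):
    # Each simulated user pauses 1-5 seconds between actions.
    wait_time = between(1, 5)

    @task(3)  # weighted: the index page is hit three times as often
    def index(self):
        self.client.get("/")

    @task
    def about(self):
        self.client.get("/about")

    @task
    def search(self):
        self.client.get("/search", params={"q": "python"})
```

You would run it with something like `locust -f locustfile.py --host https://your-site.example` and dial the user count up from the web UI.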
44:59 And the real-time dashboard is neat.
45:02 So if you want to know about your performance, you could use this, but you know, how do you all think about performance for the apps, either you're running or delivering, you know, what's fast enough?
45:12 What's just wasting your time, getting that last millisecond of response time?
45:16 So I'm going to make this the bold statement that for the vast majority of developers, Python is fast enough.
45:23 Oh yeah, absolutely.
45:25 It is fast enough to saturate a database.
45:27 And once your database is saturated, you have different problems.
45:30 Like there's definitely things for what it is, where it is a problem.
45:34 Like you cannot saturate an LDAP server, for example.
45:37 I know that because I tried and it's one of our Go services.
45:40 It would be nice if Python could be faster.
45:43 And I'm very excited about Guido's performance task force at Microsoft.
45:47 It's great.
45:48 Yeah.
45:48 I feel like the indifference that the no-GIL movement has been shown kind of shows that nobody really thinks that intensively about it anymore.
45:58 Like for most people, it's fine.
46:00 It's not good.
46:01 It's not great.
46:02 It's fine.
46:03 And I mean, Instagram is printing money with it.
46:05 So they absolutely are.
46:08 Yeah.
46:09 You know, you can go and put your site into PageSpeed Insights and see what you get.
46:14 And I think once you get down to several millisecond response time per page, it just, you know, there's not a whole lot you can do to make it faster.
46:24 There's not a lot of benefit to doing that work, right?
46:27 It's mostly tuning a database with the right indexes and caching.
46:31 That's the two things.
46:32 Yeah.
46:32 And everything else is like the last 10% or something.
46:35 Yeah, absolutely.
46:36 So what I wanted to definitely emphasize here and hear your thoughts.
46:39 I feel like there's so many times I go to some page and it doesn't necessarily, some site doesn't necessarily have to be Python.
46:45 It's just some database backed page.
46:47 And you go there and it's sitting on what seems like one of their primary pages.
46:51 And it's like five seconds until it responds or several seconds even.
46:55 It's like, what is this thing doing?
46:58 And I just, I know they don't have indexes in their database.
47:01 They just, they can't.
47:02 So, you know, I just want to put out a plea for please use like some database profiling feature.
47:09 Please look at your queries and please put an index.
47:12 It's so incredibly easy.
47:14 Like any of you all want to rant on that with me?
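To make that plea concrete, here is a minimal sketch of declaring indexes in SQLAlchemy, which comes up elsewhere in the episode; the model and column names are hypothetical.

```python
from sqlalchemy import Column, DateTime, Integer, String
from sqlalchemy.orm import declarative_base

Base = declarative_base()

class Order(Base):
    __tablename__ = "orders"

    id = Column(Integer, primary_key=True)
    # index=True creates a B-tree index, so filtering or sorting by these
    # columns no longer requires a full table scan.
    customer_email = Column(String, index=True)
    created_at = Column(DateTime, index=True)
```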
47:16 I need to bring up one tool before we talk about this.
47:19 And it's called pgMustard.
47:21 Okay.
47:21 I've never been able to fully understand an EXPLAIN statement.
47:25 Like I learned it many times and then I forgot it again.
47:28 And pgMustard is amazing.
47:30 You just take an EXPLAIN.
47:32 You copy paste it into a web app and it tells you exactly what's going wrong.
47:36 Oh, nice.
47:37 And I've shaved, like I had like one query, which is like very big.
47:40 It's from a financial system.
47:41 And I think I was able to shave off like 66% of that query's runtime.
47:46 Yeah.
47:46 Just because there was an index, but it was set up wrong.
47:49 It was amazing.
47:50 Yeah.
47:51 So here's a really beautiful visual thing.
47:53 And it's also a bit of like a profiler.
47:55 So it says on this part of the query statement, you spent 0.4% of the time.
48:00 And this part you spent 58% of the time, right?
48:03 Here's an index scan.
48:04 That's the best part.
48:05 It doesn't just tell you what's going wrong, but tells you: do this, make this index.
48:10 Things like that.
48:11 Okay.
48:11 I've never seen this before.
48:13 This is fantastic.
48:14 Emily, thoughts on indexes?
48:15 Join my plea.
48:16 Yeah.
48:18 So I think that that piece of it's definitely very important.
48:21 Like making sure that you're doing those sort of basic things to get you to that, you
48:25 know, 80 to 90% performance potential.
48:27 But I would also argue that these days in a vast majority of applications, you're going
48:33 to have a decoupled front end from your back end.
48:35 And I would argue that making sure that you're implementing best practices for user experience
48:41 on your front end is going to give you so much more payoff than trying to optimize that
48:46 API call by, you know, a few milliseconds.
48:49 So previously I had pulled up the PageSpeed Insights before, right?
48:54 And at PageSpeed.web.dev from Google, I believe.
48:58 Yeah.
48:59 And what's really interesting about that is if you go and put your site into there,
49:04 it doesn't feel fantastic to do it, by the way.
49:06 So if you go and you put your site in here, you at some point might get a good number.
49:11 I'm getting 100 out of 100 on the Talk Python Training site right now.
49:14 But that's because I spent three days addressing every little thing.
49:19 Like this image is not sized right.
49:21 This JavaScript is not bundled with that JavaScript.
49:24 This element is being resized by the browser.
49:26 You should make it the same size by default.
49:29 And just all of these little things.
49:31 And it wasn't even about the server response time, which was always pretty low.
49:36 It's about all the other stuff.
49:38 It's like, how does it feel to the user to get to the page, rather than, you
49:43 know, how fast the HTML comes out of the server?
49:46 And that's what you're talking about, right?
49:48 That kind of stuff?
49:48 Yep.
49:49 Yeah.
49:49 Yeah, definitely.
49:50 Awesome.
49:50 All right.
49:51 So I have so many feelings about this.
49:54 This is probably the number two topic for me behind packaging.
49:57 Okay.
49:58 Those of you not listening on the live stream, if this next part sounds choppy, it's because
50:02 I talked for an hour and a half and Michael had to edit it down.
50:05 We just cut him off.
50:07 We just had to cut him off when he lost his voice.
50:10 But seriously, the thing that I think is most important is that, quite often, the parts of
50:15 your application that end up being the performance issues only show up once you're past this step.
50:22 Now, you all have been mostly talking about websites, except for Hynek
50:26 mentioning LDAP, which is interesting.
50:28 I've never really thought about scaling that one.
50:30 No.
50:31 I have also scaled LDAP.
50:33 So the two major applications that I've dealt with performance issues on are an internal
50:38 calendaring service that I maintained at a large company, which you can figure out
50:42 by reading my Wikipedia page, and pilot.com's internal bookkeeping automations.
50:48 And in both of those, so number one, the calendar service was an API with no front end.
50:54 The front end was maintained by the client teams that were not even doing web stuff.
50:59 And the way that we had to performance test that involved standing up our own custom load
51:05 generation tool and running it as kind of a qualification process for our deployments.
51:10 And the reason that I bring up that one is it's interesting because we had to figure out
51:15 what our actual interesting load patterns were.
51:17 We couldn't use any of these like standard HTTP load generation things because we needed very
51:22 specific data.
51:23 And that often ends up being the problem that you're facing.
51:27 On that service in particular, we had performance problems that arose because we
51:32 added too many indexes.
51:34 So we were having problems on the write side of the equation.
51:37 Every time you add an index, you're optimizing read at the expense of write.
51:42 And usually it's a lot of read performance gained for a little write performance lost, but eventually
51:47 it does add up.
51:48 It does.
51:49 Yeah.
51:49 Kivo out in the audience says, yeah, you've got to be careful adding too many indexes as
51:54 well.
51:54 There's two parts to that, right?
51:56 One part is when you write something, the indexes have to be computed for that thing that's going
52:01 in.
52:01 And the other is more indexes mean more stuff in memory.
52:04 And so another really important aspect is, does the totality of your indexes
52:09 reside in memory, or does it have to get paged out?
52:12 Right.
52:12 And so you would hit that problem.
52:14 Both of those problems you would run into by having too many indexes.
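To see that write-side cost directly, here is a small sketch, again with sqlite3 and a hypothetical events table, that times the same bulk insert into a bare table and into one carrying five extra indexes:

```python
# Sketch: the same bulk insert slows down as each extra index must be maintained.
import sqlite3
import time

ROWS = [(i % 1_000, i % 100, i * 0.5, f"note-{i}") for i in range(200_000)]

def timed_insert(extra_indexes: int) -> float:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (a INTEGER, b INTEGER, c REAL, d TEXT)")
    for n in range(extra_indexes):
        conn.execute(f"CREATE INDEX ix_{n} ON events (a, b, c)")
    start = time.perf_counter()
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return time.perf_counter() - start

print(f"0 extra indexes: {timed_insert(0):.3f}s")
print(f"5 extra indexes: {timed_insert(5):.3f}s")
```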
52:17 Right.
52:17 So you need to be ready to measure things, because you don't necessarily
52:23 know.
52:24 I mean, this is that old chestnut about premature optimization:
52:28 not knowing what the hotspots are until you run them.
52:30 But that also means, so there's two things about that.
52:32 One, the tools for doing this are not great.
52:35 Like the one that I really wish were good and just isn't is SpeedCenter, which Twisted and
52:41 PyPy used to monitor their performance over time.
52:43 Like what the performance of each revision of the code is.
52:46 And there's nothing like, you know, GitHub Actions or Travis CI, there's no sort of leader
52:51 in that field that will just tell you like, hey, your performance regressed by 10% on this
52:56 commit.
52:57 And that is the tool which I desperately want to exist.
53:00 And so most of the things that I do are trying to approximate that.
53:03 Part of that is making sure you have metrics in production that are telling you so that you
53:07 notice when things are slow.
53:09 You don't want to have users be the ones telling you. And really, if you're getting bad
53:14 performance metrics out of your load testing tool, and that's a surprise to you, that means
53:18 you're probably not instrumenting enough in prod to know, like, oh, users are seeing some
53:23 slowness here.
53:23 Because you're also going to get things where like your database is doing great.
53:26 Everything seems like it's super fast, but your queries are actually really slow.
53:30 They're just all running in memory.
53:31 And then you hit the cliff where suddenly you're hitting the disk.
53:34 And now everything's much, much slower.
53:36 And none of your code changed.
53:38 And your data only grew by like 10%.
53:40 And being able to spot stuff like that means you have to be looking at perf in prod.
53:45 You can't do synthetic tests for everything.
53:48 And particularly if you have a large site with a lot of users, it's very easy to miss if your
53:53 95th percentile is falling off a cliff, right?
53:56 Like, you have to be looking at your quartiles and all of these different things, not just
54:02 average performance.
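A quick sketch of that point with made-up latency samples: the mean can look healthy while the tail is falling off a cliff, and only the percentiles reveal it. This uses only Python's standard statistics module:

```python
# Sketch: the mean hides a bad tail; percentiles expose it.
import random
import statistics

random.seed(1)
# Made-up latencies: most requests are fast, a few hit a slow path.
latencies_ms = [random.gauss(80, 15) for _ in range(9_000)]
latencies_ms += [random.gauss(2_500, 400) for _ in range(1_000)]

cuts = statistics.quantiles(latencies_ms, n=100)  # 99 percentile cut points
print(f"mean: {statistics.fmean(latencies_ms):7.1f} ms")
print(f"p50:  {cuts[49]:7.1f} ms")  # median looks fine
print(f"p95:  {cuts[94]:7.1f} ms")  # the cliff shows up here
print(f"p99:  {cuts[98]:7.1f} ms")
```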
54:03 And the second part of that is the custom data generation for your synthetic tests.
54:08 So, for example, the calendar service had those issues that I just mentioned.
54:12 And the Pilot service had this issue where most of the performance stuff was not the database.
54:18 It was talking to APIs to pull in financial transactions and analyze them.
54:23 And it was those APIs being slow, us being silly and not talking to those APIs in parallel,
54:29 data volumes just being huge, like thousands and thousands and thousands of transactions
54:33 in a single call.
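On the not-talking-to-those-APIs-in-parallel point, here is a hedged sketch of the usual fix, assuming an async HTTP client like httpx and placeholder URLs:

```python
# Sketch: fetch independent upstream APIs concurrently instead of one by one.
# httpx is assumed to be installed; the URLs are placeholders.
import asyncio

import httpx

URLS = [f"https://api.example.com/transactions?page={n}" for n in range(10)]

async def fetch_all() -> list:
    async with httpx.AsyncClient(timeout=30) as client:
        # One slow upstream no longer serializes behind all the others.
        responses = await asyncio.gather(*(client.get(url) for url in URLS))
    return [r.json() for r in responses]

pages = asyncio.run(fetch_all())
```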
54:35 And that you have to know that that's going to happen.
54:38 And you have to be able to, on demand, add new types of data to your test suite
54:44 or your performance test suite.
54:46 And that performance tool where you write Python code looks like a great way to
54:51 do that.
54:51 I actually had never used that one.
54:52 This thing is glorious.
54:53 Yeah.
54:54 What was it?
54:55 Locust.io?
54:55 Yeah.
54:56 Yeah.
54:56 And it has dynamic graphs and dashboards that show you results as it ramps up
55:01 and as you change it.
55:01 And I think it might give you the right kind of control, because you basically structure with
55:06 Python how it hammers on the server, which is pretty neat.
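For reference, a minimal Locust file looks roughly like this. The endpoints here are hypothetical, but the HttpUser and @task structure is Locust's actual API:

```python
# locustfile.py -- run with: locust -f locustfile.py --host https://your-site.example
from locust import HttpUser, between, task

class SiteUser(HttpUser):
    wait_time = between(1, 3)  # each simulated user pauses 1-3s between tasks

    @task(3)  # weighted: hit the homepage three times as often as search
    def homepage(self):
        self.client.get("/")

    @task
    def search(self):
        self.client.get("/search", params={"q": "python"})
```

Running that command then gives you the web dashboard with those live ramp-up graphs.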
55:09 Yeah.
55:09 And the one thing I'd say about that is, you need to do that.
55:12 You will need to write custom stuff.
55:14 Don't just assume you can, like, add a couple indexes and call it done.
55:16 You should just add a couple indexes at first if performance is not your primary concern.
55:21 But having done that, you have to know you're going to need to think about perf and like
55:26 write code to monitor it.
55:28 Absolutely.
55:28 All right.
55:29 I think we're just about out of time, although we have barely scratched the surface of all
55:33 the stuff we could talk about.
55:35 Let's close out with this question.
55:36 Do any of you have, sounds like maybe you've thought about this.
55:41 You have CI performance checks or failures or anything like that, right?
55:47 Like we have run our tests.
55:49 The build doesn't pass if the tests don't pass.
55:51 But do you have something like that for performance?
55:53 That's the thing I want to exist.
55:54 And I've never managed it.
55:56 I've done things that approximate it within tests, but never really gotten there.
56:00 I have nothing like that either.
56:02 Emily?
56:02 No, I mean, I think the closest approximation that we get is we focus a lot on like Cypress
56:08 tests for front end.
56:09 So actually the user going through and working with the application.
56:12 And I think the closest thing that we could get at this point is just setting our max
56:17 timeout in our HTTP service, bumping that down and saying, if anything's taking over
56:23 10 seconds to respond when we run the tests, then it should fail.
56:26 But no, we don't do any regular performance testing.
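A rough sketch of the tripwire Emily describes, written as a plain pytest test. The client fixture and the endpoint are assumptions standing in for whatever your framework provides; this is a crude ceiling, not a real benchmark:

```python
# Sketch: fail CI if a request blows past a generous ceiling. The `client`
# fixture and the endpoint are stand-ins for your framework's test client.
import time

MAX_SECONDS = 10

def test_dashboard_is_not_pathologically_slow(client):
    start = time.perf_counter()
    response = client.get("/dashboard")
    elapsed = time.perf_counter() - start
    assert response.status_code == 200
    assert elapsed < MAX_SECONDS, f"/dashboard took {elapsed:.1f}s"
```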
56:31 Yeah.
56:31 Hynek?
56:32 We do not, no.
56:32 Yeah.
56:33 But we all kind of agree that it would be nice to have, I think.
56:36 But yeah.
56:38 There's a lot to setting it up, though, right?
56:38 You've got to have enough data in the database for it to be meaningful.
56:40 And that's tricky to do in CI.
56:42 And it would be cool though.
56:43 I think Glyph makes a really good point that the load testing and the manual testing
56:48 of performance is great, especially when it's a prerequisite to launch.
56:51 But there's no way that you're going to be able to replicate everything that happens in production.
56:55 And the best thing that you can do is monitor prod as closely as you can.
56:59 Yeah, absolutely.
57:00 Some of that real-time monitoring.
57:01 Fantastic.
57:02 All right.
57:02 Well, thank you all for being here.
57:04 This has been super interesting to chat about.
57:06 Before you get out of here, I think I'll narrow it down to just one of the final
57:10 two questions so that we don't take too long.
57:12 If you're going to write some Python code, what editor do you use?
57:15 Let's go clockwise.
57:15 Hynek, how about you?
57:17 What are you writing code with these days?
57:18 Well, I have a long story of editors.
57:20 I've used almost all of them at some point.
57:22 I usually stopped using them because I got crippled, like Emacs pinky.
57:26 Nowadays, I usually use either Vim in a console or VS Code.
57:31 Okay.
57:31 Right on.
57:32 Glyph?
57:32 There's an implicit thing in this question where it sounds like you're recommending the
57:36 thing that you use.
57:37 So I want to be clear that I'm not doing that.
57:39 Don't do as I do.
57:41 Yeah.
57:42 I use Emacs, but with about 10 megabytes of custom Elisp, which I'm never going to share
57:48 with anyone.
57:49 Fantastic.
57:49 Because you shouldn't use it.
57:50 Just use VS Code.
57:51 Awesome.
57:52 Emily?
57:52 VS Code.
57:53 All day.
57:54 Okay.
57:54 Big thanks to Brett Cannon, who sat me down at a PyCon and forced me to use it because
57:59 the first time I used it, I hated it and I went back to Sublime.
58:02 But yeah, I don't think there's anything that competes these days.
58:05 Yeah.
58:05 He's such a good ambassador for that.
58:06 So it's good to have him working on it.
58:08 All right.
58:09 Thank you all for being on the podcast.
58:10 It's been great to chat about this stuff and really insightful to get your experience.
58:15 Thanks so much for having us.
58:16 Awesome.
58:16 Thanks for having us.
58:17 Yeah.
58:17 You bet.
58:17 Bye.
58:17 Bye.
58:17 Bye.
58:19 This has been another episode of Talk Python to Me.
58:22 Thank you to our sponsors.
58:24 Be sure to check out what they're offering.
58:25 It really helps support the show.
58:27 Add high-performance, multi-party video calls to any app or website with SignalWire.
58:32 Visit talkpython.fm/SignalWire and mention that you came from Talk Python to Me to get started
58:38 and grab those free credits.
58:39 Tonic.ai creates quality test data that does not contain personally identifiable information.
58:47 Your generated data sets are safe to share with developers, QA, and data scientists.
58:51 Most importantly, they behave like production because they're made from production data.
58:56 Check them out at talkpython.fm/tonic.
59:00 Want to level up your Python?
59:02 We have one of the largest catalogs of Python video courses over at Talk Python.
59:06 Our content ranges from true beginners to deeply advanced topics like memory and async.
59:12 And best of all, there's not a subscription in sight.
59:15 Check it out for yourself at training.talkpython.fm.
59:17 Be sure to subscribe to the show.
59:19 Open your favorite podcast app and search for Python.
59:22 We should be right at the top.
59:23 You can also find the iTunes feed at /itunes, the Google Play feed at /play,
59:28 and the direct RSS feed at /rss on talkpython.fm.
59:32 We're live streaming most of our recordings these days.
59:36 If you want to be part of the show and have your comments featured on the air,
59:40 be sure to subscribe to our YouTube channel at talkpython.fm/youtube.
59:44 This is your host, Michael Kennedy.
59:46 Thanks so much for listening.
59:47 I really appreciate it.
59:48 Now get out there and write some Python code.
59:50 Bye.