
GitHub 2FA and personal access token


Ever since I enabled two-factor authentication on GitHub, I have been using a developer personal access token (PAT) for pushing code.

The normal steps:

    git remote remove origin
    git remote add origin <remote URL>   # the URL was not shown in the original post
    git remote -v
    git push
    git push --set-upstream origin master

This works for both public and private repos. I think another way to do it is to use the PAT right when running “git clone” to begin with; I am going to try that next time. Note that I created the repo on the GitHub website first.
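One caveat worth checking on any machine where a PAT has been put into a remote URL: git keeps that URL, token included, in plaintext in .git/config. The script below is an added example (not from the original post) that finds such remotes in a git config file so the token can be moved to a credential helper instead; the sample config and its token value are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. A PAT placed in the remote URL
# (https://user:TOKEN@github.com/user/repo.git) is stored in plaintext in
# .git/config. These helpers find such remotes so the token can be moved to
# a credential helper instead (git config --global credential.helper osxkeychain
# on a Mac), after which git prompts for the PAT once and keeps it in Keychain.

# Print each remote URL that carries credentials, with the secret redacted.
check_remote_urls() {
  grep -E '^[[:space:]]*url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@' "$1" \
    | sed -E 's#^[[:space:]]*url[[:space:]]*=[[:space:]]*##; s#://[^/@]+@#://<redacted>@#'
}

# Number of remotes with embedded credentials; 0 is the desired state.
count_embedded_creds() {
  check_remote_urls "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample .git/config: one remote with a token in the URL, one clean.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
[remote "origin"]
    url = https://alice:TOKEN_PLACEHOLDER@github.com/alice/repo.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
    url = https://github.com/someorg/repo.git
    fetch = +refs/heads/*:refs/remotes/upstream/*
EOF

check_remote_urls "$SAMPLE_CFG"   # prints the origin URL with the secret replaced by <redacted>
echo "remotes with embedded credentials: $(count_embedded_creds "$SAMPLE_CFG")"
```

Run it against a real repo with `check_remote_urls .git/config`; after switching to a credential helper, `git remote set-url origin https://github.com/<user>/<repo>.git` removes the token from the URL.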


Hiring Right


In a little over the last year or so, I was involved in many technical interviews, and sometimes hiring decisions (one vote only, but a No vote is usually a No for the candidate). This is quite different from a normal technical contributor’s job. But I learned something from this process too. I think overall I had two bad “Yes” votes, meaning I should have said “No”, but I said “Yes”. In one instance it was purely my unforced error; in the other case the process went haywire.

Let me recall my mistake first. I was talking to a candidate, and I noticed something unusual in the resume. Basically, it appeared the resume contradicted what the candidate had said. I had two colleagues on the phone; I am not sure if they saw it on video (likely not, as I may not have had a video camera on the laptop then). But basically at that moment the candidate grabbed the resume back from me. I was stunned, to say the least. I told my two colleagues No. But they somehow asked me to re-think, and they talked me into “giving him an opportunity”. Things did not work out eventually, as the manager let that person go because he had some personality issues.

The second bad “Yes” was process oriented. Basically, after we made the “hire” decision following the interview, I recalled that I had seen the resume before. I searched email and found out that the candidate was a “no show” twice last September (Sept 2019). A no show is a red flag. A no show without explanation is even worse. No matter how talented someone is, it’s very hard to overcome this kind of issue. My regret there is that we did not have a process to flag a candidate in our system. I recall at my former workplace, after some back and forth, one hiring manager said “enough, let’s flag this person in our system”. So basically we were unlikely to see this person again. In a way it’s a good thing, because at minimum it gives some warning: one can always override the computer, but the computer has a better memory than human beings on many occasions. This process would have helped, if we had one.

Last but not least, some interview advice from Joel Spolsky. Quote:

You should always try to have at least six people interview each candidate that gets hired, including at least five who would be peers of that candidate (that is, other programmers, not managers).

(more quote) So: don’t listen to recruiters; don’t ask around about the person before you interview them; and never, ever talk to the other interviewers about the candidate until you’ve both made your decisions independently. That’s the scientific method.

I spend about 30 seconds telling the person who I am and how the interview will work. I always reassure candidates that we are interested in how they go about solving problems, not the actual answer.


Java keytool

Keytool

The Most Common Java Keytool Keystore Commands

  • Import a trusted root CA certificate into a keystore (or into cacerts):
    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
    (keytool -keystore $CACERTS_STORE -storepass changeit -importcert -alias jfrog.root -file jfrog.root.cer -noprompt)
    Note that changeit is the well-known default password of cacerts, and -noprompt skips the fingerprint confirmation, so check the certificate before scripting the import this way.

  • List the contents of the JRE’s default trust store:
    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Install Spring STS on Mac

Dragging STS to the Applications folder may not be necessary; when I did, it could not find the vFabric server (you need to open the folder to let base_instance know).

Other setup for Maven (3.0.5)
home brew maven30 (stackoverflow thread)

Last but not least

Java dev blogs at Okta


GCP Data Fusion


(Update 12-10-2020) Ran the DataFusionQuickstart from the Data Fusion Hub. Need to make sure the compute@developer service account has the following roles:

BigQuery Admin
Cloud Data Fusion Runner
Dataproc Worker
Service Account User
Storage Admin

Then the Data Fusion user service account still has the “Service Account User” role (this is the same as below). The BigQuery and Storage roles are needed because the pipeline uses both. When it runs successfully, at the end we will see “Pipeline ‘DataFusionQuickstart’ succeeded.”

(Original 10-26-2020) Tried running a couple more pre-set pipelines from Google. They took a while to run (don’t know why). More on permissions (IAM): need to add the “Dataproc Worker” role to the “Compute Engine default service account”. Then continue by adding Service Account User to the “Cloud Data Fusion Service Account / Cloud Data Fusion API Service Agent”.
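The role grants described in both updates above, as an added example that is not from the original post or from Google: it maps the role display names listed in the post to their predefined role IDs and emits the gcloud bindings for the Compute Engine default service account (dry run by default). PROJECT_ID and PROJECT_NUMBER are placeholders; the role set is the one the post found necessary and includes broad admin roles, so apply it only to the project used for the quickstart.

```shell
#!/bin/sh
# Added example, not from the original post or from Google. It maps the role
# display names listed in the post to their predefined role IDs and emits the
# gcloud binding commands for the Compute Engine default service account
# (dry run by default; set DRY_RUN=0 to execute). PROJECT_ID and the
# PROJECT_NUMBER in the service account address are placeholders to replace.
DRY_RUN="${DRY_RUN:-1}"

# Display name (as shown in the IAM console) -> predefined role ID.
role_id() {
  case "$1" in
    "BigQuery Admin")           echo roles/bigquery.admin ;;
    "Cloud Data Fusion Runner") echo roles/datafusion.runner ;;
    "Dataproc Worker")          echo roles/dataproc.worker ;;
    "Service Account User")     echo roles/iam.serviceAccountUser ;;
    "Storage Admin")            echo roles/storage.admin ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# One add-iam-policy-binding per role; prints the command unless DRY_RUN=0.
grant_roles() {
  project="$1"; sa="$2"; shift 2
  for name in "$@"; do
    rid="$(role_id "$name")" || return 1
    cmd="gcloud projects add-iam-policy-binding $project --member=serviceAccount:$sa --role=$rid"
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
}

# The compute default SA is <PROJECT_NUMBER>-compute@developer.gserviceaccount.com.
grant_roles "PROJECT_ID" "PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
  "BigQuery Admin" "Cloud Data Fusion Runner" "Dataproc Worker" \
  "Service Account User" "Storage Admin"
```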

A couple of tutorials

Targeting campaign pipeline

Creating a reusable pipeline

Permission issue (note the exact error will depend on the network setup as well; for example, this Data Fusion service account needs network access to run the pipeline, and it needs that role if applicable).

Cost: the Developer edition of a Data Fusion instance costs 35 cents per hour. The Basic edition is 1.80 per hour but comes with the first 120 hours free, which is 5 days of free usage, and is recommended. Also, there are ways in GCP to set up budgets and alerts.



Prepare for Certification

Get Started – AWS: the example below has some issues; it cannot find the image. Note I tried to find the correct AMI image id too (ami-032930428bf1abbff, via the AWS console), but it appears there is another issue when the correct AMI image id is used.

    resource "aws_instance" "example" {
      ami           = "ami-830c94e3"
      instance_type = "t2.micro"
    }

Error: Error launching source instance: VPCResourceNotSpecified: The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.
	status code: 400, request id: c8d85874-93fb-4e48-b515-97b50172826b

  on line 15, in resource "aws_instance" "example":
  15: resource "aws_instance" "example" {

*Amazon Linux AMI 2018.03.0 (HVM), SSD Volume Type – ami-032930428bf1abbff (from aws console)


Get Started – Google Cloud

Get Started – Azure: one interesting part is that it seems the user name and password for Azure in the TF script are not checked (or in other words, are they stateless?). Not sure why. I was using admin_username=plankton; later, while it was set up, it was Password1234!

Two more comments on Azure: the Store Remote State part did not work perfectly. I believe the Azure free tier has a one-year limit; it shows 6 cents so far for my infrastructure experiment. Also: the detailed cost.

Get Started – Terraform Cloud


hosts file for productivity


Sometimes we need to get something done without the distraction of Facebook, Twitter or, for that matter, LinkedIn (or some other sites you want to stay away from). Here is a tip for how to do it on a Mac.

    sudo vi /etc/hosts

(note you don’t have to use vi, feel free to use nano or another editor of your choice)

Reference entries below (the default contents of the file on a Mac):

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1       localhost
    255.255.255.255 broadcasthost
    ::1             localhost


Then do this in command line.
sudo dscacheutil -flushcache
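The edit-then-flush procedure above, as an added example that is not from the original post: a small script that appends loopback entries for the distracting domains (and their www. variants) idempotently, tags them with a marker comment so they can be counted and removed again, and is exercised on a constructed copy of the default hosts file rather than on /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Appends loopback entries for a
# list of distracting domains (and their www. variants) to a hosts file in an
# idempotent way, so re-running it never duplicates lines. Each entry is
# tagged with a marker comment so it can be counted and later removed.
# Usage: block_sites FILE domain [domain ...]
MARKER='# blocked for focus'

block_sites() {
  hosts="$1"; shift
  for d in "$@"; do
    for name in "$d" "www.$d"; do
      esc="$(printf '%s' "$name" | sed 's/\./\\./g')"   # escape dots for the regex
      # skip when any entry for this hostname already exists, whatever its IP
      if grep -qE "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+$esc([[:space:]]|\$)" "$hosts"; then
        continue
      fi
      printf '127.0.0.1\t%s\t%s\n' "$name" "$MARKER" >> "$hosts"
    done
  done
}

# How many hostnames are currently blocked by this script in FILE.
blocked_count() {
  grep -c "$MARKER" "$1" || true
}

# Remove every entry this script added; cat > keeps the file's owner and mode.
unblock_all() {
  tmp="$(mktemp)"
  grep -v "$MARKER" "$1" > "$tmp" || true
  cat "$tmp" > "$1"; rm -f "$tmp"
}

# Constructed sample with the macOS default hosts entries.
SAMPLE_HOSTS="$(mktemp)"
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
printf '127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1             localhost\n' > "$SAMPLE_HOSTS"

block_sites "$SAMPLE_HOSTS" facebook.com twitter.com
block_sites "$SAMPLE_HOSTS" facebook.com   # second run adds nothing
# On a real Mac: sudo sh block.sh /etc/hosts ..., then sudo dscacheutil -flushcache
# (newer macOS versions also need: sudo killall -HUP mDNSResponder)
```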

Reference articles:

How to Edit the Hosts File in Mac OS X with Terminal

How To Edit Hosts File In Linux, Windows, Or Mac


WeChat is not banned, at least not yet


(Update 09-20-2020) It looks like the 9th court temporarily blocked the WeChat ban (NPR). The TikTok ban became irrelevant because there is the new deal with Oracle / Walmart (theverge).

(Original 09-18-2020)

CNN: US will ban WeChat and TikTok downloads on Sunday. Quote: “The only real change as of Sunday night will be [TikTok users] won’t have access to improved apps, updated apps, upgraded apps or maintenance,” Commerce Secretary Wilbur Ross said Friday morning on Fox Business.

Also, quote: “The restrictions targeting WeChat are more extensive. Beginning Sunday, it will be illegal to host or transfer internet traffic associated with WeChat, the Department said in a release. The same will be true for TikTok as of Nov. 12, it said.” I don’t know if this part is doable (again, not sure if it’s legal) in the US. Also, this part seems to contradict Wilbur Ross’s comments. Btw, Wilbur Ross made most of his money from the coal industry (and coal miners’ pensions or healthcare): this part is similar to how his boss got rich…

(Earlier) TechCrunch: Justice Department says WeChat users won’t be penalized under Trump’s executive order: the normal chat / group chat functions will continue to work after Sunday, September 20. It does seem to impact WeChat Pay (financial transactions) as well as the App Store / Google Play Store (workaround later). Also refer to this Ars Technica article.

The workaround for the App Store is to change your country / region, for example from the US to Canada. You may create a new user if needed. One thing I found out is that if I have App Store credit on my account, I cannot switch. This applies to TikTok users as well.


  1. There are ways to download apps even if they are no longer available in the US App Store or Google Play Store. The trick is to pick another country / region in the store settings. There is a limit though: if you have a balance (credit, money) in the App Store, you cannot switch (you have to spend it first). In this case you may have to create another App Store id solely for the purpose of downloading apps (for example, in addition to WeChat, there are some other apps only available in the China App Store).
  2. If the administration decides to block the web traffic (app traffic is a part of web traffic; it’s usually at the HTTP level), one may use a VPN service to get around that. This is nothing new.
  3. There are also desktop apps (Mac, Windows) and a web app on the WeChat web site. You may install the desktop app, or use the web app (essentially it’s like a website). Note WeChat still needs the phone app to sign in for those.

Here is a link to the US WeChat User Alliance. They are suing the US government over the unreasonable action (likely illegal as well).

Last but not least, this is mostly a last-ditch effort from the current administration to save the re-election (this part, if proven, is illegal too), because in the US political campaigning and governing are separate.


Virtual Learning


I normally use Google Calendar for the kiddos’ Zoom meetings. My older daughter, who is going to be an FGC dragon, knows how to get to Zoom via Google Classroom. I can train her on Google Calendar too. But now I am thinking I will take Monday off for full-time support of virtual learning (I feel I need a break from work too).

A bigger question though: this kind of management tool seems like the new normal for all of us. In the past I used Google Calendar for all my personal appointments and all my kids’ activities; this includes my girl’s basketball (time, location), my volunteer meetings at the kids’ school, etc.

Also, a side note: I have not looked into the kiddos’ iPads yet, but I assume everything is set up, including Google Classroom. But I prefer the kids not to watch an iPad the whole day. So I set up bigger monitors with laptops (MacBooks) and webcams. I will need to provide some support for my 1st grader on this…


API Gateway



Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway or API Middleware). Made available as an open-source project in 2015, its core values are high performance and extensibility.

Actively maintained, Kong is widely used in production at companies ranging from startups to Global 5000 as well as government organizations.

CA Layer 7 / API Gateway: was owned by CA Technologies, formerly Computer Associates, which sold it to Broadcom, the chip company, in recent years. It uses slightly older technology than Kong, Apigee and Okta.