Third-Party Dependencies (Risk Assessment)

In this document we cover the core 3rd party dependencies we have in UCloud and assess risk based on the following factors:

• How essential is the dependency for UCloud?

  • Scale: 1 (low) - 5 (high)

• How essential is knowledge of the system to develop UCloud (while keeping it stable and secure)?

  • Scale: 1 (low) - 5 (high)

  • The assessment will include if the knowledge is only essential for a single component or system-wide

• Difficulty of migrating to an alternative technology

  • Scale: 1 (low) - 5 (high)

• Likelihood of the dependency getting discontinued in the coming 5 years

  • Scale: 1 (low) - 5 (high)

We consider a 3rd party dependency to be anything not created by the SDU eScience Center, examples include:

• Software library

• Tool

• Hosted software (e.g. a database server)

• Technical specifications

We use the following format:

### Dependency name

- __Website:__ https://example.com
- __Short description:__ Lorem ipsum dolor sit amet, consectetur adipisicing elit.
- __Described in:__ [Article 1](#), [Article 2](#), [Article 3](#)

__Assessment:__

- __How essential is the dependency for UCloud?__ 1 (low) - 5 (high)
- __How essential is knowledge of the system to develop UCloud?__ 1 (low) - 5 (high)
- __Difficulty of migrating to an alternative technology:__ 1 (low) - 5 (high)
- __Alternative technologies:__ (If relevant) We could use ...
- __Likelihood of the dependency getting discontinued in the coming 5 years:__ 1 (low) - 5 (high)

Notes and explanation go here

Backend

Kotlin

• Website: https://kotlinlang.org/

• Short description: The Kotlin programming language is a modern programming language which runs on various platforms, including the JVM. In UCloud we run the JVM variant. All micro-services of UCloud are written in Kotlin.

• Described in: Indirectly in the following documents: Structure of a micro-service, Getting started

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5

• Difficulty of migrating to an alternative technology: 5

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

kotlinx.coroutines

• Website: https://github.com/Kotlin/kotlinx.coroutines

• Short description: Coroutine support library for Kotlin. Used by large chunks of UCloud for all threading needs. Ktor also depends on this library.

• Described in: Indirectly in the following documents: Structure of a micro-service, Getting started

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 4 (system-wide)

• Difficulty of migrating to an alternative technology: 4

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

kotlinx.coroutines is listed as an official JetBrains product making it roughly as reliable as the Kotlin programming language itself.

Ktor

• Website: https://ktor.io

• Short description: Provides the web-server and web-client for UCloud.

• Described in: HTTP Implementation

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 2 (system-wide)

• Difficulty of migrating to an alternative technology: 2

• Alternative technologies: Both client and server could be replaced by another lightweight alternative

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Ktor is listed as an official JetBrains product making it roughly as reliable as the Kotlin programming language itself.

Migration is a fairly straight-forward process since most of the code is wrapped by UCloud code. Business logic would most likely not be significantly affected by the migration.

HTTP and WebSockets

• Website: https://html.spec.whatwg.org/multipage/

• Short description: UCloud utilizes the Web and WebSockets for all of its services and frontend.

• Described in: HTTP implementation, WebSockets implementation, RPC HTTP, RPC WebSockets

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5 (system-wide)

• Difficulty of migrating to an alternative technology: 5

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Kubernetes

• Website: https://kubernetes.io/

• Short description: Container orchestration. This is used both for the deployment of UCloud and scheduling of user jobs.

• Described in: app-kubernetes

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 4 (few components), 2 (rest of system)

• Difficulty of migrating to an alternative technology: 3

• Alternative technologies: Nomad. Bare-metal deployment and compute on different platform (e.g. slurm).

• Likelihood of the dependency getting discontinued in the coming 5 years: 2

Note that our current Kubernetes deployment uses K3s. See infrastructure documentation for more details.

Docker

• Website: https://www.docker.com/

• Short description: Container runtime.

• Described in: Getting started

Assessment:

• How essential is the dependency for UCloud? 3

• How essential is knowledge of the system to develop UCloud? 2 (system-wide)

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 2

Docker is natively supported by all large cloud providers, including AWS and Azure. Docker is unlikely to be discontinued without an alternative in place.

PostgreSQL

• Website: https://www.postgresql.org/

• Short description: PostgreSQL is an open source object-relational database system.

• Described in: PostgreSQL

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5 (system-wide)

• Difficulty of migrating to an alternative technology: 3

• Alternative technologies: A different SQL database.

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

PostgreSQL has had active development since 1986 with many large companies using it in production as well as sponsoring development.

Redis

• Website: https://redis.io/

• Short description: Provides an in-memory data structure store. UCloud uses it primarily as a message broker.

• Described in: Event streams, Distributed locks

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 2 (system-wide)

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Redis has been in active development since 2009. According to DB-engines ranking Redis is the most popular key-value database.

Most of the code in UCloud never interfaces directly with Redis. All micro-services of UCloud should instead interface with the abstractions provided by service-lib. This makes significant knowledge of redis mostly irrelevant.

ElasticSearch

• Website: https://www.elastic.co/elasticsearch/

• Short description: ElasticSearch is a database which provides powerful free-text search. UCloud uses it for storing logs and limited file meta-data.

• Described in: Internal of a UCloud micro-service, Micro features

Assessment:

• How essential is the dependency for UCloud? 3

• How essential is knowledge of the system to develop UCloud? 4 (few component), 1 (rest of system)

• Difficulty of migrating to an alternative technology: 2

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

ElasticSearch has been in active development since 2010. According to DB-engines ranking ElasticSearch is the most popular search engine database.

Gradle

• Website: https://gradle.org

• Short description: Build tools used in UCloud for all micro-services.

• Described in: Getting started

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 3

• Difficulty of migrating to an alternative technology: 4

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Gradle is a build tool which is recommended in many parts of the official Kotlin documentation.

Jenkins

• Website: https://www.jenkins.io/

• Short description: Automation server which powers our CI/CD system

• Described in: CI/CD

Assessment:

• How essential is the dependency for UCloud? 3

• How essential is knowledge of the system to develop UCloud? 1

• Difficulty of migrating to an alternative technology: 2

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Frontend

ReactJS

• Website: https://reactjs.org/

• Short description: A JavaScript library for building user interfaces.

• Described in: Frontend README

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5

• Difficulty of migrating to an alternative technology: 5

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Developed by Facebook and used in many different companies and websites.

NPM

• Website: https://www.npmjs.com/

• Short description: Node package manager. Used internally in the frontend to manage dependencies.

• Described in: Frontend README

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 4

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 2

Vite

• Website: https://vitejs.dev/

• Short description: Tooling + module bundler for JavaScript applications.

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 3

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

TypeScript

• Website: https://www.typescriptlang.org/

• Short description: The entire frontend of UCloud is developed in the TypeScript.

• Described in: Frontend README

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5

• Difficulty of migrating to an alternative technology: 5

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Redux

• Website: https://redux.js.org/

• Short description: State container for JavaScript applications.

• Described in: Frontend README

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 5

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 2

Redux is a commonly used library for state management in React-based applications. It has more than 3.5 million weekly downloads on NPM.

Tools

IntelliJ IDEA (and other relevant JetBrains IDEs)

• Website: https://www.jetbrains.com/idea/

• Short description: Integrated Development Environment (IDE) for many different languages. It is used internally to develop the software for UCloud.

• Described in: Postgres Tutorial

Assessment:

• How essential is the dependency for UCloud? 2

• How essential is knowledge of the system to develop UCloud? 2

• Difficulty of migrating to an alternative technology: 1

• Alternative technologies: Any other text editor. IntelliJ IDEA is not a requirement to develop UCloud.

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

Developed by JetBrains who has also developed several of our other dependencies.

Git

• Website: https://git-scm.com/

• Short description: Distributed version control system. Used to keep track of changes and merge changes from multiple developers.

• Described in: Infrastructure README

Assessment:

• How essential is the dependency for UCloud? 5

• How essential is knowledge of the system to develop UCloud? 4

• Difficulty of migrating to an alternative technology: 3

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

GitHub

• Website: https://github.com

• Short description: GitHub provides hosting of our git repository along with issue tracking.

• Described in: Infrastructure README

Assessment:

• How essential is the dependency for UCloud? 3

• How essential is knowledge of the system to develop UCloud? 3

• Difficulty of migrating to an alternative technology: 3

• Alternative technologies: Any other hosting platform for Git repositories

• Likelihood of the dependency getting discontinued in the coming 5 years: 1

ZenHub

• Website: https://www.zenhub.com/

• Short description:

• Described in: Not currently described in the UCloud documentation.

Assessment:

• How essential is the dependency for UCloud? 4

• How essential is knowledge of the system to develop UCloud? 5

• Difficulty of migrating to an alternative technology: 2

• Alternative technologies: If required, we could fallback to using just the issues in our GitHub issue tracker. ZenHub stores all issues directly in GitHub.

• Likelihood of the dependency getting discontinued in the coming 5 years: 2