Addressing Concerns/Questions from Businesses Evaluating Moqui

Hello Everyone,

I trust this message finds you in good spirits.

I want to extend my heartfelt appreciation for the enriching discussions we shared during our recent meeting with the Moqui contributors on Eastern Moqui Call. Our dialogue centered around our vision for future development and contributions to the framework, with a particular focus on addressing the concerns that often arise when businesses evaluate Moqui.

Through our collective insights, we identified three key areas of concern: Security, Scalability, and Community Support.

Recognizing the importance of proactively addressing these concerns, we have decided to take decisive action by establishing a dedicated page on the Moqui Wiki. This page will serve as a robust resource, designed to alleviate the apprehensions of businesses considering Moqui for their projects.

Our discussions were extensive, exploring various use cases and scenarios. It became abundantly clear that Moqui possesses the requisite capabilities to effectively address these concerns and more.

In addition to providing valuable support to our existing user base, this initiative will significantly enhance Moqui’s value proposition. By showcasing our commitment to:

1. Security: Ensuring robust security measures to safeguard sensitive data and protect against potential vulnerabilities.
2. Scalability: Demonstrating Moqui’s ability to seamlessly scale with the evolving needs of businesses, from small-scale projects to enterprise-level applications.
3. Community Support: Highlighting the vibrant and supportive community surrounding Moqui, offering resources, assistance, and collaboration opportunities.

Through a dedicated and transparent resource, we reinforce Moqui’s position as a reliable and trusted framework for businesses of all sizes.

As we move forward with this endeavor, I wish to express my sincere gratitude to @taher, @michael, @visvendra, and @nirendra for their enthusiastic support and willingness to contribute to this collective effort.

Together, we are not only addressing the concerns of prospective users but also elevating Moqui’s standing within the development community. Your continued support and dedication are invaluable as we strive to make Moqui the framework of choice for businesses worldwide.

Thank you for your unwavering commitment.

@pandeypranay Thanks for posting.

Here’s my notes from the call:
Have a place where we can share success stories

Big customers typically want to know about:

• Security (Also create a Hardening Guide?)
  Configuring CORS
  SSL Termination at server
  SSL Connection to database
  Security monitoring?
  Security Updates
  Limited Admin Permissions
  Have clear scope of who can access what and use least possible permissions
  Disabling useful, but dangerous screens
• Scalibility:
  How to scale a database (vertical then have horizontal read replicas)
  app server horizontal (using hazelcast and a load balancer)
  open search (horizontal scaling with sharding usage guide?)
• Community
  Small base of highly skilled people that build the engine that everything else runs on

We should consider creating a more figured out contribution workflow for documentation and website

Hello Folks,

Thank you for starting this discussion. So I will list my thoughts and experience below with the three items (security, scalability and community). Perhaps after that we need to think of a way to move forward in putting this information somewhere useful as a reference.

Security

In addition to the good points mentioned by @michael maybe the below list could be useful to expand on:

• session duration
• password strength
• password history
• password expiry
• api_key settings
• api_key end-points
• encryption protocols
• Network settings, Maybe we can add sample code for iptables or ufw
• rate limiting (brute force), perhaps as part of firewall settings or using a load-balancer
• docker settings including open ports (development vs production)
• credentials storage (env variables, env files, dev vs prod, etc …)
• how to utilize scanning tools like zaproxy against custom screens

Scalability

I think @michael nailed all the major technical points that should be addressed. In addition to these points what I think would make a huge difference is providing actual data as a reference to people evaluating moqui. For example:

• Provide information on actual implementations in the community and how they scaled.
  • Transactions frequency per second / hour / day
  • Number of concurrent users
  • Machine specs running these transactions and their architecture
  • Resilience strategies, if they used queues or things like SystemMessage entity
• Provide success stories that scaled, including a successful IPO?
• Provide load testing scripts (say JMeter or whatever) that can be actually downloaded and used by persons to evaluate the actual limits of the system under certain hardware constraints and for certain end-points

Community

For some reason I suspect most of the community is like us, working very hard, very silently This makes estimating the community size sort of difficult.

In addition, we don’t seem to be highlighting in the website the calendars of our community meetings, or our forum, or the various activities that are happening. We don’t show faces and voices of people that represent what moqui is all about.

Here is another idea, how about encouraging the service providers make videos about their experience with moqui, and we promote it somewhere. Showing what kind of solutions were developed on top of it. Do you know that there are real-time streaming systems developed on top of moqui? Do you know of the various fantastic solutions out there? Why not make a page and call it made with moqui for example.

So I think moqui is healthy and growing, and this is not advertised well enough to put people at ease in adopting it. Some of the ideas above might help in pushing this information out.

As a reference to scalability, I made a test to a simple end-point (fetch a bunch of product features) using JMeter. In my tests I used 10,000 concurrent users on 50 requests (so half a million requests) with a ramp up period of 1 second. This is the most aggressive that I could get my computer to run, My CPU was clocked at 100% on a ryzen 9 16 core rig with 32 GB of ram. I got requests failing at around 0.3% on these figures and the average request duration climbed up to 3000 ms. Mind you this is both jmeter and moqui running on the same machine, so I can probably get more out of it with separate instances.

This shows that moqui can scale really far before having to look into horizontal scaling.

This is great to see. Thanks for sharing

Agreed those are good.

If we really care about this, I suggest having this run in a reproducable way. Such as on aws ec2 deployed through a terraform script. And running through common tasks like ecommerce, work management, and financial transactions / reconciliation.

This is something that I’ve been meaning to do for a while.

I can start building some JMeter test files to help us out and automate the task of running load tests against moqui in various situations with various different loads. Then perhaps people would either observe the results on the AWS instance itself, OR they download the scripts and run them to confirm on their own.

Are there volunteers for some of the other tasks? Especially around documentation? I would find it much easier to “contribute” than “start” the whole thing

I can start on some of the documentation, and get others on board as needed.

@taher and @pandeypranay IIRC, the original goal was to put this up on the Moqui website as a landing page. Should we go ahead with that or add a page in the wiki?

I think starting with a Wiki page will good. Later when we have refined details we can conclude to add it to the website, wdyt?

Yeah that sounds good to me