Docker pitfalls for Internet-facing hosts

Planning to use Docker on an unprotected Internet-facing host? If so, don’t rush it. It works, but the default installation is probably not what you want.

By default Docker sets up iptables firewall rules for connections between the host and the containers. This is how it works on Ubuntu 14.04 and CentOS 7 and it is probably true for most distributions. The last thing I want on an Internet-facing host is something messing with the firewall!

What to do? A friend at Red Hat recommends overlay networking, for example with flannel as described here for Kubernetes with Fedora. It certainly seems like a much better (safer) option.

In summary, take care and make sure to test the firewall configuration not only when things are stable, but also as containers are started and stopped!
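One way to run that test, as an added example that is not part of the original post: snapshot `iptables-save` before and after a container starts and diff the two while ignoring packet counters. The snapshots, the container address and the `-p 8080:80` mapping below are constructed samples, and the function names are this example's own.

```shell
# Added example: diff two iptables-save snapshots, ignoring counters.

# Print one "table: rule" line per chain or rule, without packet/byte counters.
normalize_rules() {
    awk '
        /^#/ || /^$/ || $0 == "COMMIT" { next }
        /^\*/ { table = substr($0, 2); next }
        { sub(/ \[[0-9]+:[0-9]+\]$/, ""); sub(/^\[[0-9]+:[0-9]+\] /, ""); print table ": " $0 }
    ' "$1" | LC_ALL=C sort
}

# Print "+ rule" for rules only in $2 and "- rule" for rules only in $1.
rule_changes() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/- /'
    rm -f "$a" "$b"
}

# Constructed iptables-save output: $1 = packet counter, $2/$3 = extra nat/filter rule.
sample() {
    cat <<EOF
*nat
:DOCKER - [0:0]
$2
COMMIT
*filter
:INPUT DROP [$1:0]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$3
COMMIT
EOF
}

# Constructed rules of the kind Docker adds for "docker run -p 8080:80".
DNAT='-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80'
ALLOW='-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT'

demo() {
    d=$(mktemp -d)
    sample 17 "" "" > "$d/before"
    sample 942 "$DNAT" "$ALLOW" > "$d/after"
    rule_changes "$d/before" "$d/after"
    rm -rf "$d"
}
demo
```

On a real host, write `iptables-save` output to a file before and after `docker run` or `docker stop` and pass both files to `rule_changes`.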

Categories: Linux, Networking

Routing for multiple uplinks with CentOS 7

How do you configure a Linux host to connect a local network to the Internet through multiple providers? Linux Advanced Routing and Traffic Control HOWTO is a good starting point. However, it only describes the commands, not where to put them.

With Red Hat and CentOS 7 the commands are split between several files. Following the HOWTO, assume that eth0 is connected to the LAN, eth1 to provider 1 and eth2 to provider 2.

Edit /etc/iproute2/rt_tables and add one line for T1 and one for T2. This creates two custom routing tables.

Optionally edit /etc/sysconfig/network and add NOZEROCONF=yes to get rid of the zero-config routing rules that are created by default.

In /etc/sysconfig/network-scripts/ there should be configuration files for all network cards: ifcfg-eth0, ifcfg-eth1 and ifcfg-eth2. Edit the files and remove GATEWAY, as we will add our gateways manually.

Create three new files named route-eth0, route-eth1 and route-eth2. They should contain the routing commands from the HOWTO. For example the route-eth1 could contain:


$P1_NET dev eth1 src $IP1 table T1
default via $P1 table T1
$P1_NET dev eth1 src $IP1

Optionally add a default as well (see the HOWTO for more advanced setups):


default via $P1

This covers the routes. Create rule-eth1 and rule-eth2 with the rules, for example rule-eth1:


from $IP1 table T1

Try it out and see how the routing tables change when a network interface is started or stopped.

This is just a starting point. My goal is to point out where the configuration in the HOWTO should go in Red Hat/CentOS 7, not to create a full-blown configuration. Good luck!

Categories: Linux, Networking

Tomcat 7 hangs during startup with CentOS 7

I recently installed Tomcat 7 for CentOS 7 and had a weird problem. The server would hang at startup. No errors, but no progress either. Strange, Tomcat has always been very stable and simple to use in my experience. It turned out to be an issue with SecureRandom. If the entropy source used for initialization is low on entropy it can take a very long time to set things up. See this post for details.

The solution was simple, just add a system property to /etc/tomcat/tomcat.conf:


JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"

Problem solved, SecureRandom uses the specified file as entropy source and it works.

Categories: Java

Configure CentOS 7 to use SSD TRIM on encrypted filesystems

Today most systems use SSDs in some way, so surely a modern OS supports them out of the box? Well, yes and no. CentOS 7 (and hence Red Hat 7 and probably most other Linux distros) correctly identifies that an SSD device supports the TRIM command, which is essential for good long-term performance, but it doesn’t use it. If you add encryption or LVM on top of the device, the TRIM support is not automatically retained. See this blog for a very good explanation.

In case the link stops working, you basically need to add discard to all lines for SSD devices with encryption in /etc/crypttab and if you are using LVM you need to add issue_discards = 1 to /etc/lvm/lvm.conf. That enables support for discard/TRIM. To issue TRIM commands in real time, add discard in /etc/fstab as well. However, that is not recommended for optimal performance. It is much better to wait and use fstrim with a weekly cron job. Something like:


#!/bin/sh
for fs in $(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | \
       grep -E '^/.* [1-9]+.* ' | awk '{print $1}' | \
       sort -u); do
   fstrim "$fs"
done

The code has been copied and adapted a bit from the link above.
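To check that the two settings above are actually in place, here is an added example (not from the original post or the linked blog) that lists crypttab entries without `discard` and reports whether `issue_discards = 1` is set. The sample files are constructed, the function names are this example's own, and it assumes every crypttab entry sits on an SSD.

```shell
# Added example: find encrypted volumes and LVM settings that still block TRIM.
# On a real host, pass /etc/crypttab and /etc/lvm/lvm.conf instead of the samples.

# Print the name of every crypttab entry whose options lack "discard".
crypttab_without_discard() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        {
            n = split($4, opts, ",")          # 4th field: comma-separated options
            for (i = 1; i <= n; i++) if (opts[i] == "discard") next
            print $1
        }' "$1"
}

# Succeed only if lvm.conf has an uncommented "issue_discards = 1" line.
lvm_issues_discards() {
    grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1([^0-9]|$)' "$1"
}

demo_trim_audit() {
    d=$(mktemp -d)
    # Constructed crypttab: name, device, key file, options.
    cat > "$d/crypttab" <<'EOF'
# constructed sample
luks-root UUID=11111111-1111-1111-1111-111111111111 none discard
luks-home UUID=22222222-2222-2222-2222-222222222222 none luks
luks-swap /dev/sda3 /dev/urandom swap,discard
luks-data UUID=33333333-3333-3333-3333-333333333333 none
EOF
    # Constructed lvm.conf fragment with the setting commented out and disabled.
    printf 'devices {\n    # issue_discards = 1\n    issue_discards = 0\n}\n' > "$d/lvm.conf"
    crypttab_without_discard "$d/crypttab"
    lvm_issues_discards "$d/lvm.conf" || echo "lvm.conf: issue_discards is not 1"
    rm -rf "$d"
}
demo_trim_audit
```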

Categories: Linux

Remove the “Get Windows 10” icon

Since I keep doing this for one Windows computer after another, here goes. Microsoft “helpfully” advertises the Windows 10 upgrade by installing a tray icon for Windows 7 and 8 users through Windows Update. It is annoying and it steals CPU cycles, so let’s get rid of it. There is a good explanation here, but in summary uninstall KB3035583 and then mark the update as hidden.

Categories: Windows

Externalize JSF project stage

JavaServer Faces (JSF) has a configuration option that should be set to Development in development and Production in production:


<context-param>
  <param-name>javax.faces.PROJECT_STAGE</param-name>
  <param-value>Development</param-value>
</context-param>

Unfortunately it is defined in web.xml, so the binary file installed in development must differ from the binary file in production. Find and replace at build time works, but it is cumbersome and prone to errors.

The ideal solution would be to use system properties, but JSF does not support that. However, JSF can use JNDI lookups! Why they would support something as complex as JNDI in place of something as simple and straightforward as system properties beats me, but there you are.

To use a JNDI lookup, add the following to web.xml instead of the context parameter:


<resource-ref>
  <res-ref-name>jsf/ProjectStage</res-ref-name>
  <res-type>java.lang.String</res-type>
  <lookup-name>JsfProjectStage</lookup-name>
</resource-ref>

The lookup name can be defined in the application server. If it is missing, JSF will warn but default to production mode.

Categories: Java

Chocolatey brings package management to Windows

Finally there is a package manager like apt-get or yum for Windows! Chocolatey can install and upgrade applications with simple commands, very similar to the Linux equivalents. For example, install the native Windows docker client with choco install docker and keep it up to date with choco upgrade docker. Highly recommended.

Categories: Windows