Archive for August, 2015

Docker pitfalls for Internet-facing hosts

Planning to use Docker on an unprotected Internet-facing host? If so, don’t rush it. It works, but the default installation is probably not what you want.

By default Docker sets up iptables firewall rules for connections between the host and the containers. This is how it works on Ubuntu 14.04 and CentOS 7 and it is probably true for most distributions. The last thing I want on an Internet-facing host is something messing with the firewall!

What to do? A friend at Red Hat recommends overlay networking, for example with flannel as described here for Kubernetes with Fedora. It certainly seems like a much better (safer) option.

In summary, take care and make sure to test the firewall configuration not only when things are stable, but as containers are started and stoppped!

Categories: Linux, Networking

Routing for multiple uplinks with CentOS 7

How do you configure a Linux host to connect a local network to the Internet through multiple providers? Linux Advanced Routing and Traffic Control HOWTO is a good starting point. However, it only describes the commands, not where to put them.

With Red Hat and CentOS 7 the commands are split between several files. Following the HOWTO, assume that eth0 is connected to the LAN, eth1 to provider 1 and eth2 to provider 2.

Edit /etc/iproute2/rt_tables and add one line for T1 and one for T2. This creates two custom routing tables.

Optionally edit /etc/sysconfig/network and add NOZEROCONF=yes to get rid of the zero-config routing rules that are created by default.

In /etc/sysconfig/network-scripts/ there should be configuration files for all network cards: ifcfg-eth0, ifcfg-eth1 and ifcfg-eth2. Edit the files and remove GATEWAY, as we will add our gateways manually.

Create three new files named route-eth0, route-eth1 and route-eth2. They should contain the routing commands from the HOWTO. For example the route-eth1 could contain:

$P1_NET dev eth1 src $IP1 table T1
default via $P1 table T1
$P1_NET dev eth1 src $IP1

Optionally add a default as well (see the HOWTO for more advanced setups):

default via $P1

This covers the routes. Create rule-eth1 and rule-eth2 with the rules, for example rule-eth1:

from $IP1 table T1

Try it out and see how the routing tables change when a network interface is started or stopped.

This is just a starting point. My goal is to point out where the configuration in the HOWTO should go in Red Hat/CentOS 7, not to create a full-blown configuration. Good luck!

Categories: Linux, Networking

Tomcat 7 hangs during startup with CentOS 7

I recently installed Tomcat 7 for CentOS 7 and had a weird problem. The server would hang at startup. No errors, but no progress either. Strange, Tomcat has always been very stable and simple to use in my experience. It turned out to be an issue with SecureRandom. If the entropy source used for initialization is low on entropy it can take a very long time to set things up. See this post for details.

The solution was simple, just add a system property to /etc/tomcat/tomcat.conf:


Problem solved, SecureRandom uses the specified file as entropy source and it works.

Categories: Java

Configure CentOS 7 to use SSD TRIM on encrypted filesystems

Today most systems use SSD:s in some way, so surely a modern OS supports them out of the box? Well, yes and no. CentOS 7 (and hence Red Hat 7 and probably most other Linux distros) correctly identifies that a SSD device supports the TRIM command, which is essential for good long-term performance, but it doesn’t use it and if you add encryption or LVM on top of the device the TRIM support is not automatically retained. See this blog for a very good explanation.

In case the link stops working, you basically need to add discard to all lines for SSD devices with encryption in /etc/crypttab and if you are using LVM you need to add issue_discards = 1 to /etc/lvm/lvm.conf. That enables support for discard/TRIM. To issue TRIM commands in real time, add discard in /etc/fstab as well. However, that is not recommended for optimal performance. It is much better to wait and use fstrim with a weekly cron job. Something like:

for fs in $(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | \
       grep -E '^/.* [1-9]+.* ' | awk '{print $1}' | \
       sort -u); do
   fstrim "$fs"

The code has been copied and adapted a bit from the link above.

Categories: Linux