Friday, 3 June 2016

Recipe - Docker, web apps and Let's Encrypt

Intro

If you're after easy hosting of dockerized web services with automatic certificate enrolment using Let's Encrypt, then the solution is to use two Docker containers - nginx as a web proxy and the Let's Encrypt Companion to handle certificates. LE Companion can provide either LIVE or STAGING certificates, depending on configuration, but you can run only one at a time.

The container definitions below are in docker-compose format, and the recipe contains absolutely no security hardening of the Docker installation - this is something you need to consider separately.

Web proxy

TLSproxy:
  image: 'jwilder/nginx-proxy:latest'
  ports:
    - '80:80'
    - '443:443'
  volumes:
    # certificates written by the LE companion, read-only for the proxy
    - '/etc/letsencrypt:/etc/nginx/certs:ro'
    # per-vhost config and web root, shared with the companion for ACME challenges
    - /etc/nginx/vhost.d
    - /usr/share/nginx/html
    # Docker socket: lets the proxy discover containers and their VIRTUAL_HOST
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
  environment:
    - 'DEFAULT_HOST=default.vhost.tld'

TLSproxy is an nginx-based reverse proxy that automatically discovers and configures virtual hosts for containers running on the same machine. See the image description on Docker Hub for details. The TL;DR approach is:

docker run -d -e VIRTUAL_HOST=blog.domain.tld ghost

Please note the DEFAULT_HOST variable - it's quite useful to have it set right :-)
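The same setup written out as plain docker run commands, with the companion container and a sample app attached, as an added example (this is not the post's own compose file). The companion image name and its LETSENCRYPT_* variables are those of the jrcs/letsencrypt-nginx-proxy-companion project as I know them; the hostnames and the e-mail address are placeholders. The LIVE/STAGING choice is a single variable, so only one companion ever runs.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates the TLSproxy container
# from the compose fragment above, adds the Let's Encrypt companion container
# and a sample app. Run as `./stack.sh up`; without arguments it only defines
# the functions so the file can be sourced and inspected.
set -eu

DEFAULT_HOST="default.vhost.tld"      # from the post's compose fragment
APP_HOST="blog.domain.tld"            # from the post's docker run example
LE_EMAIL="admin@domain.tld"           # placeholder ACME contact address
LE_MODE="${LE_MODE:-STAGING}"         # STAGING or LIVE; only one at a time
CERT_DIR="/etc/letsencrypt"           # same host directory as in the post

# Environment for the companion: LETSENCRYPT_TEST=true requests certificates
# from the Let's Encrypt staging CA (untrusted, but generous rate limits);
# anything else uses the live CA. Assumption: variable name as documented by
# jrcs/letsencrypt-nginx-proxy-companion.
le_mode_env() {
  case "$1" in
    STAGING) printf 'LETSENCRYPT_TEST=true' ;;
    LIVE)    printf 'LETSENCRYPT_TEST=false' ;;
    *)       echo "unknown LE_MODE: $1 (use STAGING or LIVE)" >&2; return 1 ;;
  esac
}

# Environment an application container needs so that BOTH helpers notice it:
# VIRTUAL_HOST for nginx-proxy, LETSENCRYPT_HOST/LETSENCRYPT_EMAIL for the
# companion. Prints one "-e KEY=VALUE" pair per line.
app_env() {
  printf '%s\n' "-e VIRTUAL_HOST=$1" "-e LETSENCRYPT_HOST=$1" "-e LETSENCRYPT_EMAIL=$2"
}

bring_up() {
  # 1. Reverse proxy: identical to the TLSproxy definition in the post.
  docker run -d --name TLSproxy \
    -p 80:80 -p 443:443 \
    -v "$CERT_DIR:/etc/nginx/certs:ro" \
    -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    -e "DEFAULT_HOST=$DEFAULT_HOST" \
    jwilder/nginx-proxy:latest

  # 2. Companion: shares vhost.d and the web root with the proxy (for ACME
  #    challenge files), needs the certs directory writable, and watches
  #    Docker events through the socket.
  docker run -d --name le-companion \
    --volumes-from TLSproxy \
    -v "$CERT_DIR:/etc/nginx/certs:rw" \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -e "$(le_mode_env "$LE_MODE")" \
    jrcs/letsencrypt-nginx-proxy-companion

  # 3. Sample application, discovered by both helpers via its environment.
  # shellcheck disable=SC2046
  docker run -d --name blog $(app_env "$APP_HOST" "$LE_EMAIL") ghost
}

if [ "${1:-}" = "up" ]; then
  bring_up
fi
```

Two things worth keeping in mind when using this. First, a container that only sets VIRTUAL_HOST gets proxied over plain HTTP and no certificate is ever requested; LETSENCRYPT_HOST is what triggers the companion, which is why app_env always emits both. Second, both helper containers get the Docker socket mounted, and whoever can talk to that socket can start arbitrary privileged containers on the host, so this is one of the places the "no security hardening" caveat above applies.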

Thursday, 18 February 2016

Adding a private insecure registry to Rancher nodes

Quick post before I forget - there are quite a few people asking how to get an insecure Docker registry working on a RancherOS node. Here's what worked well for me.

The first thing that helps a lot is to have a DNS entry for your registry - remember you will use this hostname quite often, so better set it up now than use IP addresses going forward.
As I run my own internal DNS server with local zones, I created a registry.rancher.lan entry and pointed it at the node running the registry container.

All of my nodes were already up and running, so I didn't use the cloud-config.yml file for that and had to stick to ssh to get it working, but there's nothing to stop you from adding it there at node installation time. The ssh process is super simple - please note the entire command is a single line:

$ sudo ros config set rancher.docker.args "[daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, unix:///var/run/docker.sock, --userland-proxy=false, --insecure-registry=registry.rancher.lan:5000]"
The key element is the --insecure-registry parameter at the end of the array. Be aware, the syntax is quite sensitive if you use quotes. I had multiple crashes on boot because a single quote was converted to a Python-ish triple single quote, which of course didn't parse well going forward. Clearly the config tool tries to be smart, so please let it be and remove quotes from the parameters passed in the array.

Finally, reboot and off you go - the node will now find and correctly use the images hosted in your own registry.

Tuesday, 10 February 2015

Raspberry Pi 2 - first impressions

  1. The first impression is that (in my opinion) it is visibly faster than the previous one (1st gen. model B with 512MB RAM), even on tasks that can't use more than one CPU core - this is a good sign. The difference is even more visible when comparing to the 1st gen. model B with 256MB RAM...
  2. I measured power consumption at the wall using a kill-a-watt type plug and here are the results:
    • No SD card inserted (not booting) - 0.6W
    • Booted up and idle, with Ethernet connected - 1.4W
    • CPU cores under load (via sysbench prime number test, with Ethernet):
      • 1 thread - 1.8W, 296 sec to complete
      • 2 threads - 2.0W, 148 sec to complete
      • 4 threads - 2.5W, 74 sec to complete
  3. I tried the xenon flash bug (or feature) and yes, it works. Of course it doesn't react to LED-generated light or the usual laser pointers - I'd love to test it against a real lightning flash but I guess I'll have to wait for the weather to change. Here's the xenon flash test:

  4. Finally, the main sticking point for user experience is slow SD card access, so pick the fastest card you can get - it's worth it!

Sunday, 9 November 2014

haste-server Base URL Hack/Patch

Recently I came across haste-server, the server behind hastebin, which is a pastebin clone written in node.js. The application is minimalistic, fairly simple and works really well, except for one rather major glitch - it takes over the root directory of the whole website.

I've noticed that several people raised an issue on GitHub asking the author for help, but so far nobody has shared a fully working solution. Some people tried to work reverse proxy magic, others tried to patch the code - with moderate success. Instead of adding to the problem area I thought I'd try to offer a solution - keep in mind I don't know JavaScript ;-)


Tuesday, 28 October 2014

Wake-on-Lan issues with Intel PRO Series NIC

Over the last few months I have been experimenting with setting up my ham-radio station for completely remote operation, so once a rare DX comes on air I can work it regardless of where I am at the time.

The idea seems simple, but it means that for a start I need to be able to remotely turn all of the devices on and off. Leaving the design itself for another post, the core element of my remote control concept is a rather old ThinkPad X60s laptop. This one comes with an Intel PRO/1000 Ethernet NIC and I want to use WoL to boot it up remotely.

What is WoL?
It's a simple way to turn on a machine connected to the network by sending it a single Ethernet packet. Very useful if you want to boot up a machine for an out-of-hours maintenance run or something similar - like in my case.

Problem
WoL works great, but only once: after you shut down the OS there's no way to do a remote start again. Judging by the number of forum posts and questions asked about the same issue, this is something many people have encountered.

Once I had wasted more time than I should have trying to figure out what was going on, the fix turned out to be "trivial". Lesson learned for sure.

Saturday, 1 March 2014

Running AirView2 [EoL] on Windows 8.1

This is purely a "note to self" type post about getting the End-of-Life AirView2 device (introduced here) to run under the latest version of Windows.

The AirView2 requires an app and a driver. The AirView tool installer (MSI format) checks the OS version and aborts the installation if it isn't XP or Vista. The viewer app is written in Java, but the AirView2 needs a driver as well (technically it will show up as a simple COM port afterwards).

Manual Installation:

  1. Download and install Java JRE (ouch!)
  2. Download the latest software (32 or 64bit) from http://www.ubnt.com/airview/downloads
  3. Manually unpack the MSI file to some location (an administrative install extracts the files without running the OS check). In a command line window this goes like:
    msiexec /a AirView-Spectrum-Analyzer-v1.0.11_win32-setup.msi /qb TARGETDIR=C:\AirView2
  4. Plug the dongle into a USB port and go to the Device Manager - you will see AirView2 having driver issues. Update the driver and tell Windows to look for a new one under C:\AirView2
  5. Double click on airview-o.jar to run the app - happy scanning!
The AirView app doesn't care where it was unpacked, so you can move it anywhere you want to ;-)

Monday, 25 November 2013

LG SmartTV (47LW640S) confirmed to be "snooping"

Following some revelations on DoctorBeet's Blog about LG Smart TVs snooping on our viewing habits, and further information posted on Mark's blog, I realised my parents recently bought one of those... :-)

First of all, we should be rational and assume that any "smart device" is doing this. Unfortunately (for LG) this is pretty bad timing for this kind of news to come out, in the light of the recent NSA/Snowden/whatever leaks. Oh well, nothing to see, almost moving on....
Here is a screenshot of traffic from a TV running in Poland, model 47LW640S (also visible in the request headers).

TV turned ON