Docker

100

Solutions

129

Contributors

Docker is a computer program used to run software packages called containers in an operating-system-level virtualization process called containerization. It’s developed by Docker, Inc. and was first released in 2013.

I am new to Cloud Server Hosting and would like your opinion on the best and most cost-effective Cloud Server Hosting site. I will be running a Debian 10 server with MySQL. The total size will be around 4 GB. I will have around 5 or so people accessing the server. In addition, has anyone used Docker on a Cloud Server before (is it even possible)?
0
Hi,

Please see https://www.experts-exchange.com/questions/29170630/Powershell-get-cve-score-specific-soft-version-via-cve-api.html

I could also use Docker to run on my Windows 2016 lab server and install the CVE stuff on it: https://github.com/cve-search/cve-search

Just wondering: how to do this? When it is there, how can I scan for a CVE score, e.g. Firefox 60.1: what is its CVE score (preferably PowerShell based; run an SSH session or other options)?

J
0
I have an ESXi server on which I have a VM that I would like to use a USB device from a remote location, away from the server although still on the same LAN.

I have read that there are USB-over-IP devices available that would achieve what I am after. Can someone make a recommendation?

The VM is running Linux and there is a possibility I could run it in docker as well. Is this still possible with Docker?
0
I am running a CentOS 7 server running Samba 4.9.1.

I have a fileshare on a Win 2008 R2 (soon to be upgraded) server that I want to write to from the CentOS server.

I have installed 'samba-client' and 'cifs-utils'. I have added a line to [/etc/fstab] to create a mount point to a folder in the root called 'output' (i.e. '/output') and passed credentials of a special Windows user from a text file (username, password and domain).

On the Windows side I have granted the share folder 'Full control' to the Windows user AND shared the folder with them.

This all works well and the two servers are now linked, so that if I create a text file from CentOS in the folder '/output' it appears in the Windows share. I can list the share's contents, create folders, delete files and delete folders.

HOWEVER, when I run a shell script that runs a docker program (third-party, which I can't upload) it returns 'Permission denied' when it tries to generate a database backup in that location.

The exact same setup worked under Ubuntu 16.04, so I am confused as to what is missing here.

I have even run '# semanage fcontext -a -t samba_share_t '/output(/.*)?' and then '# restorcon -v /output' to stop SELinux from blocking the Samba communication.

Questions:
  1. What could I be missing?
  2. Do I need to create a Samba user just to access this share? I didn't under Ubuntu 16.04.
  3. How can I further manually test the share to see if I am missing permissions?
0
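Added example (not part of the post above, and not the poster's setup): a small diagnostic for exactly this "root can write, the container can't" symptom on a CIFS mount. Two things differ between an interactive root shell and a container process: the UID the write is attempted with, and the SELinux domain it runs in. A CIFS mount with no uid=/gid=/file_mode=/dir_mode= options is presented as owned by root with mode 0755, so any non-root UID (which is what many container images run their backup job as) is refused before the Windows ACL is ever consulted. The script assumes the share is mounted at /output as in the post and that CONTAINER_UID is replaced with the UID the third-party container actually uses (docker exec <ctr> id -u); both are placeholders. The /proc/mounts line in the test is constructed.

```shell
#!/bin/sh
# Added example: narrow down why a container gets "Permission denied" on a
# CIFS share that root can write to. MOUNTPOINT is from the post; CONTAINER_UID
# is an assumed placeholder, replace it with `docker exec <ctr> id -u`.
MOUNTPOINT=${MOUNTPOINT:-/output}
CONTAINER_UID=${CONTAINER_UID:-1000}

# Print the ownership/mode the kernel applied to a CIFS mount, from one line
# of /proc/mounts. With no uid=/gid=/file_mode=/dir_mode= the share shows up
# as root-owned 0755, so only uid 0 may create files in it, whatever the
# Windows ACL says.
cifs_mount_opts() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    uid=0; gid=0; fmode=0755; dmode=0755
    for kv in $(printf '%s' "$opts" | tr ',' ' '); do
        case $kv in
            uid=*)       uid=${kv#uid=} ;;
            gid=*)       gid=${kv#gid=} ;;
            file_mode=*) fmode=${kv#file_mode=} ;;
            dir_mode=*)  dmode=${kv#dir_mode=} ;;
        esac
    done
    printf 'uid=%s gid=%s file_mode=%s dir_mode=%s\n' "$uid" "$gid" "$fmode" "$dmode"
}

# Plain mode-bit check: may a process running as puid:pgid create files in a
# directory presented as ouid:ogid with mode dmode? Prints yes/no, exits 0.
dir_writable_by() {   # dir_writable_by <dmode> <ouid> <ogid> <puid> <pgid>
    dmode=$1; ouid=$2; ogid=$3; puid=$4; pgid=$5
    perm=$((0$dmode))                       # leading 0 keeps the value octal
    if [ "$puid" -eq 0 ]; then echo yes
    elif [ "$puid" -eq "$ouid" ] && [ $((perm & 0200)) -ne 0 ]; then echo yes
    elif [ "$pgid" -eq "$ogid" ] && [ $((perm & 0020)) -ne 0 ]; then echo yes
    elif [ $((perm & 0002)) -ne 0 ]; then echo yes
    else echo no
    fi
}

# Live checks; run as root on the CentOS host.
live_check() {
    line=$(grep " $MOUNTPOINT cifs " /proc/mounts) || {
        echo "$MOUNTPOINT is not a mounted CIFS share"; return 2; }
    cifs_mount_opts "$line"
    # 1. the same write the container attempts, as the container's uid
    if sudo -u "#$CONTAINER_UID" touch "$MOUNTPOINT/.probe_$$" 2>/dev/null; then
        echo "write as uid $CONTAINER_UID: ok"; rm -f "$MOUNTPOINT/.probe_$$"
    else
        echo "write as uid $CONTAINER_UID: denied -> add uid=/gid= (or file_mode=/dir_mode=) to the fstab line and remount"
    fi
    # 2. if that write works but the container is still refused, SELinux is the
    #    remaining suspect: list AVC denials that mention cifs
    ausearch -m avc -ts recent 2>/dev/null | grep -i cifs
}

if [ "${1:-}" = "live" ]; then live_check; fi
```

If the probe as the container's UID is denied, the fix is on the mount side (uid=/gid= matching that UID, or dir_mode=0775 plus a matching gid=), not on the Windows share. If the probe succeeds but the container still fails and ausearch shows denials for the container domain, the blocker is SELinux rather than file modes; samba_share_t labels what smbd may serve, it does not let container processes use a cifs mount, and the boolean for that on CentOS 7 is the one that shows up in `getsebool -a | grep samba` with a virt/sandbox name (confirm the exact name on the host before setting it with setsebool -P).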
Hi,
Kindly please suggest.

I injected the lines below into Tomcat's catalina.policy:

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
permission java.io.FilePermission "", "read,write,execute";
permission java.util.PropertyPermission "", "read";
permission java.lang.RuntimePermission "getenv.*";
};

But I still get:
Error in Full Agent Registration Info Resolver reading environment variable/system property 
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

0
Hi Docker Experts,

I have a vendor-provided docker image, which I have in my docker registry.

I have a simple Dockerfile which uses this image as a BASE image.

1. I would like to copy a file from the docker image to the host
2. update the copied file on the host
3. copy the updated file back to docker in the same location
4. build docker with a new tag

Please help.

Simple Dockerfile:
# COPY sources are resolved relative to the build context (the directory
# passed to `docker build`), never the host's filesystem root: /tmp/test.txt
# must first be placed inside the context and referenced by a context-relative path.
FROM xxxxxxxx.dkr.ecr.ap-southeast-2.amazonaws.com/busybox1

RUN echo foo > bar
COPY /tmp/test.txt /tmp/test_upd.txt

For me even a simple COPY is failing:
lstat tmp/test.txt: no such file or directory
0
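Added example (not from the post, and not the vendor's tooling): the four steps above as a script. The "lstat tmp/test.txt: no such file or directory" error is the build daemon looking for tmp/test.txt inside the build context, because COPY sources are always context-relative and may not reach outside it; the host's /tmp is invisible to the build. So the file has to be pulled out of the image into the context, edited there, and copied back from a context-relative path. IMAGE is the registry path from the post; FILE_IN_IMAGE and NEW_TAG are assumed placeholders; docker create/cp/build are standard Docker CLI commands.

```shell
#!/bin/sh
# Added example: copy a file out of an image, edit it, bake it back in.
# IMAGE is from the post; FILE_IN_IMAGE and NEW_TAG are assumed placeholders.
set -u
IMAGE=${IMAGE:-xxxxxxxx.dkr.ecr.ap-southeast-2.amazonaws.com/busybox1}
FILE_IN_IMAGE=${FILE_IN_IMAGE:-/tmp/test.txt}
NEW_TAG=${NEW_TAG:-busybox1-custom:1}

# Print the context-relative path of a host file, or fail if the file lies
# outside the build context. This is the check `docker build` applies to every
# COPY source; doing it up front turns the lstat error into a clear message.
in_build_context() {   # in_build_context <context-dir> <host-file>
    ctx=$(cd "$1" && pwd -P) || return 1
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    abs=$dir/$(basename "$2")
    case $abs in
        "$ctx"/*) printf '%s\n' "${abs#"$ctx"/}" ;;
        *)        return 1 ;;
    esac
}

# Step 1: read a file from the image without running it. `docker create`
# makes a stopped container from the image; `docker cp` reads its filesystem.
extract_from_image() {   # extract_from_image <image> <path-in-image> <dest-on-host>
    cid=$(docker create "$1") || return 1
    docker cp "$cid:$2" "$3"
    rc=$?
    docker rm -f "$cid" >/dev/null
    return $rc
}

# Steps 3 and 4: put the edited host file back at the same path and tag the
# result. The Dockerfile is generated so the COPY source is context-relative.
rebuild_with_file() {   # rebuild_with_file <base-image> <host-file> <path-in-image> <tag>
    rel=$(in_build_context . "$2") || {
        echo "error: $2 is outside the build context $(pwd); copy it in first" >&2
        return 1
    }
    cat > Dockerfile.custom <<EOF
FROM $1
COPY $rel $3
EOF
    docker build -f Dockerfile.custom -t "$4" .
}

if [ "${1:-}" = "run" ]; then
    extract_from_image "$IMAGE" "$FILE_IN_IMAGE" ./test.txt             # step 1, into the context
    "${EDITOR:-vi}" ./test.txt                                           # step 2
    rebuild_with_file "$IMAGE" ./test.txt "$FILE_IN_IMAGE" "$NEW_TAG"    # steps 3 and 4
fi
```

Run it as `sh thisscript.sh run` from the directory that will be the build context. Because the edited file is committed as a new layer on top of the vendor image, the vendor's own layers stay untouched and the change is visible in `docker history NEW_TAG`.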
On my RHEL 7 VM, the reboot took about 30-40 minutes to boot up
(I was told by the colleague who supports it that it's about 20 times longer).

 At the console, I could see
"dracut Warning: Cannot umount /oldroot
 dracut Warning: Blocking umount of /oldroot [14015]
   /usr/linb/systemd/systemd-shutdownreboot--log-leval6-log-targetkmsg
 dracut Warning: lrwxrwxrwx.  1  root  0  0 ...
   /proc/14015/exe-> /oldroot/usr/lib/systemd/systemd-shutdown

A few links suggest disabling firewalld, but after it boots up, I can't
   see that firewalld is running:
$ firewall-cmd --list-all |more
FirewallD is not running

Is the dracut message on the console the cause of the slow boot,
or is the long boot caused by another issue? How can I
fix this?
0
I've added the following settings in /etc/sysctl.conf as well as
issued 'sysctl -w ...' to make them effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now
docker gives the error '503 Service Unavailable'.

How should I reverse them: just by removing
those lines from sysctl.conf & rebooting (sysctl.conf was
quite empty initially)
OR
re-issuing "sysctl -w ..." with the alternate value (i.e. if
it's 0, set it to 1 & if it's 1, set it to 0)? But this doesn't
seem right, as we don't know what the default
value was initially. So how do we know what the
initial default value was before the change?


sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
0
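Added example (not from the post): the reliable answer to "what was the default" is to record the running values before touching them, in sysctl.conf syntax, so the same file can be fed back with `sysctl -p <file>` for an exact rollback; flipping 0 and 1 guesses, and several of these keys (rp_filter, randomize_va_space) are not booleans. Of the keys listed in the post, net.ipv4.ip_forward=0 is the first to check against a Docker host: the docker0 bridge relies on IP forwarding, dockerd enables it when it starts, and a later sysctl -w to 0 cuts off every running container. The file layout and key list below are assumptions built from the post; the snapshot files in the test are constructed.

```shell
#!/bin/sh
# Added example: snapshot running kernel parameters before a hardening change
# so the exact original values can be restored. KEYS is the list from the post.
KEYS="fs.suid_dumpable kernel.randomize_va_space net.ipv4.ip_forward
net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.send_redirects net.ipv4.conf.default.send_redirects
net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects
net.ipv4.conf.all.accept_source_route net.ipv4.conf.default.accept_source_route
net.ipv4.conf.all.log_martians net.ipv4.conf.default.log_martians
net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.tcp_syncookies"

# Write "key = value" lines in sysctl.conf syntax for the given keys, read
# from the running kernel. The file can be replayed with `sysctl -p <file>`.
snapshot() {   # snapshot <outfile> [key ...]
    out=$1; shift
    : > "$out"
    for k in "$@"; do
        v=$(sysctl -n "$k" 2>/dev/null) || { echo "# $k: not present" >> "$out"; continue; }
        printf '%s = %s\n' "$k" "$v" >> "$out"
    done
}

# Compare two snapshot files; print "key old -> new" for every key whose
# value differs. Pure text processing, so it runs without root.
changed_keys() {   # changed_keys <before-file> <after-file>
    awk -F' = ' '
        /^#/ || NF < 2 { next }
        NR == FNR      { before[$1] = $2; next }
        ($1 in before) && before[$1] != $2 { printf "%s %s -> %s\n", $1, before[$1], $2 }
    ' "$1" "$2"
}

# Typical use on the host, as root:
#   snapshot /root/sysctl-before.conf $KEYS    # BEFORE editing sysctl.conf
#   ... apply hardening, reboot, docker answers 503 ...
#   snapshot /root/sysctl-now.conf $KEYS
#   changed_keys /root/sysctl-before.conf /root/sysctl-now.conf
#   sysctl -p /root/sysctl-before.conf         # exact rollback of those keys
# If no snapshot was taken, the values the distro ships are in
# /usr/lib/sysctl.d/*.conf and /etc/sysctl.d/*.conf (`sysctl --system`
# replays them); a key absent from all of those is at the kernel's built-in
# default, which a fresh VM of the same release will show with `sysctl -n`.
```

Keep the "before" file with the change ticket: it is the evidence the auditor asks for and the rollback plan at the same time.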
Refer to the attached list of group/world-writable folders:
many of them are under the docker dir & some are owned by ftp.

Q1:
Is it OK to remove the group-writable permission?

Q2:
Those files owned by ftp: can we amend them to be owned by root?
gwrifold.zip
0
During hardening, I found the following group- or world-writable files.
Any harm if I do 'chmod g-w' or 'o-w' on them:

-rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/user
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/relabel
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/create
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/access
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/context
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/blkio/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0…
0
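Added example (not from the post): the list above mixes real files with kernel-provided ones. Everything under /sys/fs/selinux and /sys/fs/cgroup/... is a pseudo-file the kernel creates with those modes on purpose (cgroup.event_control is the write-only notification hook for each container's cgroup); a chmod there is not stored anywhere and is gone on the next boot or the next container start. /run/utmp being group-writable by utmp is also by design, it is how login accounting is written. The CIS audit for this item scopes itself to local, real filesystems and does not cross mount points, which is the same scoping the script below applies; the sample tree in the test is constructed.

```shell
#!/bin/sh
# Added example: find group-/world-writable regular files the way the CIS
# audit does, on local filesystems only and without crossing mount points
# (-xdev), so /proc, /sys and cgroup views are never listed.

# Local mount points (the CIS audit uses this same df invocation).
local_mounts() {
    df --local -P | awk 'NR > 1 {print $6}'
}

# writable_files <other|group> <dir>...
# "other" matches -perm -0002 (world-writable), "group" -perm -0020.
writable_files() {
    mode=$1; shift
    case $mode in
        other) perm=-0002 ;;
        group) perm=-0020 ;;
        *) echo "usage: writable_files other|group dir..." >&2; return 2 ;;
    esac
    for d in "$@"; do
        find "$d" -xdev -type f -perm "$perm" 2>/dev/null
    done | sort
}

# Whole-host audit as the benchmark does; run as root.
audit_host() {
    echo "== world-writable files =="
    writable_files other $(local_mounts)
    echo "== group-writable files =="
    writable_files group $(local_mounts)
}

# Remediate only real files, skipping kernel/runtime views, and show the
# plan first: apply=0 prints what would change, apply=1 runs chmod o-w.
fix_world_writable() {   # fix_world_writable <0|1> <dir>...
    apply=$1; shift
    writable_files other "$@" | while IFS= read -r f; do
        case $f in /proc/*|/sys/*|/dev/*|/run/*) continue ;; esac
        if [ "$apply" = 1 ]; then chmod o-w "$f" && echo "fixed $f"
        else echo "would chmod o-w $f"; fi
    done
}
```

Anything the audit still reports under a docker directory after this filtering is a real file in an image layer or a bind-mounted volume; for those, check which container process writes to it (and as which UID) before removing the bit, since the image may depend on it, and fix the image rather than the running host if it does.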
When verifying RHEL7 CIS benchmark compliance item 1.2.1
"Ensure package manager repositories are configured", I got the
message below: is this an NC & what should be done to rectify it?

All the CIS doc says is "Configure your package manager repositories
according to site policy", but currently we don't have one:

$ yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
repo id                                                     repo name                                         status
!docker-ee-stable-17.06/x86_64         Docker EE Stable 17.06 - x86_64     19
repolist: 19
0
Hi,

I have Pi-hole running. Sometimes I look for something and I get
https://www.googleadservices.com/pagead/ ... then a link,

but the googleadservices page is blocked and then I cannot get to the final page.
How can I solve this?

Please advise.
J.
0
Hi,

I'm using Pi-hole on a Synology NAS in a Docker container.
When I go to the Pi-hole site, it says:
Pi-hole Version v4.3.1 (Update available!) Web Interface Version v4.3 (Update available!) FTL Version v4.3.1

How do I update this Docker container quickly & straightforwardly without losing all my configuration?

Please advise.
J.
0
I recently took away local admin privileges from all the end users' computers. The people who seem to be affected by this the most are the programmers. They have issues with running docker, which needs to be run with elevated privileges (just one example so far). I would be interested in hearing what other sysadmins are doing with the more technical end users to let them work properly?

Thank you.
0
Our apps architect recommends Alpine Linux for our
microservices/container environment.

Some time back, a patch management vendor told us
that patching for Alpine can't be managed by Satellite
or BigFix, i.e. we have to manually download & patch.

Q1:
Is the above true, or is there something like 'yum' in
RHEL to patch Alpine?

Q2:
Also, there's no CIS hardening benchmark nor any
docs that standardize what to harden for Alpine.

Q3:
The architect further points out that Alpine is the most
secure & efficient Linux to use for microservices;
is this true? Does Alpine have a good development
team that constantly checks for vulnerabilities &
releases advisories/patches (at least like RHEL)?

https://alpinelinux.org/about/
https://en.wikipedia.org/wiki/Alpine_Linux

Q4:
Where can I view the list of Alpine's past CVEs/vulnerabilities
& how can we assess how good the support
for Alpine is? Don't want a case where we log a
support case & there's a lack of response &
no solution.
0
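Added example (not from the post): the apk side of Q1. Alpine's package manager is apk; `apk upgrade` patches a running container or an image being built, and `apk version -l '<'` lists installed packages that have a newer build in the configured repositories, which is the rough equivalent of `yum check-update`. Alpine publishes the CVE fixes carried by each package build as a per-branch security database at https://secdb.alpinelinux.org/, which is what image scanners read for Alpine. The script below runs the check against an image and parses the result; IMAGE is an assumed placeholder, and the apk output in the test is constructed in the format apk prints.

```shell
#!/bin/sh
# Added example: list packages in an Alpine image that are behind the repo.
# IMAGE is an assumed placeholder.
IMAGE=${IMAGE:-alpine:3.10}

# Parse `apk version -l '<'` output. After the "Installed: Available:" header
# each row is "<name>-<ver>-r<N>   < <newver>-r<M>". The version is always the
# last two dash-separated fields, so everything before them is the package
# name (names themselves may contain dashes, e.g. ca-certificates).
parse_apk_upgradable() {   # stdin -> "name installed available"
    awk 'NR > 1 && $2 == "<" {
        n = split($1, a, "-")
        ver = a[n-1] "-" a[n]
        name = substr($1, 1, length($1) - length(ver) - 1)
        print name, ver, $3
    }'
}

count_upgradable() {   # stdin -> number of packages with a newer build
    parse_apk_upgradable | wc -l | tr -d ' '
}

# Live check against an image (needs docker and network access to the Alpine
# mirrors): refresh the index inside a throwaway container, then compare.
check_image() {   # check_image <image>
    docker run --rm "$1" sh -c 'apk update -q && apk version -l "<"' | parse_apk_upgradable
}

if [ "${1:-}" = "live" ]; then
    n=$(check_image "$IMAGE" | tee /dev/stderr | wc -l | tr -d ' ')
    echo "$IMAGE: $n package(s) behind the repository"
fi
```

For images, the patching model is to rebuild from a base that runs `apk upgrade --no-cache` (or from a newer base tag) and redeploy, rather than patching containers in place; `apk version -l '<'` on the built image is then the check that the rebuild actually picked up the fixes.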
Trying to run Docker and I'm getting this error:

$ bash bin/development.sh
Building express-mongoose-es6-rest-api
Step 1/9 : FROM node:8.10.0
 ---> 41a1f5b81103
Step 2/9 : MAINTAINER Kunal Kapadia <kunalkapadia12@gmail.com>
Service 'express-mongoose-es6-rest-api' failed to build: failed to start service utility VM (createreadwrite): hcsshim::CreateComputeSystem 7be3d4b1e2c0b1026873e49e7b782f851fde4296ed082a0942ddee02bbb9f688_svm: The virtual machine could not be started because a required feature is not installed.
(extra info: {"SystemType":"container","Name":"7be3d4b1e2c0b1026873e49e7b782f851fde4296ed082a0942ddee02bbb9f688_svm","Layers":null,"HvPartition":true,"HvRuntime":{"ImagePath":"C:\\Program Files\\Linux Containers","LinuxInitrdFile":"initrd.img","LinuxKernelFile":"kernel"},"ContainerType":"linux","TerminateOnLastHandleClosed":true})

When I'm looking at that, I'm seeing what I have in bold. I'm googling this stuff now, but if there's anybody out there who's been down this road who can tell me what I need to do to make this work, I'm all ears!

Thanks!
0
I've got Docker installed and I've downloaded a boilerplate from https://github.com/kunalkapadia/express-mongoose-es6-rest-api

Everything's installed including "yarn" - all good.

But when I run this: $ bash bin/development.sh, which, from what I understand, instantiates the docker dynamic, it just hangs on "3.4: Pulling from library/mongo."

Here's what it looks like:

screenshot
I am poised on the threshold of greatness! I've got my Node syntax proofed and ready! All I've got to do is drop it into the Boilerplate and wrap it in a Docker image and I will be done!

But I can't get past this thing and I'm stuck!

Thoughts?
0
Q1:
Is there any hardening guide for RHEL 8?
If there's none, can I assume it's very close to RHEL 7's hardening?
Then I'll ask vendors to harden RHEL 8 as per the CIS RHEL 7 benchmark.

Q2:
We're hosting docker/microservices on an RHEL host: previously the
vendor tested using RHEL 7: can I safely say it makes no difference/
impact to the services/app whether we use RHEL 7 or 8?

Q3:
At the VM level, is there any difference/impact? The docker
instances are spun up from various Ubuntu and Debian images,
so I'm guessing it doesn't matter which version of RHEL runs
on the VMs.
0
I have a very small script which runs when I use $ ./check_dock
docker -com.... ok cpuuerc 0.xx%
When I use it in $ ./check_nrpe -H "ip/localhost/127.0.0.1" -c check_dock
it returns: NRPE: Unable to read output
All other commands I defined in nrpe are running.
What am I missing here?

My check_dock script is:
-------
#!/bin/bash
#
# Author: Bahman Sharzad
# Mail: bshmsn.sharzad@process-factory.dk
#
# NRPE wrapper around check_docker. Changes from the first version:
#  - no "-e" (or "-l") on the shebang: check_docker exits 1/2 on WARN/CRIT,
#    so "bash -e" aborted before the echo ran and NRPE saw no output at all
#  - the plugin runs once; its output and status are captured together
#  - "sudo -n" never waits for a password (there is no tty under NRPE); if
#    sudoers does not let the nrpe user run check_docker, that is reported
#    as UNKNOWN (exit 3) instead of silence
#  - variables are quoted; a missing container name is UNKNOWN, not exit -1

SUDO=/usr/bin/sudo
CHECK=/usr/local/nagios/libexec/check_docker

if [ -z "$1" ]; then
        echo "UNKNOWN - usage: $0 <container-name>"
        exit 3
fi

all=$("$SUDO" -n "$CHECK" -n "$1" -c 80,90 2>&1)
rc=$?
statu=$(printf '%s\n' "$all" | awk 'NR == 1 {print $2}')

case "$statu" in
        OK)   ERROR_CODE1=0 ;;
        WARN) ERROR_CODE1=1 ;;
        CRIT) ERROR_CODE1=2 ;;
        *)    ERROR_CODE1=3
              [ -n "$all" ] || all="UNKNOWN - $CHECK gave no output (exit $rc); check sudoers for the nrpe user" ;;
esac

echo "$all"
exit $ERROR_CODE1
------

and the command in nrpe is
--
command[check_dock]=/usr/local/nagios/libexec/check_dock docker-compose_mongodb_1
---
I run the command: $ sudo ./check_nrpe -H 127.0.0.1 -c check_dock
NRPE: Unable to read output
0
I have an Ubuntu LXD container (on Ubuntu 18.04).
I added a domain group in visudo and ran lxc set security.privileged true on my lxd docker.
I try to update Ubuntu 16 as a domain user in the sudoers group:
it returns an error: sudo apt update
sudo: unable to resolve host "my-host"
sudo: no tty present and no askpass program specified.
0
Is there any method to check the status of a docker container in Nagios Core 4?
0
hi,

reading this:

https://severalnines.com/blog/mariadb-maxscale-load-balancing-docker-deployment-part-1?utm_campaign=MariaDB_Campaign_JUN19&utm_content=maxscale_docker_1&utm_medium=Social_Media&utm_source=Facebook&fbclid=IwAR3pMjAyEA7qt4x9CKRHQdJah1feHuwIF_OhhRb-K6Bc_MjTDSRMJyfJzNA

what is Docker Swarm?

it says

"MaxScale Clustering with Docker Swarm
With Docker Swarm, we can create a group of MaxScale instances via Swarm service with more than one replica together with Swarm Configs."

so what is that?


also in here:

https://severalnines.com/blog/mariadb-maxscale-load-balancing-docker-management-part-2

it says:

Query Rewriting
Query rewrite is a feature that, depending on the queries running against the database server, quickly allows to isolate and correct problematic queries and improve performance.

I don't understand what that means.

and this one:

Query rewriting can be done via regexfilter. This filter can match or exclude incoming statements using regular expressions and replace them with another statement. Every rule is defined in its own section and include the section name in the corresponding service to activate it.

does this mean if we see a bad query we use MaxScale to replace any string?
0
java invoked oom-killer: gfp_mask=0xd0, order=0, oom_score_adj=0

We are using docker swarm for deploying docker containers that run a Java application. Recently the containers are getting stopped frequently and we have observed the above-mentioned log in the system logs.
0
Hi,

I would like to use Pi-hole (or another ad-blocking/security-enabling feature) for my home network.
My Synology NAS supports Docker, so I stumbled upon this article: http://tonylawrence.com/posts/unix/synology/free-your-synology-ports/
Not going to buy a Pi; my Synology is good enough and I don't want extra hardware to buy/maintain/configure anyway.

I like the idea of Docker/containers since I do think it is the future; I have no Docker experience whatsoever for now. My questions:
- Is Pi-hole the right protection tool to use, or are there better (Docker) solutions?
- If I follow the procedure described, what to do then, just point my DHCP DNS to the IP of the Synology? Any config I can do to Pi-hole? Then where? Not clear to me.
- I also have a Synology Router mc2200 ac, can/should I combine its security features?

Thanks for your input!
J
0
hi,

I found this:

https://stackoverflow.com/questions/44648343/mysql-upper-case-table-schema-name

and I tried that setting in server.cnf for MariaDB and it doesn't work; lower_case_table_names is STILL 0 if I double-check from the UI when MariaDB is up!:

SHOW VARIABLES LIKE 'lower_case_table_names';

for the content of my server.cnf please refer to this:

https://www.experts-exchange.com/questions/29151495/MariaDB-export-to-a-mariaDB-Docker.html?anchor=a42906273&notificationFollowed=233535265#a42906273

when I do this inside MariaDB via the UI:

SET lower_case_table_names=2;

the error returned says:

Lookup Error - MySQL Database Error: Variable 'lower_case_table_names' is a read only variable

what is the problem? MariaDB seems unable to see the setting in the mysqld section.

does it mean that once MariaDB is installed we can't change it? what if it is a MariaDB docker?

any doc detailing how to set this setting during installation?
0
