This is my first longer article for InfoQ (rather than being a news item), and it’s intended to be a comprehensive backgrounder on Docker: ‘an overview of the Docker journey so far and where it is headed along with its growing ecosystem of tools for orchestration, composition and scaling. This article provides both a business and a technical point of view on Docker and separates the hype from the reality.’

continue reading the full article at InfoQ


I got my Lenovo X230 when I started with CohesiveFT almost 18 months ago. I’ve generally been very happy with it, but the cracks are starting to show – literally:

Frame above wrist pad coming away, and also a hairline crack at the top of the ExpressCard slot.

Not as robust

I’ve had a succession of ThinkPads – T20[1], T41, X60T, X201T, a loaner X220 from the good people at Bromium, and now my X230. They’ve all been pretty indestructible apart from the X230. The screen has always felt a bit flimsy, but now other bits are falling off it. Earlier in the week the ThinkPad logo on the wrist rest came off:

Look closely and see the marks from the superglue I used to put this back

and now I see that the indicator cover for the top LEDs has gone missing:

X230_LEDs

I don’t think I’ve been treating this one any harder than other ThinkPads I’ve owned, so I can only conclude that build quality is being compromised. I’d also note that my other ThinkPads have generally done 3 years of service before being retired, meaning that this one should only be half way through its journey. It also needs a new battery, as endurance has fallen from 5hrs to just over an hour – at least the battery is replaceable (and not too expensive).

The reason I got it in the first place

I chose the X230 because it can take 16GB RAM (and because I know from experience that 8GB isn’t enough for my typical usage). The newer X240 only takes 8GB RAM, which seems to me a significant step back.

X230_X240_RAM

From the Crucial memory configurator

I’ll soldier on for the time being

As there really aren’t any great alternatives. I quite liked the Dell XPS13 that I got on loan a little while ago, but that also tops out at 8GB RAM. At a push I might go for a 13″ MacBook Pro with 16GB RAM, but what I really want is an 11″ (or better still 12″) MacBook Air with 16GB RAM (and a 1TB SSD[2]). My fingers are crossed that after this year’s Intel Developer Forum we see some serious machines with lots of RAM and storage in a lightweight and robust package (and not more gimmicky convertible tablety things).

Notes

[1] My T20 survived an incident where a Newark taxi driver slammed the trunk down on my bag carving a gouge into the lid of the laptop. I’m pretty sure that most lesser machines would have been smashed to bits by that. My T20 came through with a scar, but it had no effect on how I used it, and it delivered a few more years of reliable service.
[2] I recently swapped out the Samsung 840 500GB SSD that I put in when I got the X230 for a Samsung 840 evo 1TB mSATA SSD. The process was pretty painless as I was able to have both drives in the laptop at once. Having completed the migration I moved the new SSD to an mSATA to SATA adaptor, as the mSATA port on the X230 is only SATA2, so I was missing the full (and impressive) speed of the newer drive.


Before writing my InfoQ story about Flocker I ran through my now usual process of getting my 3 tier demo[1] working on it (in addition to running through the getting started guide[2]).

What I found is that Flocker doesn’t yet support multi-container apps, but then it is only at release 0.1 (and proper multi-container support is promised for 0.2). It was however possible to get things working with a little hacking.

Database

Flocker is made for running stateful apps, so getting MySQL working was pretty straightforward. I created two files. First the deployment file, mysql-deployment.yml, which says which node the container (and its volume) should run on:

"version": 1
"nodes":
  "172.16.255.250": ["mysql-volume-example"]
  "172.16.255.251": []

Then the application file, mysql-application.yml, which describes the container image, the port it publishes and the volume that Flocker manages for it:

"version": 1
"applications":
  "mysql-volume-example":
    "image": "cpswan/todomvc.mysql"
    "ports":
    - "internal": 3306
      "external": 3306
    "volume":
      # The location within the container where the data
      # volume will be mounted:
      "mountpoint": "/var/lib/mysql"

To get it fired up I then ran:

$ flocker-deploy mysql-deployment.yml mysql-application.yml

After something of a wait for my container image to be pulled from Docker Hub I had a running database that I could connect to with the mysql client. I then created an alternative deployment file, mysql-deployment-moved.yml, that places the container on the other node:

"version": 1
"nodes":
  "172.16.255.250": []
  "172.16.255.251": ["mysql-volume-example"]

and moved the database (and its volume) by deploying it:

$ flocker-deploy mysql-deployment-moved.yml mysql-application.yml

Some further testing confirmed that the database was working. I could even connect to the other VM and use the Flocker proxy to get through to my container.

App and Web Servers

I used ssh to connect to the Flocker VM running the database and attached the app and web servers in the usual way:

$ docker run -dp 4567:4567 --name todomvc_app \
--link mysql-volume-example:db cpswan/todomvc.sinatra
$ docker run -dp 443:443 --name todomvc_ssl \
--link todomvc_app:app cpswan/todomvc.ssl

A quick test with a web browser attached through an SSH port forward confirmed that everything was working.

I then had a go at moving the database again, which got me a screen full of SQL errors. The app server could no longer connect to the container it had linked to, and the Flocker proxy wasn’t helping.

Hacking the link

The app server finds its database through environment variables populated by the Docker linking mechanism: DB_PORT_3306_TCP_ADDR gets set to the linked container’s IP, something like 172.17.0.9, with the port in DB_PORT_3306_TCP_PORT. That IP is only good while the container stays on that host, which is why moving it broke the app. Using a slightly different command line (after stopping and removing the todomvc_app container) the variable can instead be pointed at the local Flocker proxy, which forwards to wherever the database container currently lives (the todomvc.sinatra image accepts a host:port value here):

$ docker run -dp 4567:4567 --name todomvc_app \
-e "DB_PORT_3306_TCP_ADDR=172.16.255.250:3306" \
cpswan/todomvc.sinatra

With that done the app server was able to connect to the MySQL database, whichever VM it was running on. This works because the application file publishes MySQL on port 3306 of every node ("external": 3306), which also means anything that can reach a node can reach the database; outside a local Vagrant setup that port wants firewalling down to the app servers.
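As an added example (not code from the original post or from the cpswan/todomvc.sinatra image), here is how an app server can resolve its database endpoint so that it copes with both the variables Docker’s --link sets (container IP plus port) and an explicit host:port override pointing at a Flocker proxy. The function and constant names are my own, and the environment hashes in the comments are constructed for illustration.

```ruby
# Added example: resolve a MySQL endpoint from the environment, preferring a
# stable proxy address over a Docker link IP that changes when the container
# is moved between hosts. Not part of the original post.
require "uri"

DEFAULT_MYSQL_PORT = 3306

# Resolve the MySQL endpoint from an environment hash. Precedence:
#   1. DB_PORT_3306_TCP_ADDR in host:port form (the override used in the post,
#      e.g. "172.16.255.250:3306", pointing at the Flocker proxy on a node)
#   2. DB_PORT_3306_TCP as a tcp://host:port URL (set by `docker run --link`)
#   3. DB_PORT_3306_TCP_ADDR plus DB_PORT_3306_TCP_PORT (also set by --link)
# Returns [host, port]; raises ArgumentError if nothing usable is present.
def db_endpoint(env)
  addr = env["DB_PORT_3306_TCP_ADDR"]

  # 1. Explicit host:port override (e.g. a Flocker proxy on the node).
  if addr && addr.include?(":")
    host, port = addr.split(":", 2)
    return [host, Integer(port)]
  end

  # 2. Docker link URL, e.g. tcp://172.17.0.9:3306
  if (url = env["DB_PORT_3306_TCP"])
    u = URI.parse(url)
    unless u.scheme == "tcp" && u.host
      raise ArgumentError, "expected a tcp://host:port URL, got #{url.inspect}"
    end
    return [u.host, u.port || DEFAULT_MYSQL_PORT]
  end

  # 3. Docker link address and port as separate variables.
  return [addr, Integer(env.fetch("DB_PORT_3306_TCP_PORT", DEFAULT_MYSQL_PORT))] if addr

  raise ArgumentError, "no database endpoint found in environment"
end

# Convenience for a mysql2-style connection hash; credentials are left to the caller.
def mysql_connection_options(env)
  host, port = db_endpoint(env)
  { host: host, port: port }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environments, as Docker --link and the post's override would set them.
  linked   = { "DB_PORT_3306_TCP" => "tcp://172.17.0.9:3306",
               "DB_PORT_3306_TCP_ADDR" => "172.17.0.9",
               "DB_PORT_3306_TCP_PORT" => "3306" }
  override = { "DB_PORT_3306_TCP_ADDR" => "172.16.255.250:3306" }
  puts db_endpoint(linked).inspect
  puts db_endpoint(override).inspect
end
```

The point of the precedence order is that an operator can hand the container a stable address (the node’s Flocker proxy) without rebuilding the image, while an unmodified `--link` deployment keeps working.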

Notes

[1] I’ve also put the demo onto Fig and Panamax.
[2] Luckily I already had a Linux machine with VirtualBox and Vagrant all set up after playing with Panamax over the weekend.


Flocker is a volume and container management system for Docker based on ZFS. It allows for stateful containers, such as databases, to be moved between virtual or physical hosts. This provides a capability that is analogous to the live migration features of some virtual machine hypervisors. Version 0.1 has been released by ClusterHQ as an Apache 2.0 open source project.

continue reading the full story at InfoQ


Just as I did with Fig I had a go at composing my three tier demo app with CenturyLink’s Panamax as I was writing my InfoQ piece on the launch.

You can see the resulting todomvc.pmx template file in GitHub (and see that it’s very similar to my fig.yml), but it’s a visual tool, so let’s look at some screenshots, starting with an overview of the service:

Panamax ToDoMVC

Zooming in, the template is made up out of three underlying services:

PanamaxToDoMVCServices

I started out with the mysql service, which is why it has the _latest suffix dangling there. I could edit it out, but didn’t bother. Clicking on that service, the only things that matter are the EXPOSEd port and the volume mapping:

PanamaxToDoMVC_DB

It will be interesting to see what Panamax adds under the hood for volumes, as right now the mount point needs to be created manually, and such things don’t play well in multi server deployments.

The Sinatra app server needs a link back to the database in addition to exposing its own port:

PanamaxToDoMVC_App

Finally the container with Nginx for SSL termination links back to the app server and binds to port 443:

PanamaxToDoMVC_SSL

Because the whole thing is running inside VirtualBox it’s necessary to do another port forward. The instructions for that are included in the template and can be brought up on screen:

PanamaxToDoMVC_Docs

Having set the application up I then entered a GitHub token in order to allow it to be saved as a template.

Give it a try for yourself. Add cpswan/panatest to your sources:

PanamaxSources

Then search for todomvc:

PanamaxToDoSearch


CenturyLink has launched Panamax, a tool that they describe as ‘Docker Management for Humans’. Panamax distinguishes itself from other composition tools for Docker by offering a web based user interface, which can be used to compose multiple Docker containers into templates that can then be shared on GitHub. Alongside the launch of the open source project CenturyLink are running the ‘Panamax App Template Challenge 2014’, a competition offering $100,000 in prizes for the best submissions across a variety of categories.

continue reading the full story at InfoQ



TL;DR

I hacked together my own USB shaver charger using a cheap DC-DC converter I bought on eBay, so fewer worries (and things to carry) next time I’m travelling.

USB shaver cable

Background

I use an electric shaver most days, and I travel a fair bit. Usually the battery is enough to get me through a trip, but if I’m away for weeks then I need to recharge.

The charger that came with my shaver (in the UK) is a European type like this:

340 Charger

If I had a US charger, I’d be fine, because most places in Europe have both types. Sadly the reverse isn’t true, so it’s less common to find European sockets in the US.

To make things worse the European shaver plug looks like a Swiss style plug, but actually has larger prongs, so it doesn’t just fit into a multinational adaptor. Here’s the hideous jury rig I had to put together on my most recent trip to get a charge:

Shaver charging hack

That photo has a European shaver charger, a euro to UK adaptor (from my wife’s GHDs), a Swiss World Travel adaptor, and an elastic hair band.

I’ve thought in the past that it would be a good idea if somebody like iGo did shaver tips for their travel chargers, but that hasn’t happened. Of course most smaller devices these days use USB for charging.

USB shavers

They do exist, but they don’t look great. I’ll stick with my Braun.

Why not USB?

It’s a mystery to me why the shaver manufacturers like Braun, Philips etc. haven’t shifted to using 5V for charging and supplying a USB charger. I guess they’re stuck in the same place the mobile phone makers were a decade ago (before the European Commission mandated microUSB).

The solution

My shaver charger is 12V at 400mA. I got a MC34063A based DC-DC converter module from eBay for £1.68. It’s claimed to be 78% efficient and can output up to 1.5A (though it’s recommended that it’s only pushed to 800mA).

Crunching the numbers:

12V * 400mA = 4.8W output

4.8W output / 78% efficiency = 6.15W input

6.15W input / 5V = 1.23A drawn from the USB port

1.23A is well inside the capabilities of a typical USB travel charger for something like a tablet, and even a more mundane 1A charger is likely to be sufficient – worst case the shaver will charge fractionally slower.

The voltage converter came already set up for 12V, so it was simply a matter of dismembering an existing charger cable, and a spare USB cable, followed by a quick bit of soldering and heat shrinking. The picture at the top of the post shows the finished article (with the coiled shaver cable wrapped around the USB charger cable to keep things tidy).

Improvements

At the moment both cables come out of the same side of the converter, and it would be better if it was just a bump in the wire; and that bump could be more elegant than a lump of heat shrink encased electronics.

I’m probably not going to bother polishing this thing any further myself. It works, and I’m happy with it.

Maybe some enterprising Chinese manufacturer will come up with something properly designed, with variants (or even interchangeable plugs) for different shaver types.


Docker based platform as a service (PaaS) Deis has announced integration with Docker Hub as a source for container images. This complements their existing integration with git. The open source platform is built on Docker and CoreOS to present a Heroku inspired workflow.

continue reading the full story at InfoQ

Deis Architectural Diagram


This post originally appeared on the CohesiveFT blog

The Docker subsystem available since version 3.5 allows additional virtualized network functions (VNFs) to be run on VNS3. I’ve previously written about using this capability for content caching, SSL termination and load balancing. This time I’ll cover using it as a network intrusion detection system (NIDS).

Introducing Suricata

The archetypal NIDS for Linux is Snort. Suricata is the newer alternative developed by the Open Information Security Foundation. It’s multi-threaded, to make it more scalable, has improved protocol and file identification, and is somewhat easier to install and configure (though that’s taken care of with a Dockerfile anyway).

The demo application

For a little while I’ve used an application based on Nginx, Sinatra and MySQL to demo VNS3. It’s gratuitously three tier, but it’s a good way of showing off the various moving parts of an overlay network. The app implements a simple web based todo list with persistence to the database.

Getting the traffic into the NIDS

Firstly I uploaded my suricata-demo Dockerfile to VNS3 to become a container image, then I allocated a container from it, which was given the first available IP of 198.51.100.2. Getting traffic off the overlay and into the container just needs an entry like this in the firewall:

# copy all traffic from the overlay network to the NIDS container
MACRO_CUST -j COPY --from tun0 --to 198.51.100.2 --bidirectional

Whilst I’m there it’s also worth putting in the rules so that I can connect to the container over SSH (in order to see detection in action):

# enable NAT to allow containers to talk to the outside world
-o eth0 -s 198.51.100.0/28 -j MASQUERADE
# forward port 2222 from the VNS3 manager to port 22 on the container
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 2222 -j DNAT --to 198.51.100.2:22

Application specific rules

A nice thing about application centric networks is that they can have application specific rules for intrusion detection – there’s no need to have a kitchen sink list of rules to catch every possible attack that would apply to an entire enterprise network.

For demo purposes I have a single rule that detects Mastercard numbers:

alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"MasterCard number detected in clear text";sid:9000001;rev:1;)

This rule is looking for the pattern 5XXX-XXXX-XXXX-XXXX where each X is a digit and each – could be a dash, a space, or nothing. It’s not doing any validation that the numbers are valid Mastercard numbers (no Luhn checksum, no check of the issuer range), it’s just picking up the pattern of something that looks like a Mastercard number, so any 16 digit run starting with 5 will trigger it.

When this triggers (by putting a Mastercard number into the todo list) an alert can be seen in Suricata’s fast.log file e.g.:

07/22/2014-19:51:20.753227  [**] [1:9000001:1] MasterCard number detected in clear text [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.111:4567 -> 10.0.6.50:37589
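As an added example (not code from the post or from the cohesiveft/suricata-demo image), the following Ruby script shows the second stage a practitioner would put behind a pattern-only rule like this one: it applies the same pattern, then filters the candidates with the Luhn checksum so that random 16-digit runs starting with 5 do not count, and it parses a fast.log line into its fields so an alert can be tied back to the endpoints involved. The sample alert line is constructed from the one above; the function and constant names are my own.

```ruby
# Added example: Luhn filtering for the "looks like a MasterCard number" rule,
# plus a parser for Suricata's fast.log. Not part of the original post.

# Same pattern as the pcre in the Suricata rule, with non-capturing groups so
# that String#scan returns whole matches rather than the separator groups.
CARD_PATTERN = /5\d{3}(?:\s|-)?\d{4}(?:\s|-)?\d{4}(?:\s|-)?\d{4}/

# Luhn (mod 10) checksum: walking from the right, double every second digit,
# subtract 9 from any doubled value above 9, sum everything and check that the
# total is divisible by 10. Expects a string of digits only.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Find everything in a payload that matches the rule's pattern and split it into
# candidates that pass Luhn (worth alerting on) and those that do not (likely
# order numbers, tracking IDs or other 16-digit noise). Returned numbers are
# normalised to bare digits.
def classify_candidates(payload)
  result = { valid: [], invalid: [] }
  payload.scan(CARD_PATTERN).each do |raw|
    normalised = raw.gsub(/[\s-]/, "")
    result[luhn_valid?(normalised) ? :valid : :invalid] << normalised
  end
  result
end

# One line of fast.log, in the layout shown in the post. The named groups pick
# out the timestamp, gid:sid:rev, message, classification, priority, protocol
# and the two endpoints.
FAST_LOG_LINE = %r{
  \A(?<ts>\S+)\s+\[\*\*\]\s+
  \[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+
  (?<msg>.*?)\s+\[\*\*\]\s+
  \[Classification:\s*(?<classification>[^\]]*)\]\s+
  \[Priority:\s*(?<priority>\d+)\]\s+
  \{(?<proto>\w+)\}\s+(?<src>\S+)\s+->\s+(?<dst>\S+)
}x

# Parse a fast.log line into a hash, or return nil for lines in another format.
def parse_fast_log(line)
  m = FAST_LOG_LINE.match(line)
  return nil unless m
  {
    timestamp: m[:ts],
    gid: m[:gid].to_i, sid: m[:sid].to_i, rev: m[:rev].to_i,
    msg: m[:msg],
    classification: m[:classification],
    priority: m[:priority].to_i,
    proto: m[:proto],
    src: m[:src], dst: m[:dst],
  }
end

# Constructed sample alert, modelled on the fast.log line in the post.
SAMPLE_ALERT = "07/22/2014-19:51:20.753227  [**] [1:9000001:1] MasterCard number detected in clear text [**] " \
               "[Classification: (null)] [Priority: 3] {TCP} 192.168.56.111:4567 -> 10.0.6.50:37589"

if __FILE__ == $PROGRAM_NAME
  # 5555 5555 5555 4444 is a published MasterCard test number; the second value
  # matches the rule's pattern but fails Luhn.
  sample_payload = "todo: pay 5555-5555-5555-4444, ref 5123 4567 8901 2345"
  puts classify_candidates(sample_payload).inspect
  puts parse_fast_log(SAMPLE_ALERT).inspect
end
```

Luhn only weeds out noise; it does not prove a number is a real card. Tightening the leading digits (MasterCard issues from 51–55, and since 2017 also 2221–2720, which the rule’s 5\d{3} would miss) is the other knob to turn, and either check could be expressed in Suricata itself with a more specific pcre, at the cost of a longer regex on every packet.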

Try it for yourself

The full cohesiveft/suricata image is available on Docker Hub (and GitHub). It uses Oinkmaster to pull a full set of rules from Emerging Threats.

The cut-down, single-rule demo version, cohesiveft/suricata-demo, described above is also available on Docker Hub (and GitHub).

Whether you start out with a full rule set, and cut out the stuff that causes too much noise, or come at it the other way to build up a rule set to address specific concerns – the choice is yours.


This post originally appeared on the CohesiveFT blog

Amazon recently announced the new t2 family of low end instances, which I wrote about on InfoQ. Pricing wise the headline is that the t2.micro is ¢1.3/hr, which is a fair bit cheaper than the ¢2/hr of the t1.micro it replaces. It also has much better, more consistent and more transparent performance characteristics, and more RAM.

¢1.3/hr is good, but it’s still not sub penny. It somehow reminds me of the big old pre decimal pennies that people still had in little china pots when I was a kid.

¢1.3/hr is however the on demand pricing. It’s also possible to get t2.micro reserved instances in medium and heavy usage varieties. Pushing things to the max gets a 3yr heavy utilisation reserved instance that costs $109 up front and ¢0.2/hr. If we leave the instance up for the full 3 years (26,280 hours) and amortise the $109 up front, that adds ¢0.415/hr to the ¢0.2/hr, which comes out to ¢0.615/hr – a little less than half the on demand pricing.

¢0.615/hr – now that’s sub penny :)



