Setup Docker Swarm in Ubuntu

Let me write down what I did to set up this Docker Swarm so I don't have to repeat it. I had been very indecisive about whether to deploy a multi-region swarm or keep everything in a single location with failover between several machines. In the end I stuck with a single region, and I'll expand from there if needed.

Machines Setup

Installing Dockers

Run these on each machine:

sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
sudo apt-get update
sudo apt-get install docker-ce -y

This installs the current docker-ce from Docker's own repository rather than the older docker.io package in Ubuntu's archive. The fingerprint step is there so you can confirm the key you just imported is really Docker's before trusting packages signed with it. (On current Ubuntu releases apt-key is deprecated; Docker's install docs now put the key under /etc/apt/keyrings and reference it with signed-by in the sources entry, but the result is the same.)

Installing Docker Swarm

Now I need to set up the swarm itself. It's pretty straightforward: run the following on the machine that will be the manager. The advertise address is the one the other nodes will reach it on.

docker swarm init --advertise-addr 192.168.10.10

Then, on each worker machine, run the following to join it to the swarm:

docker swarm join --token secret-token 192.168.10.10:2377

Replace secret-token with the real worker token (docker swarm init prints the complete join command, and a manager can print it again later). Treat that token like a password: anyone who has it and can reach port 2377 can add a node to your swarm. Next I'll lock the network down a bit with an encrypted overlay network named overnet:

docker network create  --opt encrypted --driver overlay --attachable overnet

You won't notice any difference day to day, but this creates an overlay network spanning every node in the swarm. The --opt encrypted flag makes Docker encrypt the VXLAN traffic between nodes with IPsec (the swarm's own management traffic is protected with mutual TLS regardless), and --attachable lets plain docker run containers join it, not just services.
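As an added example (not part of the original post), here are two small helpers for the join and overlay steps above: one builds the worker join command from a token and refuses anything that doesn't look like a swarm token, and the other reads the output of docker network inspect and confirms the overlay really was created with the encrypted option. The manager address and the token shape (SWMTKN-1-<ca-hash>-<secret>) are taken from the post and from real swarm tokens; the JSON used in the tests is constructed, not captured from a live swarm.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for joining workers and
# checking that the overlay network is actually encrypted.
set -eu

# Print the current worker join token. Must run on a manager with a live swarm.
worker_join_token() {
    docker swarm join-token worker -q
}

# Build the join command for a worker from a token and the manager address.
# Real tokens look like SWMTKN-1-<ca-hash>-<secret>; anything else is rejected
# so a typo or a copied-in blank line doesn't produce a confusing docker error.
join_cmd() {
    token="$1"; addr="$2"
    case "$token" in
        SWMTKN-1-*-*) ;;
        *) echo "join_cmd: not a swarm join token: $token" >&2; return 1 ;;
    esac
    printf 'docker swarm join --token %s %s:2377\n' "$token" "$addr"
}

# Read "docker network inspect <name>" JSON on stdin. Return 0 only when the
# driver is overlay AND the "encrypted" option is present (Docker records it as
# an "encrypted" key with an empty value under "Options").
overlay_is_encrypted() {
    json="$(cat)"
    printf '%s' "$json" | grep -q '"Driver": *"overlay"' || return 1
    printf '%s' "$json" | grep -q '"encrypted"' || return 1
    return 0
}
```

Usage on the manager: `join_cmd "$(worker_join_token)" 192.168.10.10` prints the exact command to paste on a worker, and `docker network inspect overnet | overlay_is_encrypted && echo encrypted` verifies the network before you put anything on it. If a join token ever leaks, rotate it on the manager with `docker swarm join-token --rotate worker`; nodes already in the swarm are unaffected.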

Installing reverse proxy for docker swarm

Now I need a reverse proxy in front of the swarm, since I want to run a lot of things behind it. This runs Traefik as a service constrained to a manager node, because it discovers services through the Docker socket, which only managers can answer swarm queries on:

docker service create \
--name traefik \
--constraint=node.role==manager \
--publish 80:80 \
--publish 8080:8080 \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--network overnet \
traefik:latest \
--docker \
--docker.swarmmode \
--docker.domain=traefik \
--docker.watch \
--web

For more information, visit the Traefik web page for its configuration. Two things to keep in mind. First, the flags above (--docker, --docker.swarmmode, --web) are Traefik 1.x syntax; traefik:latest now pulls a newer major version that rejects them, so pin the image to a 1.x tag if you want this command to keep working. Second, bind-mounting /var/run/docker.sock on a manager hands the proxy full control of the swarm: anything that gains code execution inside Traefik can create privileged services on any node. Keep the image pinned and patched, and don't publish the dashboard on 8080 to anything but your admin network, since in 1.x it has no authentication by default.
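As an added example (not from the original post or the Traefik project), here is what a backend service needs in order to be routed by the Traefik 1.x swarm-mode setup above: in --docker.swarmmode Traefik reads service labels, so the service must carry traefik.port, a frontend rule and the network Traefik should use to reach it. The hostname whoami.traefik, the containous/whoami test image and the overlay name overnet are assumptions for the illustration; the image-tag check exists because the post's flags only work against a 1.x image.

```shell
#!/bin/sh
# Added example, not from the original post. Routing a backend through the
# Traefik 1.x swarm-mode proxy from the post.
set -eu

# The service labels Traefik 1.x reads in swarm mode:
#   traefik.enable          opt the service in (harmless if exposedByDefault is on)
#   traefik.port            container port Traefik proxies to
#   traefik.frontend.rule   request matcher; Host: is the usual one
#   traefik.docker.network  network Traefik uses to reach the task (it must be on it too)
# Prints the --label arguments on one line so they can be spliced into
# "docker service create".
traefik_v1_labels() {
    host="$1"; port="$2"; network="${3:-overnet}"
    printf '%s\n' "--label traefik.enable=true --label traefik.port=$port --label traefik.frontend.rule=Host:$host --label traefik.docker.network=$network"
}

# Return 0 if an image reference is a Traefik 1.x tag. The post's CLI flags
# (--docker, --web, ...) do not exist in 2.x and later, and "latest" no longer
# resolves to 1.x, so deploy scripts should refuse anything else.
traefik_v1_image() {
    case "$1" in
        traefik:1.*|traefik:v1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Deploy a throwaway backend on the overlay and let Traefik pick it up.
# Needs a live swarm; whoami answers HTTP with details about the task serving it.
deploy_backend() {
    # shellcheck disable=SC2046  # splitting the label string into words is intended
    docker service create --name whoami --network overnet \
        $(traefik_v1_labels whoami.traefik 80) \
        containous/whoami
}
```

After `deploy_backend`, `curl -H 'Host: whoami.traefik' http://<manager-ip>/` should be answered by the whoami task through Traefik. If nothing is routed, the usual culprits are a missing traefik.docker.network label (Traefik then tries an address it cannot reach) or the proxy service itself not being on overnet.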

cPanel Webmail inbox disappear but are still visible in /cur

This is an interesting cPanel issue one of my clients faced recently: messages vanished from the webmail inbox but were still sitting in the mailbox's /cur directory on disk. Searching the internet brought me to a cPanel forum thread where someone else had hit the same thing. The solution is straightforward: run the command below for the affected mailbox (substitute its address).

 doveadm force-resync -u [email protected] INBOX

It seems the inbox just needed a re-sync of its index; the mail had not actually been deleted by the user's third-party email client. This guy definitely saved my ass!

Dell Powerconnect 6224 connect to serial port

First you need a server or computer with a serial port (a USB-to-serial adapter works too, in which case the device is usually /dev/ttyUSB0 rather than /dev/ttyS0). Connect the console cable, then run the following:

screen /dev/ttyS0 19200

That should show you the console. If it doesn't, check the cable and that the baud rate matches the switch's console setting, or restart the switch.

Find more settings in its user guide.

Mac Fix for Java 8+ & iDRAC 6 Connection Failed

If you use iDRAC 6 from a Mac, good luck, my friend: you will mostly keep getting "Connection Failed" from the Java virtual console application, which is VERY scary since you can no longer talk to your machine! But there is a solution (at least I found one), so let's get started. The short version is that the old iDRAC 6 firmware still relies on TLS algorithms that Java 8 and later disable by default, so the fix is to loosen Java's restrictions and relax the iDRAC side a little.

Java Setup

First, open the Java Control Panel on your Mac and make a few changes, as shown below:

Once you've added the iDRAC address to the Exception Site List and set the connection to Direct, go to the terminal to edit the Java security file. Note the space in the path, so it needs quoting:

sudo vi "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"

Open it in vim, look for the line containing SSLv3 and comment it out:

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

Both lines need to be commented out here, because the second is a continuation of the first (note the trailing backslash). Save the file and the Java security tweak is done. Keep in mind that this re-enables SSLv3, RC4, MD5-signed certificates and the other weak algorithms for the whole Java plug-in, not just for iDRAC, so put the original lines back once you're finished with the console.
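As an added example (not from the original post), the edit above as a small script: it comments out jdk.tls.disabledAlgorithms together with every backslash-continued line that follows it, keeps a .bak copy, and gives you a one-call way to put the restriction back afterwards. The path is the one from the post; the java.security content used in the test is a constructed excerpt.

```shell
#!/bin/sh
# Added example, not from the original post. Toggle the jdk.tls.disabledAlgorithms
# restriction in java.security for an iDRAC 6 session, keeping a backup.
set -eu

# Path from the post; contains a space, hence the quoting everywhere below.
JAVA_SECURITY="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"

# Comment out the property line and all of its continuation lines.
# A continuation is any line ending in a backslash, so the loop keeps going
# until it prints a line without one. Leaves FILE.bak behind for restore.
comment_disabled_algorithms() {
    f="$1"
    cp -p "$f" "$f.bak"
    awk '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { cont = 1 }
        cont { print "#" $0; if ($0 !~ /\\$/) cont = 0; next }
        { print }
    ' "$f.bak" > "$f"
}

# Put the original file back. Do this as soon as the iDRAC work is done; the
# weakened settings apply to every applet the plug-in runs, not just iDRAC.
restore_disabled_algorithms() {
    f="$1"
    mv "$f.bak" "$f"
}

# Return 0 while the restriction is still active (property line uncommented).
algorithms_restricted() {
    grep -q '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$1"
}
```

The file is root-owned, so run `sudo sh -c '. ./javasec.sh; comment_disabled_algorithms "$JAVA_SECURITY"'` (assuming you saved the block as javasec.sh) before launching the console and the matching restore call afterwards; `algorithms_restricted "$JAVA_SECURITY"` tells you which state you are in.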

iDrac Changes

First, head over to Console/Media in the iDRAC web interface and disable Video Encryption,

then change 'Plug-in Type' to 'Native'.

Click Apply and you're done. Now try again.

Docker link expose MySQL/MariaDB root password on phpinfo() via MYSQLIP_ENV_MYSQL_ROOT_PASSWORD

Alright, today I'm on a verbal puking spree! This is another scary security risk with the official MariaDB Docker container if you use a Docker link. And if you are wondering what the heck a Docker link is: it's the legacy --link flag that connects one container to another, for example,

docker run -it --restart=always --name phpfpm \
--link mariadb:ip \
-v /root/www:/home \
-w /home claylua/phpfpm:7.0.29-fpm-alpine3.4

where I link the MariaDB container into my PHP-FPM container.

This is practically what everyone does without noticing what a legacy link actually does: besides adding the alias to /etc/hosts, it copies the linked container's environment variables into yours, renamed as <ALIAS>_ENV_<VAR>. The official MariaDB image takes its root password from MYSQL_ROOT_PASSWORD, so your PHP application ends up exposing the MariaDB root password to anyone who can see its environment, as the variable "MYSQLIP_ENV_MYSQL_ROOT_PASSWORD". phpinfo() prints the whole environment.

In the phpinfo() output my root password was right there in plain text, for all to see. And this is NOT good at all.

Solution

To resolve this, we wrap all our containers in their own user-defined network. On a user-defined network, --link only provides a name alias; it no longer copies the linked container's environment into yours. Create the network with the following command,

docker network create hungred

Now we have a network called 'hungred', and for every container to talk privately they all need to be on it. A container outside this network cannot reach the ones inside it, so a container left on the default bridge will suddenly throw 502s, Nginx errors, or anything else you don't expect.

For our example, we join the hungred network with the following command,

docker run -it --restart=always --name phpfpm \
--net=hungred \
--link mariadb:ip \
-v /root/www:/home \
-w /home claylua/phpfpm:7.0.29-fpm-alpine3.4

where our phpfpm container now runs in the hungred network. Containers on a user-defined network also resolve each other by container name, so the --link is only there to keep the "ip" alias my application already uses.

If you run phpinfo() in your application again, the variable "MYSQLIP_ENV_MYSQL_ROOT_PASSWORD" is gone!

P.S.: Do take note that ALL your containers have to join the same network, or else you'll get a lot of unnecessary hiccups.
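As an added example (not from the original post), here is a quick audit you can run against any container to catch exactly this class of leak before phpinfo() does: it reads the container's environment and flags link-injected variables (the <ALIAS>_ENV_<VAR> pattern) whose names look like credentials. The environment lines in the test are constructed to look like the phpfpm container from the post; the variable names other than MYSQLIP_ENV_MYSQL_ROOT_PASSWORD are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audit a container's environment for
# secrets copied in by a legacy --link. Feed it "docker exec <container> env".
set -eu

# Reads NAME=VALUE lines on stdin. Prints the name of every link-injected
# variable (contains _ENV_) whose name suggests a credential, with the value
# redacted so the audit output itself doesn't leak it. Exit status is 1 when
# anything was found and 0 when the environment is clean, so a deploy script
# can stop on a leak.
audit_link_env() {
    found=0
    while IFS= read -r line; do
        name="${line%%=*}"
        case "$name" in
            *_ENV_*)
                case "$name" in
                    *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*_KEY*)
                        printf '%s=<redacted>\n' "$name"
                        found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}
```

Run it as `docker exec phpfpm env | audit_link_env || echo "link leak"` against both the before and after setups from the post; the first reports MYSQLIP_ENV_MYSQL_ROOT_PASSWORD, the second is silent. Two further points worth acting on: the PHP container should not be given the database root password at all (create a limited user for the application), and the official MariaDB image accepts MYSQL_ROOT_PASSWORD_FILE so the secret never has to sit in an environment variable where docker inspect, phpinfo() and crash dumps can all show it.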