Klaus

Dieting

 Thu, 24 Sep 2020 17:56:50 +0200 
#^DockerSlim - Lean and mean Docker containers. Smaller, faster, more secure and frictionless!

Optimize Your Docker Containers.

Don't change anything in your Docker container image and minify it by up to 30x making it secure too! Optimizing images isn't the only thing it can do though. It can also help you understand and author better container images.

Keep doing what you are doing. No need to change anything. Use the base image you want. Use the package manager you want. Don't worry about hand optimizing your Dockerfile. You shouldn't have to throw away your tools and your workflow to have small container images.

Don't worry about manually creating Seccomp and AppArmor security profiles. You shouldn't have to become an expert in Linux syscalls, Seccomp and AppArmor to have secure containers. Even if you do know enough about it, wasting time reverse engineering your application behavior can be time-consuming.

docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don't need, reducing the attack surface of your container. What if you need some of those extra things to debug your container? You can use dedicated debugging side-car containers for that (more details below).
Klaus

msodbcsql17 Buster

 Fri, 21 Feb 2020 19:26:12 +0100 
After a recent php:7.3-apache Docker image rebuild we were not able to connect to the M$SQL server anymore from our PHP application inside the docker container. Seems to be related to the Debian 9 (Stretch) --> Debian 10 (Buster) update of the official PHP base image.

The error message with the new container was:
[Microsoft][ODBC Driver 17 for SQL Server]TCP Provider: Error code 0x2746
[Microsoft][ODBC Driver 17 for SQL Server]Client unable to establish connection

Too lazy to find a proper solution right now, but a quick fix is to add the following line to our Dockerfile:
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Another lesson learned is to use the right base image tag, e.g.: php:7.3-apache-stretch
Klaus

Browsh

 Thu, 16 Jan 2020 18:22:40 +0100 
#^Browsh - A fully interactive, realtime and modern browser rendered to TTY
Browsh is a fully-modern text-based browser. It renders anything that a modern browser can; HTML5, CSS3, JS, video and even WebGL. Its main purpose is to be run on a remote server and accessed via SSH/Mosh or the in-browser HTML service in order to significantly reduce bandwidth and thus both increase browsing speeds and decrease bandwidth costs.
Klaus

Kata Containers

 Fri, 20 Sep 2019 12:43:57 +0200 
#^Kata Containers isolate workloads from Docker and Kubernetes - From Linux-Magazin 12/2018
Kata Containers attempt to combine the lightweight nature of containers with the strict isolation of real servers. Docker users don't even have to get used to new commands for that.
Klaus

ssmtp --> msmtp

 Wed, 14 Aug 2019 13:49:15 +0200 
Why?

#^sSMTP - Debian Wiki
sSMTP - Simple SMTP
sSMTP is a simple MTA to deliver mail from a computer to a mail hub (SMTP server). sSMTP is simple and lightweight, there are no daemons or anything hogging up CPU; just sSMTP. Unlike Exim4, sSMTP does not receive mail, expand aliases, or manage a queue.

Package is currently unmaintained
This package has been orphaned since 2019-03-19. msmtp can be used as an alternative.

:headdesk
Klaus

Measure Sitespeed

 Wed, 20 Jun 2018 17:41:42 +0200 
Wonderful tool(s)! The Docker image is 1.6 GB big, but it does combine quite a lot of things and makes it very convenient to use. In contrast to other such performance tools sponsored by a big company, Sitespeed.io complains about GA and GTM usage. ;-)

#^Sitespeed.io - Welcome to the wonderful world of Web Performance
Sitespeed.io is a set of Open Source tools that makes it easy to monitor and measure the performance of your web site.

Measuring performance shouldn’t be hard: you should be able to have full control of your metrics, own your own data and you should be able to do it without paying top dollars.

That’s why we created sitespeed.io.


The TSDB is something I want to add to our monitoring server.
Klaus

Safe Containers?

 Fri, 25 May 2018 18:34:03 +0200 
#^Safe Containers » ADMIN Magazine
By Martin Loschwitz
Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.
Container systems like Docker are a powerful tool for system administrators, but Docker poses some security issues you won't face with a conventional virtual machine (VM) environment. For example, containers have direct access to directories such as /proc, /dev, or /sys, which increases the risk of intrusion. This article offers some tips on how you can enhance the security of your Docker environment.
Klaus

Selenoid

 Thu, 18 Jan 2018 18:52:14 +0100 
I already had a dockerized Selenium-Grid but it was a good idea to replace it with Selenoid. The state of automation and the video recording feature are really impressive.

#^Selenoid
Selenoid is a powerful implementation of Selenium hub using Docker containers to launch browsers.

Lightweight and Lightning Fast
Suitable for personal usage and in big clusters:
* Consumes 10 times less memory than Java-based Selenium server under the same load
* Small 7 Mb binary with no external dependencies (no need to install Java)
* Browser consumption API working out of the box
* Ability to send browser logs to centralized log storage (e.g. to the ELK-stack)
* Fully isolated and reproducible environment



#^Scalable Selenium Cluster: Up & Running | Ivan Krutov
by seleniumconf on YouTube
Klaus
 Fri, 28 Jul 2017 16:55:16 +0200 
#^Securing Docker » ADMIN Magazine
Docker containers introduce serious security problems, but you can employ a number of methods to deploy them securely.

Few debate that the destiny of a hosting infrastructure is running applications across multiple containers. Containers are a genuinely fantastic, highly performant technology ideal for deploying software updates to applications. Whether you're working in an enterprise with a number of critical microservices, tightly coupled with a pipeline that continuously deploys your latest software, or you're running a single LEMP (Linux, Nginx, MySQL, PHP) website that sometimes needs to scale up for busy periods, containers can provide with relative ease the software dependencies you need across all stages of your development life cycle.
Klaus

RDBMS containers

 Fri, 28 Jul 2017 13:04:28 +0200 last edited: Fri, 28 Jul 2017 16:55:45 +0200  
#^RDBMS Containers » ADMIN Magazine
If you spend very much of your time pushing containerized services from server to server, you might be asking yourself: Why not databases, as well? We describe the status quo for RDBMS containers.
Klaus

Deep Dive into Capabilities

 Sun, 25 Jun 2017 22:57:10 +0200 
Secure Your Containers with this One Weird Trick
Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.
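An added example (not from the post above) to verify what --cap-drop actually left behind: it decodes the CapEff bitmask from a /proc/<pid>/status dump into capability names and reports anything outside the allow-list you intended. The sample status text is constructed; its CapEff value corresponds to Docker's default capability set.

```python
import re

# Capability bit positions from linux/capability.h (index = bit number).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]


def decode_capeff(status_text):
    """Return the set of capability names in the CapEff line of a
    /proc/<pid>/status dump, i.e. the caps the process can actually use."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}
    # Bits beyond the table (newer kernels) are reported by number, not dropped.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add(f"CAP_{bit}")
    return names


def unexpected_caps(status_text, allowed):
    """Caps present in CapEff that are not in the allow-list you meant to keep
    (e.g. after `--cap-drop=ALL --cap-add=NET_BIND_SERVICE`)."""
    return decode_capeff(status_text) - set(allowed)


# Constructed sample: CapEff value matching Docker's default capability set.
DEFAULT_STATUS = "Name:\tnginx\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# Constructed sample: what --cap-drop=ALL --cap-add=NET_BIND_SERVICE leaves.
LOCKED_STATUS = "Name:\tnginx\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    print("default:", sorted(decode_capeff(DEFAULT_STATUS)))
    print("beyond allow-list:", sorted(unexpected_caps(DEFAULT_STATUS, ["NET_BIND_SERVICE"])))
```

Feed it the real thing with `docker exec <container> cat /proc/1/status`.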
Klaus

Docker 1.13

 Sat, 21 Jan 2017 16:29:50 +0100 
Introducing Docker 1.13
Today we’re releasing Docker 1.13 with lots of new features, improvements and fixes to help Docker users with New Year’s resolutions to build more and better container apps. Docker 1.13 builds on and improves Docker swarm mode introduced in Docker 1.12 and has lots of other fixes. Read on for Docker 1.13 highlights.
Klaus

Dockerized

 Fri, 09 Dec 2016 19:02:47 +0100 
Nearly all web projects have been moved to #Docker containers now. The old infrastructure was mostly based on CentOS6/7 and the main reason for this step was the annoyance of legacy #PHP projects and their PHP version requirement conflicts. I don't need a cluster or swarm, so I have a single instance with #CentOS based #Project Atomic only. The dockerized projects include:
static pages with nginx
#TYPO3 7.6
#Drupal 8.2
#Piwik 2.17
#Revive Adserver 4.x
#OXID eShop 4.[9|10]
...

Here are some completely subjective "best practices":
  • I was a bit disappointed about most available images in Docker's Hub. But make use of the official mariadb, php, drupal, nginx images!
  • Use your Dockerfile and no massive entrypoint scripts.
  • Don't try to build a base image for all your projects, the projects all have too different requirements. I found it much easier to build custom images from the official PHP images directly with only what was really needed for the projects.
  • Think about mail delivery requirements. Does your application require mail(), or can you configure an SMTP server? Use sSMTP if you need a local MTA.
  • Get your persistent volumes right and use the correct #SELinux labels.
  • A local repository makes deployment much easier.
  • Use #Jenkins to build and deploy new images.
  • Don't use --link, use Docker networks instead!
  • jwilder/nginx-proxy still has some bugs, especially with custom nginx configurations, but it is a wonderful tool.
  • With jrcs/letsencrypt-nginx-proxy-companion it was never easier to get certificates.
  • Think about reboots. How do you want your containers to be managed? Services for systemctl work quite well so far.
  • Redirect your application logs to the right output. I should take a look at log management again.

Should also get my private projects into containers next.
Klaus

infinit

 Wed, 07 Dec 2016 15:05:52 +0100 
#^Infinit Joins Docker

Today, we are thrilled to announce that Infinit and Docker are joining forces. To anyone following the container space, this may not come as a surprise because persistent storage remains the number one challenge when it comes to container technologies. Still, for Infinit, this is a huge milestone, closing the loop that has taken the team through quite an incredible journey.
Klaus

Portainer

 Tue, 08 Nov 2016 11:43:15 +0100 
#^Portainer | Simple management UI for Docker
Portainer is a simple management solution for Docker. Easily manage your Docker hosts and Docker Swarm clusters via Portainer web user interface.


Interesting license decision Zlib-Libpng License
Klaus

Mounting single files to Docker

 Mon, 24 Oct 2016 18:45:39 +0200 
When you mount a single file into Docker, e.g.: -v /path/to/proxy/my_config.conf:/etc/nginx/conf.d/my_config.conf:ro,Z and wonder why your changes do not appear in the container, check that your editor edits the original file in place and does not rename/replace the original file.

When you use vim add a modeline to your file for example:
# Required when single files are mounted to container, so that inode does not change.
# vim: backupcopy=yes
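An added example (not part of the post) that reproduces the failure mode: a bind mount follows the inode, so a write-to-temp-and-rename save (what many editors do by default) leaves the container looking at the old inode, while an in-place write keeps it. The config content and file name are constructed.

```python
import os
import shutil
import tempfile


def write_in_place(path, data):
    """Save the way vim does with backupcopy=yes: the inode is preserved."""
    with open(path, "w") as f:
        f.write(data)


def write_via_rename(path, data):
    """Save the way many editors do by default: a new file replaces the old one,
    so the bind-mounted container still sees the stale inode."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
    os.replace(tmp, path)


def inode_survives(writer):
    """True if saving with `writer` keeps the inode of my_config.conf."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "my_config.conf")   # constructed sample file
        write_in_place(path, "server { listen 80; }\n")
        before = os.stat(path).st_ino
        writer(path, "server { listen 80; server_name example.test; }\n")
        return os.stat(path).st_ino == before
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("in-place write keeps inode:", inode_survives(write_in_place))
    print("rename-replace keeps inode:", inode_survives(write_via_rename))
```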
Klaus

IP-based virtual hosts in a container

 Mon, 24 Oct 2016 18:34:46 +0200 last edited: Mon, 24 Oct 2016 18:45:59 +0200  
I have a Docker container with a nginx reverse proxy with name based virtual hosts and also wanted to have IP-based virtual hosts. But I always got the default server configuration, even though I saw in the logs that the correct destination IP was logged; the listen statements for the ip:port just had no effect.
It seems this does not work with the default bridge network. Running the container with --net=host solved this problem and the IP-based vhosts worked as well.
Klaus

Tear down docker test containers based on image name

 Thu, 01 Sep 2016 16:49:47 +0200 
Given your #CI generates #Docker images from your Git commits and tags them with something like web01-qa:$BUILD_NUMBER. Right now I cannot set a name for the container that gets spun up after every commit, so I needed a solution to tear down the old containers after successful start of a new container based on the image they were created from. This is what I came up with:

docker ps --format "{{.ID}}\t{{.Image}}" | awk -F ':' '/web01-qa/{print $NF, $0}' | sort -r -n | tail -n+2 | awk '/web01-qa/{system("docker stop " $2)}'
Get all running containers, sort them by $BUILD_NUMBER for the image name containing web01-qa, stop all matching containers except the one from the newest image.

Or use docker rm -f if not interested in the old containers anymore.
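The same selection as the pipeline above, as an added example rather than the post's own code, with two things the awk version does not do: it matches the repository name exactly (with an optional registry prefix) instead of any substring, so an image like web01-qa-old is left alone, and it skips non-numeric tags. The `docker ps` output below is constructed; the repository name web01-qa is the one from the post.

```python
def parse_ps(output):
    """Parse `docker ps --format "{{.ID}}\\t{{.Image}}"` lines into
    (container_id, repository, tag) tuples."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        cid, image = line.split("\t", 1)
        repo, sep, tag = image.rpartition(":")
        if not sep or "/" in tag:          # untagged, or the colon was a registry port
            repo, tag = image, "latest"
        rows.append((cid, repo, tag))
    return rows


def containers_to_stop(output, repository):
    """IDs of running containers built from `repository`, except the one with
    the highest numeric BUILD_NUMBER tag. The repository must match exactly,
    optionally prefixed by a registry path; non-numeric tags are ignored."""
    candidates = []
    for cid, repo, tag in parse_ps(output):
        if repo != repository and not repo.endswith("/" + repository):
            continue
        if not tag.isdigit():
            continue
        candidates.append((int(tag), cid))
    candidates.sort(reverse=True)            # newest build first
    return [cid for _, cid in candidates[1:]]


def stop_commands(output, repository, remove=False):
    """Command lines to run: `docker stop`, or `docker rm -f` when the old
    containers are not needed anymore."""
    verb = ["docker", "rm", "-f"] if remove else ["docker", "stop"]
    return [verb + [cid] for cid in containers_to_stop(output, repository)]


# Constructed sample output of `docker ps --format "{{.ID}}\t{{.Image}}"`.
SAMPLE_PS = (
    "3f1a2b\tweb01-qa:41\n"
    "9c0d8e\tweb01-qa:43\n"
    "77aa11\tweb01-qa:42\n"
    "5e5e5e\tweb01-qa-old:99\n"              # substring match would wrongly stop this
    "abc123\tregistry:5000/web01-qa:40\n"
    "deadbe\tmariadb:10.1\n"
)

if __name__ == "__main__":
    for cmd in stop_commands(SAMPLE_PS, "web01-qa"):
        print(" ".join(cmd))
```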
Klaus

You trust your kernel?

 Mon, 14 Dec 2015 18:17:10 +0100 
#^Container Security » ADMIN Magazine
By Sebastian Meyer
The focus for container solutions such as Docker is increasingly shifting to security. Some vulnerabilities have been addressed, with plans to take further steps in the future to secure container virtualization.
Klaus

so many containers ;-)

 Thu, 25 Jun 2015 17:49:07 +0200 
Our docker service was a bit slow to load...
$ docker ps -aq | wc -l
97691

#Docker? #Jenkins? #WTF?!?

Spinning up a container seems to be much quicker than removing an old container. I started to delete these containers this morning. After 7 hours there are still around 45000 containers left. o_O