# syntax=docker/dockerfile:1.5
FROM alpine
RUN --mount=type=cache,target=/var/cache/apk <<INSTALL
ln -s /var/cache/apk /etc/apk/cache
apk add -U \
curl \
bash \
go \
clang
rm /etc/apk/cache
INSTALL
poniedziałek, 6 marca 2023
Dockerfile for Alpine image with cached packages
To speed up builds:
sobota, 24 grudnia 2022
Docker's multi-platform images - some benchmarks - for M1/ARM and X86_64
Eenvironment
M1: 8 cores, 8 GB RAM, 4 cores for docker X86_64 A: 4 cores, 8 GB RAM (AMD Ryzen 5 3600 6-Core Processor), VM with Ubuntu 22.04 X86_64 B: 16 cores, 64 GB RAM (AMD Ryzen 9 5950X 16-Core Processor), Ubuntu 22.04, bare metalOn all nodes
docker run --rm --platform linux/amd64 alpine nproc docker run --rm --platform linux/arm64 alpine nproc
M1/X86_64 A
Resuilt: 4
X86_64 B
Resuilt: 32
Dockerfile
Base Dockerfile:
FROM ubuntu:22.04
ADD https://www.php.net/distributions/php-8.2.0.tar.gz /src/
WORKDIR src
RUN tar xzf php-8.2.0.tar.gz && rm php-8.2.0.tar.gz
ARG DEBIAN_FRONTEND noninteractive
ARG DEBCONF_NONINTERACTIVE_SEEN true
RUN apt-get update -qq && \
apt-get dist-upgrade -qq && \
apt-get install -qq \
build-essential \
libxml2-dev \
pkg-config \
libsqlite3-dev \
libssl-dev \
zlib1g-dev \
libonig-dev \
libsodium-dev \
libzip-dev && \
apt-get clean all && \
find /var/lib/apt/lists/ -type f -delete
WORKDIR /src/php-8.2.0
RUN ./configure \
--enable-mbstring \
--with-openssl \
--with-zlib \
--enable-bcmath \
--enable-intl \
--with-sodium \
--with-zip
Prepare linux/arm64 environment on X86_64:
docker run --privileged --rm tonistiigi/binfmt --install arm64 docker run --rm --platform linux/arm64 alpine uname -aPrepare images (on both nodes):
linux/amd64
export DOCKER_BUILDKIT=1 docker builder prune -a -f docker build --platform linux/amd64 -t wyga/docker-benchmark-multi-arch:amd64 -f Dockerfile .
Results:
M1: 326 s
X86_64 A: 60 s
linux/arm64
export DOCKER_BUILDKIT=1 docker builder prune -a -f docker build --platform linux/arm64 -t wyga/docker-benchmark-multi-arch:arm64 -f Dockerfile .
Results:
M1: 40 s
X86_64 A: 554 s
Images are also availlible from:
docker pull wyga/docker-benchmark-multi-arch:amd64 docker pull wyga/docker-benchmark-multi-arch:arm64
Benchmarks
export DOCKER_BUILDKIT=1 /usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make /usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make -j4 /usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make /usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make -j4
X86_64 A
Results:AMD64 make: 537 s AMD64 make -j4: 158 s ARM64 make: 7519 s ARM64 make -j4: 2231 s
X86_64 B
Results:AMD64 make: 368 s AMD64 make -j4: 111 s ARM64 make: 4861 s ARM64 make -j4: 1580 s
M1
Results:
AMD64 make: 4424 s AMD64 make -j4 1570 s ARM64 make 471 s ARM64 make -j4: 184 s
czwartek, 15 grudnia 2022
The old story of /dev/md127
I always used this solution to make sure that /dev/mdN will be /dev/mdN after restart (to prevent name change to /dev/md127 after reboot).
Starting with kernel 5.19 there is kernel option hostanme= which can be used to setup hostname at boot (before userspace). This can also be used to corellate user/kernel hostanmes.
This is related to metadata format 1.2. With metadata verion 0.90 "Preferred Minor" property is used.
mdadm --examime --scan >/etc/mdadm/mdadm.conf # edit /etc/mdadm/mdadm.conf # on debian/ubuntu update-initramfs -u -k allAnother solution (basicaly RTFM):
mdadm --create /dev/md0 -l 1 -n 2 --metadata=1.2 --homehost=any /dev/sdb /dev/sdchomehost == any - this is wildcard name of the host (hostname). By default current system hostname is inserted by mdadm.
Starting with kernel 5.19 there is kernel option hostanme= which can be used to setup hostname at boot (before userspace). This can also be used to corellate user/kernel hostanmes.
This is related to metadata format 1.2. With metadata verion 0.90 "Preferred Minor" property is used.
wtorek, 17 maja 2022
basic nginx config
server {
listen 80;
listen [::]:80;
server_name catch-all-for-nginx-wyga-cf;
server_name ~^test\d*\.nginx\.wyga\.cf$;
location /.well-known {
root /var/www/acme;
}
location / {
return https://$host;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name catch-all-for-nginx-wyga-cf;
server_name ~^test\d*\.nginx\.wyga\.cf$;
ssl_certificate /etc/nginx/tls/wyga-ca.pem;
ssl_certificate_key /etc/nginx/tls/wyga-ca.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
root /var/www/wyga;
index index.html;
location = /favicon.ico {
access_log off;
return 204;
}
location / {
try_files $uri $uri/ =404;
}
}
self-signed certificate take 2
Generate self-signed certificate (with basic constraints extension CA:TRUE):
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \ -keyout /etc/nginx/tls/wyga-ca.key \ -out /etc/nginx/tls/wyga-ca.pem \ -subj '/CN=WYGA-CA/'Add CA as trusted to you browser (works with Chrome). Regenerate certificate with SNI names:
openssl req -x509 -nodes -sha256 -days 3650 \ -key /etc/nginx/tls/wyga-ca.key \ -out /etc/nginx/tls/wyga-ca.pem \ -subj '/CN=WYGA-CA/' \ -addext "subjectAltName = DNS:test.nginx.wyga.cf, DNS:test1.nginx.wyga.cf, DNS: test2.nginx.wyga.cf"Firefox is more secure in that matter. This will not work with that browser ;)
d="change-me"
{
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
-keyout "${d}.key" \
-out "${d}.pem" \
-subj '/CN=WYGA-CA/'
}
środa, 11 maja 2022
nginx proxy for HP iLO BMC (HTML5 console only)
This some PoC for proxing access to HP iLO module via nginx. This allow accessing HTML console (no Java or .NET console).
Tested only with iLO 4 (on proliant gen9 servers)
bmc.conf:
bmc-nodes.conf
Tested only with iLO 4 (on proliant gen9 servers)
bmc.conf:
include /etc/nginx/bmc-nodes.conf;
# https://www.rfc-editor.org/rfc/rfc7230#section-6.1
# https://datatracker.ietf.org/doc/html/rfc6455#section-4.2.1
# For iLO Connection: Upgrade is case-sensitive...
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
# You need to listen on https port
# This will create mapping for to map name to IP adddress
# For ex:
# server1.bmc.example.com
# serverN.bmc.example.com
# etc...
server {
listen 443 ssl;
server_name ~(?.+)\.bmc\.example\.com;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_certificate /etc/nginx/tls/bmc.example.com.crt;
ssl_certificate_key /etc/nginx/tls/bmc.example.key;
proxy_http_version 1.1;
proxy_set_header Host $bmc_node;
# Set some message for unmapped hosts
#error_page 502 /bmc-missing.html;
# Set HTTP auth
#error_page 401 /bmc-auth.html;
#auth_basic "[BMC PROXY]";
#auth_basic_user_file /etc/nginx/bmc.passwd;
location / {
# Forece keep-alive to upstream...
proxy_set_header Authorization '';
proxy_set_header Connection '';
proxy_pass https://$bmc_node;
}
# WebSocket connection for HTML5 Console
location /wss/ircport {
proxy_set_header Authorization '';
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 1800;
proxy_pass https://$bmc_node;
}
# error page for 502
#location = /bmc-missing.html {
# auth_basic off;
# internal;
# root /var/www/bmc/;
#}
# error page for 401
#location = /bmc-auth.html {
# auth_basic off;
# internal;
# root /var/www/bmc/;
#}
}
bmc-nodes.conf
upstream server1 {
server 10.0.0.1:443;
keepalive 4;
}
upstream server2 {
server 10.0.0.2:443;
keepalive 4;
}
...
upstream serverN {
server 10.0.0.N:443;
keepalive 4;
}
środa, 27 kwietnia 2022
docker - arbitrary bridge's interface name
For docker-compose:
networks:
default:
driver_opts:
com.docker.network.bridge.name: br-name
For CLI:
docker network create -o com.docker.network.bridge.name=br-name name
Subskrybuj:
Posty (Atom)