poniedziałek, 6 marca 2023

Dockerfile for Alpine image with cached packages

To speed up builds:
# syntax=docker/dockerfile:1.5
FROM alpine
RUN --mount=type=cache,target=/var/cache/apk <<INSTALL
   ln -s /var/cache/apk /etc/apk/cache
   apk add -U \
       curl \
       bash \
       go \
   rm /etc/apk/cache

sobota, 24 grudnia 2022

Docker's multi-platform images - some benchmarks - for M1/ARM and X86_64


M1: 8 cores, 8 GB RAM, 4 cores for docker
X86_64 A: 4 cores, 8 GB RAM (AMD Ryzen 5 3600 6-Core Processor), VM with Ubuntu 22.04
X86_64 B: 16 cores, 64 GB RAM (AMD Ryzen 9 5950X 16-Core Processor), Ubuntu 22.04, bare metal
On all nodes
docker run --rm --platform linux/amd64 alpine nproc
docker run --rm --platform linux/arm64 alpine nproc

M1/X86_64 A
Resuilt: 4

X86_64 B
Resuilt: 32


Base Dockerfile:
FROM ubuntu:22.04
ADD https://www.php.net/distributions/php-8.2.0.tar.gz /src/
RUN tar xzf php-8.2.0.tar.gz && rm php-8.2.0.tar.gz
ARG DEBIAN_FRONTEND noninteractive
RUN apt-get update -qq && \
  apt-get dist-upgrade -qq && \
  apt-get install -qq \
  	build-essential \
  	libxml2-dev \
    pkg-config \
    libsqlite3-dev \
    libssl-dev \
    zlib1g-dev \
    libonig-dev \
    libsodium-dev \
    libzip-dev && \
  apt-get clean all && \
  find /var/lib/apt/lists/ -type f -delete
WORKDIR /src/php-8.2.0
RUN ./configure \
	--enable-mbstring \
    --with-openssl \
    --with-zlib \
    --enable-bcmath \
    --enable-intl \
    --with-sodium  \

Prepare linux/arm64 environment on X86_64:
docker run --privileged --rm tonistiigi/binfmt --install arm64
docker run --rm --platform linux/arm64 alpine uname -a
Prepare images (on both nodes):

docker builder prune -a -f
docker build --platform linux/amd64 -t wyga/docker-benchmark-multi-arch:amd64 -f Dockerfile .

M1: 326 s
X86_64 A: 60 s

docker builder prune -a -f
docker build --platform linux/arm64 -t wyga/docker-benchmark-multi-arch:arm64 -f Dockerfile .

M1: 40 s
X86_64 A: 554 s

Images are also availlible from:
docker pull wyga/docker-benchmark-multi-arch:amd64
docker pull wyga/docker-benchmark-multi-arch:arm64



/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make

/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make -j4

/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make

/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make -j4

X86_64 A

AMD64 make:      537 s
AMD64 make -j4:  158 s 
ARM64 make:      7519 s
ARM64 make -j4:  2231 s

X86_64 B

AMD64 make:      368 s
AMD64 make -j4:  111 s 
ARM64 make:      4861 s
ARM64 make -j4:  1580 s


AMD64 make: 4424 s AMD64 make -j4 1570 s ARM64 make 471 s ARM64 make -j4: 184 s

czwartek, 15 grudnia 2022

The old story of /dev/md127

I always used this solution to make sure that /dev/mdN will be /dev/mdN after restart (to prevent name change to /dev/md127 after reboot).
mdadm --examime --scan >/etc/mdadm/mdadm.conf
# edit /etc/mdadm/mdadm.conf
# on debian/ubuntu
update-initramfs -u -k all
Another solution (basicaly RTFM):
mdadm --create /dev/md0 -l 1 -n 2 --metadata=1.2 --homehost=any /dev/sdb /dev/sdc
homehost == any - this is wildcard name of the host (hostname). By default current system hostname is inserted by mdadm.
Starting with kernel 5.19 there is kernel option hostanme= which can be used to setup hostname at boot (before userspace). This can also be used to corellate user/kernel hostanmes.
This is related to metadata format 1.2. With metadata verion 0.90 "Preferred Minor" property is used.

wtorek, 17 maja 2022

basic nginx config

server {
  listen 80;
  listen [::]:80;
  server_name catch-all-for-nginx-wyga-cf;
  server_name ~^test\d*\.nginx\.wyga\.cf$;
  location /.well-known {
    root /var/www/acme;
  location / {
    return https://$host;

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name catch-all-for-nginx-wyga-cf;
  server_name ~^test\d*\.nginx\.wyga\.cf$;

  ssl_certificate /etc/nginx/tls/wyga-ca.pem;
  ssl_certificate_key /etc/nginx/tls/wyga-ca.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  root /var/www/wyga;

  index index.html;
  location = /favicon.ico {
     access_log off;
     return 204;

  location / {
    try_files $uri $uri/ =404;

self-signed certificate take 2

Generate self-signed certificate (with basic constraints extension CA:TRUE):
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -keyout /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/'
Add CA as trusted to you browser (works with Chrome).

Regenerate certificate with SNI names:
openssl req -x509 -nodes -sha256 -days 3650 \
  -key /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/' \
  -addext "subjectAltName = DNS:test.nginx.wyga.cf, DNS:test1.nginx.wyga.cf, DNS: test2.nginx.wyga.cf"
Firefox is more secure in that matter. This will not work with that browser ;)
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -keyout "${d}.key" \
  -out "${d}.pem" \
  -subj '/CN=WYGA-CA/'

środa, 11 maja 2022

nginx proxy for HP iLO BMC (HTML5 console only)

This some PoC for proxing access to HP iLO module via nginx. This allow accessing HTML console (no Java or .NET console).
Tested only with iLO 4 (on proliant gen9 servers)

include /etc/nginx/bmc-nodes.conf;

# https://www.rfc-editor.org/rfc/rfc7230#section-6.1
# https://datatracker.ietf.org/doc/html/rfc6455#section-4.2.1
# For iLO Connection: Upgrade is case-sensitive... 
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;

# You need to listen on https port
# This will create mapping for  to map name to IP adddress
# For ex:
#  server1.bmc.example.com
#  serverN.bmc.example.com
#  etc...
server {
    listen 443 ssl;
    server_name ~(?.+)\.bmc\.example\.com;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_certificate /etc/nginx/tls/bmc.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/bmc.example.key;

    proxy_http_version 1.1;
    proxy_set_header Host $bmc_node;
    # Set some message for unmapped hosts
    #error_page 502 /bmc-missing.html;

    # Set HTTP auth
    #error_page 401 /bmc-auth.html;
    #auth_basic            "[BMC PROXY]";
    #auth_basic_user_file  /etc/nginx/bmc.passwd;

    location / {
        # Forece keep-alive to upstream...
        proxy_set_header Authorization '';
        proxy_set_header Connection '';
        proxy_pass https://$bmc_node;

    # WebSocket connection for HTML5 Console
    location /wss/ircport {
        proxy_set_header Authorization '';
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1800;
        proxy_pass https://$bmc_node;

    # error page for 502
    #location = /bmc-missing.html {
    #    auth_basic off;
    #    internal;
    #    root /var/www/bmc/;
    # error page for 401
    #location = /bmc-auth.html {
    #    auth_basic off;
    #    internal;
    #    root /var/www/bmc/;

upstream server1 {
    keepalive 4;

upstream server2 {
    keepalive 4;
upstream serverN {
    server 10.0.0.N:443;
    keepalive 4;

środa, 27 kwietnia 2022

docker - arbitrary bridge's interface name

For docker-compose:
      com.docker.network.bridge.name: br-name
For CLI:
docker network create -o com.docker.network.bridge.name=br-name name