run kong with compose

Here a simple docker-compose.yml file to get kong community up and running. It is configured to use postgresql that persists data to a local docker volume. All ports are mapped to localhost only and log goes to stdout/stderr.

version: '3.4'
services:
  kong-db:
    image: 'postgres:10.1'
    ports:
      - 127.0.0.1:5432:5432
    environment:
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
      POSTGRES_DB: kong
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - db-volume:/var/lib/postgresql/data/pgdata
    healthcheck:
      test: 'echo "select 1" | psql -U kong kong || exit 1'
      interval: 1m
      timeout: 3s
      retries: 3
    restart: unless-stopped

  kong:
    image: 'kong:0.11.2'
    ports:
      - 127.0.0.1:8000:8000
      - 127.0.0.1:8443:8443
      - 127.0.0.1:8001:8001
      - 127.0.0.1:8444:8444
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-db
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: kong
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
    links:
      - kong-db
# uncomment following line to run migrations for a new database
#    command: kong migrations up -v
    depends_on:
      - kong-db
    healthcheck:
      test: 'curl -f http://localhost:8001/status || exit 1'
      interval: 1m
      timeout: 3s
      retries: 3
    restart: unless-stopped

volumes:
  db-volume:

Attention: The kong container fails to start unless migrations are not run on the connected database. To do this simply uncomment the marked line and start the containers. With the command set the container will execute database migrations and stop with exit code 0. After that the line can be commented out again. Then you can start kong with the given file.

IntelliJ IDEA on Mac OS

When using IntelliJ IDEA with Spring Boot on a Mac make sure you have the entry

127.0.0.1 <hostname>.local

in your /etc/hosts file. Replace <hostname> with your Mac’s name. Also make sure that the result of the command ‘hostname’ is in your /etc/hosts file as well pointing to your local address.

Java 9 released

After years of development Oracle has released Java 9. It is available to download from the Oracle page as usual. Here is the EOL message for Java 8:

End of Public Updates for Oracle JDK 8

Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after September 2018. Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions can get long term support through Oracle Java SE Advanced, Oracle Java SE Advanced Desktop, or Oracle Java SE Suite. For more information, and details on how to receive longer term support for Oracle JDK 8, please see the Oracle Java SE Support Roadmap.

Openssl certificates for apache

In my former post i described a way how to create self signed SSL certificates with an own certificate authority. These certificates didn’t work in latest chrome versions so I updated my scripts to create valid certificates for chrome. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"
#!/bin/bash
NAME=star.$1
if [ "star." == $NAME ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
 
[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1
 
[ req_ext ]
subjectAltName=@alt_names
 
[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr -config config.txt
openssl ca -create_serial -batch -in $NAME.csr -out $NAME.crt -config config.txt

# CLEANUP
rm -f *.csr config.txt
chmod 644 *.key *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.

 

Robo 3T MongoDB client fails to start on ubuntu 16.04

I tried to rim robo3t-1.1.1-linux-x86_64 downloaded from https://robomongo.org/ and got the following error when trying to run it:

This application failed to start because it could not find or load the Qt platform plugin "xcb"
in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.
Aborted

Trying to install xcb via apt install xcb doesn’t change the behavior. Then I found a solution by removing all libstdc++* files from the lib directory in the extracted directory:

rm lib/libstdc++*

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Docker version 17.06.0-ce, build 02c1d87

openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit

I followed the steps under https://docs.openshift.org/latest/getting_started/administrators.html#downloading-the-binary and got the error in the title. To fix this you have to add “–exec-opt native.cgroupdriver=systemd” to ExecStart of docker. The best way to do this is to add a addin file /etc/systemd/system/docker.service.d/override.conf with following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

Then reload systemd and restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

 

SSL certificates for apache

Simple way to create self-signed SSL certificates.

#!/bin/bash
# usage: ./create-ca.sh
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"
#!/bin/bash
# usage: ./create-key.sh CN
NAME=$1
SERIAL=`ls -l *.key | wc -l`

if [ $SERIAL -lt 10 ]; then
	SERIAL="0$SERIAL"
fi

if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi

if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

echo "creating key for $NAME with serial $SERIAL"
openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \
  -set_serial $SERIAL -in $NAME.csr -out $NAME.crt

rm *.csr

 

Ubuntu: Docker behind proxy 

sudo mkdir /etc/systemd/system/docker.service.d
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy-address:8080/"
Environment="HTTPS_PROXY=http://proxy-address:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload
sudo systemctl restart docker