<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:admin="http://webns.net/mvcb/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Daniel Nashed’s Blog</title>
<description>Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/</link>
<language>en-us</language>
<lastBuildDate>Wed, 17 Apr 2024 00:52:58 +0200</lastBuildDate>
<item>
<title>Updating autoupdate.nsf with the new template (14.0 08.03.2024)</title>
<pubDate>Wed, 17 Apr 2024 00:52:58 +0200</pubDate>
<description>
<![CDATA[
The new fit & finish work and the new autocat.nsf integration require template changes. Please make sure you are getting the template version 14.0 from 08.03.2024 and not the earlier version from ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-14.0fp1-autoupdate.ntf-update.htm</link>
<category>autoupdate</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-14.0fp1-autoupdate.ntf-update.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/domino-14.0fp1-autoupdate.ntf-update.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">The new fit & finish work and the new <strong>autocat.nsf</strong> integration require template changes.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">Please make sure you are getting the template version <strong>14.0</strong> from <strong>08.03.2024</strong> and not the earlier version from 03.11.2023 shipped with Domino 14.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">When deploying the container image I noticed an issue with the folder permissions where the container image is getting template updates for Fixpacks.<br /> <br /> The directory <strong>/opt/hcl/domino/notes/latest/linux/data1_bck/140FP1/localnotesdata</strong></span><span style=" font-size:10pt;font-family:Arial"><strong> </strong>contains updated templates.</span> <br /> <br /><span style=" font-size:10pt;font-family:Arial">But the directory can only be accessed by "<strong>root</strong>" and the container runs with the "notes" user.</span> <br /><span style=" font-size:10pt;font-family:Arial">This is not new to 14.0 FP1. Also 12.0.2 fixpacks had the same permissions, but nobody noticed the missing updates.</span> <br /> <br /><span style=" font-size:10pt;font-family:Arial">I fixed it in the HCL Community container build. But the HCL container image does have the file permissions which prevent the deployment.<br /> For the HCL image you can remove <strong>/local/notesdata/domino_ver.txt</strong>, stop and remove the container and run it again.<br /> This will initiate a full release template update - which also contains the FP templates.</span> <br /> <br /><span style=" font-size:10pt;font-family:Arial"><br /> In general if you are not using a container image, please make sure design refresh is running on autoupdate.nsf to get the latest functionality.</span> <br /> <br /> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/domino-14.0fp1-autoupdate.ntf-update.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-14.0fp1-autoupdate.ntf-update.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>Domino AutoUpdate AUT Catalog integration in action</title>
<pubDate>Wed, 17 Apr 2024 00:02:53 +0200</pubDate>
<description>
<![CDATA[
When the new integration is enabled, client web-kits are just pushed to AUT Catalog. The push will also happen for existing web-kits once the document is updated with data containing the Metadata XM ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-autoupdate-aut-catalog-integration-in-action.htm</link>
<category>AutoUpdate</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-autoupdate-aut-catalog-integration-in-action.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/domino-autoupdate-aut-catalog-integration-in-action.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">When the new integration is enabled, client web-kits are just pushed to AUT Catalog. <br /> The push will also happen for existing web-kits once the document is updated with data containing the Metadata XML.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> No manual steps needed. The documents and the new view have a button to directly jump into AUT Catalog.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The button on top only shows up for software pushed to AUT Catalog.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> AUT Catalog sometimes has multiple documents for the same web-kit.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> For example the Standard and All Client (Admin/Design client) needs the same FP.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Or the 32bit to 64bit client packages are also a separate file and product document in autocat.nsf</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Domino AutoUpdate knows all of the web-kits and dependencies and pushes documents accordingly.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> It will also correct missing documents. 
It uses the AUT Catalog hash to ensure software is only pushed once.<br /> And also knows about the language versions of web-kits.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> -- Daniel</span><span style=" font-size:12pt"> <br /> <br /> <br /> </span><img alt="Image:Domino AutoUpdate AUT Catalog integration in action" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/domino-autoupdate-aut-catalog-integration-in-action.htm/content/M2?OpenElement" /><span style=" font-size:12pt"><br /> </span> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/domino-autoupdate-aut-catalog-integration-in-action.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-autoupdate-aut-catalog-integration-in-action.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>Notes/Domino 14.0FP1 released -- What’s new?</title>
<pubDate>Tue, 16 Apr 2024 22:53:23 +0200</pubDate>
<description>
<![CDATA[
The What's New section of AutoNotify doesn't show up until you update to Domino 14.0 FP1. This is actually one of the improvements in the AutoNotify back end code in 14.0 FP1. There are a couple o ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/notesdomino-14.0fp1-released-whats-new.htm</link>
<category>Autoupdate</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/notesdomino-14.0fp1-released-whats-new.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/notesdomino-14.0fp1-released-whats-new.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> The What's New section of <strong>AutoNotify</strong> doesn't show up until you update to Domino 14.0 FP1.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">This is actually one of the improvements in the AutoNotify back end code in 14.0 FP1.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> There are a couple of fit & finish changes in AutoUpdate as well. <br /> </span> <br /><span style=" font-size:10pt;font-family:Arial">The <strong>software.json</strong> data has been improved to use dynamic categories and can distinguish different client types.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> Besides that there is a brand new AUT Catalog integration to automatically push client web-kits directly to <strong>autocat.nsf</strong>.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> No more Metadata XML to download or attach manually. Configure it once to get web-kits automatically pushed to autocat.nsf.</span><span style=" font-size:12pt"> <br /> </span> <br /><span style=" font-size:10pt;font-family:Arial">Along with those autoupdate enhancements, there are also DAOS improvements. 
<br /> This is the first time HCL added features in a Fixpack.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:Arial"><br /> If you want to hear details about AutoUpdate, including the Domino 14.0 FP1 enhancements, join me at Engage in my session next week.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> <br /> </span><span style=" font-size:10pt;font-family:sans-serif">If you can't wait for Engage, here is a link to the documentation --> </span><a href="https://help.hcltechsw.com/domino/14.0.0/admin/wn_140FP1.html"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://help.hcltechsw.com/domino/14.0.0/admin/wn_140FP1.html</u></span></a><span style=" font-size:10pt;font-family:sans-serif">.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> My session will go into much more detail and explain the new functionality.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> -- Daniel</span><span style=" font-size:12pt"> <br /> <br /> </span><img alt="Image:Notes/Domino 14.0FP1 released -- What’s new?" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/notesdomino-14.0fp1-released-whats-new.htm/content/M2?OpenElement" /> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/notesdomino-14.0fp1-released-whats-new.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/notesdomino-14.0fp1-released-whats-new.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>Adding TOTP to your own application</title>
<pubDate>Mon, 15 Apr 2024 10:32:07 +0200</pubDate>
<description>
<![CDATA[
The oathtool is the standard tool on Linux. It comes as a command-line tool or a dynamic and static link lib to be used in your own applications. You can statically link the code into your applicati ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/adding-totp-to-your-own-application.htm</link>
<category>TOTP</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/adding-totp-to-your-own-application.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/adding-totp-to-your-own-application.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> The <strong>oathtool</strong> is the standard tool on Linux. It comes as a command-line tool or a dynamic and static link lib to be used in your own applications.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> You can statically link the code into your application and generate TOTP codes and also validate them.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The homepage contains information about the command line tool "<strong>oathtool</strong>" and also the lib "<strong>liboath</strong>".</span><span style=" font-size:12pt"> </span><span style=" font-size:12pt;color:blue"><u><br /> <br /> </u></span><a href="https://www.nongnu.org/oath-toolkit/"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://www.nongnu.org/oath-toolkit/</u></span></a><span style=" font-size:12pt"> <br /> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Example how to use it on command-line. 
</strong><br /> <br /> The example uses the base32 encoded secret for "test".</span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> oathtool --totp -b ORSXG5AK </span></tt><span style=" font-size:12pt"><br /> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Key URI Format</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> When importing TOTP secrets into a TOTP client it is very convenient to use a QR code.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Some clients don't even let you specify parameters like signing algorithm manually.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> There is a URI format documented here:</span><span style=" font-size:12pt"> </span><span style=" font-size:12pt;color:blue"><u><br /> <br /> </u></span><a href="https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html</u></span></a><span style=" font-size:12pt"> </span><span style=" font-size:12pt;color:blue"><u><br /> </u></span><a href="https://github.com/google/google-authenticator/wiki/Key-Uri-Format"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://github.com/google/google-authenticator/wiki/Key-Uri-Format</u></span></a><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> To create a QR code you can use the <strong>qrencode</strong> Linux tool, which can generate an ASCII graphics QR code.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Example code to generate a QR code for TOTP 
setup</strong></span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> echo "otpauth://totp/NashCom:nsh@acme.com?secret=$(echo test | base32)&issuer=NashCom&algorithm=SHA1&digits=6&period=30" | qrencode -tANSI256 -o -</span></tt><span style=" font-size:12pt"> <br /> <br /> <br /> </span><img alt="Image:Adding TOTP to your own application" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/adding-totp-to-your-own-application.htm/content/M2?OpenElement" /><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Example C code</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Without error checking the C code to generate a TOTP code boils down to this:</span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> oath_init();</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> oath_base32_decode (SecretB32, strlen (SecretB32), &pSecret, &len);</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> oath_totp_generate2 (pSecret, len, now, OATH_TOTP_DEFAULT_TIME_STEP_SIZE, OATH_TOTP_DEFAULT_START_TIME , 6, flags, szOTP);</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> oath_done();</span></tt><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> It took me a moment to bring all those pieces together.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Especially on the C code side, the important part is that you want the Base32 encoded secret to be stored and use the conversion routine to convert it back as input.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Don't try to store the decoded string and pass it manually.</span><span style=" 
font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Conclusion</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Now you have all your pieces to generate and verify TOTP digits either on command line or in your own application.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> For security reasons I would not invoke the command-line tool from an application and instead statically link the lib into your application as shown in my simple example.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> My first use case will be my own <strong>sudo su -</strong> implementation to use TOTP to switch to root instead of using a password.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The tricky part will be now to store the secret in a way that nobody can read it. But that's a different story.</span><span style=" font-size:12pt"> <br /> </span> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/adding-totp-to-your-own-application.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/adding-totp-to-your-own-application.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>DominoBackupRunFaster=1 with a file back-end</title>
<pubDate>Thu, 11 Apr 2024 22:05:14 +0200</pubDate>
<description>
<![CDATA[
The standard configuration for Domino backup is a file back-end. This makes mostly sense with de-duplicating storage. This could be for example a NetApp appliance or any other de-duplicating storage ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/dominobackuprunfaster1-with-a-file-back-end.htm</link>
<category>Domino Backup</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/dominobackuprunfaster1-with-a-file-back-end.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/dominobackuprunfaster1-with-a-file-back-end.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">The standard configuration for Domino backup is a file back-end. This mostly makes sense with de-duplicating storage.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> This could be for example a NetApp appliance or any other de-duplicating storage device.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Also an appliance or Linux machine running ZFS as the file-system with compression enabled is a good backup target.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Just a plain backup to normal storage does not make much sense, because it would add the amount of your NSF files for every backup to the backup storage.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> When Domino Backup was introduced in Domino 12.0 the native Domino file copy operations used a quite small block size, which led to low throughput rates on Windows and Linux depending on the back-end.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Therefore Domino Backup increased the buffer to <strong>128 KB</strong> by default with the option to increase it further up to<strong> 1 MB</strong>.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Depending on your storage back-end and file-system, the following parameter can be a true <strong>RunFaster=1</strong> parameter for you.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> notes.ini <strong>FILE_COPY_BUFFER_SIZE=1048576</strong></span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> If you are using 
Domino Backup with a file back-end, you should really try this out and report the difference back here including your OS version and type of storage (disk, NFS mount, Windows share etc).</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> See my recent Proxmox ZFS de-duplication blog for ZFS de-dup performance. <br /> The parameter was also listed there. But maybe wasn't sufficiently highlighted.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> -- Daniel</span><span style=" font-size:12pt"> </span> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/dominobackuprunfaster1-with-a-file-back-end.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/dominobackuprunfaster1-with-a-file-back-end.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>Linux - Using Cron to schedule periodic jobs like certificate updates</title>
<pubDate>Wed, 10 Apr 2024 11:38:27 +0200</pubDate>
<description>
<![CDATA[
In all the years I have never looked into cron. But it is really a very straightforward functionality, which is used by Linux itself. You can either schedule user specific jobs or use /etc/cron.d ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/linux-using-cron-to-schedule-periodic-jobs-like-certificate-updates.htm</link>
<category>Linux</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/linux-using-cron-to-schedule-periodic-jobs-like-certificate-updates.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/linux-using-cron-to-schedule-periodic-jobs-like-certificate-updates.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> In all the years I have never looked into cron. <br /> But it is really a very straightforward functionality, which is used by Linux itself.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> You can either schedule user specific jobs or use <strong>/etc/cron.d</strong> files or <strong>/etc/crontab.</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> There is a certificate update script --> </span><a href="https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/cert_upd_nginx.sh"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/cert_upd_nginx.sh</u></span></a><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I did not automate it end to end yet.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> A quick look into <strong>/etc/crontab</strong> shows how it works.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I also added Certificate URL Health on<strong> certstore.nsf</strong> on top.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> But this should automatically pull updated certs from certstore.nsf daily and update the NGINX config.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> -- Daniel</span><span style=" font-size:12pt"> <br /> </span><tt><span style=" font-size:10pt"><br /> <br /> SHELL=/bin/bash</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> 
PATH=/sbin:/bin:/usr/sbin:/usr/bin</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> MAILTO=root</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> # For details see man 4 crontabs</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> # Example of job definition:</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # .---------------- minute (0 - 59)</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # | .------------- hour (0 - 23)</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # | | .---------- day of month (1 - 31)</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # | | | | |</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> # * * * * * user-name command to be executed</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> 07 07 * * * nginx /local/nginx/cert-update-dnug-lab.sh >> /local/nginx/cert-update.log 2>&1</span></tt><span style=" font-size:12pt"> <br /> </span> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/linux-using-cron-to-schedule-periodic-jobs-like-certificate-updates.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/linux-using-cron-to-schedule-periodic-jobs-like-certificate-updates.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>Howto convert cert formats from and to PEM</title>
<pubDate>Wed, 10 Apr 2024 10:17:05 +0200</pubDate>
<description>
<![CDATA[
CertMgr uses PEM internally for all operations. The PEM format is the most important format. But you might get your files from your admin or a CA in different formats. CertStore can import and expor ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/howto-convert-cert-formats-from-and-to-pem.htm</link>
<category>CertMgr</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/howto-convert-cert-formats-from-and-to-pem.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/howto-convert-cert-formats-from-and-to-pem.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">CertMgr uses PEM internally for all operations. The PEM format is the most important format.<br /> But you might get your files from your admin or a CA in different formats.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">CertStore can import and export PEM and PKCS12 (PFX, p12).<br /> But this might not always work in the way you expect it because of legacy encryption.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">I just wrote a new howto document providing some background and providing OpenSSL command line options.</span> <br /> <br /><a href="https://opensource.hcltechsw.com/domino-cert-manager/howto_convert/"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://opensource.hcltechsw.com/domino-cert-manager/howto_convert/</span></a> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">If you are using CertMgr you might want to also look into another document added a while ago:</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif"><strong>Anatomy of a TLS Credentials document</strong></span> <br /> <br /><a href="https://opensource.hcltechsw.com/domino-cert-manager/tls_credentials_anatomy/"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://opensource.hcltechsw.com/domino-cert-manager/tls_credentials_anatomy/</span></a> <br /> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">I hope this type of information helps you to understand some of the backgrounds and also to help you converting your certs.</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">-- Daniel</span> <br /> ]]></content:encoded>
<wfw:commentRss>https://blog.nashcom.de/nashcomblog.nsf/dxcomments/howto-convert-cert-formats-from-and-to-pem.htm</wfw:commentRss>
<wfw:comment>https://blog.nashcom.de/nashcomblog.nsf/dx/howto-convert-cert-formats-from-and-to-pem.htm?opendocument&amp;comments</wfw:comment>
</item>
<item>
<title>OpenSSL past and present -- what you need to know about standards and conversions</title>
<pubDate>Wed, 10 Apr 2024 01:01:17 +0200</pubDate>
<description>
<![CDATA[
OpenSSL is the open source project, which is part of most software today. It is an integral component of Linux and the foundation software is built on. There are three major streams you should kno ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/openssl-past-and-present-what-you-need-to-know-about-standards-and-conversions.htm</link>
<category>OpenSSL</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/openssl-past-and-present-what-you-need-to-know-about-standards-and-conversions.htm?opendocument&amp;comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/openssl-past-and-present-what-you-need-to-know-about-standards-and-conversions.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> OpenSSL is the open source project, which is part of most software today.<br /> It is an integral component of Linux and the foundation software is built on.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> There are three major streams you should know about:</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> - 1.0.2 LTS</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> - 1.1.1. LTS</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> - 3.0.x LTS</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> The jump in the version number to version 3.0 is an indication of a major change.<br /> <br /> - OpenSSL 1.0.2 should be avoided for quite some time and I would personally also move off 1.x in general.<br /> - OpenSSL 3.0 is modularized and supports loading different providers like the FIPS provider.<br /> <br /> But it also deprecates some older functionality, which must be loaded explicitly from a legacy module.<br /> On the other side it uses some defaults which older software does not support.<br /> <br /> Not all software has made the jump to at least OpenSSL 3.0.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Therefore it is important to understand some new defaults and some removed standards.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> </strong></span> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>OpenSSL development changes</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> 
If you are an OpenSSL developer you know a lot more changed under the covers and a lot of functionality needs to be changed to be fully OpenSSL 3.x compatible.<br /> The first functions you run into are the RSA/EC keys, which should be replaced with EVP keys in OpenSSL 3.0. <br /> But also using the Fetch functionality is important. You can find a good starting point in the documentation here --> </span><a href="https://www.openssl.org/docs/manmaster/man7/ossl-guide-libcrypto-introduction.html"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://www.openssl.org/docs/manmaster/man7/ossl-guide-libcrypto-introduction.html</u></span></a><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> When looking at Milan's post today about an issue he ran into, I took a look at the old format he was using. <br /> (</span><a href="https://milanmatejic.wordpress.com/2024/04/09/hcl-notes-crash-while-importing-pkcs12-database-to-the-hcl-domino-certificate-manager/"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>https://milanmatejic.wordpress.com/2024/04/09/hcl-notes-crash-while-importing-pkcs12-database-to-the-hcl-domino-certificate-manager/</u></span></a><span style=" font-size:10pt;font-family:sans-serif">)<br /> <br /> The problem is already escalated to development and there is an SPR and a fix going into the next release and fixpacks.<br /> But reading the old standard without the MAC is problematic in general. But it should not crash.<br /> Below is a command-line to convert the PKCS12 file even with modern OpenSSL 3.0.x. 
<br /> <br /> <br /> ------<strong><br /> <br /> </strong></span><span style=" font-size:12pt;font-family:sans-serif"><strong>Export/Import/Conversion challenges</strong></span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I created some test PKCS12 files without a MAC and noticed the <strong>-nomac</strong> option is only available in older OpenSSL versions.<br /> Version 3.0 and above do not have this functionality any more.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Windows still uses this old version and creates encrypted PKCS12 files and also encrypted PEM files with a quite old standard.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I tried to open the PKCS12 file with my own certificate command-line tool, which statically links with the latest OpenSSL 3.x versions and ran into an error message importing the very old format.<br /> The same happens when you try to open it with an OpenSSL 3.0 command line:</span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><strong><br /> <br /> </strong></span></tt><tt><span style=" font-size:10pt;color:blue"><strong>openssl pkcs12 -in mac.pfx -out export.pem -nodes</strong></span></tt><span style=" font-size:12pt;color:blue"> </span><tt><span style=" font-size:10pt"><br /> <br /> Error outputting keys and certificates</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> 40672F2A027F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:</span></tt><tt><span style=" font-size:10pt;color:red"><strong>Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()</strong></span></tt><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> If you want to convert a legacy PKCS12 file, you need to specify the 
<strong>-legacy</strong> option.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> </strong></span> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Modern encryption standard used</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Here is a text from OpenSSL, which describes the new standard and the legacy option.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> The default encryption algorithm is <strong>AES-256-CBC with PBKDF2</strong> for key derivation.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> When encountering problems loading legacy PKCS#12 files that involve, for example,<strong> RC2-40-CBC</strong>, try using the -legacy option and, if needed, the -provider-path option.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> -legacy</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Use legacy mode of operation and automatically load the legacy provider. <br /> If OpenSSL is not installed system-wide, it is necessary to also use, for example, -provider-path ./providers or to set the environment variable OPENSSL_MODULES to point to the directory where the providers can be found.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> In the legacy mode, the default algorithm for certificate encryption is <strong>RC2_CBC</strong> or <strong>3DES_CBC</strong> depending on whether the <strong>RC2</strong> cipher is enabled in the build.<br /> The default algorithm for private key encryption is <strong>3DES_CBC</strong>. 
If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is <strong>AES_256_CBC with PBKDF2</strong> for key derivation.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> <br /> </strong></span><span style=" font-size:12pt;font-family:sans-serif"><strong>Conclusion</strong></span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Use the <strong>-legacy</strong> option if you really need it to read an old format. But make sure you use the new default, more modern and secure standards whenever you can.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> New versions might not be able to read older formats at some point.<br /> <br /> The CertStore functionality isn't directly built on OpenSSL code. But it uses the same modern standard for export.<br /> Import/Export are client code. The encryption is always performed on the client.<br /> <br /> In case you need an older encryption standard for Java and other applications, there is a client-side notes.ini setting to lower the standard to 3DES.<br /> <br /> <strong>PKCS12_EXPORT_LEGACY</strong></span><span style=" font-size:12pt">=1 </span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> But again this is also just a fallback intended for compatibility. <br /> <br /> Importing PKCS12 and PEM encrypted files will still work with older formats without a setting.<br /> Only the missing MAC is a problem, which can be avoided with the OpenSSL command line shown above.<br /> <br /> <br /> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/openssl-past-and-present-what-you-need-to-know-about-standards-and-conversions.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/openssl-past-and-present-what-you-need-to-know-about-standards-and-conversions.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Domino meets Grafana & Loki</title>
<pubDate>Sun, 7 Apr 2024 10:17:19 +0200</pubDate>
<description>
<![CDATA[
The latest Sametime version offers a graphical statistics dashboard based on Grafana and Prometheus. Domino statistics out of the box don't play well with Grafana. Prometheus needs a pull model an ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-meets-grafana-loki.htm</link>
<category>Grafana</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-meets-grafana-loki.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/domino-meets-grafana-loki.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> The latest Sametime version offers a graphical statistics dashboard based on Grafana and Prometheus.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Domino statistics out of the box don't play well with Grafana.<br /> <br /> Prometheus needs a pull model and the Domino Stats Package added in Version 10 only supports the push model.<br /> Sametime uses the push gateway, but because the Domino statistic names need to be transformed anyway, I wrote a small servertask to provide the stats to be included into the <strong>node_exporter</strong>, which already is used to provide Linux system statistics.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Beside statistics I also looked into Grafana Loki to collect logs and make them available over the Grafana interface. The data is collected by <strong>promtail</strong>.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> After a couple of interesting experiences and iterations collecting the data, I am now at the stage where I can look into real world statistics in production.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> For now I am building my own dashboards and try to better understand the magic behind Grafana.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The key is to collect the data in the right way. Specially bringing the Domino stats into the same metrics collector used by the OS makes statistics much easier to evaluate.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> One next step could be converting some Domino text statistic information into labels (e.g. 
the device names etc).</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> But it sounds like the platform stats (which are only collected once per minute by Domino) might not be as useful as the <strong>node_exporter</strong> native Linux stats.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Is anyone using Grafana today? What are your key metrics?</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> How did you build your integration to get the data out of Domino?<br /> <br /> I am loving my panel already and it brings up new ideas for checking my server. The drop of the SAI once in a while caught my interest ..<br /> <br /> <br /> --- Daniel</span><span style=" font-size:12pt"> <br /> <br /> <br /> </span><img alt="Image:Domino meets Grafana & Loki" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/domino-meets-grafana-loki.htm/content/M2?OpenElement" /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/domino-meets-grafana-loki.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/domino-meets-grafana-loki.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Quick look into SUSE Harvester</title>
<pubDate>Sat, 30 Mar 2024 11:57:34 +0200</pubDate>
<description>
<![CDATA[
Now that admins are looking for alternate solutions, I took a quick look at SUSE Harvester. A new Kubernetes based platform which leverages Linux native kernel virtualization (KVM) to run VMs in a cl ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm</link>
<category>SUSE Harvester</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">Now that admins are looking for alternate solutions, I took a quick look at SUSE Harvester.<br /> A new Kubernetes based platform which leverages Linux native kernel virtualization (KVM) to run VMs in a cluster.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">Harvester is "<em>Cloud-Native Hyperconverged Infrastructure</em>" available for free.<br /> "<em>Designed to help operators consolidate and simplify their virtual machine workloads alongside Kubernetes clusters, Harvester is the next generation of open-source hyperconverged infrastructure solution designed for modern cloud-native environments.</em>"</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> For details see </span><a href=https://www.suse.com/products/harvester/><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://www.suse.com/products/harvester/</span></a><span style=" font-size:10pt;font-family:sans-serif"><br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">Multiple admins pointed me to this solution in my blog and Discord. So I had a quick look.<br /> The installation is a piece of cake -- if you have sufficient resources.</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> </strong></span><span style=" font-size:12pt;font-family:sans-serif"><strong>Minimum system requirements</strong></span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> The minimum requirements are 32 GB RAM, 8 CPU cores and 250 GB disk -- and they really mean it!<br /> I set it up on my Proxmox host with 4 CPU cores and 20 GB RAM.<br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">RAM wasn't an issue, but already in idle without any VMs running my CPUs are <u>40% busy</u>!<br /> Most RAM was still used for file system cache. 
So there wasn't a high use by Harvester.<br /> But the Kubernetes back end needed quite some CPU resources.<br /> <br /> This isn't new to me. Other platforms like Red Hat OpenShift have similar behavior.<br /> The management of the environment for flexibility, scaling and high availability in a cluster has its costs.<br /> And this wasn't even a cluster with multiple hosts.. </span> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Setting it up and managing VMs</strong></span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">Installation was fully automatic and after a while and some 100% CPU load of my 4 CPU cores, I had my SUSE Harvester server.<br /> The interface really reminds me of the Rancher server -- which is neither a coincidence nor a surprise.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">I just installed a mini VM using Alpine Linux as you can see below.<br /> <br /> The whole experiment took me just an hour end to end. 
So getting it up and using it is quite simple.<br /> </span> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Conclusion</strong></span><span style=" font-size:10pt;font-family:sans-serif"><br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">SUSE Harvester really looks like a solid product, which might be a good option for the enterprise business.<br /> But it's not a platform I want to run at home in my environment.<br /> <br /> Other platforms like Proxmox are much more resource efficient and provide a lot more VM capabilities.<br /> I don't see that this can replace ESXi installations at home.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">My new favorite platform at home is and stays Proxmox.<br /> </span> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Harvester VM's console</strong></span> <br /> <br /><img alt="Image:Quick look into SUSE Harvester" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm/content/M2?OpenElement" /> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Harvester Web interface</strong></span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">The web interface pretty much looks like the Rancher interface.</span> <br /> <br /><img alt="Image:Quick look into SUSE Harvester" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm/content/M3?OpenElement" /> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Harvester CPU load on my Proxmox server</strong></span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> You can see that I got around 40% of CPU load on my 4 CPU cores even in idle.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">There was nothing else running on the Proxmox host at the same time.<br /> And you can see when I stopped the Harvester VM, the CPU dropped.</span> <br /> 
<br /><img alt="Image:Quick look into SUSE Harvester" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm/content/M4?OpenElement" /> <br /> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Harvester VM Top</strong></span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">A quick look into top on the Harvester host shows what keeps it busy. <br /> </span> <br /><img alt="Image:Quick look into SUSE Harvester" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm/content/M5?OpenElement" /> <br /> <br /> <br /><span style=" font-size:12pt;font-family:sans-serif"><strong>Alpine VM Top</strong></span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">Top in the Alpine Linux VM shows almost zero load.<br /> So the VM isn't keeping the machine busy at all.</span> <br /> <br /><img alt="Image:Quick look into SUSE Harvester" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm/content/M6?OpenElement" /> <br /> <br /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/quick-look-into-suse-harvester.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/quick-look-into-suse-harvester.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>SNMP with Domino on Docker</title>
<pubDate>Sat, 30 Mar 2024 09:26:08 +0200</pubDate>
<description>
<![CDATA[
Simple Network Management Protocol (SNMP) is a rarely used functionality in Domino, which has been implemented in Domino in the last century. But I got a request from a customer to get SNMP working ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/snmp-with-domino-on-docker.htm</link>
<category>SNMP</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/snmp-with-domino-on-docker.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/snmp-with-domino-on-docker.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> <br /> S</strong>imple <strong>N</strong>etwork <strong>M</strong>anagement <strong>P</strong>rotocol (SNMP) is a rarely used functionality in Domino, which has been implemented in Domino in the last century.<br /> But I got a request from a customer to get SNMP working with Domino in a container to monitor the server.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> On Kubernetes there are other ways to monitor servers. But for a stand-alone Docker host, SNMP could still make sense and can be implemented.</span><span style=" font-size:12pt"> </span><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> <br /> SNMP components involved</strong></span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> To understand how it works, it is good to understand all the components.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> <br /> SNMP Master Agent</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> SNMP uses a host level master SNMP agent <strong>"snmpd</strong>".<br /> The agent listens on port 161 UDP and is installed as a systemd service.<br /> <br /> On Redhat/CentOS based distributions the agent can be installed like this:</span><tt><span style=" font-size:10pt"><br /> <br /> dnf install -y net-snmp net-snmp-utils</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> systemctl enable --now snmpd</span></tt><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> On Ubuntu you need different package names:</span><tt><span style=" font-size:10pt"><br /> <br /> apt install -y snmpd snmp snmp-mibs-downloader</span></tt><span style=" font-size:12pt"> 
</span><tt><span style=" font-size:10pt"><br /> systemctl enable --now snmpd</span></tt><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> <br /> Domino SNMP Agent</strong><br /> <br /> Domino brings its own SNMP agent "<strong>lnsnmp</strong>", which needs to be started as <u>root</u> user as a systemd service.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Note: Domino does not ship with a service, but I added one to the Domino start script replacing older init.d scripts, which are not supported on newer Linux versions.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Domino Servertasks<br /> <br /> quryset</strong> and <strong>intrcpt</strong> are two servertasks working hand in hand with the Domino SNMP agent and implement the logic.<br /> You can enable debugging via notes.ini settings to see their details about SNMP processing on the Domino side:</span><tt><span style=" font-size:10pt"><br /> <br /> set config <strong>QS_DEBUG=255;/local/notesdata/debug-quryset.log</strong><br /> set config <strong>DEBUG_TRAP=255;/local/notesdata/debug-intercept.log</strong></span></tt><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> <br /> Communication among the components</strong></span><span style=" font-size:12pt"> <br /> <br /> </span> <ul> <li><span style=" font-size:10pt;font-family:sans-serif">The SNMP master agent is listening on UDP port 161<br /> <br /> </span> </li><li><span style=" font-size:10pt;font-family:sans-serif">The Domino SNMP agent communicates via SNMP on port UDP 161 with the master agent and registers itself<br /> It registers an AF_UNIX socket with the name <strong>/tmp/.esaMainProxy</strong> to communicate with the two servertasks</span><span style=" font-size:12pt"> <br /> <br /> </span> </li><li><span style=" font-size:10pt;font-family:sans-serif"><strong>quryset</strong> 
and <strong>intrcpt</strong> communicate with the Domino SNMP agent leveraging the socket</span></li></ul><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> <br /> Bringing SNMP into the container</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Basically there would be two approaches which would work.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The straightforward implementation is to copy the Domino SNMP files to the host and run the Domino SNMP service on the host.<br /> Then expose the UNIX socket to the container by mounting it as a volume via </span><tt><span style=" font-size:10pt;color:blue"><strong><br /> <br /> -v /tmp/.esaMainProxy:/tmp/.esaMainProxy</strong></span></tt><span style=" font-size:10pt;color:blue;font-family:sans-serif">.</span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Using this approach does not need any changes in the container image.<br /> The Domino server in the container just communicates thru the socket with the host level Domino SNMP agent, which talks directly to the SNMP master agent.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> <br /> --- <br /> <br /> The second approach is not recommended and I am describing it just for educational purposes.<br /> In theory the Domino SNMP agent could run as a daemon inside the container and would create the UNIX socket directly in the container to allow <strong>quryset</strong> and <strong>intrcpt</strong> to communicate with Domino SNMP.<br /> If running in network <strong>host mode</strong> the Domino SNMP agent does not need any further configuration to talk to the SNMP master agent.<br /> <br /> This approach would involve a process running as <u>root</u> inside the container. 
Domino could still start the SNMP agent in the background when the binary gets the SUID permissions set.<br /> With SUID the Domino SNMP agent would switch to the <strong>root</strong> user -- even if the container is started as the "<strong>notes</strong>" user.<br /> <br /> I have tested both approaches, but I don't think we want the SNMP agent to run inside the container.<br /> But if a customer would require this type of configuration, I could add a container build option for native SNMP support in the future.</span><span style=" font-size:12pt"> </span><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> <br /> Conclusion</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I personally don't think SNMP with Domino is used often. But it is good to have SNMP working for the Domino container image if needed.<br /> This short write up should also explain the communication among the components involved and might give you a better understanding of the SNMP agent.<br /> <br /> There are more modern monitoring options today. I would personally not favor SNMP in combination with Domino running in a container -- but it works.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Example: </span><tt><span style=" font-size:10pt"><br /> <br /> snmpwalk -m /opt/hcl/domino/notes/latest/linux/domino.mib -c public -v2c 127.0.0.1 lnServerName</span></tt><span style=" font-size:12pt"> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/snmp-with-domino-on-docker.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/snmp-with-domino-on-docker.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>HCL Verse 3.2.1 shipped and it has never been easier to download</title>
<pubDate>Thu, 28 Mar 2024 21:21:11 +0200</pubDate>
<description>
<![CDATA[
The HCL Domino Container project always uses the latest versions. The versions are added by a software.txt file. With the new My HCLSoftware portal and the automated Domino Download script on Linu ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/hcl-verse-3.2.1-shipped-and-it-has-never-been-easier-to-download.htm</link>
<category>Verse</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/hcl-verse-3.2.1-shipped-and-it-has-never-been-easier-to-download.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/hcl-verse-3.2.1-shipped-and-it-has-never-been-easier-to-download.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">The HCL Domino Container project always uses the latest versions.<br /> The versions are added by a <strong>software.txt</strong> file.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">With the new My HCLSoftware portal and the automated Domino Download script on Linux, I just go thru the menu, download the software and copy the meta data.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">From the meta data I create the entry in software.txt and initiate a build and automation test run, before publishing the new data.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">Here are the details about the release --> </span><a href="https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108589"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108589</span></a> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">-- Daniel</span> <br /> <br /><tt><span style=" font-size:10pt">--------------------------------------------------------------------------------</span></tt> <br /><tt><span style=" font-size:10pt">WebKit : HCL Verse 3.2.1 for Domino Multiplatform Multilingual</span></tt> <br /><tt><span style=" font-size:10pt">Name : HCL_Verse_3.2.1.zip</span></tt> <br /><tt><span style=" font-size:10pt">Version : 3.2.1</span></tt> <br /><tt><span style=" font-size:10pt">Platform : all</span></tt> <br /><tt><span style=" font-size:10pt">Size : 96439903</span></tt> <br /><tt><span style=" font-size:10pt">SHA256 : 87feda28be377b836d115c961b0ff6c76d9cc3bd2ada8c4baccead59cd5cc4dd</span></tt> <br /><tt><span style=" font-size:10pt">ID : Vt5jAKevMOoaTz4sPD8yT</span></tt> <br /><tt><span style=" font-size:10pt">Modified : 2024-03-28T00:00:00.000Z</span></tt> <br /><tt><span style=" 
font-size:10pt">--------------------------------------------------------------------------------</span></tt> <br /> <br /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/hcl-verse-3.2.1-shipped-and-it-has-never-been-easier-to-download.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/hcl-verse-3.2.1-shipped-and-it-has-never-been-easier-to-download.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Important: Domino ID Vault -- Don’t remove old servers if still referenced in user documents</title>
<pubDate>Tue, 26 Mar 2024 12:38:29 +0200</pubDate>
<description>
<![CDATA[
When you migrate to new servers, you have to be aware of the following limitation, which is documented in 12.0.2/14.0 but also affects older servers. To ensure you can recover all user.IDs make sure ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm</link>
<category>Domino</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:Arial"><br /> </span><span style=" font-size:10pt;font-family:sans-serif">When you migrate to new servers, you have to be aware of the following limitation, which is documented in 12.0.2/14.0 but also affects older servers.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">To ensure you can recover all user.IDs make sure the server document is still present and the server is still in the ID vault configuration. See the following warning in help and Kbase document.<br /> This is a recent update in documentation and I just sent it to a customer during a server upgrade/move workshop.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">-- Daniel</span> <br /> <br /><a href=https://help.hcltechsw.com/domino/14.0.0/admin/conf_addingorremovingidvaultservers_t.html><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://help.hcltechsw.com/domino/14.0.0/admin/conf_addingorremovingidvaultservers_t.html</span></a> <br /><a href="https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0082442"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0082442</span></a> <br /> <br /><img alt="Image:Important: Domino ID Vault -- Don’t remove old servers if still referenced in user documents" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm/content/M2?OpenElement" /> <br /> <br /> <br /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/important-domino-id-vault-dont-remove-old-servers-if-still-referenced-in-user-documents.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>HDMI Ghost seems to make my Intel NUC Proxmox server run better</title>
<pubDate>Mon, 25 Mar 2024 22:35:46 +0200</pubDate>
<description>
<![CDATA[
Looks like I might have found a solution for my stability issue and it seems to also lower the CPU consumption on my Intel NUC. I had some crashes/hangs I could not explain. There was no display con ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/hdmi-ghost-seems-to-make-my-intel-nuc-proxmox-server-run-better.htm</link>
<category>Proxmox</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/hdmi-ghost-seems-to-make-my-intel-nuc-proxmox-server-run-better.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/hdmi-ghost-seems-to-make-my-intel-nuc-proxmox-server-run-better.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">Looks like I might have found a solution for my stability issue and it seems to also lower the CPU consumption on my Intel NUC.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> I had some crashes/hangs I could not explain. There was no display connected to the machine and when it hung, adding a display did not lead to any prompt.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> After some research I found side comments about HDMI Ghost plug-ins which keep the GPU enabled and make Proxmox machines more stable.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> I ordered one over the weekend and today my Proxmox server seems to run better.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> The HDMI Ghost plug was about 5 Euro and might have solved my problem.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> I am still testing but it looks good so far.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Does anyone have similar experience? <br /> <br /> -- Daniel</span><span style=" font-size:12pt"> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/hdmi-ghost-seems-to-make-my-intel-nuc-proxmox-server-run-better.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/hdmi-ghost-seems-to-make-my-intel-nuc-proxmox-server-run-better.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Domino on Linux server.id with password</title>
<pubDate>Mon, 25 Mar 2024 22:34:01 +0200</pubDate>
<description>
<![CDATA[
This idea is in my head for a while and I wrote my own "nshvault" application to protect secrets of all kinds. For now it is my private project for my own environment, but it might be an official pro ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-on-linux-server.id-with-password.htm</link>
<category>Domino</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/domino-on-linux-server.id-with-password.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/domino-on-linux-server.id-with-password.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">This idea has been in my head for a while and I wrote my own "<strong>nshvault</strong>" application to protect secrets of all kinds.<br /> For now it is my private project for my own environment, but it might be an official project at some point.<br /> <br /> I can feed data into different applications like AWS client, SSH agents and unwrap secrets to be consumed over a FIFO (for example for NGINX).<br /> The data is encrypted at rest and can be wrapped into expiring temporary secrets, whose access tokens can be passed via environment variables (similar to what an SSH agent does).</span> <br /><span style=" font-size:10pt;font-family:sans-serif">In that context I also thought about Domino and built something separate, which would also work nicely with the nshvault idea.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif"><strong>Domino server.id password support</strong><br /> <br /> For Domino on Windows there is already Notes Shared Login (NSL).<br /> But for Domino on Linux there is no native solution available.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">So I wrote a small extension manager, which can feed the password from an external credential helper.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">The credential helper could be anything like my nshvault or any other secure application.<br /> You could even get passwords from a remote machine in your own network, to protect against running machines or copies of your machine somewhere else.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif"><strong>Here is the idea</strong></span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> Invoking another process with <strong>stdin</strong>, <strong>stdout</strong> and <strong>stderr</strong> connected to get the password from the external program.<br /> The external program can have the 
<strong>SUID</strong> permission set and run with a "<strong>vault</strong>" user. <br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">For now only <strong>stdout</strong> is actively used. But this could be extended to pass some security token or other additional information from the Domino server to the credential helper.</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> A password file could be encrypted and only readable by this helper program. But already writing it to a file, which only the vault user can read, would be sufficient protection in most environments.<br /> This helper application can also check who is calling it by checking the <strong>PPID</strong> and the calling binary via <strong>/proc/pid/exe</strong>.<br /> Only whitelisted binaries will receive the password.<br /> <br /> I wrote a first version over the weekend and I am not yet sure if I want to make it available for free. Or even open source it.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">Mid term a simple credential helper call-out would be great to have in standard Domino.</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> What do you think about this credential helper approach?</span> <br /><span style=" font-size:10pt;font-family:sans-serif"><br /> -- Daniel</span> <br /> <br /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/domino-on-linux-server.id-with-password.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/domino-on-linux-server.id-with-password.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Engage Session Highlight: Domino Containers - The Next Step</title>
<pubDate>Sun, 24 Mar 2024 12:17:21 +0200</pubDate>
<description>
<![CDATA[
Two years ago Martijn de Jong (a fellow HCL Ambassador) presented a great "Domino Docker" session. In the last two years a lot happened. Martijn's abstract is even missing some recent additions I kn ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/engage-session-highlight-domino-containers-the-next-step.htm</link>
<category>Domino Container</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/engage-session-highlight-domino-containers-the-next-step.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/engage-session-highlight-domino-containers-the-next-step.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> Two years ago Martijn de Jong (a fellow HCL Ambassador) presented a great "Domino Docker" session.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> In the last two years a lot happened. Martijn's abstract is even missing some recent additions I know he will cover.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> I just finished work on an automatic container environment preparation script, which will work on the major distributions to get ready for Domino containers.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> It's an early morning session. But if you are interested in Domino containers or if you are running Domino containers, this session is for you!</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> -- Daniel</span><span style=" font-size:12pt"> <br /> <br /> </span><img alt="Image:Engage Session Highlight: Domino Containers - The Next Step" border="0" src="https://blog.nashcom.de/nashcomblog.nsf/dx/engage-session-highlight-domino-containers-the-next-step.htm/content/M2?OpenElement" /><span style=" font-size:12pt"><br /> <br /> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> Ad10. Domino Containers - The Next Step</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Wednesday, April 24 | 08:00 - 08:45 | D. Schilderskamer</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> It's been two years since we called Domino containers ready for production use. 
In the meantime, a lot has happened in the Domino container project.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Automated downloads and an easy-to-use menu have made it easier than ever to create your own Domino container images, while automated testing during the image build process ensures that your image is working flawlessly before you deploy it.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Join this demo-rich session to learn how easy it is to use Domino containers in your environment and prepare to be WOW-ed!</span><span style=" font-size:12pt"> <br /> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/engage-session-highlight-domino-containers-the-next-step.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/engage-session-highlight-domino-containers-the-next-step.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Introducing the Domino One Touch Installer V2</title>
<pubDate>Sun, 24 Mar 2024 11:33:56 +0200</pubDate>
<description>
<![CDATA[
The Domino One Touch install was a small script I worked on for a DNUG workshop to quickly setup Domino servers. Now I am bringing the install script to a new level. I married the script with functi ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/introducing-the-domino-one-touch-installer-v2.htm</link>
<category>Domino</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/introducing-the-domino-one-touch-installer-v2.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/introducing-the-domino-one-touch-installer-v2.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> The Domino One Touch install was a small script I worked on for a DNUG workshop to quickly set up Domino servers. Now I am bringing the install script to a new level.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> I married the script with functionality from the Domino container project, where Domino is installed automatically when building a container image with all add-on software.<br /> Instead of rewriting the components I added a "<strong>-installnative</strong>" option to the container build script (build.sh) leveraging all the existing functionality.<br /> <br /> Now the <strong>install_domino.sh</strong> installs Domino using the build script from the container project with all add-on packages like Nomad, Verse RESTAPI, Language packs.<br /> In addition it automatically installs the Domino Download Script. It also understands options to configure the download script with a token.<br /> The script can be either invoked from cloned or downloaded and extracted GitHub repositories or it can be invoked with a curl download and shell redirection.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Here is an example, which automates all the steps. 
Once the script is done, you can run the "domino" script to setup and run the Domino server.</span><tt><span style=" font-size:11pt"><strong><br /> <br /> curl -sfL </strong></span></tt><a href="https://raw.githubusercontent.com/nashcom/domino-startscript/develop/install_domino.sh"><tt><span style=" font-size:11pt;color:blue"><strong><u>https://raw.githubusercontent.com/nashcom/domino-startscript/develop/install_domino.sh</u></strong></span></tt></a><tt><span style=" font-size:11pt"><strong> | INSTALL_OPTIONS="domino -verse -nomad" DOMDOWNLOAD_TOKEN=xyz bash -</strong></span></tt><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Installing Domino on a Linux machine now can be performed with a simple command-line.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Once installed, Domino can be started with the "domino" command, which by default now includes a setup and run-time menu as mentioned in a previous blog post.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><strong><br /> <br /> Current options passed via environment variables</strong></span><tt><span style=" font-size:10pt"><br /> <br /> INSTALL_OPTIONS="domino -verse -nomad"</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> DOMDOWNLOAD_TOKEN=xyz</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> DOMDOWNLOAD_CUSTOM_URL=</span></tt><a href=https://user:password@download.acme.com/><tt><span style=" font-size:10pt;color:blue"><u>https://user:password@download.acme.com</u></span></tt></a><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> LinuxYumUpdate=No</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> DOMINO_INSTALL_DATA_TAR=/local/HCLSoftware/domino_install_notesdata.taz</span></tt><span style=" 
font-size:12pt"> </span> <br /> <br /> <ul> <li><span style=" font-size:10pt;font-family:sans-serif">If no install options are passed, the menu is invoked.</span><span style=" font-size:12pt"> </span> </li><li><span style=" font-size:10pt;font-family:sans-serif">If no download token is specified and software packages are missing in <strong>/local/software</strong> or a specified remote location, the script prompts for a download token.</span><span style=" font-size:12pt"> </span> </li><li><span style=" font-size:10pt;font-family:sans-serif">You can also pass a URL to your own internal download server instead of the My HCLSoftware token as shown below</span></li></ul><span style=" font-size:10pt;font-family:sans-serif"><br /> The update is already in the develop branches of the two projects.<br /> <br /> -- Daniel</span><span style=" font-size:12pt"> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/introducing-the-domino-one-touch-installer-v2.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/introducing-the-domino-one-touch-installer-v2.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Replacing GNU Debugger with gdb-minimal package for Domino to avoid python dependencies</title>
<pubDate>Sun, 24 Mar 2024 10:56:01 +0200</pubDate>
<description>
<![CDATA[
Domino on Linux leverages the GNU debugger (gdb). Over time the project got a lot of extra dependencies. The container image moved from the full "gdb" packages to the "gdb-minimal" package a while a ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/replacing-gnu-debugger-with-gdb-minimal-package-for-domino.htm</link>
<category></category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/replacing-gnu-debugger-with-gdb-minimal-package-for-domino.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/replacing-gnu-debugger-with-gdb-minimal-package-for-domino.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> Domino on Linux leverages the GNU debugger (gdb). Over time the project got a lot of extra dependencies.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> The container image moved from the full "<strong>gdb</strong>" packages to the "<strong>gdb-minimal</strong>" package a while ago.<br /> <br /> The benefit is not only less storage, but it also comes with far fewer dependencies.<br /> For example python is a dependency for the full "gdb".<br /> <br /> If your Linux machine already has those packages installed, there is no difference.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> But if you are trying to reduce the packages installed and the exposure to CVEs, installing <strong>gdb-minimal</strong> would be a good idea.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> After you installed it, you also need to set a symbolic link to the original location where Domino's NSD expects it to be located.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> When you build the container image on a platform that does not have python installed, it will not be installed when building the container image.<br /> For example UBI minimal does not include it by default.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Example:</span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> yum install -y gdb-minimal</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> ln -s /usr/bin/gdb.minimal /usr/bin/gdb</span></tt><span style=" font-size:12pt"> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/replacing-gnu-debugger-with-gdb-minimal-package-for-domino.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/replacing-gnu-debugger-with-gdb-minimal-package-for-domino.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Creating Domino One Touch Setup JSON via Lotus Script</title>
<pubDate>Sun, 24 Mar 2024 09:05:41 +0200</pubDate>
<description>
<![CDATA[
The idea for Domino One Touch Setup (OTS) was born in the Domino Container Community project and HCL added a native implementation into Domino 12 available cross platform. The Domino container image ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/creating-domino-one-touch-setup-json-via-lotus-script.htm</link>
<category>OTS</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/creating-domino-one-touch-setup-json-via-lotus-script.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/creating-domino-one-touch-setup-json-via-lotus-script.htm</guid>
<content:encoded><![CDATA[ <br /><span style=" font-size:10pt;font-family:sans-serif">The idea for Domino One Touch Setup (OTS) was born in the Domino Container Community project and HCL added a native implementation into Domino 12 available cross platform.<br /> The Domino container image and also the Domino Start Script can consume it and ship with first and additional server OTS JSON files including prompting to replace placeholders.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">Beside the standard documentation there is a GitHub repository for examples and additional information -> </span><a href="https://github.com/HCL-TECH-SOFTWARE/domino-one-touch-setup"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://github.com/HCL-TECH-SOFTWARE/domino-one-touch-setup</span></a> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">The basic configuration isn't that complicated. But you can also use it to create databases from templates and add or update documents.</span> <br /><span style=" font-size:10pt;font-family:sans-serif">Generating JSON from existing documents might be quite time consuming.</span> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">I wrote Lotus Script code to convert documents into JSON and also a small routine to create the setup part of OTS.</span> <br /> <br /><a href="https://gist.github.com/Daniel-Nashed/a0a436e983d91e7c54388219045f39b0"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://gist.github.com/Daniel-Nashed/a0a436e983d91e7c54388219045f39b0</span></a> <br /> <br /><span style=" font-size:10pt;font-family:sans-serif">For now it is a simple script I added to a database where I dump documents I want to add to OTS.<br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">But in future we could make it a full application. 
<br /> <br /> What do you think?<br /> </span> <br /><span style=" font-size:10pt;font-family:sans-serif">-- Daniel</span> <br /> <br /> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/creating-domino-one-touch-setup-json-via-lotus-script.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/creating-domino-one-touch-setup-json-via-lotus-script.htm?opendocument&comments</wfw:comment>
</item>
<item>
<title>Building Images on Docker behind a proxy</title>
<pubDate>Sat, 23 Mar 2024 11:26:09 +0200</pubDate>
<description>
<![CDATA[
This challenge came up at a customer when building an image in a corporate environment. It can be quite tricky and the devil is in the detail. There are multiple layers where you need the proxy set: ...
]]>
</description>
<link>https://blog.nashcom.de/nashcomblog.nsf/dx/building-images-on-docker-behind-a-proxy.htm</link>
<category>Docker</category>
<dc:creator>Daniel Nashed</dc:creator>
<comments>https://blog.nashcom.de/nashcomblog.nsf/dx/building-images-on-docker-behind-a-proxy.htm?opendocument&comments</comments>
<guid isPermaLink="true">https://blog.nashcom.de/nashcomblog.nsf/dx/building-images-on-docker-behind-a-proxy.htm</guid>
<content:encoded><![CDATA[ <span style=" font-size:10pt;font-family:sans-serif"><br /> This challenge came up at a customer when building an image in a corporate environment. It can be quite tricky and the devil is in the detail.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> There are multiple layers where you need the proxy set:</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> 1. Docker needs to be able to pull images</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> 2. The container image build Linux needs to have access to a repository server to load new packages and update existing packages</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> If you have an internal repository server for Linux updates for the base image you choose, you want to point the image to that repository.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> In this case you might want to build your own base image containing the right repository URLs like you configure your normal Linux servers.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> But sometimes your host OS and the container image might differ and you want to pull the Linux packages from a trusted external resource.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> In some cases customers even restrict the target URLs on their proxy, which can be also problematic.<br /> But in this case your Squid proxy access.log or equivalent on your proxy is your friend.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Once you figured out where and how you get your base image and Linux 
updates, you can start setting the configuration.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> In my case I am using a Squid proxy for HTTP and HTTPS requests.</span><span style=" font-size:12pt"> <br /> </span><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> Configure proxy on Docker host</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Once Docker has a proxy setting, it will pass the proxy to the container during build via environment variables.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Those settings are picked up by your build container.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> For local connections I had to modify the build logic to exclude the NGINX local hosting IP, which would have gone through the proxy too.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> Curl in the currently used versions in most distributions does not yet allow excluding IP ranges.<br /> Therefore I am excluding the IP address of the NGINX container only.</span><span style=" font-size:12pt"> <br /> </span><tt><span style=" font-size:10pt"><strong><br /> <br /> vi /usr/lib/systemd/system/docker.service</strong></span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> ---</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> Environment=https_proxy=</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> Environment=http_proxy=</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" 
font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> systemctl daemon-reload</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> systemctl restart docker</span></tt><span style=" font-size:12pt"> <br /> </span><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> Configure proxy on Docker client</strong></span><span style=" font-size:12pt"> <br /> </span><tt><span style=" font-size:10pt"><strong><br /> <br /> mkdir ~/.docker</strong></span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><strong><br /> vi ~/.docker/config.json</strong></span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> ---</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> {</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> "proxies": {</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> "default": {</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> "httpProxy": "</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><tt><span style=" font-size:10pt">",</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> "httpsProxy": "</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><tt><span style=" font-size:10pt">"</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> }</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> }</span></tt><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> }</span></tt><span 
style=" font-size:12pt"> <br /> </span><span style=" font-size:12pt;font-family:sans-serif"><strong><br /> <br /> Configure proxy for your current session for curl, git and other operations</strong></span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br /> <br /> Usually the proxy should be already set on OS level.<br /> But if it is not generally set, you can export the proxy using environment variables in your current session.</span><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> <br /> export https_proxy=</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><span style=" font-size:12pt"> </span><tt><span style=" font-size:10pt"><br /> export http_proxy=</span></tt><a href=http://192.168.96.99:3128/><tt><span style=" font-size:10pt;color:blue"><u>http://192.168.96.99:3128</u></span></tt></a><span style=" font-size:12pt"> <br /> </span><span style=" font-size:10pt;font-family:Arial"><br /> <br /> This last step might not be needed for a Docker build, but would be useful for curl and other operations.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> Your admin might have already globally set the proxy in your environment.</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> Otherwise, pulling Linux updates or installing packages on your host also needs the proxy (unless you configured a local repo cache).</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:Arial"><br /> <br /> The proxy would be also used by your Git client to pull updates from GitHub.</span><span style=" font-size:12pt"> <br /> <br /> </span> ]]></content:encoded>
<wfw:commentRss> https://blog.nashcom.de/nashcomblog.nsf/dxcomments/building-images-on-docker-behind-a-proxy.htm</wfw:commentRss>
<wfw:comment> https://blog.nashcom.de/nashcomblog.nsf/dx/building-images-on-docker-behind-a-proxy.htm?opendocument&comments</wfw:comment>
</item>
</channel></rss>