Unsurprisingly my adventure in containers failed. Again.

I can’t catch a break.

2018-05-28 07:31:48 > [Sun May 27 23:31:46.625718 2018] [core:crit] [pid 17] (13)Permission denied: [client A.B.C.D:34944] AH00529: /var/www/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/' is executable
2018-05-28 07:31:48 > A.B.C.D - - [27/May/2018:23:31:46 +0000] "GET /wordpress/category/japanese-software/ HTTP/1.1" 403 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
2018-05-28 07:31:48 > [Sun May 27 23:31:46.742137 2018] [core:crit] [pid 18] (13)Permission denied: [client A.B.C.D:34950] AH00529: /var/www/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/' is executable
2018-05-28 07:31:48 > A.B.C.D - - [27/May/2018:23:31:46 +0000] "GET /feed/ HTTP/1.1" 403 538 "-" "Tiny Tiny RSS/17.12 (4fa64e8) (http://tt-rss.org/)"
2018-05-28 07:31:48 > [Sun May 27 23:31:48.249140 2018] [core:crit] [pid 19] (13)Permission denied: [client A.B.C.D:35034] AH00529: /var/www/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/' is executable
2018-05-28 07:31:48 > A.B.C.D - - [27/May/2018:23:31:48 +0000] "GET /2014/05/ HTTP/1.1" 403 541 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"

Or even later on, trying to restart the container:
2018-05-28 20:20:34 > Starting task neozeed-blog_webserver_web1.828b8c42-6271-11e8-bbc7-c22eda63b1bd
2018-05-28 20:20:37 > docker: Error response from daemon: VolumeDriver.Mount: {"Error":"open /dev/scinia: invalid argument"}.
2018-05-28 20:20:37 > See 'docker run --help'.
2018-05-28 20:20:46 > Starting task neozeed-blog_webserver_web1.8ae12f33-6271-11e8-bbc7-c22eda63b1bd

I swear this is such a crappy year for hosting…. I guess we’ll see how long this one lasts, lol

So here we go again.

Docker is going nuts after I had to reboot for some ‘critical’ update for something else.

Looks like it’s going crazy regarding ARP:

07:27:18.632243 ARP, Request who-has 172.17.0.4 tell 172.17.0.2, length 28
07:27:18.632275 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:02, length 28

Of course the weird thing is that 172.17.0.2 doesn’t need to talk to 172.17.0.4 at all.

I keep getting this on the db server:

2018-04-11 9:11:30 139923730724608 [Warning] Aborted connection 4226 to db: 'virtuall_wp152' user: 'root' host: '172.17.0.3' (Got timeout reading communication packets)

which of course is up the entire time. Restarting either the web server or the db server only brings the site up for seconds at a time.

So while I move stuff around, and get ready for a re-install of my base OS, as I can’t seem to figure out why the bridge has freaked out, if you can read this, then the sloppy.io container thing is actually working.  And at least on the surface, moving container persistent storage, along with a DNS update looks pretty quick.

1.1.1.1

So cloudflare decided to launch their own DNS, on 1.1.1.1 and 1.0.0.1 .  Apparently in a bid to fix global censorship.  I’m on the road, out of China right now, so I can’t test at the moment, but later in the week I’ll be back, and check out how the Great Firewall handles it.

I’m guessing this is another bid to increase their case for being a content neutral safe harbour, although their CEO personally screwed that up last year showing that they can and will police content when it suits them….  Talk about oops.

As always that is the consequence of speech, some people are really secret assholes.  Although by trying to go all cultural revolution on them, you end up not only making them martyrs, but also proving that they cannot be countered with words, but only through censorship.

This to me is the scary consequence of everything being commercial, and the right of free association.  Even some moron who thinks the moon is made of cheese can still get mail delivery, but will they be able to work, open a bank account, get internet, or even get food?

In other news, dumping Facebook drops cortisol levels after 5 days.  Turns out that hippy paradise of everyone being able to instantly communicate and share is actually a living hell.

Dump Facebook, hit the gym, get a life.

“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” — Ferris

Happy April fool’s day.

Update, turns out the DNS works from China.  Naturally none of the sites load.


$ nslookup
> www.google.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: www.google.com
Address: 69.63.180.173
> youtube.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: youtube.com
Address: 203.98.7.65
>

Fun with Docker

Well it’s not really all that fun.

SO… in the start of the year I had decided I didn’t want to play site admin all day, and went to a hosted platform.  Things went well for a few months, then things didn’t go well with constant database issues.

Then we went down hard for over 24 hours.  I was going to move back, but then everything started to work again.  But things had been spiraling down to unusability again.

So instead of just making a big VM like I had done before, I thought I’d try using Docker to host my website, with a few containers, namely each tier separate.

And oh boy does everyone love edge case docker stuff, but when it comes to actually moving something *INTO* docker, it’s basically you’re on your own.

So yes, the http-https redirect is broken. My categories are all missing. Lots of stuff is busted.  And the supergloblamegacorp.com redirect stuff is missing. I’ll have to re-create that one after I get more stuff sorted out.

I haven’t given up yet…

Half of the fun was setting up the haproxy container, which in itself wasn’t so bad, although sometimes it wouldn’t pick up any config file changes, so I had to destroy it a few times, but naturally once I asked someone to look, it was working fine.

So for the hell of it, here is my haproxy.cfg

global
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    http-request set-header Host virtuallyfun.com if { hdr(host) -i virtuallyfun.superglobalmegacorp.com }
    http-request set-header Host virtuallyfun.com if { hdr(host) -i superglobalmegacorp.com }
    redirect scheme https code 301 if !{ ssl_fc }
    mode http
    acl host_virtuallyfun hdr(host) -i virtuallyfun.com
    acl host_virtuallyfun hdr(host) -i virtuallyfun.superglobalmegacorp.com
    acl host_virtuallyfun hdr(host) -i superglobalmegacorp.com
    use_backend virtuallyfun if host_virtuallyfun

backend virtuallyfun
    balance leastconn
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    server node1 172.17.0.3:80

I wanted to use Let’s Encrypt to ‘secure’ access to the domains I have, and running the certbot manually…. in a ‘dry run’ I always got this fun and informative error:

NewIdentifier : ACMESharp.AcmeClient+AcmeWebException: Unexpected error
+Response from server:
+  Code: BadRequest
+  Content: {
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: DNS name does not have enough labels",
  "status": 400
}

Which of course got me absolutely nowhere searching.  I thought it may be docker screwing things up, so I shut it down, fired up an old-fashioned standalone copy of Apache, and ran the following:

certbot certonly --dry-run --non-interactive --register-unsafely-without-email --agree-tos --expand --webroot --webroot-path /docker/wordpress/html --domain virtuallyfun.com --domain virtuallyfun.superglobalmegacorp.com --domain superglobalmegacorp.com

And get the same result.

I get to the point of absolute frustration, and just decide to forget the dry run altogether, as I know I can run it at least 5 times a day before I get banned for a while, but maybe I’ll get something more useful.

# certbot certonly --non-interactive --register-unsafely-without-email --agree-tos --expand --webroot --webroot-path /var/www/html --domain virtuallyfun.com --domain virtuallyfun.superglobalmegacorp.com --domain superglobalmegacorp.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for virtuallyfun.com
http-01 challenge for virtuallyfun.superglobalmegacorp.com
http-01 challenge for superglobalmegacorp.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/virtuallyfun.com/fullchain.pem. Your cert
   will expire on 2018-06-26. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Except it actually worked.

Creating the needed haproxy.pem is as simple as:

cd /etc/letsencrypt/live/virtuallyfun.com/
cat fullchain.pem privkey.pem > /docker/haproxy.pem

That puts the needed key in the same file as the certs.  Naturally when this expires I’ll have to scramble to figure out how I did this.
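Since the bundle will have to be rebuilt every time certbot renews, here is the two-line cat above turned into a small script that does what I would want it to do on renewal day. This is an added example, not part of the original post: it refuses to write the bundle if privkey.pem does not belong to the leaf cert in fullchain.pem (the usual way to wedge haproxy after a botched renewal), writes the file with mode 0600 because it contains the private key, and can warn when the cert is about to expire. The function names and the 14-day warning threshold are my own choices; the paths are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the HAProxy cert+key
# bundle from a certbot live directory, safely.
#
# Usage: sh make-haproxy-pem.sh /etc/letsencrypt/live/virtuallyfun.com /docker/haproxy.pem

# make_haproxy_pem LIVE_DIR OUT_FILE
#   Concatenates fullchain.pem and privkey.pem into OUT_FILE (mode 0600),
#   but only after checking that the key's public half equals the public
#   key inside the leaf certificate.
make_haproxy_pem() {
    live_dir="$1"
    out="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live_dir/$f" ] || { echo "cannot read $live_dir/$f" >&2; return 1; }
    done
    # openssl x509 reads only the first (leaf) certificate of fullchain.pem
    cert_pub=$(openssl x509 -in "$live_dir/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$live_dir/privkey.pem" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the certificate in $live_dir" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller; the
    # bundle holds the private key and must not be world-readable.
    ( umask 077 && cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out" ) || return 1
    echo "wrote $out"
}

# cert_valid_for_days BUNDLE DAYS
#   Succeeds if the certificate in BUNDLE is still valid DAYS days from now
#   (openssl's -checkend). Handy in a cron job to warn before a scramble.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ $# -eq 2 ]; then
    make_haproxy_pem "$1" "$2" || exit 1
    cert_valid_for_days "$2" 14 || echo "warning: $2 expires within 14 days" >&2
fi
```

After writing the bundle haproxy still has to be reloaded (or the container restarted) to pick up the new certificate; a certbot `--deploy-hook` pointing at this script is a reasonable place to do both.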

Managing docker is fun as well. I went ahead and tried out portainer.io, which naturally deploys as a container.  And it can manage remote servers, which I thought was a plus as that means I could deploy it in my office, then simply connect to my server.  But that is where I found out that the config files for Debian are hard coded to always listen on a local socket, which breaks setting the proper JSON file to tell it to listen on both the socket and TCP/IP.  So just edit /etc/systemd/system/docker.service.d/docker.conf and either hard code it all there, or remove it from there and place it in /etc/docker/daemon.json
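For anyone about to do the same thing, here is the combination that actually starts, written up as an added example rather than anything from the post or from Docker's own packaging: the listen addresses go in /etc/docker/daemon.json, and a systemd drop-in clears the packaged ExecStart (which passes -H fd:// on the command line; dockerd refuses to start when hosts are given both as a flag and in daemon.json). The TCP listener is set to require client certificates, because an unauthenticated dockerd on TCP is root on the host for anyone who can reach the port. The certificate file names are assumptions; they have to be created first. The grep-based check at the end is a deliberately coarse sanity test, not a JSON parser.

```shell
#!/bin/sh
# Added example (not from the original post): write a Docker daemon
# configuration that listens on the local socket and on TCP with mutual TLS.
# Cert paths are assumptions; generate the CA, server and client certs first.
#
# Usage: write_docker_remote_config [PREFIX]
#   PREFIX is prepended to every path (empty = the real / filesystem).

write_docker_remote_config() {
    prefix="${1:-}"
    conf_dir="$prefix/etc/docker"
    unit_dir="$prefix/etc/systemd/system/docker.service.d"
    mkdir -p "$conf_dir" "$unit_dir"

    # Listening endpoints live in daemon.json. 2376 is the conventional TLS
    # port; tlsverify makes dockerd demand a client cert signed by the CA.
    cat > "$conf_dir/daemon.json" <<'EOF'
{
  "hosts": ["fd://", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

    # The packaged unit starts dockerd with -H fd://. A host list given both
    # on the command line and in daemon.json is a hard error, so the drop-in
    # empties ExecStart and restarts dockerd with no -H flag at all.
    cat > "$unit_dir/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
    echo "$conf_dir/daemon.json $unit_dir/override.conf"
}

# daemon_json_is_safe FILE
#   Coarse check: fails if FILE opens a tcp:// listener without tlsverify.
daemon_json_is_safe() {
    if grep -q 'tcp://' "$1" && ! grep -q '"tlsverify": *true' "$1"; then
        echo "$1 exposes TCP without TLS client verification" >&2
        return 1
    fi
    return 0
}
```

After running it on the real filesystem, `systemctl daemon-reload` followed by `systemctl restart docker` applies the change; the portainer side then connects with the matching client cert and key instead of a bare tcp:// URL.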

As always documentation is conflicting and all over the place.

My current feelings about docker…

Crimson Editor and Metapad for Alpha AXP NT

(This is a guest post by Antoni Sawicki aka Tenox)

I was doing some work on my Alpha AXP with Windows NT and needed a decent text editor. I realized there wasn’t really anything beyond Notepad, until now, that is.

Crimson Editor for Windows NT AXP

http://www.tenox.net/get/cedt-ntaxp.zip

Metapad for Windows NT AXP

http://www.tenox.net/get/metapad-ntaxp.zip


Enjoy

Calamus for Windows NT RISC

(This is a guest blog post by Antoni Sawicki aka Tenox)

A Christmas gift for those who run Windows NT on Alpha AXP, MIPS or PowerPC. These ports of Windows are really lacking some good applications. Yes, there are utilities and games, Alpha even has Microsoft Word, Excel and Oracle DB, but apart from that there are just no serious apps available.

Calamus is a professional DTP (Desktop Publishing) software. It’s still actively developed and sold by German company Invers. If you want to play around with the latest version you can download a 30 day trial and even purchase the Lite version for 99 Euro on calamus.net. There are versions for Windows, Mac and Atari ST.

Atari ST?! Well yes, the original Calamus was born some 30 years ago on the Atari ST:

I had the pleasure of using Calamus professionally on the Atari for several years in the early 90s. At a time when a 486 could have at most 64MB RAM and 640×480 VGA, a high end Atari TT packed a 256MB Magnum card and a 1280×1024 framebuffer, and it was much cheaper than a Mac. The memory and high resolution displays were really needed to process large images and complex page layouts.  You can read more about my Atari TT restoration efforts.

In the mid ’90s DMC decided to port Calamus to Windows in order to expand to other hardware platforms. An interesting fact is that the port isn’t really a full source code rewrite, which would be impossible due to the codebase size. Even though Calamus has a 100% native Windows GUI and a lot of functionality has been rewritten, inside the software lives a small embedded Atari ST emulator that does on-the-fly translation of some of the Atari/m68k ABI. You can read a bit about it here.

Calamus on Windows NT Alpha AXP

At the time of the port, Windows NT was still being actively developed on RISC platforms, so thankfully Calamus has been compiled on all of the available NT CPUs. Alpha version was probably the most popular choice because of performance. High end Alphas were the fastest machines capable of running Windows among all hardware. When publishing firms were thinking about upgrades they naturally looked at DEC as a first choice as regular PCs weren’t powerful enough.

And this is how I finally found a copy of Calamus NT with support for RISC CPUs. It took me quite a lot of time and resources to track down and obtain a copy of the surviving media from the owner of a publishing studio. This is how it looks when you first install it:

Calamus NT Install Wizard

Note that there were separate builds for 386/485 and Pentium CPUs. Also as you can see the disk contains a demo version, which Santa is now delivering to you. This is a fully functional trial that expires after some time. If you ever lacked serious apps for your RISC NT machine, you can now play with one! The demo version is distributed with permission of Invers Software.

If you don’t have one of these machines you can still run Windows NT MIPS on Qemu:

Calamus on Windows NT MIPS

And finally to the goods. You can download the following files:

Calamus NT v1.5 DEMO for DEC Alpha AXP

Calamus NT v1.5 DEMO for MIPS

Calamus NT v1.5 DEMO for PowerPC

386 and Pentium builds are not available. Please do not ask. For Intel build download the latest version from Invers Software.