Simple syslog setup for Docker

There are a lot of complex posts about logging from Docker containers – but there is a much simpler way.

On Linux, your syslog daemon, be it rsyslog, syslog-ng or the original bsd syslog, accepts messages via the /dev/log socket file.

If you want your app running inside your container to deliver log messages to the syslog daemon running on your host, just share /dev/log as a volume:

docker run -v /dev/log:/dev/log YOUR_IMAGE

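And all messages sent to syslog inside your container will be sent to your main syslog daemon. Processes in the container can then write to the host's log under any tag and facility they choose, so label or filter those messages on the host if the container is less trusted than the host.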


List of Hexadecimal Baby Names

For prospective geek parents, here is the list of baby names that only contain the letters A B C D E F:

Ada
Becca
Bea
Eda
Fae
Cadee
Abcde
Dea
Febe
Bae
Edda
Adea
Dae
Bebe
Cece
Ebba
Edee
Cade
Ace
Abe
Dade
Efe
Dace
Dee
Cabe
Cace
Ab
Abba
Ed
Ac
Acea
Abed
Bae
Ebaad
Ebba

There are at least five kids born in the USA in 2013 who have these names, according to the SSA: http://www.ssa.gov/oact/babynames/limits.html

If you want leet-speak names, there are 120 of them:

Ad4
Abb13
Add13
A1d4
Ed13
Ac4c14
B3cc4
A01f3
B0bb13
C0c0
D14
B0bb1
Ac4d14
Ad14
Eff13
Abb1
A1d3
Ad1
C414
D3bb13
B0
C0d1
Add1
B34
Ed4
F14
C41
C0b13
C0d13
F43
C4d33
Ab1
Af14
Abcd3
C4d13
A1d33
C1c1
D34
Ab14
A01
D4c14
D4c13
A1
F3b3
B43
Edd4
Ad34
B1b1
B03
C3c14
C0b1
D43
A4d1
Ab1d4
Ad41
Ad1b4
B3b3
C3c3
D044
Ac13
Ad13
A14
C0d4
C0d33
D4c1
Ebb4
Ed33
Ed1
C4d3
Ac3
Edd13
B0
B0d13
B0d3
A4d1
Ab3
C41
F4b10
B03
C0d4
C410
D4d3
Ad1
B0d33
C0b3
Abd1
B0b
B40
B0d1
Ef3
C0d1
F4d1
D4c3
C0d13
D33
C0b1
C0b13
D0c
Ab1d
C4b3
C4c3
Ab
Abb4
C41d3
D30
Ed
Ac
Ac34
Ac13
Ad1b
C1d
C03
D10
Ed1
Ab3d
B43
C01
D4c0d4
Eb44d
Ebb4


Docker search images and tags in private registry

Here is how you can get a list of all docker images and all tags for each docker image using curl.

Docker as of 1.1.2 hasn’t yet implemented searching in private registries, although docker-registry supports it.

To list all images in a registry:

curl https://your.docker.server/v1/search

To list all tags for a given image in a registry:

curl https://your.docker.server/v1/repositories/YOUR_IMAGE/tags

H/T to sontags: private registry search


Docker private registry Error: certificate signed by unknown authority

Docker supports private registries and there are a few writeups on how to set up a private Docker registry.

You can switch docker to use your local registry with the “docker login” command:

docker login -u httpuser -p httppassword -e [email protected] https://docker.yourcompany.com

Since you run a private registry you most likely use a self-signed certificate. Docker insists on checking your certificate against a Certificate Authority.

If you are used to OpenSSL, have put your CA certificate in /etc/ssl/certs and created a hash link, and it still doesn’t work, here is the solution:

Docker is written in Go, and Go looks up the CA certificates in the following files:

    /etc/ssl/certs/ca-certificates.crt
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/ssl/ca-bundle.pem
    /etc/ssl/cert.pem
    /usr/local/share/certs/ca-root-nss.crt

Go crypto source reference

You have to append your CA certificate to one of those files as well.

H/T to Jérôme Petazzoni
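
One way to do the append described above, as an added example that is not from the original post: it picks the first of the listed bundle files that exists, appends the CA certificate only if it is not already there, and keeps a backup. The function names and the ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: names and the ROOT argument are assumptions, not Docker's own.
# Bundle paths from the list above, in the order given.
CA_BUNDLES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt"

# Print the first bundle that exists under ROOT ("" means the live system).
find_ca_bundle() {
    root=$1
    for f in $CA_BUNDLES; do
        if [ -f "$root$f" ]; then
            printf '%s\n' "$root$f"
            return 0
        fi
    done
    return 1
}

# Join a PEM file's base64 lines into one string so bodies can be compared.
pem_body() {
    grep -v -- '-----' "$1" | tr -d ' \r\n'
}

# Append the certificate in CA to BUNDLE unless its body is already present.
# Returns 0 if trusted afterwards, 2 if CA holds no PEM certificate.
append_ca() {
    ca=$1
    bundle=$2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 2
    body=$(pem_body "$ca")
    [ -n "$body" ] || return 2
    if pem_body "$bundle" | grep -qF -- "$body"; then
        return 0                      # already in the bundle, nothing to do
    fi
    cp -p "$bundle" "$bundle.bak"     # keep the previous bundle for rollback
    { echo; cat "$ca"; } >> "$bundle"
}
```

Run `append_ca /path/to/your-ca.crt "$(find_ca_bundle "")"` as root (the certificate path is a placeholder), then restart the Docker daemon, since Go reads the system bundle once per process. On Debian and Ubuntu, update-ca-certificates regenerates /etc/ssl/certs/ca-certificates.crt, so a manual append to that file is lost the next time it runs.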


Time does change

Time does change. Our common (civil) time is defined as a full rotation of our planet relative to our sun, but Earth wobbles a bit so every day is a little bit longer or shorter, and we are generally slowing down, ever so slowly.

The International Earth Rotation and Reference Systems Service publishes the Earth’s daily rotation speeds, and they decide when we should have leap seconds snuck into the official clocks of the world to account for the wobbliness.

If you want to learn more about leap seconds, there is a great article about them here: http://queue.acm.org/detail.cfm?id=1967009

Amazon VPN and Broken Pipe errors

I run a VPC on Amazon and have a VPN connection to my office network using a Cisco ASA firewall.  My team keeps getting their SSH connections dropped with “Write failed: Broken pipe” at quite frequent intervals.  Since this doesn’t happen when we connect directly to VPC instances, I set out to investigate.

Helpful commands:

debug crypto condition peer IPADDRESS <- limit your crypto debug output to a given vpn endpoint

debug crypto ipsec 7

debug crypto isakmp 7

I found that the Amazon Virtual Private Gateway frequently doesn’t answer the dead peer detection queries!  Cisco decides to terminate the VPN session with “Lost Service”, and starts a new session.  If you see “Received encrypted packet with no matching SA, dropping” in your ASA logs, this could also be the culprit.

Put “isakmp keepalive disable” in your tunnel-group config and see if it fixes your issue.  You will have to reset your connection.

NOTE: On the Cisco ASA, keepalives are enabled by default. If you don’t have “isakmp keepalive disable” in your config, the default settings will be in effect, which is threshold 10 retry 2.


NoSQL in PostgreSQL

If you like your database loosely defined, take a look at PostgreSQL’s hstore module, starting around version 8.3:

http://www.postgresql.org/docs/8.3/static/hstore.html

After enabling this module, you can add an “hstore” type column to your table, then store any number of key/value pairs in that column, as long as each key and each value is smaller than 64k.

This in itself is not that big of a deal; you have always been able to store stuff in columns, but hstore allows searching on keys!


Practice losing fast

Matt Ringel (@ringel) says this frequently about Go: “lose your first 3,000 games as fast as you can.” You learn a lot from your failures. If you take this literally, the Android app Hactar Go Lite is a perfect way to learn Go.

Hactar starts you out with simple Go problems and as you find your own solutions it lets you advance gradually. By the time you finish all the problems you will have developed your own strategy and what’s equally important you will recognize an unwinnable situation early on! Because knowing when to stop doing something is key to overall success.

Now apply this thought to other areas of your life. Is this relevant anywhere else?
