Tag: #Docker

Unexpected Changes Are Common For Most IT Teams

Lorin Olsen
Nginx Raided

When is it time to consider your next infrastructure change? Sometimes, you have a chance to plan for such changes. Other times, the imperative of such a change may be thrust upon you. While never welcome, unexpected changes are a normal part of the IT experience. But how many of us have had to deal with intellectual property issues that resulted in a police raid?

Last month, we learned that Russian authorities raided the Moscow offices of Nginx. Apparently, another Russian company (i.e., the Rambler Group) claimed that the intellectual property behind nginix belongs to them. So while hundreds of thousands of sites have been using nginx under the apparent misconception that nginx was open source, the Russian police have played a trump card on all of us. Whether the code belongs to Rambler or to Nginx/F5 is unclear. But what is known is altogether clear and inescapable: the long-term future of nginx is now in jeopardy.

The Search For Alternatives

Whenever I’m confronted with any kind of unexpected change, I start to perform my normal analysis: identification of the problem, validation of the inherency / causality of the problem, and an assessment of all of the alternatives. In this case, the political instability of another country has resulted in a dramatically increased risk to the core infrastructure of many of our clients. The long-term consequences of these risks could be dramatic. Fortunately, a number of alternatives are available.

First, you could always stand pat and wait to see what happens. After all, it costs little (or nothing) to keep the code running. And this raid may just be a tempest in a tea cup. The code is still available. And people could certainly fork the code and extend the current code based upon an established baseline. Unfortunately, this alternative probably won’t address the core problem: IP litigation can take a long time to determine final outcomes. And international litigation can take even longer. So the probability that the current code base (and any derivatives) could be in sustained jeopardy is relatively high. And while people are fighting over ownership, very few new developers will stake their reputation on an shaky foundation. So the safe bet is that the nginx code base will remain static for the foreseeable future.

Second, you could build your own solution. You and your team could take it upon yourselves to construct a purpose-built reverse proxy. Such an effort would result in a solution that meets all of your organization’s needs. Of course, it can be an unnecessarily expensive venture that might (or might not) deliver a solution when you need one. And if you need a solution right now, then building your own solution is probably out of the question.

Nevertheless, you could always speed up the process by hiring an “expert” to code a solution to your specific needs. Again, this will take time. Realistically, building a custom solution is only necessary if you want to maintain a competitive advantage over other people and organizations. So if you need something that is generic and that already exists in the market, then building it makes little (or no) sense.

Third, you could assay the field and determine if an alternative already exists. And in the case of reverse proxies, there are several alternatives that you could consider. And the most notable of these alternative is the traefik (pronounce traffic) reverse proxy.

Like nginx, traefik can (and usually is) implemented as a micro-service. It is available on GitHub and it can be downloaded (and run) from Docker Hub (https://hub.docker.com). We’ve been eyeing traefik for quite some time now. It has been gaining some serious traction both for personal use and for commercial uses. Consequently, traefik has been in our roadmap as a possible future path.

What We’re Building

Once the news broke concerning the raid on the Moscow offices of Nginx, we decided to build some prototypes using traefik. Like many other groups, we were using nginx. And like many other groups, we wanted to get ahead of the wave and start our own migration to traefik. So over the past few days, we’ve worked with the code and put together a few prototypes for its use.

Our first prototypical implementation is of a home entertainment complex. We mashed together Plex, LetsEncrypt, MariaDB, and a few other containers to build a nifty little home entertainment complex. We build a variation of this using Jellyfin – if you don’t want to support the closed source Plex code base.

While that prototype was fun, we only learned so much from its assembly. So we decided to build a Nextcloud-based document repository. This document server uses traefik, nextcloud, postgresql, redis, and a bitwarden_rs instance. The result is something that we are labeling the LoboStrategies Document repository (i.e., the LSD repo). And yes, we do think that it is trippy.

Bottom Line

Change is fun. And when you are planning the changes, you can mix vision and fun into something marvelous. But sometimes, you are forced to respond to unexpected changes. In our case, we knew that a micro-services application router was needed. And we always knew that traefik could very well be the future code base for some of our products/designs. But when Rambler Group (and the Moscow police) threatened nginx, we were already a few steps ahead. So we simply accelerated some of our plans.

The key takeaway for us was that we had already put together a strategy. So we simply needed to build the tactical plan that implemented our vision. Because we had a long-range strategy, we were able to be far more nimble when the storm clouds came upon us.

Wire-to-Wire Technology Adoption Isn’t The Only Option

Lorin Olsen
The winner surges at the right time.
The Winner Surges At The Right Time

The annual “Run For The Roses” horse race has been held since 1875. In that time, there have been only 22 wire-to-wire race leaders/winners. Indeed, simple statistics favor the jockey and horse who can seize the lead at the right moment. For the strongest horses, that may be the start. But for most horses, the jockey will launch his steed forward when it best suits the horse and its racing profile. This simple (and complicated) approach is also true for technology adoption.

Docker And Early Technology Adoption

Five years ago, Docker exploded onto the IT scene. Originally, Docker was being adopted exclusively by tech savvy companies. And some of these early adopters have taken keen advantage of their foresight. But like horses that leap too soon, many companies have already flashed into existence – and then been extinguished by an inability to deliver on their promised value.

Docker adoption has moved from large enterprises to the boutique service industry.

Now that Docker is over five years old, how many companies are adopting it? According to some surveys, Docker use in the marketplace is substantially over 25%. And I would be willing to bet that if you include businesses playing with Docker, then the number is probably more than 40%. But when you consider that five years is a normal budget/planning horizon, then you must expect that this number will do nothing but increase in the next few years. One thing is certain, the majority of applications in use within businesses are not yet containerized.

So there is still time to take advantage of Docker (and containers). If you haven’t yet jumped on board, then it’s time to get into the water. And if you are already invested in containers, then it’s time to double-down and accelerate your investment. [By the way, this is the “stay competitive” strategy. The only way to truly leap ahead is to use Docker (and other containers) in unique and innovative ways.]

Technology Adoption At Home

Adoption of containers at home is still nascent. Yes, there have been a few notable exceptions. Specifically, one of the very best uses of containers is the Hass.io infrastructure that can be used to host Home Assistant on a Raspberry Pi. Now that the new Raspberry Pi 4 is generally available, it is incredibly simple (and adorably cheap) to learn about – and economically exploit – containers at home.

My Personal Experiences
Containers can and should be used at home.

I’ve been using Docker at home for over a year. And now that I’ve switched all of my traditional computing platforms from Windows to Linux, I’m now using Docker (and other containers) for nearly all of my personal and professional platforms. And this past week, I finally cut over to Docker for all of my web-based systems. My new Docker infrastructure includes numerous images (and containers). I have a few containers for data collection (e.g., glances, portainer). I have moved my personal entertainment systems to Docker containers (e.g. plex, tautulli). And I’ve put some infrastructure in place for future containers (e.g., traefik, watchtower). And in the upcoming months, I’ll be moving my entire TICK stack into Docker containers.

Bottom Line

If you haven’t started to exploit containers, then it’s not too late. Your employer is probably using containers already. But they will be moving even more swiftly towards widespread adoption. Therefore, it’s not too late to jump onto the commercial bandwagon. And if you want to do something really new and innovative, I’d suggest using containers at home. You’ll learn a lot. And you may find a niche where you could build a highly scalable appliance that exploits highly containerized building blocks.

Reducing Threat Surface – Windows Minimization

Lorin Olsen
Breaking the Cycle of Addiction
Let Go of the Past

Last year, my household quit cable TV. The transition wasn’t without its hiccups. But leaving cable has had some great benefits. First, we are paying less money per month. Second, we are watching less TV per month. Third, I have learned a whole lot of things about streaming technologies and about over-the-air (OTA) TV options. Last year was also the year that I put a home automation program into effect. But both of these initiatives were done in 2018. Now I’ve decided that security and Windows minimization will be the key household technology initiatives for 2019.

How Big Is Your Threat Surface?

What is “Windows minimization”? That is simple. “Windows minimization” is the intentional reduction of Windows instances within your organization. Microsoft Windows used to be the platform for innovation and commercialization. Now it is the platform for running legacy systems. Like mainframes and mini-computers before them, Windows is no longer the “go to” platform for new development. C# and .Net are no longer the environment for new applications. And SQL server never was the “go to” platform for most databases. And if you look at the total number of shipped operating systems, it is clear that Android and IOS have clearly become the only significant operating systems on the mobile platform.

Nevertheless, Microsoft products remain the most vulnerable operating system products (based upon the total number of published CVE alerts). Adobe remains the most vulnerable “application” product family. But these numbers only reflect the total number of “announced” vulnerabilities. They don’t take the total number of deployed or exploited systems into account. Based upon deployed instances, Android and iOS remain the most exploited platforms.

Microsoft’s vulnerable status isn’t because their products are inherently less safe. To be candid, all networked computing platforms are unsafe. But given the previous predominance of Windows, Microsoft technologies were the obvious target for most malware developers.

Of course, Windows dominance is no longer the case. Most people do the majority of their casual computing on their phones – which use either Linux (Android) or Unix (iOS). And while Microsoft’s Azure platform is a fine web/cloud platform, most cloud services use Linux and/or cloud services like OpenStack or AWS. So the demand for Windows is declining while the security of all other platforms is rapidly improving.

The Real Reason For Migrating

It is possible to harden your Windows systems. And it is possible to fail to harden your Linux systems. However, it is not possible to easily port a product from one OS to another – unless the software vendor did that for you already. In most cases, if the product you want isn’t on the platform that you use, then you either need to switch your operating platform or you need to convince your software supplier to support your platform.

Heading To The Tipping Point

It is for this reason that I have undertaken this Windows minimization project. New products are emerging every day. Most of them are not on Windows. They are on alternative platforms. Every day, I find a new widget that won’t run on Windows. Of course, I can always run a different operating system on a Windows-host.  But once the majority of my applications run on Linux, then it will make more sense to run a Linux-hosted vitualization platform and host a Windows guest system for the legacy apps.

And I am rapidly nearing that point. My Home Assistant runs on a Raspberry Pi. It has eleven application containers running within Docker (on HassOS). My DNS system runs on a Raspberry Pi. My OpenVPN system is hosted on a Pi.

Legacy Anchors

But a large number of legacy components remain on Windows. Cindy and I use Microsoft Office for general documents – though PDF documents from LibreOffice are starting to increase their share of total documents created. My podcasting platform (for my as yet unlaunched podcast) runs on Windows. And my Plex Media Server (PMS) runs on Windows.

Fortunately, PMS runs on Linux. So I built am Ubuntu 18.10 system to run on VirtualBox. And just as expected, it works flawlessly. Yes, I had to figure a few things out along the way – like using the right CIFS file system to access my NAS. But once I figured these minor tweaks out, I loaded all of my movies onto the new Plex server. I fully expect that once I transition my remaining apps, I’ll turn my Windows Server into an Ubuntu 18.04 LTS server.

Final Takeaways

I have taken my first steps. I’ve proven that Plex will run on Linux. I know that I can convert mobile print services from Windows to Linux. And I can certainly run miscellaneous apps (like TurboTax) on a Windows guest running on Linux. But I want to be sure before I convert my Windows server to Linux. So I will need to complete a software usage survey and build my data migration plan

I wonder how long it will be before I flip the switch – once and for all.