mvn: Automagically create a Docker image

Maven conjures Docker images
Maven conjures Docker images

Having a Docker image of your software projects may make things easier for you, but will for sure lower the barrier for users to use your tools — at least in many cases ;-)

I am developing many tools in Java using Maven to manage dependencies. Thus, I’ve been looking for means to generate corresponding Docker files using the very same build management. There are already a few approaches to build Docker images through Maven, e.g. alexec’s docker-maven-plugin, and fabric8io’s docker-maven-pluginand so on — just to name a few. However, all theses solutions seem super-heavy and they require learning new syntax and stuff, while it is so easy and doesn’t require any third party plugins.

Build Docker images using maven-antrun

Maven’s antrun plugin allows for execution of external commands. That means, you just need to maintain a proper Dockerfile along with your sources and after building the tool with maven you can call the docker-build command to create a Docker image of the current version of your tool.

I did that for a Java web application. The Dockerfile is stored as a resource in src/main/docker/Dockerfile is actually very simple:

FROM tomcat:8-jre8
MAINTAINER martin scharm

# remove the default tomcat application
RUN rm -rf /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT.war

# add the BiVeS-WebApp as the new default web app
COPY BiVeS-WS-${project.version}.war /usr/local/tomcat/webapps/ROOT.war

Using Maven we can make sure (i) that the Dockerfile is copied next to the compiled and packaged tool in the target directory, (ii) that the placeholder ${project.version} in the Dockerfile is replaced with the current version of your tool, and (iii) that the docker-build command is invoked.

Copy the Dockerfile to the right place

Maven’s resources-plugin is ideally suited to deal with resources. To copy all Docker related resources to the target directory you can use the following snippet:

<plugin>
    <artifactId>maven-resources-plugin</artifactId>
    <executions>
        <execution>
            <id>copy-resources</id>
            <phase>validate</phase>
            <goals>
                <goal>copy-resources</goal>
            </goals>
            <configuration>
                <outputDirectory>${basedir}/target</outputDirectory>
                <resources>
                    <resource>
                        <directory>src/main/docker</directory>
                        <filtering>true</filtering>
                    </resource>
                </resources>
            </configuration>
        </execution>
    </executions>
</plugin>

In addition, the <filtering>true</filtering> part also makes sure to replace all Maven-related placeholders, just like the ${project.version} that we’ve been using. Thus, this solves (i) and (ii) and after the validate phase we’ll have a proper target/Dockerfile.

Build a Docker image

Using Maven’s antrun-plugin we can call the docker tool:

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>1.6</version>
<executions>
  <execution>
      <phase>deploy</phase>
      <configuration>
          <target>
              <exec executable="docker">
                  <arg value="build"/>
                  <arg value="-t"/>
                  <arg value="binfalse/bives-webapp:${project.version}"/>
                  <arg value="target"/>
              </exec>
          </target>
      </configuration>
      <goals>
          <goal>run</goal>
      </goals>
  </execution>
</executions>
</plugin>

This executes a command like

docker build -t binfalse/bives-webapp:1.6.2 target

after the deploy phase. Thus, it builds a docker image tagged with the current version of your tool. The build’s context is target, so it will use the target/Dockerfile which COPYs the new version of your tool into the image.

Automatically build images using a Maven profile

I created a docker profile in Maven’s configuration file that is active per default if there is a src/main/docker/Dockerfile in your repository:

<profile>
    <id>docker</id>
    <activation>
        <file>
            <exists>src/main/docker/Dockerfile</exists>
        </file>
    </activation>
    <build>
        <plugins>
            <plugin>
                <artifactId>maven-resources-plugin</artifactId>
                <!-- ... see above ... -->
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-antrun-plugin</artifactId>
                <!-- ... see above ... -->
            </plugin>
        </plugins>
    </build>
</profile>

Bonus: Also push the new image to the Docker Hub

To also push the image you need to execute the push command:

docker push binfalse/bives-webapp:1.6.2

And due to the latest-confusion of Docker you also should create the latest-alias and also push that:

docker tag -f binfalse/bives-webapp:1.6.2 binfalse/bives-webapp:latest
docker push binfalse/bives-webapp:latest

However, both is easy. Just append a few more exec calls in the antrun-plugin! The final pom.xml snippet can be found on GitHub.

Supplement

The image for this article was derived from Wikipedia’s Apache Logo and Wikipedia’s Docker logo, licensed under the Apache License, Version 2.0.

Create an Unscanable Letter

The EURion constallation on a letter
The EURion constallation on a letter

Some time ago I’ve heard about the EURion constellation. Never heard about it? Has nothing to do with stars or astrology. It’s the thing on your money! :)

Take a closer look at your bills and you’ll discover plenty of EURions, as shown in the picture on the right. Just a few inconspicuous dots. So what’s it all about? The EURion constellation is a pattern to be recognized by imaging software, so that it can recognize banknotes. It was invented to prevent people from copying money :)

But I don’t know of any law that prohibits using that EURion, so I’ve been playing around with it. Took me some trials to find the optimal size, but I was able to create a document that includes the EURion. That’s the essential tex code:

wanna scan my letter?
\includegraphics[width=7mm]{EURion.pdf}

The whole environment can be found on GitHub, together with the EURion image and stuff. I also provide the resulting letter.

Of course I immediately asked some friends to try to scan the letter, but it turns out, that not all scanners/printers are aware of the EURion… So it’s a bit disappointing, but I learned another thing. Good good. And to be honest, I do not have a good use case. Why should I prevent someone from printing my letters? Maybe photographers can use the EURion in their images. Copyright bullshit or something…

Monitoring of XOS devices

Monitor Relocation of Hardware
Monitor Relocation of Hardware

This week I developed some plugins for Nagios/Icinga to monitor network devices of the vendor Extreme Networks. All these plugins receive status information of, eg. switches, via SNMP.

The Basic: Check Mem, CPU, and Fans

Checking for available memory, for the device’s temperature, for the power supplies, and for fan states is quite straight forward. You just ask the switch for the values of a few OIDs, evaluate the answer, and tell Nagios/Icinga what to do.

The Simple Network Management Protocol (SNMP) is actually a very easy to use protocol. There is an SNMP server, such as a router or a switch, which exposes management data through the SNMP protocol. To access these data you just send an object identify (OID) to an SNMP server and receive the corresponding value. So called management information bases (MIB) can tell you what a certain OID stands for.

On the command line, for example, you could use snmpwalk to iterate over an OID subtree to, e.g., obtain information about the memory on a device:

usr@srv $ snmpwalk -v 2c -c publicCommunityString switch.address.com 1.3.6.1.4.1.1916.1.32.2.2.1
1.3.6.1.4.1.1916.1.32.2.2.1.1.1 = Gauge32: 1
1.3.6.1.4.1.1916.1.32.2.2.1.2.1 = STRING: "262144"
1.3.6.1.4.1.1916.1.32.2.2.1.3.1 = STRING: "116268"
1.3.6.1.4.1.1916.1.32.2.2.1.4.1 = STRING: "7504"
1.3.6.1.4.1.1916.1.32.2.2.1.5.1 = STRING: "138372"

The OID 1.3.6.1.4.1.1916.1.32.2.2.1 addresses the memory information table of the SNMP provider at switch.address.com. The value at *.2.1 shows how much memory is installed, *.3.1 shows how much memory is free, *.4.1 shows how much is consumed by the system, and *.5.1 shows how much is consumed by user processes. Basic calculations tell us there are 262144/1024 = 256KB in total and 100*116268/262144 = 44.35% is free. A bit more logic for a warning/critical switch and the plugin is done.

The Feature: Monitoring of the FDB

But I would probably not write about that basic stuff if there was not an extra feature! I implemented a script to also monitor the FDB. FDB is and abbreviation for forwarding databases: The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports. It, for example, uses the information in this database to decide whether a frame should be forwarded or filtered. Each entry consists of

  • the MAC address of the device behind the port
  • the associated VLAN
  • the age of the entry – depending on the configuration the entries age out of the table
  • some flags – e.g. is the entry dynamic or static
  • the port

The table may look like the following:

> show fdb
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
01:23:45:67:89:ab    worknet(0060) 0056 n m           9
01:23:42:67:89:ab     mobnet(0040) 0001 n m           21

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
        b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
        D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC,
        S - Software Controlled Deletion, r - MSRP

As soon as the switch gets a frame on one port it learns the corresponding MAC address, port number, etc. into this table. So if a frame for this MAC address arrives it know where to send it to.

However, that content of a networking class. All we need to know is that a switch can tell you which device which MAC address is is connected to which port. And that’s the idea of check_extreme_fdb.pl! It compares the entries of the FDB with some expected entries in an CSV file. The CSV is supposed to contain three coloumns:

mac,port,vlan

If a MAC address in the FDB matches the MAC address in the CSV file it checks the ports and vlans. If those do not match, it will raise an error.

For the CSV: Feel free to leave port or vlan empty if you do not care about this detail. That means, if you just want to make sure that the device with the MAC 01:23:45:67:89:ab is in vlan worknet you add an entry such as:

01:23:45:67:89:ab,,worknet

Use -e <FILE> to pass the CSV file containing expected entry to the program and call it like beckham:

perl -w check_extreme_fdb.pl -s <SWITCH> -C <COMMUNITY-STRING> -e <EXPECTED>

Here, SWITCH being the switch’s address and COMMUNITY-STRING beeing the SNMP “passphrase”. You may also want to add -w to raise a warning if one of the entries in the CSV file wasn’t found in the FDB. To create a sample CSV file that matches the current FDB you can call it with --print.

To get the script have a look at the check_extreme_fdb.pl software page.

More Extreme Stuff

In addition there are some other scripts to monitor Extreme Networks devices:

Do I have a CD-RW?

You don’t know whether the CD drive on your machine is able to burn CDs? And too lazy to go off with your head under your table? Or you’re remote on the machine? Then that’s your command line:

$ cat /proc/sys/dev/cdrom/info
CD-ROM information, Id: cdrom.c 3.20 2003/12/17

drive name:             sr0
drive speed:            32
drive # of slots:       1
Can close tray:         1
Can open tray:          1
Can lock tray:          1
Can change speed:       1
Can select disk:        0
Can read multisession:  1
Can read MCN:           1
Reports media changed:  1
Can play audio:         1
Can write CD-R:         1
Can write CD-RW:        1
Can read DVD:           1
Can write DVD-R:        1
Can write DVD-RAM:      1
Can read MRW:           1
Can write MRW:          1
Can write RAM:          1

Works on Debian based systems :)

Docker Jail for Skype

A jail for skype powered by Docker!
A jail for skype powered by Docker!

As I’m now permanently installed at our University (yeah!) I probably need to use skype more often than desired. However, I still try to avoid proprietary software, and skype is the worst of all. Skype is an

obfuscated malicious binary blob with network capabilities

as jvoisin beautifully put into words. I came in contact with skype multiple times and it was always a mess. Ok, but what are the options if I need skype? So far I’ve been using a virtual box if I needed to call somebody who insisted on using skype, but now that I’ll be using skype more often I need an alternative to running a second OS on my machine. My friend Tom meant to make a joke about using Docker and … TA-DAH! … Turns out it’s actually possible to jail a usable skype inside a Docker container! Guided by jvoisin’s article Running Skype in docker I created my own setup:

The Dockerfile

The Dockerfile is available from the skype-on-docker project on GitHub. Just clone the project and change into the directory:

$ git clone https://github.com/binfalse/skype-on-docker.git
$ cd skype-on-docker
$ ls -l
total 12
-rw-r--r-- 1 martin martin   32 Jan  4 17:26 authorized_keys
-rw-r--r-- 1 martin martin 1144 Jan  4 17:26 Dockerfile
-rw-r--r-- 1 martin martin  729 Jan  4 17:26 README.md

The Docker image is based on a Debian:stable. It will install an OpenSSH server (it exposes 22) and download the skype binaries. It will also install the authorized_keys file in the home directories of root and the unprivileged user. Thus, to be able to connect to the container you need to copy your public SSH key into that file:

$ cat ~/.ssh/id_rsa.pub >> authorized_keys

Good so far? Ok, then go for it! Build a docker image:

$ docker build -t binfalse/skype .

This might take a while. Docker will execute the commands given in the Dockerfile and create a new Docker image with the name binfalse/skype. Feel free to choose a different name.. As soon as that’s finished you can instantiate and run a new container using:

$ docker run -d -p 127.0.0.1:55757:22 --name skype_container binfalse/skype

This will start the container as a daemon (-d) with the name skype_container (--name skype_container) and the host’s port 55757 mapped to the container’s port 22 (-p 127.0.0.1:55757:22). Give it a millisecond to come up and then you should be able to connect to that container via ssh. From that shell you should be able to start an configure skype:

$ ssh -X -p 55555 docker@127.0.0.1

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan  4 23:07:37 2016 from 172.17.42.1
$ skype

You can immediately go and do your chats and stuff, but you can also just configure skype. Do setup everything just like you want to find it when starting skype, for example tick the auto-login button to get rid of the login screen etc. As soon as that’s done, commit the changes to build a new image reflecting your preferences:

$ docker commit skype_container binfalse/deb-skype

Now you’ll have an image called binfalse/deb-skype that contains a fully configured skype installation. Just kill the other container:

$ docker stop skype_container
$ docker rm skype_container

And now your typical workflow might look like:

docker run -d -p 127.0.0.1:55757:22 --name skype__ binfalse/deb-skype
sleep 1
ssh -X -p 55757 docker@127.0.0.1 skype && docker rm -f skype__

Feel free to cast it in a mould just as I did. The script is also available from my apt repo, it’s name is bf-skype-on-docker:

echo "deb http://apt.binfalse.de binfalse main" > /etc/apt/sources.list.d/binfalse.list
apt-get update && apt-get install bf-skype-on-docker

Getting into a new group

You know, … you just got this new floppy disk with very important material but you cannot access it because you’re not in the system’s floppy group and, thus, you’re not allowed to access the floppy device. Solution is easy: add your current user to the floppy group! Sounds easy, doesn’t it? The annoying thing is that those changes won’t take affect in the current session. You need to log out and log in again – quite annoying, especially if you’re into something with lots of windows and stuff. Just happened to me with docker again..

However, there are two methods to get into the new groups without the need to kill the current session:

  • su yourself: let’s say your username is myname you just need to su myname to get a prompt with the new group memberships.
  • ssh localhost: that also gives you a new session with updated affiliations.

That way, you do not need to start a new session. However, you still need to start all applications/tools from that terminal - might be odd to those who are used to the gnome/kde menues.. :)

Supplemental material

Display group membership:

 groups USERNAME

Add a new system group:

 groupadd GROUPNAME

Add a user to a group:

 useradd -G GROUPNAME USERNAME

CyanogenMod Updates and the firewall

Screenshot of the Update Tool
Screenshot of the Update Tool

I’m running CyanogenMod on my phone and I have the firewall AFWall+ installed.

Screenshot of the firewall with important rules
Screenshot of the firewall with important rules

To update the list of available updates the application CM Updater need to be able to connect to the internet. It will contact a website from within the google empire and ask for available images.

In order to download a new image the application Media Storage, Download Manager, Downloads needs internet access, as this app is in charge of downloading the actual image file.

To be remembered.

JavaDoc Cheat Sheet

  • The first sentence of each doc comment should be a summary sentence
  • Write the description to be implementation-independent, but specifying such dependencies where necessary. (what is required, what is allowed)
  • wrap keywords in <code>...</code>

typical meta annotations

  • @author is not critical, because it is not included when generating the API specification
  • @version SCCS string "%I%, %G%", which converts to something like “ 1.39, 02/28/97” (mm/dd/yy) when the file is checked out of SCCS
  • @since specify the product version when the Java name was added to the API specification (if different from the implementation)

typical method definition

  • @param parameter-name description
    • followed by the name (not data type) of the parameter, followed by a description of the parameter
    • the first noun in the description is the data type
  • @return description
    • omit for methods that return void and for constructors
    • include it for all other methods, even if its content is entirely redundant with the method description
  • @throws class-name description should be included for any checked exceptions (previously, it was @exception)

additional annotations

  • {@value package.class#field}
    • when {@value} is used (without any argument) in the doc comment of a static field, it displays the value of that constant: The value of this constant is {@value}.
    • otherwise it displays the value of the specified constant: Evaluates the script starting with {@value #SCRIPT_START}.
  • {@code text}
    • Equivalent to <code>{@literal}</code>.

linking

  • @see reference
    • Adds a "See Also" heading
    • reference is a string: Adds a text entry for string. No link is generated. The string is a book or other reference to information not available by URL.
    • reference is an <a href="URL#value">label</a>: Adds a link as defined by URL#value. The URL#value is a relative or absolute URL.
    • reference is an package.class#member label: Adds a link (with optional visible text label) that points to the documentation for the specified name in the Java Language that is referenced.
  • {@link package.class#member label}
    • in-line link with visible text label that points to the documentation for the specified package, class or member name of a referenced class
    • not necessary to add links for all API names in a doc comment
  • @serial (or @serialField or @serialData) for interoperability with alternative implementations of a Serializable class and to document class evolution

deprecation

  • @deprecated deprecated-text
    • the first sentence should at least tell the user when the API was deprecated and what to use as a replacement
    • a {@link} tag should be included that points to the replacement method

example

/**
 * The Class CombineArchive to create/read/manipulate/store etc.
 * CombineArchives.
 * <p>
 * We directly operate on the ZIP file, which will be kept open. Therefore, do
 * not forget to finally close the CombineArchive when you're finished.
 * 
 * @see <a href="https://sems.uni-rostock.de/projects/combinearchive/">
 *      sems.uni-rostock.de/projects/combinearchive</a>
 * @author martin scharm
 */
public class CombineArchive
    extends MetaDataHolder
    implements Closeable
{
    /* ... */

    /**
     * Gets the the first main entry of this archive, if defined. As of RC2 of the spec there may be more than one main entry, so you should use {@link #getMainEntries()} instead.
     * 
     * @return the first main entry, or <code>null</code> if there is no main entry
     * @deprecated as of version 0.8.2, replaced by {@link #getMainEntries()}
     */
    public ArchiveEntry getMainEntry ()
    {
        if (mainEntries == null)
            return null;
        return mainEntries.size () > 0 ? mainEntries.get (0) : null;
    }
    
    /**
     * Gets the main entries as defined in the archive.
     *
     * @return the main entries in this archive
     */
    public List<ArchiveEntry> getMainEntries ()
    {
        return mainEntries;
    }

    /**
     * Replace the file associated with a certain entry while keeping the meta
     * data.
     * 
     * @param toInsert
     *          the new file to insert
     * @param oldEntry
     *          the old entry whose file should be replaced
     * @return the new entry
     * @throws IOException If an input or output exception occurred
     */
    public ArchiveEntry replaceFile (File toInsert, ArchiveEntry oldEntry) throws IOException
    {
        addEntry (toInsert, oldEntry.getFilePath (), oldEntry.getFormat (), false);
        entries.put (oldEntry.getFilePath (), oldEntry);
        return oldEntry;
    }
}

References

Block URLs on phone using AdAway

List of hosts file resources for AdAway
List of hosts file resources for AdAway

Using AdAway on your Android phones it is very easy to block a set of URLs.

AdAway (available from F-Droid, source from GitHub) is an ad-blocker. The application basically maintains a list of resources containing lists to ad-servers, see figure for example, e.g.:

# dest ip   url
127.0.0.1   some.ad.server.com

This entry will redirect all traffic meant for some.ad.server.com to the server 127.0.0.1, which is your localhost. Entries from different resources are merged. Thus, all requests to typical ad-servers will fail → annoying advertisements won’t be delivered. It’s quite powerful and gives impressive results. However, I didn’t want to talk about ad-stuff. The cool thing is

AdAway allows for extensions with own hosts files!

You can simply add another link to a file containing further host entries. I created my own AdAway file, uploaded it to https://stuff.lesscomplex.org/adaway.txt and added it to AdAway, as you can see in the figure. The current version contains a few entries for:

  • facebook/yahoo/etc: I’m not using facebook or stuff, all these request shouldn’t leave my phone
  • captive portal detection: To detect captive portals the phone downloads a few bytes from a google server and checks if it is able to access the real internet or just a captive portal
  • swift key: I’m using swift key, but do not want it to communicate to the internet. Thus, I’m blocking a few URLs that swiftkey wants to talk to. As I’m already using a firewall this just adds another layer of privacy.

Feel free to use my “extension”, but I expect it to change over time. :)

Shortcomings

This method only works if applications load contents from URLs. As soon as the IPs are hard-coded the hosts file

Disable shutter sound on Cyanogenmod 12

Everyone knows that annoying shutter sound of the camera app on Android phones. It’s against the law to sell android phones which do not make sounds when taking pictures. And in general, it is a good feature as it improves other people privacies.

However, I still want to get rid of the sound. It’s a bit tricky, but having a rooted phone (with e.g. CyanogenMod) it’s very easy: Just delete the sound file /system/media/audio/ui/camera_click.ogg! :)

For the lazy: Get a root shell (eg. ssh or adb) and execute the following:

mount -o remount,rw /system
mv /system/media/audio/ui/camera_click.ogg /system/media/audio/ui/camera_click.ogg.backup
mv /system/media/audio/ui/camera_focus.ogg /system/media/audio/ui/camera_focus.ogg.backup
mount -o remount,ro /system

Problem solved.