The post Using APK for Alpine Linux with Docker appeared first on Justin Silver.
Some quick tips on how to use apk for Alpine Linux in a Docker environment. Two common use cases are installing command line tools that you will call from scripts, and compiling a PHP extension. In the former case you usually only need the binary itself and don't have to worry much about polluting your Docker layer with extra files. When you need to compile something, however – like a PHP extension – you may need several build tools as well as development libraries that you don't want to keep around after the module is compiled.
This first example is common for installing command line tools:
RUN apk add --no-cache --update \
    bash curl findutils sed sudo
The next example shows how to compile PHP extensions in a single RUN step and then remove the build-time dependencies, keeping only the shared libraries that the compiled modules actually link against at runtime.
RUN set -xe; \
    apk add --no-cache --virtual .build-deps $PHPIZE_DEPS \
        # build tools
        autoconf g++ gcc make \
        # lib tools
        bzip2-dev freetype-dev gettext-dev icu-dev imagemagick-dev libintl libjpeg-turbo-dev \
        # libmcrypt-dev
        libpng-dev libxslt-dev libzip-dev \
    ; \
    docker-php-ext-configure \
        gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ --with-png-dir=/usr/include/ \
    ; \
    docker-php-ext-install -j$(nproc) \
        bcmath bz2 calendar exif gettext gd intl mysqli opcache pcntl pdo_mysql soap xsl zip \
    ; \
    pecl channel-update pecl.php.net && \
    pecl install -o -f \
        redis \
    ; \
    docker-php-ext-enable \
        redis \
    ; \
    # collect the shared libraries the compiled extensions link against, skipping
    # anything that already lives in /usr/local/lib, and pin them as runtime deps
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )"; \
    apk add --no-cache --virtual .phpexts-rundeps $runDeps; \
    # drop the compilers and -dev packages now that the modules are built
    apk del .build-deps
The post Monitor IPSec VPN Tunnel appeared first on Justin Silver.
I have an IPSec tunnel built from one of my servers to an integration partner which is used to secure our web service calls. It uses IPSec, Openswan, and Pluto to maintain a private network. Unfortunately I was seeing that this tunnel would for some reason collapse, requiring me to manually restart IPSec to rebuild the tunnel and re-enable our web services. This usually seemed to happen around 1am, so despite many, many (MANY) emails, I wouldn't actually fix it for several hours.
To aid in the process of stopping and then restarting the services, I wrote a bash script to handle all the commands. I only have one IPSec interface, ipsec0, which is used in my script. Make sure to chmod +x /usr/local/bin/ipsec-restart.sh.
#!/bin/bash
# get the -i or --interface argument value
while [[ $# -gt 1 ]]
do
    key="$1"
    case $key in
        -i|--interface)
            INTERFACE="$2"
            shift # past argument
            ;;
    esac
    shift # past argument or value
done

# show an error (and a non-zero exit status) if the interface isn't specified
if [ -z "$INTERFACE" ]
then
    echo "You must provide an interface argument with -i or --interface" >&2
    exit 1
fi

# restart ipsec, then bring up the IPSec tunnel
/sbin/service ipsec restart
/usr/sbin/ipsec whack --shutdown
/usr/sbin/ipsec setup --restart
/usr/sbin/ipsec auto --add "$INTERFACE"
sleep 5
/usr/sbin/ipsec auto --up "$INTERFACE"
The next step is to have the system automatically run the script when the tunnel goes down. Using NetCat (nc) is a good option for this – it can actually do a crazy number of things I won't go into here. Basically we want to test the hostname of our service to see if we can open port 80, and if not, run the restart script. The -z flag tells nc to only check that the port is open without sending any data, and -w 10 tells it to give up after 10 seconds. By redirecting nc's output to /dev/null the job produces nothing when the connection succeeds; when it fails, the output of ipsec-restart.sh is emailed to the address specified in MAILTO. Run this check every 5 minutes (and as root) by adding it to the root crontab, either while logged in as root or using sudo crontab -e to edit.
# Monitor VPN
MAILTO="you@example.com"
*/5 * * * * ( nc -w 10 -z hostname.webservice.com 80 ) >/dev/null 2>&1 || /usr/local/bin/ipsec-restart.sh -i ipsec0
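As an added example (not the post's own script), here is a monitor that runs the same nc probe from cron but only restarts IPSec after two consecutive failed probes and at most once per cooldown window, and logs each restart so you can audit them; the state file, log file and restart command paths are assumptions.

```shell
#!/bin/bash
# Added example, not the post's own script: a cron-driven monitor that probes
# the web service port like the one-liner above, but restarts IPSec only after
# FAIL_THRESHOLD consecutive failures and at most once per COOLDOWN seconds,
# logging each decision so restarts can be audited. STATE_FILE, LOG_FILE and
# RESTART_CMD are assumed paths; adjust them for your host.
STATE_FILE="${STATE_FILE:-/var/run/ipsec-monitor.state}"
LOG_FILE="${LOG_FILE:-/var/log/ipsec-monitor.log}"
RESTART_CMD="${RESTART_CMD:-/usr/local/bin/ipsec-restart.sh -i ipsec0}"
HOST="${HOST:-hostname.webservice.com}"
PORT="${PORT:-80}"
FAIL_THRESHOLD=2   # consecutive failed probes before a restart
COOLDOWN=900       # minimum seconds between two restarts

# probe_port HOST PORT: 0 if a TCP connection opens within 10 s, 1 otherwise.
probe_port() { nc -w 10 -z "$1" "$2" >/dev/null 2>&1; }

# decide FAILS LAST_RESTART NOW PROBE_RC: prints the new state ("fails last")
# and returns 0 when a restart should run now, 1 otherwise. No side effects,
# so the policy can be tested without touching the network.
decide() {
  local fails=$1 last=$2 now=$3 rc=$4
  if [ "$rc" -eq 0 ]; then
    echo "0 $last"; return 1             # reachable: reset the counter
  fi
  fails=$((fails + 1))
  if [ "$fails" -ge "$FAIL_THRESHOLD" ] && [ $((now - last)) -ge "$COOLDOWN" ]; then
    echo "0 $now"; return 0              # threshold hit, cooldown elapsed
  fi
  echo "$fails $last"; return 1          # keep counting or still cooling down
}

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"; }

main() {
  read -r fails last 2>/dev/null < "$STATE_FILE" || { fails=0; last=0; }
  if probe_port "$HOST" "$PORT"; then rc=0; else rc=1; fi
  if state=$(decide "${fails:-0}" "${last:-0}" "$(date +%s)" "$rc"); then
    log "$HOST:$PORT unreachable $FAIL_THRESHOLD times, running: $RESTART_CMD"
    $RESTART_CMD >> "$LOG_FILE" 2>&1
  elif [ "$rc" -ne 0 ]; then
    log "probe of $HOST:$PORT failed, state: $state"
  fi
  echo "$state" > "$STATE_FILE"
}

# Only act when invoked as "ipsec-monitor.sh run" (e.g. from cron), so the
# functions above can be sourced and exercised without probing anything.
if [ "${1-}" = "run" ]; then main; fi
```

The cron entry then becomes `*/5 * * * * /usr/local/bin/ipsec-monitor.sh run`, and the restart script's output goes to the log file instead of to MAILTO.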