

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and running containers with services on your Linux system, make sure to read and understand the risks described on the Docker and iptables page. In particular, Docker manages its own iptables rules: any port you publish (for example `-p 8080:80`) is DNAT'ed to the container and accepted in the FORWARD chain, bypassing the INPUT rules of your host firewall, so that service becomes reachable from the entire Internet through your connection. This is fine if you do intend to share that service with the rest of the world; it is very dangerous while you are still working on that container, since it may have security issues that need patching. Docker documents a way to prevent that behavior by adding the following rule to the DOCKER-USER chain of your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the source IP address is within 192.168.1.0/24, access arriving on `eth0` is refused. Replace `eth0` with the name of the interface that carries your external (Internet) connection. During development, you should always have such a rule in place.

That did not work for me at all, because my local network includes many other computers and this rule blocked all of them. So, for my setup, not a useful idea.

Instead, I created my own entries based on other characteristics. My firewall file (iptables-restore format) includes the following lines:

*filter
:DOCKER-USER - [0:0]

# Let LAN traffic through first; early_forward is my own chain, defined elsewhere in the file
-A DOCKER-USER -j early_forward
# Packets have already been DNAT'ed to the container when they reach FORWARD,
# so match the original (host) destination port rather than --dport
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward chain is what keeps my LAN working: it holds the rules that allow my LAN computers to have their traffic forwarded as expected. Traffic that early_forward does not accept falls through to the DROP rules below it.

Then come three rules that block ports 80, 8080, and 8081 arriving on eno1 (my external interface) from reaching any Docker container. They match on the original destination port because, by the time a packet reaches DOCKER-USER, the nat table has already rewritten its destination to the container's address and port, so a plain --dport test would not see the host port.

Docker adds its own rules further down the FORWARD chain (not within DOCKER-USER) that open whatever ports the services in your containers publish. Since FORWARD jumps to DOCKER-USER before any of Docker's rules, your DROP rules are evaluated first and win.

Note that the ports you have to block here are all the ports Docker publishes on your external interface. Do not count on the INPUT chain of your regular firewall to protect them: published container ports travel through FORWARD, not INPUT, so a server that rejects port 5000 in INPUT is still exposing a container published on port 5000. On my end I have Apache running on the host, so I block the usual HTTP ports from Docker; any other port published by a container needs the same treatment (or publish it on the loopback address only, for example `-p 127.0.0.1:5000:5000`, so it never listens on the external interface in the first place).
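The rules above hard-code one interface and three ports. As an added example, not part of the original article and not the author's firewall file, the POSIX shell helper below generates the same kind of DOCKER-USER rules for any external interface, any number of trusted LAN networks (the case the single-/24 rule from the Docker documentation failed to cover) and any list of published host ports; it also returns early for established connections so replies keep flowing. The interface name eno1, the networks 192.168.1.0/24 and 10.0.0.0/8 and the port list in the comments are assumptions for the demonstration. Nothing is executed until you pipe the output into a shell as root.

```shell
#!/bin/sh
# Added example (not the page author's firewall file): generate the DOCKER-USER
# rules that keep Docker-published ports off the Internet-facing interface
# while letting trusted LAN networks through.  The interface name, the LAN
# networks and the port list used below are assumptions for the demonstration.

# docker_user_rules EXT_IF "LAN_CIDR [LAN_CIDR ...]" PORT [PORT ...]
# Prints one iptables command per line; nothing is executed here.
docker_user_rules() {
    ext_if=$1
    lan_nets=$2
    shift 2

    # Docker creates DOCKER-USER when the daemon starts; create it ourselves
    # if the firewall script runs first, then start from an empty chain.
    echo "iptables -N DOCKER-USER 2>/dev/null || true"
    echo "iptables -F DOCKER-USER"

    # Replies and related packets of connections already allowed keep flowing.
    echo "iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"

    # Trusted networks arriving on the external interface are handed back to
    # Docker's own rules untouched, one RETURN per network.
    for net in $lan_nets; do
        echo "iptables -A DOCKER-USER -i $ext_if -s $net -j RETURN"
    done

    # Packets reach FORWARD after DNAT to the container, so --dport would see
    # the container port; match the original (host) destination port instead.
    for port in "$@"; do
        echo "iptables -A DOCKER-USER -i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
    done

    # Everything else continues to Docker's own rules.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Number of DROP rules the generator emits (one per blocked port).
count_drop_rules() {
    docker_user_rules "$@" | grep -c -- '-j DROP'
}

# Apply for real (needs root), e.g.:
#   apply_docker_user_rules eno1 "192.168.1.0/24 10.0.0.0/8" 80 8080 8081
apply_docker_user_rules() {
    docker_user_rules "$@" | sh -e
}
```

Run the generator first and read the output; only pipe it into `sh` once the interface and networks are right, since a wrong interface name silently leaves the ports open. After applying, `iptables -S DOCKER-USER` should list the RETURN rules before the DROP rules, and `iptables -S FORWARD` should still show the jump to DOCKER-USER ahead of Docker's own chains.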

Docker

As we help various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software inside that environment from accessing everything else on your computer. This is particularly useful for publicly facing services like Apache, Bind, etc.

Appendix A — The geometry in SWF — Edges

Edges are used to define vector-based shapes and also the coordinates where images need to be drawn. Edges are always relative coordinates, from wherever your last point was to wherever you want the next point to be (a little like a turtle in LOGO).

A new concept: Throwaway Software.

More and more, people learn new software as they go. A few will stick with one piece of software for a long time simply because it is easier, but switching is easy too, especially if the new system is easy to use.

But how do you produce throwaway software? And is it worth the trouble?

As we see things evolve, more and more people want to use software wherever they go. This means software that, in some way, runs on the Internet. For instance, you can use Google Maps anywhere you go, as long as you have a computer with Internet access.

Skills at Made to Order Software Corp.

Since 1999, Made to Order Software has served its customers with an extensive set of skills. The following is an incomplete list of those skills. Please feel free to Contact Us if you have any questions.

AJAX, CSS, HTML, XML, SOAP, LAMP… and now Web 2.0?

Dear reader,

Yes. With all these terms, it is quite easy to get lost.

As a developer, my skills are quite extensive. I started with Logo, then learned assembly language, BASIC, C, C++… and all the other languages in between, those most people pass by, such as Ada, Eiffel, Icon… And the languages you kind of have to learn because you are in the business: Bourne shell, configuration files for 100 different pieces of software, Makefiles, etc.

And once you know all of these languages, you think you’re done. Well… Not quite!

The web has its own set of languages! It

The assert() macro in C/C++

This is a subject that comes up all the time on C/C++ boards.

Should you use assertions?

The answer is clearly yes. But the C/C++ assert() facility is usually implemented as a macro, and macros have several problems. The most common ones: they offer no type checking, they do not warn you about side effects in their arguments, and their syntax differs from that of the C/C++ language itself.

One good thing: in a release build (with NDEBUG defined), the debug code that checks parameters, results, etc. is compiled out, so the program runs faster.

One really bad thing: if the expression passed to the macro has a side effect, the release program is different from ...