Made to Order Software Corporation Logo

regular

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. Especially, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you want to indeed share that service with the rest of the world, it's very dangerous if you are working on that container service since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the IP address matches 192.168.1.0/24, the access is refused. The `eth0` interface name should be replaced with the interface name you use as the external ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block port 80, 8080, and 8081 from Docker.

Docker will add new rules that will appear after (albeit not within the DOCKER-USER list) and will open ports for whatever necessary service you install in your Dockers.

Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running so as a result I block quite usual HTTP ports from Docker.

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software from within that environment access to everything on your computer. This is particularly useful for publicly facing services liek Apache, Bind, etc.

US Zip Code overlay on Google Maps

Today I had a need to find out a set of zip codes that would match a delivery area for one of my customers. I was wondering how could I find out all the zip codes over a given area...

Searching a little bit I found a website named zipmap which actually does just that. The entire US is covered and you can navigate it just like you navigate a regular Google Map view. Very practical!

You can easily move around, zoom in and out, and you even see the map with street names in the background.

Protected Node Views Support

The Protected Nodes offers some additional supports to views 2.x and 3.x in Drupal 6.x.

The additional support includes fields, filters, and sort capabilities that are added to the Node type. The join between the regular node and the protected node data is the node identifier (nid). This means the revision identifier is ignored.

  • Password last changed

    This value is the date when the password was last modified. You can display this date, filter using the date, and sort by date.
     
  • Node is protected

    This value is a yes/no value (i.e. Boolean) which can be ...

Protected Node Password Fork Feature

Password Fork

The new module allows for a password fork.

This means you can send your users to one specific page, and tell them about a password to use on that one page. Depending on the password, they will be sent to one of several nodes.

This works in a very similar way as the other password form, except that there is no specific destination, and the users need to know any one of the passwords.

The feature uses a specific URL defined as follow:

/protected-nodes?protected_pages=<nid1>,<nid2>,...&back=<url>

  • protected_pages=<nid1>,<nid2>,...

This

Protected Node Global Settings

The protected node module has global settings found under:

Administer » Site configuration » Protected node

Protected node Statistics

The page starts with statistics to let you know how pages are protected on your website. All the counts include published and unpublished content.

  • Total nodes — the total number of nodes on your website
  • Unprotected nodes — number of nodes that do not have a password
  • Protected nodes — number of nodes that are current protected by a password
    • Showing title — number of nodes showing their title
    • ...

Insert Node Parameter: cck (6-1.2)

The CCK parameter let you insert one of your CCK field and some node fields that cannot otherwise be added without being themed.

We support CCK fields and several special field names as follow.

Fields that appeared after version 6-1.2 have a version specified between parenthesis (i.e. 6-1.3).

cck=field_<name>; [requires CCK]

The CCK parameter must be followed by a field name. An empty name is likely to generate an error. The name of a field that does not exist is likely to generate nothing.

For instance, if you have a field named see_also, you would write:

   cck=field_see_also;

Insert Node Parameter: comments (6-1.1) [no content]

Attach the comments at the bottom of the node data.

The comments will be shown just as in the regular page (i.e. flat, thread, expanded, collapsed.)

Note that this data is considered a [no content] because it does not affect the use of the "default" parameter. However, it definitively adds content to your output.

CSS Class: div.insert-node-comments

Theme: InsertNode_comments

IMPORTANT NOTES

The comments are appended to anything else that you have inserted. You cannot use the order of your parameters to put the comments in a different location. In order to do that, use multiple

Get URL

SWF Action
Action Category: 
Movie
Action Details: 
0
Action Identifier: 
131
Action Structure: 
string   f_url;
string   f_target;
Action Length: 
-1 byte(s)
Action Stack: 
n.a.
Action Operation: 
f_target.load(f_url);
Action Flash Version: 
1

Load the specified URL in the specified target window.

When the target is set as "_level0", the current SWF file is replaced by the file specified in the f_url field. The name in the f_url field should be a proper SWF file or the area will simply become black.

When the target is set as "_level1", something special is supposed to happen. I still don't know what it is...
Also the effect of _level1 + an empty URL is ... (to remove level1?)

PlaceObject2

Tag Info
Tag Number: 
26
Tag Type: 
Define
Tag Flash Version: 
3
Brief Description: 

Place, replace, remove an object in the current display list.

Tag Structure: 
struct swf_placeobject2 {	/* and swf_placeobject3 */
	swf_tag			f_tag;		/* 26 or 70 */
	/* NOTE: the following flags can be read as one or two bytes also */
	if(version >= 8) {
		unsigned	f_place_reserved : 5;
		unsigned	f_place_bitmap_caching : 1;
		unsigned	f_place_blend_mode : 1;
		unsigned	f_place_filters : 1;
	}
	if(version >= 5) {
		unsigned	f_place_has_actions : 1;
	}
	else {
		unsigned	f_place_reserved : 1;
	}
	unsigned		f_place_has_clipping_depth : 1;
	unsigned		f_place_has_name : 1;
	unsigned		f_place_has_morph_position : 1;
	unsigned		f_place_has_color_transform : 1;
	unsigned		f_place_has_matrix : 1;
	unsigned		f_place_has_id_ref : 1;
	unsigned		f_place_has_move : 1;
	unsigned short		f_depth;
	if(f_place_has_id_ref) {
		unsigned short		f_object_id_ref;
	}
	if(f_place_has_matrix) {
		swf_matrix		f_matrix;
	}
	if(f_place_has_color_transform) {
		swf_color_transform	f_color_transform;
	}
	if(f_place_has_morph_position) {
		unsigned short		f_morph_position;
	}
	if(f_place_has_name) {
		string			f_name;1
	}
	if(f_place_has_clipping_depth) {
		unsigned short		f_clipping_depth;
	}
	/* 3 next entries since v8.0 */
	if(f_place_filters) {
		unsigned char		f_filter_count;
		swf_any_filter		f_filter;
	}
	if(f_place_blend_mode) {
		unsigned char		f_blend_mode;
	}
	if(f_place_bitmap_caching) {
		/* WARNING: this is not defined in the Macromedia documentation
		 * it may be that it was part of the blend mode whenever the person
		 * who defined this byte was testing (I copied that from somewhere else!).
		 */
		unsigned char		f_bitmap_caching;
	}
	/* since v5.0 */
	if(f_place_has_actions) {
		unsigned short		f_reserved;
		if(version >= 6) {
			unsigned long	f_all_flags;
		}
		else {
			unsigned short	f_all_flags;
		}
		swf_event		f_event[<variable>];
		if(version >= 6) {
			unsigned long	f_end;	/* always zero */
		}
		else {
			unsigned short	f_end;	/* always zero */
		}
	}
};
  • 1. Assuming that this PlaceObject2 references a DefineSprite, this name becomes the name of this instance of the sprite. This feature enables you to place the same DefineSprite multiple times in your display list each time using a different name.

This tag will be used to specify where and how to place an object in the next frame. The PlaceObject is much different and is presented separately.

The f_depth field is used to indicate at which depth the character is inserted in the current frame. There can be only one object per depth value (thus a maximum of 65536 objects can appear on a single frame).

The f_place_has_move and f_place_has_id_ref flags are used to indicate what to do at the given depth. The following table presents what happens depending on the current value.

f_place_has_move ...

IEEE Standard 754

 

The original document by Steve Hollasch can be found at http://steve.hollasch.net/cgindex/coding/ieeefloat.html

IEEE Standard 754 Floating Point Numbers