
book

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. In particular, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you do want to share that service with the rest of the world, but it is very dangerous while you are still working on that container service, since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the source IP address matches 192.168.1.0/24, access is refused. The `eth0` interface name should be replaced with the name of the interface you use as the external Ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block ports 80, 8080, and 8081 from Docker.

Docker will add new rules that appear afterward (albeit not within the DOCKER-USER list) and open ports for whatever service you install in your Docker containers.

Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running, so as a result I block the usual HTTP ports from Docker.
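As an added example (not part of the original post), the following shell function reads `iptables-save` output and lists the host TCP ports Docker publishes that have no matching `--ctorigdstport` DROP rule in DOCKER-USER on the external interface, so you can review each one. The function names and the sample ruleset are constructed for illustration; the sample assumes the DNAT rule layout Docker writes to the nat table.

```shell
#!/bin/sh
# Constructed sample: a trimmed iptables-save dump. Docker publishes host
# ports 8080, 8081 and 5000; DOCKER-USER drops 80, 8080 and 8081 on eno1.
sample_ruleset() {
    cat <<'EOF'
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.4:5000
COMMIT
*filter
-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP
COMMIT
EOF
}

# unblocked_ports IFACE: read an iptables-save dump on stdin and print the
# published host ports that no DOCKER-USER rule drops on IFACE.
# The DROP rules match on --ctorigdstport because the packet has already
# been DNATed when it reaches DOCKER-USER, so a plain --dport would see
# the container port instead of the port the client connected to.
# Rule order inside DOCKER-USER (earlier ACCEPT/RETURN) is not evaluated.
unblocked_ports() {
    awk -v iface="$1" '
        $1 == "-A" && $2 == "DOCKER-USER" && $NF == "DROP" {
            on_if = 0; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == iface) on_if = 1
                if ($i == "--ctorigdstport") port = $(i + 1)
            }
            if (on_if && port != "") dropped[port] = 1
        }
        $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dport") published[$(i + 1)] = 1
        }
        END { for (p in published) if (!(p in dropped)) print p }
    ' | sort -n
}

# On a live host (as root): iptables-save | unblocked_ports eno1
sample_ruleset | unblocked_ports eno1
```
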

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software within that environment from accessing everything on your computer. This is particularly useful for publicly facing services like Apache, Bind, etc.

Best C++ Books

Once in a while someone will ask me which book is best to start learning programming. The fact is that I do not know because I'm already an advanced programmer and it's rather difficult for me to get back to the basics (it feels like a waste of my time, sorry...)

That being said, at Made to Order Software, we've mainly been a C++ shop. We also do a lot of C, PHP, JavaScript and touch many other languages as required by the tasks we perform (bash, cmake, perl, C#, Java, etc.)

That being said, I wanted to underline some of the best C++ books available today. Especially, in the last ...

Insert Node Parameter: plain (6-1.2) [no content]

The plain keyword is used to avoid having the content being inserted put inside a tag. By default, the content is inserted inside a <span> or a <div> tag (<span> is used if the output does not include <div>, <p> and other such tags.)

Although one could overload the theme_InsertNode_node() theme function, it is at times practical to be able to use both methods.

The plain keyword does not otherwise generate any output.

This keyword's primary use is for adding CCK parameters inside HTML code as proposed by one of our users (see here):

  <input ...

What are yellow pages good for?

Since I work a lot with the Internet, I often have people asking me whether the Yellow Pages are still useful...

The fact is, there are still many people using the Yellow Pages. Most advanced geeks will use an online directory such as superpages.com. Yet, for certain things such as looking for a plumber, people still use the Yellow Pages.

So, how do I choose whether to have an ad in the Yellow Pages?

Simple! Take the latest Yellow Pages book you've received and look under your category and see what your competition does. If you have 1 or more full page advertisers, you bet that you have ...

Insert Node Parameter: booktree (6-1.2)

If you have books and you are using the booktree module, then you can insert a book tree in another node using the Insert node module with the booktree parameter.

The book tree will start with the specified node.

See Also: Insert Node Parameter: cck (6-1.2)

IMPORTANT NOTE

This parameter is an extension that should be part of the booktree module and not of the Insert Node. It may not be supported in future versions (3.x, D7...)

The Insert Node module verifies that the user has permission to view that book tree. If not, nothing is output which means that the tag may instead generate ...

Insert Node Parameter: cck (6-1.2)

The CCK parameter lets you insert one of your CCK fields and some node fields that cannot otherwise be added without being themed.

We support CCK fields and several special field names as follows.

Fields that appeared after version 6-1.2 have a version specified in parentheses (i.e. 6-1.3).

cck=field_<name>; [requires CCK]

The CCK parameter must be followed by a field name. An empty name is likely to generate an error. The name of a field that does not exist is likely to generate nothing.

For instance, if you have a field named see_also, you would write:

   cck=field_see_also;

IEEE Standard 754

 

The original document by Steve Hollasch can be found at http://steve.hollasch.net/cgindex/coding/ieeefloat.html

IEEE Standard 754 Floating Point Numbers

SWF File Format Reference

The Flash File Format Explained


The SWF file format is used for Flash. SWF stands for Shockwave Format[1], the very first company that created the Flash animation format later bought by Macromedia and now owned by ...

  • 1. There are many people who found other names for the acronym such as Shockwave Flash, Shock Wave File, Small Web Format, Serious Wow Factor, and SWIFF. The history of mankind is confronted with the same problems, unfortunately. And no... it really has nothing to do with the Swiss Wrestling Federation!

About Us

Here you will find a few of the software solutions that have been made possible by Made to Order Software Corporation. Feel free to contact us for more information.

Snap! Websites

Made to Order Software created Snap! Websites, a CMS system, which allows customers to create their own websites, hosted on our servers.

The new version of Snap! is actually Open Source. You can find more information about Snap! Websites Open Source on the Snap! Website, a C++ CMS website.

A few customers using our old Snap! offer include:

Order ...

Creating Turn Watcher — An Adventure Unto Itself

I think I'm like just about everyone else. I have the work 'me' and the play 'me'. Only difference is, the two once merged, and what was born was Turn Watcher.

I have played in D&D campaigns for many years, but never thought of running my own campaign until I got a very unusual present for my 40th birthday — the Dungeon Master's Guide. I started reading the book and was hooked. How fun I thought it would be to create encounters and intriguing situations and worlds for my players. It wasn't until I ran my first game that I realized that it would take more ...