docker clean up
by John Mazzitelli
Just a little set of tricks that might be helpful to others.
If you want to clean up your docker:
* Delete all containers: docker ps -q -a | xargs docker rm
* Delete all images: docker rmi $(docker images --filter dangling=true)
* Another way of removing all images is: docker images -q | xargs docker rmi
* If images have dependent children, forced removal is via the -f flag: docker images -q | xargs docker rmi -f
* Delete untagged images: docker rmi $(docker images | grep "^<none>" | awk '{print $3}')
8 years, 5 months
New Hawkular Blog Post: Connecting Hawkular Agent to Hawkular Services over SSL
by Thomas Heute
New Hawkular blog post from noreply(a)hawkular.org (Josejulio Martínez): http://ift.tt/2fiy8ZH
SSL provides identification of the communicating parties, confidentiality and integrity of the information being shared.
In production environments, network eavesdropping could be a concern. You can use SSL to provide a secure communication channel between servers.
Hawkular Services expects Hawkular Agents to connect, push information and listen for commands. These commands also include server credentials that could be vulnerable to a man-in-the-middle attack.
A previous article shows how to configure your Hawkular Services with SSL and have Hawkular Agents connect to it trough SSL. This guide will show how is done for Dockerized Hawkular Services Agents.
Preparing your certificates
Before starting we need to prepare the certificates that we are going to use. Your public and private key for Hawkular Services need to be on PEM or PKC12 format. For this guide we will use PEM.
We can create self-signed certificates (in PEM format) using:
keytool -genkey -keystore hawkular.keystore -alias hawkular -dname "CN=hawkular-services" -keyalg RSA -storepass hawkular -keypass hawkular -validity 36500 -ext san=ip:127.0.0.1,dns:hawkular-services
keytool -importkeystore -srckeystore hawkular.keystore -destkeystore hawkular.p12 -deststoretype PKCS12 -srcalias hawkular -deststorepass hawkular -destkeypass hawkular -srcstorepass hawkular
openssl pkcs12 -in hawkular.p12 -password pass:hawkular -nokeys -out hawkular-services-public.pem
openssl pkcs12 -in hawkular.p12 -password pass:hawkular -nodes -nocerts -out hawkular-services-private.key
Important
When creating the certificates, remember to include the host that Hawkular will use (as Common Name(CN) and Subject Alternative Name(SAN)), else the certificate validation will fail. Through this guide, host will be set to hawkular-services.
Warning
Always include san=ip:127.0.0.1 in your certificate, as this will be used internally by Hawkular Services.
Starting Cassandra
Hawkular Services requires a cassandra instance, you can start one by doing:
docker run --name hawkular-cassandra -e CASSANDRA_START_RPC=true -d cassandra:3.0.12
Starting Hawkular Services on SSL
Now that there is a cassandra ready, Hawkular Services can be started, it will be linked to the cassandra instance (hawkular-cassandra)
docker pull hawkular/hawkular-services
docker run --name hawkular-services --link=hawkular-cassandra -e CASSANDRA_NODES=hawkular-cassandra -e HAWKULAR_HOSTNAME=hawkular-services -e HAWKULAR_USE_SSL=true -p 8443:8443 -v `pwd`/hawkular-services-private.key:/client-secrets/hawkular-services-private.key:z -v `pwd`/hawkular-services-public.pem:/client-secrets/hawkular-services-public.pem:z hawkular/hawkular-services
Note
To avoid guessing the host, we explicitly set it to hawkular-services using HAWKULAR_HOSTNAME environmental variable.
Warning
If you don’t specify any certificate, Hawkular services will create one, but we won’t be able to connect agents unless we export the certificate.
Starting a Hawkular Agent
By now there should be a Hawkular Services listening on default secure port 8443, if any agent wants to connect, it will need to know and trust its certificate. If you are self-signing your certificate, you will need to pass Hawkular Service’s certificate when starting the agent.
docker pull hawkular/wildfly-hawkular-javaagent
docker run --name hawkular-agent-01 --link=hawkular-services -e HAWKULAR_SERVER_PROTOCOL=https -e HAWKULAR_SERVER_ADDR=hawkular-services -e HAWKULAR_SERVER_PORT=8443 -v `pwd`/hawkular-services-public.pem:/client-secrets/hawkular-services-public.pem:z hawkular/wildfly-hawkular-javaagent
Note
Host must match with the one specified in the certificate, thus setting HAWKULAR_SERVER_ADDR to hawkular-services is required. Update as needed if using other value.
Testing the setup
Any Hawkular client that supports connecting using SSL can be used. Curl, ManageIQ and HawkFX will be show below.
Note
If using self-signed certificates, the client machine needs to trust Hawkular Services certificate or the client should support to specify which certificate to trust. See here for more info.
Curl
Simplest way to test, we only need to tell curl how to resolve hawkular-services and pass the public certificate.
curl -H "Hawkular-Tenant: hawkular" --resolve "hawkular-services:8443:127.0.0.1" --cacert hawkular-services-prd -X GET https://hawkular-services:8443/hawkular/metrics/metrics
It will output metrics stored on Hawkular Services.
ManageIQ
It can be quickly tested using the dockerized ManageIQ as follow:
docker run --link=hawkular-services --privileged -d -p 8444:443 manageiq/manageiq:fine-3
Once ManageIQ has started, add a Middleware Provider, there is three secured ways to do that:
SSL — Requires that the client box trusts Hawkular Services certificate.
SSL trusting custom CA — Requires to provide the certificate to trust.
SSL without validation — No validation is performed.
We will focus on (2) and (3) as (1) will require to trust the certificates on the machine itself.
Before going onto details, navigate to https://localhost:8444/, login with default username admin and password smartvm. Click on Middleware → Configuration → Add a New Middleware Provider.
SSL trusting custom CA
We need to select SSL trusting custom CA in Security Protocol and copy the certificate from the contents of hawkular-services-public.pem. Fill the Hostname with the one used in the certificate and complete the required information.
Figure 1: Middleware Provider SSL trusting custom ca
SSL without validation
We need to select SSL without validation in Security Protocol. No validation regarding the certificate is made with this option, only fill the required information.
Figure 2: Middleware Provider SSL without validation
HawkFX
One can connect using HawkFx by either installing the certificate on the machine or disabling the verification as show in the image. You will also need to update your /etc/hosts to resolve hawkular-services.
sudo su -c "echo '127.0.0.1 hawkular-services' >> /etc/hosts"
Alternatively, if no verification is used, one could use localhost instead of hawkular-services.
Figure 3: HawkFX without validation
Conclusion
Securing communications between a dockerized Hawkular Agent and Hawkular Services is possible with self-signed certificates. Connecting clients is also possible with the additional step of providing the certificate.
from Hawkular Blog
8 years, 6 months
Grafana datasource release: 1.1.0
by Joel Takvorian
The Hawkular grafana datasource has been released today to 1.1.0.
This release contains:
- Allow per-query tenant configuration [feat. #62 / PR #85]
- Annotations can now be configured out of Availability metrics [PR #85]
and Hawkular Alerts events [PR #88] in addition to string metrics
- Issue #86 / PR #87 : allow dot character in tag names
IMPORTANT INFORMATION:
Because now this datasource is able to fetch not only Hawkular Metrics but
also Hawkular Alerts, the server URL in the datasource configuration must
be updated:
*http://myserver:123/hawkular/metrics
<http://myserver:123/hawkular/metrics>* must be changed to
*http://myserver:123/hawkular
<http://myserver:123/hawkular>*
Release link:
https://github.com/hawkular/hawkular-grafana-datasource/releases/tag/v1.1.0
DockerHub registry updated as well.
8 years, 6 months
New Hawkular Blog Post: Hawkular Alerts with OpenTracing
by Thomas Heute
New Hawkular blog post from noreply(a)hawkular.org (John Mazzitelli): http://ift.tt/2xc8MUQ
Two recent blogs discuss how OpenTracing instrumentation can be used to collect application metrics:
http://ift.tt/2rX1NbW
http://ift.tt/2vWrA6Y
A further interesting integration can be the addition of Hawkular Alerts to the environment.
As the previous blog and demo discuss, Hawkular Alerts is a generic, federated alerts system that can trigger events, alerts, and notifications from different, independent systems such as Prometheus, ElasticSearch, and Kafka.
Here we can combine the two. Let’s follow the directions for the OpenTracing demo (using the Jaeger implementation) and add Hawkular Alerts.
What this can show is OpenTracing application metrics triggering alerts when (as in this example) OpenTracing spans encounter a larger-than-expected error rates.
(Note: these instructions assume you are using Kubernetes / Minikube - see the Hawkular OpenTracing blogs linked above for more details on these instructions)
START KUBERNETES
Here we start minikube giving it enough resources to run all of the pods necessary for this demo. We also start up a browser pointing to the Kubernetes dashboard, so you can follow the progress of the remaining instructions.
minikube start --cpus 4 --memory 8192
minikube dashboard
DEPLOY PROMETHEUS
kubectl create -f http://ift.tt/2wHvySK
kubectl create -f http://ift.tt/2tgfO8q
(Note: the last command might not work depending on your version - if you get errors, download a copy of prometheus-kubernetes.yml and edit it, changing “v1alpha1” to “v1”)
DEPLOY JAEGER
kubectl create -f http://ift.tt/2tfYiRY
The following will build and deploy the Jaeger example code that will produce the OpenTracing data for the demo:
mkdir -p ${HOME}/opentracing ; cd ${HOME}/opentracing
git clone git@github.com:objectiser/opentracing-prometheus-example.git
cd opentracing-prometheus-example/simple
eval $(minikube docker-env)
mvn clean install docker:build
kubectl create -f services-kubernetes.yml
(Note: The last command might not work depending on your version - if you get errors, edit services-kubernetes.yml, changing “v1alpha1” to “v1”)
DEPLOY HAWKULAR-ALERTS AND CREATE ALERT TRIGGER
The following will deploy Hawkular Alerts and create the trigger definition that will trigger an alert when the Jaeger OpenTracing data indicates an error rate that is over 30%
kubectl create -f http://ift.tt/2w86alD
Next use minikube service hawkular-alerts --url to determine the Hawkular Alerts URL and point your browser to the path “/hawkular/alerts/ui” at that URL (i.e. http://host:port/hawkular/alerts/ui).
>From the browser page running the Hawkular Alerts UI, enter a tenant name in the top right text field (“my-organization” for example) and click the “Change” button.
Navigate to the “Triggers” page (found in the left-hand nav menu).
Click the kabob menu icon at the top and select “New Trigger”.
In the text area, enter the following to define a new trigger that will trigger alerts when the Prometheus query shows that there is a 30% error rate or greater in the accountmgr or ordermgr servers:
{
"trigger":{
"id":"jaeger-prom-trigger",
"name":"High Error Rate",
"description":"Data indicates high error rate",
"severity":"HIGH",
"enabled":true,
"autoDisable":false,
"tags":{
"prometheus":"Test"
},
"context":{
"prometheus.url":"http://prometheus:9090"
}
},
"conditions":[
{
"type":"EXTERNAL",
"alerterId":"prometheus",
"dataId":"prometheus-test",
"expression":"(sum(increase(span_count{error=\"true\",span_kind=\"server\"}[1m])) without (pod,instance,job,namespace,endpoint,transaction,error,operation,span_kind) / sum(increase(span_count{span_kind=\"server\"}[1m])) without (pod,instance,job,namespace,endpoint,transaction,error,operation,span_kind)) > 0.3"
}
]
}
Figure 1: Create New Alert Trigger
Figure 2: Alert Trigger
Now navigate back to the “Dashboard” page (again via the left-hand nav menu). From this Dashboard page, look for alerts when they are triggered. We’ll next start generating the data that will trigger these alerts.
GENERATE SOME SAMPLE OPEN TRACING APPLICATION DATA
export ORDERMGR=$(minikube service ordermgr --url)
${HOME}/opentracing/opentracing-prometheus-example/simple/genorders.sh
Once the data starts to be collected, you will see alerts in the Hawkular Alerts UI as error rates become over 30% in the past minute (as per the Prometheus query).
Figure 3: Alerts Dashboard
Figure 4: Alert
If you look at the alerts information in the Hawkular Alerts UI, you’ll see the conditions that triggered the alerts. For example, one such alert could look like this:
Time: 2017-09-01 17:41:17 -0400
External[prometheus]: prometheus-test[Event [tenantId=my-organization,
id=1a81471d-340d-4dba-abe9-5b991326dc80, ctime=1504302077288, category=prometheus,
dataId=prometheus-test, dataSource=none, text=[1.504302077286E9, 0.3333333333333333],
context={service=ordermgr, version=0.0.1}, tags={}, trigger=null]] matches
[(sum(increase(span_count{error="true",span_kind="server"}[1m])) without
(pod,instance,job,namespace,endpoint,transaction,error,operation,span_kind) /
sum(increase(span_count{span_kind="server"}[1m])) without
(pod,instance,job,namespace,endpoint,transaction,error,operation,span_kind)) > 0.3]
Notice the “ordermgr” service (version "0.0.1") had an error rate of 0.3333 (33%) which caused the alert since it is above the allowed 30% threshold.
At this point, the Hawkular Alerts UI provides the ability for system admins to log notes about the issue, acknowledge the alert and mark the alert resolved if the underlying issue has been fixed. These lifecycle functions (also available as REST operations) are just part of the value add of Hawkular-Alerts.
You could do more complex things such as only trigger this alert if this Prometheus query generated results AND some other condition was true (say, ElasticSearch logs match a particular pattern, or if a Kafka topic had certain data). This demo merely scratches the surface, but does show how Hawkular Alerts can be used to work with OpenTracing to provide additional capabilities that may be found useful by system administrators and IT support personnel.
from Hawkular Blog
8 years, 6 months
