
Docker vs Cloud Foundry

First of all, let me start by saying that I am a big fan of Docker and container technology in general. But too often I see people comparing Docker with full PaaS stacks, which is comparing apples with pears.

Cloud Foundry is a PaaS. Part of that PaaS is container technology like Docker, but in Cloud Foundry this is called Warden (or Garden in the next-generation implementation).

Docker is not a PaaS; you need something like Flynn (https://flynn.io/) on top of it before Docker starts to look like a PaaS.

There are a lot of misconceptions about Docker: http://www.infoq.com/news/2014/07/top-docker-misconceptions

In the end, Docker fills a gap that other tools are not filling. But for application development and deployment you want a PaaS with a nicely defined API that makes application deployments easy. Users should not care about the underlying container technology, only about scaling application instances and flexibility in setting up the container runtime.

WIP

Java and Wildcard SSL certificate issues

Today I faced a nasty issue using a valid, signed wildcard SSL certificate from Symantec.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at SSLTest.<init>(SSLTest.java:20)
	at SSLTest.main(SSLTest.java:34)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 23 more

Even though the certificate is valid and the root CA was actually in the Java cacerts keystore, it still did not work. First I tried to run my Java application with ***-Djavax.net.debug=SSL*** to see what was really going on. I noticed that the intermediate certificate was not in the cacerts keystore.

I had to import the intermediate certificate into the keystore, because its absence was breaking the cert chain. I downloaded the missing intermediate cert from Symantec (you can see the download link to the missing cert in the SSL handshake log: http://svrintl-g3-aia.verisign.com/SVRIntlG3.cer in my case).

And I imported the cert into the Java keystore. After importing the intermediate certificate my wildcard SSL cert finally started working:

keytool -import -keystore ../jre/lib/security/cacerts -trustcacerts -alias "VeriSign Class 3 International Server CA - G3" -file /pathto/SVRIntlG3.cer

And voila!
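
The failure mode in this post, reproduced offline as an added example (not from the original post): a constructed root, intermediate and wildcard leaf are generated with the `openssl` CLI, and the leaf is validated against the root alone and then with the intermediate available. All names (`Demo Root CA`, `*.example.test`, and the `issue`, `check` and `verify_chain` helpers) are made up for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up): root CA -> intermediate CA -> wildcard leaf.
# verify_chain prints two words: the result of validating the leaf against the root
# alone, then the result when the intermediate is also available to the path builder.

issue() {  # issue <name> <subject> <extfile> [issuer]  (self-signed when issuer is omitted)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1 || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  fi
}

check() {  # check <openssl verify args...>  -> prints OK or FAIL
  if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

verify_chain() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'subjectAltName=DNS:*.example.test\n' > leaf.ext
    issue root "/CN=Demo Root CA" ca.ext || exit 1
    issue inter "/CN=Demo Intermediate CA" ca.ext root || exit 1
    issue leaf "/CN=*.example.test" leaf.ext inter || exit 1
    # Only the root is trusted and no intermediate is supplied: the same situation
    # as a trust store holding the root CA while the intermediate is missing.
    without=$(check -CAfile root.pem leaf.pem)
    # Intermediate made available as an untrusted helper certificate.
    with=$(check -CAfile root.pem -untrusted inter.pem leaf.pem)
    echo "$without $with"
  )
  status=$?
  rm -rf "$dir"
  return $status
}

verify_chain   # prints: FAIL OK
```

A server that sends its intermediate certificate in the handshake gives clients the same effect as `-untrusted` here, without touching each client's `cacerts`.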

Hooking up Cloud Foundry app to New Relic

How to integrate Cloud Foundry and New Relic

New Relic provides in-depth insight into your apps. How can you benefit from it using Cloud Foundry and the Java buildpack? It is easy, read on!

If you are using the hosted version you can easily add New Relic to your application using the marketplace.

[Image: newrelic_marketplace]

After the New Relic service has been bound to your application, it takes a few minutes before data starts to appear. Eventually your dashboard will show data like this:

[Image: image2013-11-15 16-44-40]

Users who run a private Cloud Foundry installation, or who want to hook up an existing New Relic account to their application, can do the following. Create a user-provided service (see the New Relic constraints described here: https://github.com/cloudfoundry/java-buildpack/blob/master/docs/framework-new-relic.md#configuration). Make sure that the service name contains newrelic. Next, specify your New Relic licenseKey.

cf create-service user-provided
Name?> newrelic-some_unique_string
What credential parameters should applications use to connect to this service instance?
(e.g. hostname, port, password)> licenseKey
licenseKey> newrelic_license_key
Creating service newrelic-some_unique_string... OK

Now bind the service to your app:

cf bind-service newrelic-some_unique_string
1: helloworld
Which application?> 1

Restart your app and you are done!

cf restart helloworld
Using manifest file manifest.yml
Stopping helloworld... OK
Preparing to start helloworld... OK
-----> Downloaded app package (5.5M)
-----> Downloaded app buildpack cache (39M)
Initialized empty Git repository in /tmp/buildpacks/java-buildpack.git/.git/
-----> Downloading OpenJDK 1.7.0_45 from http://download.pivotal.io.s3.amazonaws.com/openjdk/lucid/x86_64/openjdk-1.7.0_45.tar.gz (0.2s)
       Expanding JRE to .java (0.8s)
-----> Downloading New Relic Agent 3.1.1 from http://download.pivotal.io.s3.amazonaws.com/new-relic/new-relic-3.1.1.jar (7.3s)
-----> Downloading Spring Auto-reconfiguration 0.7.2 from http://download.pivotal.io.s3.amazonaws.com/auto-reconfiguration/auto-reconfiguration-0.7.2.jar (0.2s)
       Modifying /WEB-INF/web.xml for Auto Reconfiguration
-----> Downloading Tomcat 7.0.47 from http://download.pivotal.io.s3.amazonaws.com/tomcat/tomcat-7.0.47.tar.gz (0.2s)
       Expanding Tomcat to .tomcat (0.1s)
-----> Downloading Buildpack Tomcat Support 1.1.1 from http://download.pivotal.io.s3.amazonaws.com/tomcat-buildpack-support/tomcat-buildpack-support-1.1.1.jar (0.2s)
-----> Uploading droplet (48M)

After a few minutes data starts appearing in New Relic:

[Image: image2013-11-15 16-22-20]

You are now ready to do awesome stuff with all this information :-)

More info on user provided services: http://docs.cloudfoundry.com/docs/using/services/user-provided.html

Some background info for New Relic: https://newrelic.com/about

Funny job requests

Today I received this email. In Dutch, "paas haas" means Easter bunny.

Dear Stephan

We are currently searching for a Cloud Consultant to work in Den Haag, The Netherlands for 2 months plus extensions. This is a fantastic contract opportunity for a large multi-national client.

The ideal candidate must have the following skills:

Investigate opportunities to develop a PAAS/HAAS service for GF IT projects that allows projects to quickly build up project systems in the cloud that can be easily dismantled once the project is completed or does not require the system any longer.

Git detached head? What the hell??

Watch this video for 5 minutes:

Then read this Stack Overflow answer, which explains it pretty well:

http://stackoverflow.com/questions/5772192/git-how-can-i-reconcile-detached-head-with-master-origin/5772882#5772882

Now you know :-)