Minimize a Docker image


Docker is great to get you started with a solution or to share your setup. A problem you may not be aware of at the beginning is the size of a Docker image. You start with a small base image like Debian, add your stuff, and you are ready. This works perfectly when you only add a “simple” solution, like one that is available via apt-get. When you install a solution from scratch, downloading code from GitHub and building it inside a Docker image, your image can grow to a significantly large size. You will notice this when using a Dockerfile. Each RUN command creates a new layer. You are adding files on top of a previous layer, and to have a running Docker image, all layers are needed. This is great when you work intensively with Dockerfiles and images, as you can also revert to a previous layer, but when your resulting product is just a solution installed and runnable, you can end up with an image too large for your needs.

You can see the different layers of an image when you pull it from Docker Hub.

In my case, the pulled image had a size of 2.321 GB.

Minimize Docker image

A nice feature of Docker is that each container can also be turned into an image. You can export a container to an image without its history of layers attached to it. Therefore, this container serves as a minimized Docker image.

Start container

docker run -d -t tobiashofmann/openui5-rt:1.28

The container is started using the image tobiashofmann/openui5-rt:1.28 and the container ID is displayed. The next step is to transform the container into an image. To avoid typing in the ID, I'll get the human readable name of the container. Note: use the option --name when starting the container to specify your own name.

docker ps -l

Here the name of my running container is modest_lalande. To transform the container into an image, the command docker export is used. To create the image, the output is piped to docker import.

docker export modest_lalande | docker import - tobiashofmann/openui5-rt:1.28-min

The final size of the minimized Docker image is 2.118 GB, close to 200 MB less. Not much here, given the content of the image and the already low number of RUN commands in my Dockerfile. But when you have a human readable Dockerfile with several RUN commands, you can achieve a very good size reduction.


NetWeaver ABAP, SICK and UUID on Linux


Situation

A newly installed NetWeaver ABAP 7.5 system on top of SUSE Linux Enterprise 12. The installation via sapinst was executed without errors. The NetWeaver system is up and running; first logon into the SAP system via SAPGui. Some programs are compiled when logging in, and it all ends in a runtime error message.

Error screen

Analysis

The error message contains a hint to SAP Note 1391070. The SAP Note states that the UUID service on the Linux server is broken and needs to be fixed. A shell script (check-libuuid.sh) that you need to run to get a better error analysis is included in the note. Copy the script to your Linux server and make it executable:

chmod u+x check-libuuid.sh

Output

The output of the script tells you what went wrong and how to fix it.

./check-libuuid.sh

Output

In the output the steps to solve the problem are given.

Solution: activate UUID daemon

See also SAP Note 1984787 on how to configure the UUID service.

  1. Enable the daemon: systemctl enable uuidd
  2. Run the daemon: systemctl start uuidd
  3. Check the status of the daemon: systemctl status uuidd.socket
  4. Final check of uuidd using the script from the SAP Note

It seems normal to be able to simply use a Linux distribution that has “for SAP” in its name to run an SAP system, but that's obviously a newbie assumption. The UUID daemon delivered with SLES for SAP SP12 does not create unique IDs. Not sure how this wasn't discovered – or more precisely, how this was discovered – but it is as it is. No need to panic, a solution is available. Moreover, this means that you cannot simply go out there and install an SAP system and expect it to work; you have to read the documentation (didn't find the uuidd error there) and, even more important, the SAP Notes.

Erroneous libuuid and uuidd

SLES 12 comes with a bug in uuidd: the generated numbers are not unique (yes, testing is not everyone's strength). To find out whether this bug affects your uuidd, and whether it is therefore the target of an imminent upgrade, use the shell script.

./check-libuuid.sh

Output

The output states clearly that you need to update your libuuid and uuidd.

Solution: update libuuid and uuidd

The solution is simple: do as advised by the given SAP Note. If you are not a customer of SUSE for their enterprise distribution, you can register for a 60-day trial, which gives you access to the update server at no cost. I tried to compile a newer version, without success. It seems the script checks the rpm version and not the actual version of uuidd in use.

Register at SUSE (for trial)

To be able to update the UUIDD package, you need to be registered at SUSE. I was using Yast2 and wasn't able to update the packages; I got an error when registering. No luck at all. Using the command line tool, however, I was able to register my server.

SUSEConnect -r <code> -e <email> -u https://scc.suse.com

Output

Checking the dashboard at SUSE customer center shows the system is registered.

Now Yast2 let me connect to the update server and I could update the package.

Result

The check tool is OK with the newly installed version of uuidd.

Reinstall the system?

The original error message stated that an installation error occurred. The root cause is now solved; however, “installation error” sounds pretty much like: system screwed up beyond all repair. Do you now have to reinstall the whole SAP NetWeaver ABAP system? Not a hard task, but time consuming. I do believe that the SAP team responsible for the installer knows what they are doing, and if the UUIDD bug had prevented a successful installation, the installer would have told me so. Therefore, I did not reinstall the system (hey, it's only for demo anyway) and started NetWeaver. And logged on. And finally got no error message, but this:

To be sure, I ran SICK (transaction SM28):

Will keep you posted in case the system is FUBAR. For now it looks good. And is fast.


Verify certificate chain with OpenSSL


A good TLS setup includes providing a complete certificate chain to your clients. This means that your web server sends out all certificates needed to validate its certificate, except the root certificate. This is best practice and helps you achieve a good rating from SSL Labs. In a normal situation, your server certificate is signed by an intermediate CA. With this, your complete certificate chain is composed of the Root CA, the intermediate CA and the server certificate.

Your certificate is signed by an intermediate CA and not by the Root CA because the Root CA is normally an offline CA. As the name suggests, that server is offline and is not available to sign certificates on demand. Its certificate is included in the built-in root CA list of clients (browsers). The intermediate CA is online, and its task is to sign certificates. Unlike the root CA's, its own certificate is not included in the built-in list of certificates of clients. Of course, the web server certificate is not part of this list either. For a client to verify the certificate chain, all involved certificates must be verified: the server certificate by the intermediate CA, which in turn is verified by the Root CA. The client already has the root CA certificate and at least gets the server certificate. The missing certificate is therefore the one of the intermediate CA.

When a client connects to your server, it gets back at least the server certificate. To validate this certificate, the client must have the intermediate CA certificate. For this, it would have to download it from the CA. The root CA is pre-installed and can be used to validate the intermediate CA. Well, it should download it. But not all server certificates include the necessary information, or the client cannot download the missing certificate (hello firewall!). In that case, it is not possible to validate the server's certificate. Therefore the server should include the intermediate CA certificate in its response.

Now the client has all the certificates at hand to validate the server. In case more than one intermediate CA is involved, all of their certificates must be included. The number of CA certificates to send is N-1, where N is the number of CAs in the chain (every CA except the root).

Verify certificate chain with OpenSSL

Enough theory, let's apply this IRL. Use OpenSSL to connect to an HTTPS server (using my very own one here in the example).

openssl.exe s_client -connect www.itsfullofstars.de:443

Output

Loading 'screen' into random state - done
CONNECTED(000001EC)
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=www.itsfullofstars.de
i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGJjCCBQ6gAwIBAgIQEH6ZTKIfC5k6iN7ERWeE9zANBgkqhkiG9w0BAQsFADB4sH+ryHeVQVMe4WxKH2nUKbTtE0ppeCQqXL1ExXXDCD1jANVy0pjlVNHbJJJq9voViyYWxhBveiaEJ02N/gOfgkawwIhYiE3Ur6DLlJh0ynXVuXSsRrV5zCI0
-----END CERTIFICATE-----
subject=/CN=www.itsfullofstars.de
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4041 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2D5[…]2F0
Session-ID-ctx: Master-Key: 9D8[…]DCF
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3d 21 23 92 67 cc 97 a5-17 c5 09 9e 69 da ea 6d =!#.g.......i..m[…]
00b0 - ac fb 79 22 fc c6 fa 9b-ef c8 0e cb 6c 27 72 83 ..y"........l'r.
Start Time: 1455216192
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---

If you cannot interpret the result: it failed. Verify return code 20 means that OpenSSL is not able to validate the certificate chain. The certificate chain can be seen here:

  • 0: the certificate of the server
  • 1: the certificate of the CA that signed the server's certificate (0)
  • s: the subject, i.e. the name of the certificate holder, while i is the name of the issuing CA.

To get a clearer understanding of the chain, take a look at how this is presented in Chrome:

The certificates sent by my server include its own and the StartCom Class 1 DV Server CA.

Server certificate:

StartCom Class 1 DV Server CA

Missing: Root CA: StartCom Certification Authority. This is the Root CA and already available in a browser. It's not available in OpenSSL, as the tool comes without a list of trusted CAs. To “install” the root CA as trusted, OpenSSL offers two parameters:

  • CAfile: point to a single certificate file that is used as trusted Root CA
  • CApath: point to a directory with certificates that are going to be used as trusted Root CAs

I will use the CAfile parameter. For this, I'll have to download the CA certificate from StartSSL (or via Chrome).

openssl.exe s_client -connect www.itsfullofstars.de:443 -CAfile startssl_rootca.cer

Output

Loading 'screen' into random state - done
CONNECTED(000001EC)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN =StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
verify return:1
depth=0 CN = www.itsfullofstars.de
verify return:1
---
Certificate chain
0 s:/CN=www.itsfullofstars.de
i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGJjCCBQ6gAwIBAgIQEH6ZTKIfC5k6iN7ERWeE9zANBgkqhkiG9w0BAQsFADB4sH+ryHeVQVMe4WxKH2nUKbTtE0ppeCQqXL1ExXXDCD1jANVy0pjlVNHbJJJq9voViyYWxhBveiaEJ02N/gOfgkawwIhYiE3Ur6DLlJh0ynXVuXSsRrV5zCI0
-----END CERTIFICATE-----
subject=/CN=www.itsfullofstars.de
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4041 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9[…]43
Session-ID-ctx: Master-Key: 4C[…]2D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3d 21 23 92 67 cc 97 a5-17 c5 09 9e 69 da ea 6d =!#.g.......i..m
0010 - fc 05 be 96 ce bd 98 d6-d0 80 f9 67 1c 09 8c 4a ...........g...J
00b0 - 3a c2 73 77 e3 40 ab 22-84 1b f2 6a 5a 4a 8e 68 :.sw.@."...jZJ.h
Start Time: 1455217879
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

Return code is 0. Now it worked. OpenSSL was able to validate all certificates and the certificate chain is working.
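The reading of the two runs above done by code, as an added example (not from the original post): it parses the "Certificate chain" and "Verify return code" lines of `openssl s_client` output, embedded here as constructed samples cut down from the run above, and tells a missing intermediate apart from a root that is merely not in OpenSSL's trust store.

```python
"""Interpret the 'Certificate chain' block of `openssl s_client` output.

Added example, not code from the original post: lists the certificates the
server sent, checks that each one is issued by the next, and separates the two
causes of 'Verify return code: 20': an intermediate the server does not send,
versus a root that is merely absent from OpenSSL's (empty) trust store.
"""
import re

# Constructed sample, cut down from the post's first s_client run: the server
# sends its own certificate plus the intermediate CA certificate.
SAMPLE_INTERMEDIATE_SENT = """\
Certificate chain
 0 s:/CN=www.itsfullofstars.de
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample: the same server misconfigured to send only its own certificate.
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/CN=www.itsfullofstars.de
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class1 DV Server CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# One chain entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
CHAIN_ENTRY = re.compile(r"^\s*\d+\s+s:(?P<subject>.*)\n\s*i:(?P<issuer>.*)$", re.M)
VERIFY_CODE = re.compile(r"^Verify return code:\s*(\d+)", re.M)


def parse_chain(output: str) -> list:
    """(subject, issuer) pairs in the order the server sent them; index 0 is the leaf."""
    return [(m["subject"].strip(), m["issuer"].strip()) for m in CHAIN_ENTRY.finditer(output)]


def parse_verify_code(output: str) -> int:
    """The numeric 'Verify return code', or -1 if the line is absent."""
    m = VERIFY_CODE.search(output)
    return int(m.group(1)) if m else -1


def diagnose(output: str) -> dict:
    """Summarise what the server sent and why verification did or did not succeed."""
    chain = parse_chain(output)
    code = parse_verify_code(output)
    # In a well-formed chain each certificate's issuer is the next certificate's subject.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    top_subject, top_issuer = chain[-1] if chain else (None, None)
    if code == 0:
        verdict = "ok: chain validated"
    elif not chain:
        verdict = "no certificate chain found in output"
    elif not linked:
        verdict = "chain broken or out of order"
    elif len(chain) == 1 and top_subject != top_issuer:
        verdict = "server sends only its own certificate: intermediate CA certificate missing"
    else:
        verdict = "chain complete up to the root: supply the root CA via -CAfile or -CApath"
    # trust_anchor_needed is the issuer of the last certificate sent: what the client must already trust.
    return {"sent": len(chain), "linked": linked, "verify_code": code,
            "trust_anchor_needed": top_issuer, "verdict": verdict}
```

Pipe a real run through it with `openssl s_client -connect host:443 </dev/null | python3 -c 'import sys, chaincheck; print(chaincheck.diagnose(sys.stdin.read()))'` (module name assumed).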

More resources

https://community.qualys.com/docs/DOC-1931

https://www.openssl.org/docs/manmaster/apps/verify.html


Get an A rating from SSL labs


You should secure your web site using TLS. No, that's not a typo, it's TLS and not SSL. SSL is dead and should not be used anymore. Praise TLS. This may sound complicated at first, but it's not. The first step is to deactivate HTTP and activate HTTPS. How to do this depends on your web server. Luckily, there is a lot of good documentation on this available. For free. Thanks, Internet. To help you evaluate your setup, there is an online service available that tests your HTTPS setup: ssllabs.com. Just enter your server name and you get a result from A to F. You have a secure site when you get an A. The problem with this documentation is that it shows you how to activate TLS, but not how to get to a setup secure enough to earn you an A rating from SSL Labs. Now, what is a secure setup for TLS? You can argue here for eternity. So (too?) many parameters are available. Let me try to show you what I did to get an A rating.

First, let's take a look at the SSL Labs service and check some sites to get an understanding of how the service works. SAP's site (sap.com) gets an A rating:

If something is wrong, the rating is downgraded and a justification of the rating is given. For instance, if you run a check against service.sap.com (155.56.89.225), you get a C rating.

The problems that caused the C rating are all related to protocol support. Don't worry, service.sap.com is the old support site; support.sap.com gets an A rating. I am only showing this here to demonstrate the impact the supported protocols have on the rating. The other three criteria were rated equally. Some sites can get an even worse result (that site is not related to SAP).

While it is nice to know that an A rating is possible, how to get one for your own server? Let me show this using my very own web server as an example: https://www.itsfullofstars.de:8081

Request certificate

The first step is to get a valid certificate. This is done by creating a CSR and sending it to a CA. To create the CSR, you can use OpenSSL.

openssl req -new -newkey rsa:4096 -nodes -keyout itsfullofstars.de.key -out itsfullofstars.de.csr -sha256

The output is a key file and a CSR file. The key is 4096 bits long and the request is signed with SHA-256. Send the CSR to your CA (I use StartSSL) and you get back the certificate (CRT), and normally also the intermediate certificate.

The server certificate is the CRT file. It is already in PEM format; to make this clear, I renamed it to .PEM. Upload the certificate to the web server and activate it in the Apache configuration for HTTPS.

Base Apache configuration

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLCipherSuite HIGH:MEDIUM:-RC4:-EXP:!kEDH:!aNULL
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key

Running the SSL Labs test now gives a B rating.

Certificate chain

The rating is capped to B because of an incomplete certificate chain. Remember the 1_root_bundle.crt file delivered by the CA? That's the intermediate CA certificate. That's the certificate the web server is not providing, but should. Add the parameter SSLCertificateChainFile to Apache's conf file.

SSLCertificateChainFile /etc/ssl/1_root_bundle.crt

Running the SSL Labs test now gives an A- rating.

Already A- for just fixing the certificate chain problem. The report shows that I get an A- and not better because the web server is not supporting forward secrecy (PFS). It's not like I'll need to have forward secrecy. I do not run an e-commerce site or let people log on.

What is PFS? It protects your users as it makes it really hard to decrypt the traffic. To decrypt a session, the session key must be known. In case the session key was established using an algorithm without forward secrecy (e.g. RC4, RSA), all it takes is the server's private key. If someone gets access to my server's private key, the attacker can decrypt all traffic (even recorded traffic). Changing the algorithm to ephemeral Diffie-Hellman makes this more secure, as the attacker needs to crack the session key. In my case the session key is exchanged with a 4096 bit certificate, so that should take them some time. As the session key is unique per session, the attacker will have to decrypt the key for each session. Just having the server's private key is not enough.

Forward secrecy

While forward secrecy is a little bit of an overkill for my site, it's possible to do, and “it's too much” does not count in regards to security. Therefore, I will activate forward secrecy on my server. Basically, PFS is done by activating the correct cipher suites and instructing the web server to ignore the browser's preference. This forces the browser to use the ephemeral DH ciphers sent by the server, and those allow PFS.

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key
SSLCertificateChainFile /etc/ssl/1_root_bundle.crt

Running the SSL Labs test now gives an A rating.

Mission accomplished, my web site is now rated A by SSL labs.
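The two grade caps walked through above, turned into a check you can run over a mod_ssl fragment before asking SSL Labs. This is an added example, not part of the original post; it works on constructed copies of the post's first (B) and final (A) configurations and uses simple token heuristics rather than a real cipher-list evaluator.

```python
"""Lint an Apache mod_ssl fragment for the grade caps hit in the post above.

Added example, not part of the original post: flags a missing
SSLCertificateChainFile (the incomplete chain behind the B rating) and a cipher
setup that does not enforce ephemeral key exchange (no forward secrecy, the
reason for the A-), plus SSLv3, RC4 and TLS compression as related checks.
"""
import re

# Constructed copy of the post's first configuration (rated B).
BASE_CONFIG = """\
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLCipherSuite HIGH:MEDIUM:-RC4:-EXP:!kEDH:!aNULL
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key
"""

# Constructed copy of the post's final configuration (rated A).
FINAL_CONFIG = """\
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key
SSLCertificateChainFile /etc/ssl/1_root_bundle.crt
"""

# OpenSSL cipher-list prefixes that select ephemeral (forward-secret) key exchange.
EPHEMERAL_PREFIXES = ("EECDH", "ECDHE", "EDH", "DHE")


def parse_directives(config: str) -> dict:
    """Map directive name -> value, skipping blank lines, comments and surrounding quotes."""
    directives = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip().strip('"')
    return directives


def findings(config: str) -> list:
    """Return human-readable problems found in the fragment; an empty list means clean."""
    d = parse_directives(config)
    issues = []
    if "SSLCertificateChainFile" not in d:
        issues.append("incomplete chain: SSLCertificateChainFile missing (SSL Labs caps the grade at B)")
    protocols = d.get("SSLProtocol", "all").split()
    if "SSLv3" in protocols or "+SSLv3" in protocols or ("all" in protocols and "-SSLv3" not in protocols):
        issues.append("SSLv3 enabled")
    # SSLCipherSuite accepts ':' or whitespace as separators; '!' and '-' negate a token.
    tokens = [t for t in re.split(r"[:,\s]+", d.get("SSLCipherSuite", "DEFAULT")) if t]
    positive = [t for t in tokens if not t.startswith(("!", "-"))]
    ephemeral_preferred = any(t.startswith(EPHEMERAL_PREFIXES) for t in positive)
    # Forward secrecy needs ephemeral suites listed first *and* the server's order enforced.
    if not (ephemeral_preferred and d.get("SSLHonorCipherOrder", "off").lower() == "on"):
        issues.append("forward secrecy not enforced: list EECDH/EDH suites first and set SSLHonorCipherOrder on")
    if "!RC4" not in tokens and "-RC4" not in tokens and any("RC4" in t or t == "MEDIUM" for t in positive):
        issues.append("RC4 not excluded from the cipher list")
    if d.get("SSLCompression", "off").lower() != "off":
        issues.append("TLS compression enabled")
    return issues
```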


Some resources

https://support.microsoft.com/en-us/kb/257591

https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy

http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

https://scotthelme.co.uk/perfect-forward-secrecy/
