Docker Swarm Overlay Encryption

Hi Guys!

I have set up a Docker Swarm cluster on the new Hetzner Cloud. First things first – the Hetzner Cloud is really amazing: super simple, super cheap, and it performs as expected. It is not a bloated cloud provider with 100x services and features that you can use for your servers, and this keeps the costs and complexity down – I am really a big fan of it.

Now to the topic: because the feature set is simple, the Hetzner Cloud does not provide private networking (yet!). With only public IP addresses, we need to secure the overlay traffic between our Docker containers!


VMware: Broken snapshot, last resort solution

Hey Guys!

So, imagine you are in the following situation:

You have an “enterprise” backup software like Veeam running. Now, for some reason the file-level restore doesn’t work at 2 a.m. and you start to slightly panic. You don’t notice that you have a snapshot running on the virtual machine, and the next thing you do is a disk file restore that completely replaces the disk with the wrong or faulty data.

With that, you have fucked up. Sadly, this enterprise-level software doesn’t recognize that there is an active snapshot running on the VM, and just replaces the faulty disk. This results in a broken snapshot chain, because you replace the disk running an active snapshot with the same disk from an earlier time, which didn’t have a snapshot running. What does that lead to?

  • You cannot remove any snapshot anymore
  • Veeam depends on snapshots, and thus you won’t be able to back up anymore
  • This is a production system, and it is very dangerous not to have any backup

Now, how do you remove that snapshot without any risk of data loss and/or corruption?


Changing signature algorithm for CSR generation on Plesk

Hi Webhosters!

If you are running Plesk, commercially, for fun or for whatever other reason, this information might be for you.

When you want to order a certificate from a CA, there are now several CAs that have stopped taking orders from CSRs that use SHA1 as the signature algorithm. Google also wants to accelerate the end of SHA1 by no longer marking a connection as secure if it uses a certificate that is signed with SHA1. You can read more about that here.

Sadly, Plesk generates the CSR with SHA1 by default.
