Domino Container Environment Install Script

It has been a round for a while. I am too lazy to do the same installations over and over again manually.
In addition it helps me to get customer environments all setup in the same way.

This script clones the Domino container project and Domino start script.
It also installs Docker from the official repository along with the Domino download script and also the container control script.
This is the fastest way to setup a container environment.

I have just added a documentation page for the script:

https://nashcom.github.io/domino-startscript/install_container_env/

• Comments [0]

DACHNUG Vienna DNUG Lab preparation done

There are many interesting new features in Domino 14.5.
And I am working on a couple projects.


Beside updating the DNUG Lab to Domino 14.5, I also setup a lot of components on my demo notebook.

• Notebook with Windows 11 (https://blog.nashcom.de/nashcomblog.nsf/dx/black-friday-getting-some-new-ai-ready-hardware.htm)
• NVIDIA GeForce RTX GPU with 8 GB RAM.
• Latest Docker Desktop
   
• The NVIDIA GPU is running native on Windows, on Docker Desktop and also in WSL and inside Docker containers running on WSL Linux like Ubuntu.
• WSL with Ubuntu 24.04, Alma Linux 10, Kali Linux
• Docker container on Linux in different modes (Docker Desktop, native Linux in WSL, ...)
   
• The new Docker model runner
• VMware Workstation 17 Pro with Windows 2025
• NGINX on Linux and Windows as a host for the Domino IQ workshop on Monday

There is a lot to discover and we can show a lot of new functionality.

• Comments [0]

Let’s Encrypt stops OCSP support

Let's Encrypt is stopping OCSP support and goes back to a classical CRL.
You find details about this change here -> https://letsencrypt.org/2024/12/05/ending-ocsp/

I blogged about OCSP stampling a while ago. And just updated the post with this new information.

https://blog.nashcom.de/nashcomblog.nsf/dx/ocsp-stapling-and-why-it-matters-improve-your-https-performance.htm

The Domino TLS Cache supports OCSP caching and provides OCSP data to the HTTP task,
but the back-end code does not distinct between certificates with or without OCSP information.

The TLS Cache will re-check the status every 10 minutes. So it's just a small overhead in the back-end thread.
But it's still good to disable when your certificates have no OCSP responder available in the certificate.

Here is how to check if a certificate has OCSP responder.
Either check the full openssl -text output or just query the OCSP URI as shown below.

I have disabled OCSP stapling on my servers a while ago.

If you never enabled it on Domino, there is nothing to change.
But this information might be also important for other server type that might use OCSP in combination with Let's Encrypt.

openssl x509 -in buypass.pem -noout -text

Authority Information Access:
                OCSP - URI:http://ocsp.buypass.com
                CA Issuers - URI:http://crt.buypass.no/crt/BPClass2CA5.cer


openssl x509 -in buypass.pem -noout -ocsp_uri
http://ocsp.buypass.com

• Comments [0]

Domino IQ -- Paraphrasing explained

Domino IQ 14.5 GA introduces a paraphrasing request invoked before the actual request (added post 14.5 EA3).
This additional request is intended to protect against ticking the LLM to perform other operations then intended by the system prompt.
The idea is to send a request to the same LLM to sanitize and refine the request.

The functionality is documented here -> https://help.hcl-software.com/domino/14.5.0/admin/conf_security_considerations_for_iq.html

The additional request adds overhead and depending on the LLM model it might introduce undesired results.
My personal recommendation is to disable this additional check, because most LLMs today already provide protection and also contain guard functionality for additional protection.

To disable the functionality add the following notes.ini

DOMIQ_DISABLE_PROMPT_PARAPHRASE=1

In my simple example, the meaning of the query slightly changed ("sense" vs "purpose").
I have seen other requests where a German question got translated to English, which causes the response to be returned in English in some cases.

The red part is the system prompt and prefix in front of the actual query.
The actual request uses the configured system prompt with the query returned by the LLM from the first request.


Paraphrasing request is send to the same LLM

{"model":"Qwen2.5","messages":[{"role":"system","content":"Paraphrase the following text:"},{"role":"user","content":"Paraphrase the following text:What is the sense of life?"}],"max_tokens":1024,"temperature":0.0}


Actual request

{"model":"Qwen2.5","messages":[{"role":"system","content":"You are a knowledgeable and helpful assistant. Provide clear and accurate answers to user questions in a concise and friendly manner."},{"role":"user","content":"What is the purpose of life?"}],"max_tokens":1024,"temperature":0.0}

• Comments [0]

Domino 14.5 Design task comes with some pretty useful new functionality

First of all the design task is now leveraged for updating all system databases during template setup for a new release.
The only important detail to know is that the database needs to have the admin server set to that server.

The background is that an automated process should not run wild on all replicas in your domain trying to upgrade the design multiple times.

There is also a new list of system databases automatically maintained: dominosystemdbs.ind.
The file is updated when the server starts and is leveraged by the design task.
I blogged about it before, but now here it is live in action.

The design task now writes a separate log file IBM_TECHNICAL_SUPPORT/design_upgrade.log.
The file is automatically rotated like other system files with a date and cleaned up like other system logs when configured.

In this file you find additional information like if the admin server is set right or what got updated.
The file also contains run-time information per database and also information about the template version update.

In my case I had to run it again manually after server update, because my admin server was set to a different server for autoupdate.nsf.

Probably you don't want to look into the file on the server. Here is another option you might like.
You can run the design task on all system databases ( -sd ) and get them updated + get a mail with the log file ( -mt ).

If you want to use the standard design task operation only taking into account the admin server settings of the design task, just run the -sd switch.
In case you want the same behavior template setup uses, you can specify the new -adm option.
This would run the design task only on system database (or in general database) with the admin server set to this server also if the "Refresh on admin server only" option not set in the database.

In any case you would get warnings in design_upgrade.log if no admin server is set or "Refresh on admin server only" is not set.

Here is what I just did to upgrade my autoupdate.nsf design after I realized the admin server was wrong and I corrected it.

lo design -sd -mt "daniel nashed"

Refreshing design [autoupdate.nsf]
Updating 'ac Download' into database 'Domino Auto Update' from template 'Domino Auto Update'
Updating 'ac Edit' into database 'Domino Auto Update' from template 'Domino Auto Update'
Updating 'ac Enable' into database 'Domino Auto Update' from template 'Domino Auto Update'
Updating 'ac Formula Check' into database 'Domino Auto Update' from template 'Domino Auto Update'
...
Design refresh completed (1 sec) [autoupdate.nsf] 14.5 (02.01.2025 21:21:08) -> 14.5 (10.04.2025 16:57:53)


Mail example from production today




New Design Task Switches in Domino 14.5


-sd        Refresh design of System Databases in dominosystemdbs.ind.
-adm       Refresh design only if current server is Administration Server of database.
-mt name   Mail design update log to the Internet Address name.

• Comments [0]

Notes/Domino/Traveler 14.5 is available

Domino 14.5 is out and there is not much to say ...
... because if you are running Domino 14.0 and have Auto Notify enabled, you should see the ProductInfo updated already.

Inside the Notes, Domino and Traveler Product Info documents you find details + links to release notes, what's new and other resources.
See the screen shot below.

There are exciting new features specially on the Domino side.
Some of them will need some detailed info later and I am covering most of it in my sessions at DACHNUG conference next week.

Domino Container project update

I have also pushed out the Domino Container project and I have updated all my servers already.
The Windows machines use AutoUpdate. Most of the Linux machines use the container image.

Along with the Domino 14.5 update, I added the REST API 1.1.4 to the container build.

Adding software means not only changing the software.txt, but also running an end to end automation test after building an image.
This ensures, software is downloadable, installs and runs.
Most of this process is fully automated and is executed before any Git hub repository update -- not just for software updates, but also changes in the project.

To upgrade a container based server, you just build a new image. The build menu remembers the selected software when you save the selection and picks the latest versions automatically for you at build time.
Below I have an example how that looked for me today when updating one of the DNUG Lab servers including all the add-on software.






Domino container inspect example switching from 14.5 EA3 to the release + Updating the Domino REST API


Info: New Image Version available!


------------------------------------------------------------------------------------------
 Runtime        :  docker 27.5.1
 Compose        :  docker-compose 1.29.2, build unknown
 Status         :  running
 Health         :  healthy
 Started        :  04.06.2025 09:43:03

 Name           :  /domino
 Image          :  hclcom/domino:latest
 Version CNT    :  14.5EA3
 Version IMG    :  14.5
 Domino Ver CNT :  14.5EA3
 Domino Ver IMG :  14.5
 Add-ons CNT    :  ontime=11.1.1,verse=3.2.4,nomad=1.0.16,traveler=14.5EA3,domrestapi=1.1.3.1-14
 Add-ons IMG    :  ontime=2.3.0,verse=3.2.4,nomad=1.0.16,traveler=14.5,domrestapi=1.1.4-14
 Base Image     :  registry.access.redhat.com/ubi10/ubi-minimal
 BuildTime CNT  :  03.06.2025 16:28:46
 BuildTime IMG  :  17.06.2025 06:45:16

 Hostname       :  ray
 Volumes        :  /local/docker
 Mounts         :  /local

------------------------------------------------------------------------------------------
 Container ID   :  bbf67511762b
 Image-ID CNT   :  90e39ef92404
 Image-ID IMG   :  59f7ca155342
------------------------------------------------------------------------------------------

 Image Size     :  2180 MB
 Network Name   :  host
 Driver         :  overlay2
 Restart Policy :  always
 Restart Retries:  3

• Comments [0]

Windows vs Linux update experience

The internet is running on Linux for good reasons.
Updating Linux on all distributions I know is a very straightforward operation with a single reboot if needed at all.
In contrast on Windows the download and installation is really painful.

I am running Windows mainly for test and development.
All my Domino servers are running on Linux.
Mainly as a Docker container, but also Domino native on Linux is easy to setup and maintain.

Windows 2025 seems to use more system resources than the previous versions.

Now that Domino 14.5 ships, maybe a good idea for your upgrade plan could be to think about moving to Linux...

• Comments [4]

Getting the Domino 14.5 container image ready

Domino 14.5 is about to ship this week in time for the Domino 14.5 launch event.
For the launch event register here -> https://www.linkedin.com/events/7323258890261868544/

I have just prepared the container image waiting for the MHS download to be available to publish it.
The container image contains all the logic for dependency checking for versions. Like Traveler and the OnTime version shipped with the Domino web-kit.

The default is switched to 14.5. The 14.5 EA releases are removed and the selection allows to switch between 14.5, the latest 14.0 FP and the latest 12.0.2 FP.
Running a container image is the fastest track to Domino 14.5 on Linux.
Most of my servers are container based, which allow me to update by just restarting with a new image.

• Comments [0]

Lotus Script detach files not part of an embedded attachment

Usually you navigate thru embedded attachments which are part of a richtext item.
But there is also a way to detach files which are not part of an richtext item.

Here is the documentation:

https://help.hcl-software.com/dom_designer/14.0.0/basic/H_GETATTACHMENT_METHOD.html

You can navigate thru the items to find the $File items and extract all of them.

Here is an example:


Dim embedded As NotesEmbeddedObject
...

Forall x In doc.Items
      Set item = x
      If item.Name = "$FILE" Then
              Set embedded = doc.GetAttachment(item.Values(0))
              If Not embedded Is Nothing Then
                      Call embedded.ExtractFile (GitProjectDir + "\json\" + embedded.Name)
                      count = count + 1
              End If
      End If
End Forall

• Comments [0]

Nomad Web LS2CAPI

There isn't documentation for LS2CAPI (C-API from Lotus Script) yet.
But I did some research and asked around.

On Nomad Web the declares are expected to be for Win32 and Linux32.
For Nomad Mobile the declarations are expected to be Linux64.

To check for the Nomad platform you can use @Platform ([Specific]);

On Nomad Web it returns a text list where the first entry is "WebBrowser";
The second entry is "Windows" or "Linux".

On iOS the first entry shows "iOS";

LS2CAPI on Nomad only supports public C-API calls listed in the SDK.
You can't use calls which are not exposed.
So for example checking the delivery sequence number would not work.

• Comments [0]