Benefits using the Domino community container project to build your container images

Domino is running in a (Docker) container for quite some time as a community image.
It all started at IBM when Thomas Hampel initiated the Domino on Docker project for Domino 9 at IBM.

Meanwhile the container image moved to the HCL Open Source repositories and HCL is shipping a ready to go image to customers based on this image.
The project provides an own GitHub pages based documentation page (https://opensource.hcltechsw.com/domino-container/).

You can download the ready to go image from MyHCL Software aka MHS (https://my.hcltechsw.com/) or the HCL Harbor registry (https://hclcr.io).
But it is only available with the standard build for Domino including Verse, Nomad server and OnTime. And also a separate image for Traveler.

The ready to use container image is built based on the Domino and Traveler web-kits using the same community build script by HCL.
But there are a couple of benefits using the open source container image build script on your own.

The build script in the project is easy to use and provides MHS software download automation and comes with a build menu.

Below are some differences and benefits when building the container image on your own.
A standard vendor build image can't provide the same flexibility and has to focus on the functionality of the product itself.

When running the open source container image you are running the same HCL provided software with the same level of support.
It's just built on your own in your own environment with software packages downloaded from the MHS.

Specially container environments require flexibility building and enhancing images.
I would be interested to get your feedback. And I want to specially understand which reasons you might have to use the HCL pre-build images.

Would you want to move to the community image based on those additional benefits highlighted below?
What is missing or more difficult using the community image? What can we improve?

The container project wants to offer full flexibility without making it more complicated.
If you have feedback, we want to hear from you either here by mail or as an issue in the GitHub project (https://github.com/HCL-TECH-SOFTWARE/domino-container).


-- Daniel


Main differences and benefits using the community image

• Building the image on your own ensures you have the latest Redhat UBI image 9.x version included. HCL only updates the image at release time
• The container image supports Domino add-on packages like the Domino Leap, the REST API and the language pack
• It allows to install the latest version of all add-on products of HCL Verse, Nomad Server, Traveler, REST API,  Domino Leap as soon they are available
  You can build an all in one image or separate images for different server types
   
• The HCL container image only supports the English locale. The community image allows to build with any locale support and adds your build machines locale as the default
• The community image comes with full timezone support. The HCL Container image is intended to run in UTC locale.
• A shipping container image can only include the bare minimum software needed to run the application.
  To install additional software you would need to create your own container build environment and build a derived image
  The community project supports to define your own add-on packages, which can be installed during the build process
   
• By default the community image is built on the latest Redhat UBI 9.x minimum only selecting the packages needed for Domino and adds a couple of additional useful packages
  The HCL image is built on the bigger Redhat UBI 9.1 standard image (see details here: https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
• The community image also supports to build on other Domino supported base images.
  This allows full flexibility and also helps you on software testing if you want to run Domino on a different Linux flavor
  (See https://opensource.hcltechsw.com/domino-container/concept_environments/#supported-base-images).
• If you are a C-API developer you can create a build container which allows you to build for different Domino versions using different versions of the C-API SDK.
  When selecting the C-API option the container provides a ready to use build environment.
• In case you need additional Linux packages,  the container build script allows to specify those packages when building the image.

• Comments [0]

First look -- Windows 2025 Server

Windows 2025 server is available. It very much looks like Windows 11 with Windows server admin interface we all know and "love".

What's new?

Here is a list of new features for you to get your own impression -> https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025

There are no big surprises for a Domino admin.
But Windows admins will have to look carefully into the new features.
Specially to check for default installed applications.


Disabling Windows Definder Antivirus

The first service I disabled was Windows Defender. It took a lot of system resources on my small NUC server.
I even disabling all options the service took quite some CPU.

It's not that straightforward to uninstall unless you have this Powershell command at hand:

Powershell:

Uninstall-WindowsFeature -Name Windows-Defender

After a reboot your machine works much smoother. This is specially important for test environments with small CPU capacity and machines on your desk which are expected to stay silent.
What I also noticed on the virus scanner, that sending samples to the internet was enabled.


OpenSSH Server installed by default

A positive surprise for me was that OpenSSH server is installed by default but set to manual.
This can be convenient for secure remote access if you don't need a GUI.


Winget is installed by default

It's a tool to install and manage software. It's quite convenient. But your Windows admin might not like it.

In addition to installing software, Winget is also an easy way to list installed software packages.


Windows 2025 works on Proxmox

It is already listed as a supported platform when you create a machine.

I have installed Windows 2025 on my Proxmox server using Virtio drivers and SCSI.
That's probably how a Proxmox admin would expect it.
To get it working you have to add the Virtio Driver ISO during install to have Windows detect the disk during installation.
Afterwards you just install the driver package from ISO as well to get network access etc.


Windows container image ltsc2025

I also quickly looked at the new container image. It's good for testing and I am using Windows containers for testing Domino.
The new image also works in the same way the previous 2022 image worked.

docker pull mcr.microsoft.com/windows/servercore:ltsc2025


There is no official support for Domino on Windows 2025.
But we can't expect Windows admins will introduce this brand new version in production soon.

There is still some homework to for a Windows admin to find out about new standards and functionality enabled and to secure the machine.


My first conclusion

All my favorite add-on tools still work and my Domino container image also still works with some minor changes (but this isn't for production use, just for local testing).

The new package manager is a welcome tool in my environment. But maybe corporate admins don't like it.
Ubuntu LTS on WSL and containers continue to work in the same way they did.

Not that this update made me a huge Windows fan. But this is an improvement.
This was a first look only! Not a detailed walk thru. Just to show you what I have seen so far.

All in all I like the new Windows 2025 and prefer it over previous versions.
I just ordered new hardware for a new Proxmox server. So I can do more testing.

Feedback

Does anyone already planning to run Windows 2025 in production?
Which type of applications would you update first? Which applications do already support Windows 2025?

Usually Domino should get support for a new major OS version at it's next feature release.
This would be Domino 14.5. So I raised this question in the Domino 14.5 EA forum today.


Example Winget list


As you can see I already installed my favorite Windows helper tools.
Some of them are already managed by winget by default from what it looks like.


Name                                                               Id                                                                       Version           Available     Source
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
7-Zip 24.08 (x64)                                                  7zip.7zip                                                                24.08                           winget
Git                                                                ARP\Machine\X64\Git_is1                                                  2.47.0.2
HCL Domino                                                         ARP\Machine\X64\HCL Domino                                               14.5.0.0
Mozilla Firefox (x64 en-US)                                        Mozilla.Firefox                                                          132.0.1                         winget
Mozilla Maintenance Service                                        ARP\Machine\X64\MozillaMaintenanceService                                132.0.1
Notepad++ (64-bit x64)                                             Notepad++.Notepad++                                                      8.7.1                           winget
QEMU guest agent                                                   SoftwareFreedomConservancy.QEMUGuestAgent                                108.0.2                         winget
Virtio-win-driver-installer                                        ARP\Machine\X64\{ECC9556E-D54A-457E-86FE-4D555DA605DF}                   0.1.262
MobaXterm                                                          Mobatek.MobaXterm                                                        24.3.0.5248                     winget
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 Microsoft.VCRedist.2015+.x64                                             14.38.33135.0     14.40.33816.0 winget
Ubuntu 24.04.1 LTS                                                 Canonical.Ubuntu.2404                                                    2404.1.24.0                     winget
App Installer                                                      Microsoft.AppInstaller                                                   1.24.25180.0                    winget
English (United States) Local Experience Pack                      MSIX\Microsoft.LanguageExperiencePacken-US_26100.20.23.0_neutral__8weky… 26100.20.23.0
Windows Security                                                   MSIX\Microsoft.SecHealthUI_1000.26100.1.0_x64__8wekyb3d8bbwe             1000.26100.1.0
Microsoft.UI.Xaml.2.8                                              Microsoft.UI.Xaml.2.8                                                    8.2310.30001.0                  winget
Microsoft.UI.Xaml.2.8                                              Microsoft.UI.Xaml.2.8                                                    8.2310.30001.0                  winget
Microsoft Visual C++ 2015 UWP Desktop Runtime Package              Microsoft.VCLibs.Desktop.14                                              14.0.33728.0                    winget
Microsoft Visual C++ 2015 UWP Desktop Runtime Package              Microsoft.VCLibs.Desktop.14                                              14.0.33728.0                    winget
Microsoft Visual C++ 2015 UWP Runtime Package                      MSIX\Microsoft.VCLibs.140.00_14.0.33519.0_x64__8wekyb3d8bbwe             14.0.33519.0
Microsoft Visual C++ 2015 UWP Runtime Package                      MSIX\Microsoft.VCLibs.140.00_14.0.33519.0_x86__8wekyb3d8bbwe             14.0.33519.0
Windows Terminal                                                   Microsoft.WindowsTerminal                                                1.21.2911.0                     winget
Windows Package Manager Source (winget) V2                         MSIX\Microsoft.Winget.Source_2024.1110.1517.48_neutral__8wekyb3d8bbwe    2024.1110.1517.48
Windows Subsystem for Linux                                        MSIX\MicrosoftCorporationII.WindowsSubsystemForLinux_2.3.24.0_x64__8wek… 2.3.24.0
Notepad++                                                          MSIX\NotepadPlusPlus_1.0.0.0_neutral__7njy0v32s6xk6                      1.0.0.0

• Comments [0]

Building NGINX on Redhat UBI minimal vs. Alpine

Redhat UBI minimal image

The Redhat UBI minimal is a small image with all the packages you need to run Domino.
It is smaller then the standard image and you can install additional packages to keep the image small.
The minimal image uses the micro-dnf stack, which is smaller than the yum/dnf stack used by the standard image.
Here is a blog describing the differences:

https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image

Alpine Linux

But when building other applications like NGINX you have another choice. Alpine is an amazing Linux and a great base image to use.
It's not fully supporting glibc applications like Domino. But it's great for NGINX and other Linux applications.

I have written a NGINX stream module a while go which needs a matching container image with the same NGINX version.
It's a multi stage docker build where the first step builds NGINX and the stream module.
The second build stage copies it into a base container without the build environment.

When you build it on Redhat UBI minimal, the image is almost 150 MB. On Alpine Linux it's around 30 MB.
It's not just size issue. But also contains less packages with less dependencies and is also available on ARM architecture.

docker images
REPOSITORY         TAG      IMAGE ID       CREATED          SIZE
domino-nrpc-sni    latest   cc7fb31ff24a   10 seconds ago   29.7MB
domino-nrpc-sni    latest   faee6825892d   30 seconds ago   146MB

• Comments [0]

Running the Domino Download script on Windows

The Domino download script is written in bash.
It is mainly intended for Linux with special options for automating downloads for example for the Domino Container image.

But did you know it can also run int GitBash on Windows?
And it also runs in any WSL based Linux on your Windows machine.

On Windows I am mostly using it in combination with WSL. But GitBash which comes with the Git client also works well.

https://nashcom.github.io/domino-startscript/domdownload/

Of course it also works on MacOS beside most Linux distributions.

Tip: If you know what to download, you can specify the file name directly.
Also the info command or the -curl command works this way.


Git Bash example




Specifying a webkit file name directly

• Comments [0]

Consuming GitHub projects - Don’t use Download ZIP

Git and Github are one of the very common ways to consume software today.

The best way to consume it would be to use the Git client on Linux.
If you don't have Linux or at least a WSL based Linux on your Windows machine, you should install the Windows Git client.
The Windows Git client also brings many helpful Linux tools and a very current OpenSSL command line version to your Windows machine.

Usually GutHub projects provide releases which can be downloaded directly.
But not all software puts the latest changes always directly into a release.

For example the HCL Domino Container project constantly changes to add new functionality and also to update software information for Domino and companion products.
Changes go first into the develop branch and are merged in to the main branch when completely tested.


Cloning a Git repository is the preferred way

With the Git client you just clone the git repository to a local directory.
The big benefit is that you can switch between branches of the repository (like main and develop).
But the bigger benefit is that you can pull changes to your local instance of the repository.


Git works with a proxy

In corporate environments you can't connect to the internet directly.
But the Git client supports proxies. If you can connect to GitHub directly, you should always use "git clone".


Git GUI clients

Personally I am not a big fan of Git clients with a UI. And they are not needed when consuming Git projects.
But you could also use a graphical Git client. This might help you to understand changes and look into details of the repository.

Usually the command-line makes most sense.


Domino ZIP option isn't the right way

Beside the clone button GitHub shows a "Download ZIP" button.
This option provides the latest version of the selected branch as a ZIP file.

Sadly specially for Linux software a ZIP isn't the best format, because it does not preserve file permissions.
When using the Nash!Com start script project or the HCL container project it is essential that the script keep their execute permissions.


Get a GitHub project as a tarball

There is another option you don't find in the web GUI as a button.
You can download a branch as a tarball instead. This would preserve the file permissions and is the better way to download a GitHub project if you really need to and can't clone it.

The general format looks like this

curl -L https://github.com/{username}/{repository}/tarball/{branch_name} -o repository.tar.gz

For the HCL Domino container project it would look like this downloaded via curl command line.

curl -sL https://github.com/HCL-TECH-SOFTWARE/domino-container/tarball/main -o domino-container.tar.gz


If downloading via browser, Git generates a file name for you. The URL would look like this:

https://github.com/HCL-TECH-SOFTWARE/domino-container/tarball/main

• Comments [0]

Modern Notes desktop and current projects

In the last four years I have been working on more projects than ever.
I am using Notes applications for all kind of solutions.

This includes a couple of open source applications I am working on.

Like a DKIM management database. A database icon management catalog to organize, pull and push 64x64 icons.
A database to generate QR codes and many useful tools like a ACME HTTP-01 challenge check and troubleshooting database.

Modernizing the desktop and applications isn't as complicated as it looks.
Most of my new templates have current HCL design including modern icons.

Notes can look modern and applications can be still build much faster than in most other applications.
The blue icons are based on the IBM Carbon design. A free 930 icon set.
The IBM Carbon design project is also used by HCL for icons in templates included in Notes/Domino (https://carbondesignsystem.com/elements/icons/library/).

-- Daniel

• Comments [1]

Generating QR Codes in Lotus Script

For a new project I need to generate QR codes.
There are many tools around to generate nice looking QR codes.

But I can't use an external service for security reasons.
In my case I need to send data to register users.

One of the most promising projects is https://www.nayuki.io/page/qr-code-generator-library

It comes with multiple implementations including C, C++, Java and JavaScript.
I took the fast Java implementation and put it into a Java Script Lib and wrote a small Lotus Script Script Lib to consume it.

In a first step I implemented the following three functions:


Function WriteFilePNG (filename As String, payload As String, scale As Integer, boarder  As Integer) As Boolean

Write a PNG QR image to disk. This is helpful when you need to attach it somewhere or serve it directly from that location -- like HTML directory.


Function GetBase64PNG (payload As String, scale As Integer, boarder  As Integer) As String

Generate a QR code in base64 encoded PNG format returned as a string.
This is useful if you want to use it in passthru HTML with a data source image directly inline from the document.
But it is also useful for sending it around in mail.


Function SendMailWithImage (recipient As String, subject As String, bodyText As String, Base64PNG As String) As String

Sending a mail with an embedded image from memory not attaching it from disk might be a bit tricky.
So I wrote a small helper function to craft a MIME message with a data source image.

Those three functions are all I need for my use cases and I have many other ideas what to use this for.

Sample database

I have created a small database to generate QR codes and send them.
It's a test and demo application (I used Domino Restyle on Nomad Web to beef the UI up by the way).

The database can generate and send QR codes.
If this would be useful I can share the database.

I would be interested to hear how you create QR codes and what your requirements are.
This is not the replacement for nice and fancy QR codes. It's intended for system generated QR codes for technical reasons like a login link, Wifi networks etc.

But I would also interested to hear what other more fancy QR code services you use.
There are a lot of online services with nice looking QR codes.

-- Daniel

• Comments [3]

Nomad Web 1.0.13 IF2 - Important fix for Chrome and Edge

Web browsers often introduce changes in the way they operate in detail.
For complex applications this could mean that they don't work any more completely.
There are changes in the current browser versions, which make Nomad setup fail.

HCL just published a new IF addressing the issue. This is the 2nd short notice IF in a very short time.
Which is an awesome short time to publish a solution for a critical problem like this in my view.

You find details here -> https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0116973
The Domino container project has been already updated and I have rebuild most of my container images already.

-- Daniel

• Comments [0]

Key Rollover vs Certifier rollover

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size.
Key size and certificate key size play an important role in your security and you should be aware of it.

Key Rollover

Rolling over keys is a quite normal operation.
It's a best practice to rotate keys at least when the recommended key strength changed.
Rolling over a key is client side initiated but requires an admin action.

When you rollover a key, the old key remains in your notes.id and you can still use it to decrypt existing data.
So it is important to use a key rollover and not just create a new ID!
The key is created by the user or for a server there are settings in the admin tab of the server document when to create a new key.
Once the key has been created, the key needs to be certified by the according Notes certifier.
The signed key is then added to the server document and is picked up by the Notes client or server and merged into the Notes.ID

For Notes clients the client takes care of updating the Notes.ID in ID Vault if configured.
This flow works well without having any physical ID Notes client or server ID in hand.
The certificate chain remains the same and you are just getting a new certificate issued.



Certifier Rollover

When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID.
For your organization certifier this will be the organization certifier itself which signs itself.
Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order.
You also have to take care of all cross certificates, Vault trust certificates.
The process is quite complex and needs planning:
https://help.hcl-software.com/domino/14.0.0/admin/conf_certificateauthoritykeyrollover_t.html


Don't perform Key rollover and certifier rollover at the same time

The most important part is that you should be aware of is that combining both operations are not a good idea.

You should either perform a key rollover or a certifier rollover at any given time.
Combining both could end up in an undesirable state.

Key rollovers are standard operations which are performed on a single client.id or server.id.
They are client driven and might be spread over weeks to avoid all operations starting at the same time.
The client side is triggered by the security policy. For the server side the trigger is the admin tab of the server document.

I just performed a key rollover last night for all my server keys. Which was a very straight forward process.
But it needed a reboot of the server.

Probably I would perform the key rollover first if you have very old server or client.ids.

Then look at your certifier and OU certifiers if you need to also roll them over.
But this needs planning and you should avoid client and server key rollover during that time.

You might also look into your existing trust like cross certificates.
I just cleaned up many old cross certificates last night as a preparation step.


Notes.ID encryption

Another component in security is also important but separate.
Notes.IDs with a password encrypt IDs locally with an encryption standard and a way to hash the password.

The encryption of a Notes.ID locally can be set when you change your password.
But you can also specify the Notes.ID file encryption and hash algorithm used in the security policy.

The most secure option you can select today in your security policy is:

Mandated encryption standard: 256 bit AES and SHA-512

Once set all your Notes.IDs should be changed step by step to this encryption standard.
This doesn't change the content of the Notes.ID, just the local encryption.

• Comments [0]

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity

This might help you in some network situations and it came up today in the OpenNTF Discord chat.

TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even the application is not sending any data.
The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only.

Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default.

On your Windows client you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds.
A good default value would be 75 seconds like on Linux and MacOS.

This is mainly important for clients, but might apply to servers as well for outbound connections.

Depending on your firewall, VPN and other active components on your way to your Domino server, this could cause those type of issues.

Value to set in registry

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DWORD KeepAliveTime=75000


Technote describing the background and details.

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0079436


IMHO this should be highlighted more and I would wish Microsoft would come up with a better default after all those years.
I personally did not run into it, because my client always replicates.

Also it is still a good idea to set the Domino server's session timeout as suggested to properly close sessions when idle for a long time.
This resources server and also firewall resources.
The default value is 240 minutes. The recommended value is 30-45 minutes. I would set it to 30 minutes.

notes.ini Server_Session_Timeout=30

Reference: https://help.hcl-software.com/domino/14.0.0/admin/conf_server_session_timeout_r.html

-- Daniel

Historic side note: the XPC mentioned in documentation is for modem not TCP/IP connections that some of you might recall from the early days.

• Comments [1]