Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

 Alpine  Redhat 

Building NGINX on Redhat UBI minimal vs. Alpine

Daniel Nashed – 8 November 2024 22:51:29

Redhat UBI minimal image

The Redhat UBI minimal is a small image with all the packages you need to run Domino.
It is smaller then the standard image and you can install additional packages to keep the image small.

The minimal image uses the micro-dnf stack, which is smaller than the yum/dnf stack used by the standard image.
Here is a blog describing the differences:

https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image

Alpine Linux

But when building other applications like NGINX you have another choice. Alpine is an amazing Linux and a great base image to use.
It's not fully supporting glibc applications like Domino. But it's great for NGINX and other Linux applications.

I have written a NGINX stream module a while go which needs a matching container image with the same NGINX version.
It's a multi stage docker build where the first step builds NGINX and the stream module.
The second build stage copies it into a base container without the build environment.

When you build it on Redhat UBI minimal, the image is almost 150 MB. On Alpine Linux it's around 30 MB.
It's not just size issue. But also contains less packages with less dependencies and is also available on ARM architecture.

docker images
REPOSITORY         TAG      IMAGE ID       CREATED          SIZE
domino-nrpc-sni    latest   cc7fb31ff24a   10 seconds ago   29.7MB
domino-nrpc-sni    latest   faee6825892d   30 seconds ago   146MB

Running the Domino Download script on Windows

Daniel Nashed – 3 November 2024 14:39:02
The Domino download script is written in bash.
It is mainly intended for Linux with special options for automating downloads for example for the Domino Container image.

But did you know it can also run int GitBash on Windows?
And it also runs in any WSL based Linux on your Windows machine.

On Windows I am mostly using it in combination with WSL. But GitBash which comes with the Git client also works well.

https://nashcom.github.io/domino-startscript/domdownload/

Of course it also works on MacOS beside most Linux distributions.

Tip: If you know what to download, you can specify the file name directly.
Also the info command or the -curl command works this way.



Git Bash example

Image:Running the Domino Download script on Windows


Specifying a webkit file name directly


Image:Running the Domino Download script on Windows





 GitHub 

Consuming GitHub projects - Don’t use Download ZIP

Daniel Nashed – 31 October 2024 07:58:16

Git and Github are one of the very common ways to consume software today.

The best way to consume it would be to use the Git client on Linux.
If you don't have Linux or at least a WSL based Linux on your Windows machine, you should install the Windows Git client.
The Windows Git client also brings many helpful Linux tools and a very current OpenSSL command line version to your Windows machine.

Usually GutHub projects provide releases which can be downloaded directly.
But not all software puts the latest changes always directly into a release.

For example the HCL Domino Container project constantly changes to add new functionality and also to update software information for Domino and companion products.
Changes go first into the develop branch and are merged in to the main branch when completely tested.



Cloning a Git repository is the preferred way

With the Git client you just clone the git repository to a local directory.
The big benefit is that you can switch between branches of the repository (like main and develop).
But the bigger benefit is that you can pull changes to your local instance of the repository.


Git works with a proxy

In corporate environments you can't connect to the internet directly.
But the Git client supports proxies. If you can connect to GitHub directly, you should always use "git clone".


Git GUI clients

Personally I am not a big fan of Git clients with a UI. And they are not needed when consuming Git projects.
But you could also use a graphical Git client. This might help you to understand changes and look into details of the repository.

Usually the command-line makes most sense.


Domino ZIP option isn't the right way

Beside the clone button GitHub shows a "Download ZIP" button.
This option provides the latest version of the selected branch as a ZIP file.

Sadly specially for Linux software a ZIP isn't the best format, because it does not preserve file permissions.
When using the Nash!Com start script project or the HCL container project it is essential that the script keep their execute permissions.


Get a GitHub project as a tarball

There is another option you don't find in the web GUI as a button.
You can download a branch as a tarball instead. This would preserve the file permissions and is the better way to download a GitHub project if you really need to and can't clone it.

The general format looks like this

curl -L https://github.com/{username}/{repository}/tarball/{branch_name} -o repository.tar.gz

For the HCL Domino container project it would look like this downloaded via curl command line.

curl -sL https://github.com/HCL-TECH-SOFTWARE/domino-container/tarball/main -o domino-container.tar.gz


If downloading via browser, Git generates a file name for you. The URL would look like this:

https://github.com/HCL-TECH-SOFTWARE/domino-container/tarball/main


 Notes  Domino 

Modern Notes desktop and current projects

Daniel Nashed – 31 October 2024 23:34:10

In the last four years I have been working on more projects than ever.
I am using Notes applications for all kind of solutions.

This includes a couple of open source applications I am working on.

Like a DKIM management database. A database icon management catalog to organize, pull and push 64x64 icons.
A database to generate QR codes and many useful tools like a ACME HTTP-01 challenge check and troubleshooting database.


Modernizing the desktop and applications isn't as complicated as it looks.
Most of my new templates have current HCL design including modern icons.


Notes can look modern and applications can be still build much faster than in most other applications.
The blue icons are based on the IBM Carbon design. A free 930 icon set.
The IBM Carbon design project is also used by HCL for icons in templates included in Notes/Domino (
https://carbondesignsystem.com/elements/icons/library/).

-- Daniel


Image:Modern Notes desktop and current projects



 Notes 

Generating QR Codes in Lotus Script

Daniel Nashed – 29 October 2024 11:02:12

For a new project I need to generate QR codes.

There are many tools around to generate nice looking QR codes.


But I can't use an external service for security reasons.
In my case I need to send data to register users.

One of the most promising projects is
https://www.nayuki.io/page/qr-code-generator-library

It comes with multiple implementations including C, C++, Java and JavaScript.

I took the fast Java implementation and put it into a Java Script Lib and wrote a small Lotus Script Script Lib to consume it.


In a first step I implemented the following three functions:



Function WriteFilePNG (filename As String, payload As String, scale As Integer, boarder  As Integer) As Boolean


Write a PNG QR image to disk. This is helpful when you need to attach it somewhere or serve it directly from that location -- like HTML directory.



Function GetBase64PNG (payload As String, scale As Integer, boarder  As Integer) As String


Generate a QR code in base64 encoded PNG format returned as a string.

This is useful if you want to use it in passthru HTML with a data source image directly inline from the document.

But it is also useful for sending it around in mail.



Function SendMailWithImage (recipient As String, subject As String, bodyText As String, Base64PNG As String) As String


Sending a mail with an embedded image from memory not attaching it from disk might be a bit tricky.

So I wrote a small helper function to craft a MIME message with a data source image.


Those three functions are all I need for my use cases and I have many other ideas what to use this for.


Sample database


I have created a small database to generate QR codes and send them.
It's a test and demo application (I used Domino Restyle on Nomad Web to beef the UI up by the way).


The database can generate and send QR codes.
If this would be useful I can share the database.


I would be interested to hear how you create QR codes and what your requirements are.

This is not the replacement for nice and fancy QR codes. It's intended for system generated QR codes for technical reasons like a login link, Wifi networks etc.


But I would also interested to hear what other more fancy QR code services you use.
There are a lot of online services with nice looking QR codes.

-- Daniel



Image:Generating QR Codes in Lotus Script


 Nomad 

Nomad Web 1.0.13 IF2 - Important fix for Chrome and Edge

Daniel Nashed – 29 October 2024 09:40:20

Web browsers often introduce changes in the way they operate in detail.
For complex applications this could mean that they don't work any more completely.

There are changes in the current browser versions, which make Nomad setup fail.


HCL just published a new IF addressing the issue. This is the 2nd short notice IF in a very short time.
Which is an awesome short time to publish a solution for a critical problem like this in my view.

You find details here ->
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0116973
The Domino container project has been already updated and I have rebuild most of my container images already.

-- Daniel

Key Rollover vs Certifier rollover

Daniel Nashed – 25 October 2024 10:36:17

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size.
Key size and certificate key size play an important role in your security and you should be aware of it.

Key Rollover


Rolling over keys is a quite normal operation.

It's a best practice to rotate keys at least when the recommended key strength changed.

Rolling over a key is client side initiated but requires an admin action.

When you rollover a key, the old key remains in your notes.id and you can still use it to decrypt existing data.
So it is important to use a key rollover and not just create a new ID!

The key is created by the user or for a server there are settings in the admin tab of the server document when to create a new key.

Once the key has been created, the key needs to be certified by the according Notes certifier.
The signed key is then added to the server document and is picked up by the Notes client or server and merged into the Notes.ID


For Notes clients the client takes care of updating the Notes.ID in ID Vault if configured.
This flow works well without having any physical ID Notes client or server ID in hand.

The certificate chain remains the same and you are just getting a new certificate issued.



Certifier Rollover


When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID.
For your organization certifier this will be the organization certifier itself which signs itself.

Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order.
You also have to take care of all cross certificates, Vault trust certificates.

The process is quite complex and needs planning:

https://help.hcl-software.com/domino/14.0.0/admin/conf_certificateauthoritykeyrollover_t.html


Don't perform Key rollover and certifier rollover at the same time


The most important part is that you should be aware of is that combining both operations are not a good idea.


You should either perform a key rollover or a certifier rollover at any given time.
Combining both could end up in an undesirable state.

Key rollovers are standard operations which are performed on a single client.id or server.id.
They are client driven and might be spread over weeks to avoid all operations starting at the same time.

The client side is triggered by the security policy. For the server side the trigger is the admin tab of the server document.


I just performed a key rollover last night for all my server keys. Which was a very straight forward process.

But it needed a reboot of the server.


Probably I would perform the key rollover first if you have very old server or client.ids.

Then look at your certifier and OU certifiers if you need to also roll them over.
But this needs planning and you should avoid client and server key rollover during that time.

You might also look into your existing trust like cross certificates.
I just cleaned up many old cross certificates last night as a preparation step.



Notes.ID encryption

Another component in security is also important but separate.

Notes.IDs with a password encrypt IDs locally with an encryption standard and a way to hash the password.


The encryption of a Notes.ID locally can be set when you change your password.

But you can also specify the Notes.ID file encryption and hash algorithm used in the security policy.


The most secure option you can select today in your security policy is:


Mandated encryption standard: 256 bit AES and SHA-512


Once set all your Notes.IDs should be changed step by step to this encryption standard.
This doesn't change the content of the Notes.ID, just the local encryption.


 Notes  Domino  Network 

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity

Daniel Nashed – 25 October 2024 09:23:37

This might help you in some network situations and it came up today in the OpenNTF Discord chat.

TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even the application is not sending any data.
The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only.


Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default.


On your Windows client you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds.

A good default value would be 75 seconds like on Linux and MacOS.


This is mainly important for clients, but might apply to servers as well for outbound connections.

Depending on your firewall, VPN and other active components on your way to your Domino server, this could cause those type of issues.

Value to set in registry


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DWORD KeepAliveTime=75000



Technote describing the background and details.


https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0079436


IMHO this should be highlighted more and I would wish Microsoft would come up with a better default after all those years.

I personally did not run into it, because my client always replicates.

Also it is still a good idea to set the Domino server's session timeout as suggested to properly close sessions when idle for a long time.
This resources server and also firewall resources.

The default value is 240 minutes. The recommended value is 30-45 minutes. I would set it to 30 minutes.


notes.ini Server_Session_Timeout=30


Reference:
https://help.hcl-software.com/domino/14.0.0/admin/conf_server_session_timeout_r.html

-- Daniel


Historic side note: the XPC mentioned in documentation is for modem not TCP/IP connections that some of you might recall from the early days.


 Notes 

Check the minimum client version for your Notes application

Daniel Nashed – 24 October 2024 17:55:14

Notes provides new functionality in Lotus Script and there also Java classes added to the client.
Lotus Script Named documents have been introduced in Notes/Domino 12.0.1.
I have just written an application which needs a Java class which is introduced in Notes 12.0.2 as it turned out.

So I came up with a simple check I am going to add to all my applications which use more current functionality.

You can drop this code into the PostOpen script of any database and switch to the right constant


Image:Check the minimum client version for your Notes application


Function CheckRequiredVersion As Boolean
       
        Const  BuildVersion1201 = "12.0.1|470"
        Const  BuildVersion1202 = "12.0.2|475"
        Const  BuildVersion1400 = "14.0|485"
        Const  BuildVersion1450 = "14.5|495"
       
        Const RequiredVersion = BuildVersion1202
       
        Const TXT_TITLE = "Please upgrade your Notes Client"
       
        Dim  CR  As String
        CR = Chr(10)
       
        Dim session As New NotesSession
        Dim CurrentBuildVersion As Long
        Dim CurrentNotesReleaseStr As String
        Dim CurrentNotesBuildDateStr As String
       
        Dim RequiredBuildVersion As Long
        Dim RequiredNotesReleaseStr As String
       
        CheckRequiredVersion = False
       
        RequiredNotesReleaseStr = Strtoken (RequiredVersion, "|",1)
        RequiredBuildVersion = Clng(Strtoken (RequiredVersion, "|",2))
       
        CurrentBuildVersion = session.NotesBuildVersion
        CurrentNotesReleaseStr = Strtoken (session.NotesVersion, "|",1)
        CurrentNotesBuildDateStr = Strtoken (session.NotesVersion, "|",2)
       
        If (CurrentBuildVersion >= RequiredBuildVersion) Then
                CheckRequiredVersion = True
                Exit Function
        End If
       
        Messagebox " You are running:  " +  CurrentNotesReleaseStr  + CR + CR + " This application requires:  " +  "Release " + RequiredNotesReleaseStr, 48, TXT_TITLE
       
End Function




 DAOS 

DAOS Tune 2.0 available for download on MHS

Daniel Nashed – 22 October 2024 09:59:15

The DAOS Estimator was a separate download to analyze attachments to estimate the size and deduplication of attachments before you enable DAOS.
Starting with Domino 14.5 EA1 HCL provides a new completely rewritten tool which is now also available for Domino 12.0.1 and higher.

The documentation is available as a PDF on MHS download site as well.

You find the latest documentation in the EAP beta here ->https://help.hcl-software.com/domino/14.5.0/admin/admn_daostune_c.html.

The new DAOS Tune can be used to analyze servers before enabling DAOS and also to check if the DAOS settings could be optimized for an existing DAOS configuration.

The new tool provides more detailed information and recommendations.
You can also scan on one server and analyze the result file on another server.
But the most important point is that the new tool is dramatically faster.


If you have feedback or questions you should join the Domino Early Access program -->
https://hclsw.co/domino-14-5-eap-forum

Note:
I also had to accept a new license agreement before I was able to download the software.
So if you use the download script, you have to visit the MHS site first.

-- Daniel


Image:DAOS Tune 2.0 available for download on MHS


Here are the two new binaries for Windows and Linux



--------------------------------------------------------------------------------

WebKit   :  DAOSTune Estimation Tool 2.0 for Linux

Name     :  daostune

Version  :  2.0

Platform :  linux

Size     :  808640

SHA256   :  4b9e7af34f3cbba9a699b4288e0e10088659c5b271b0abb58907630736107793

ID       :  vwWWuh6yyudOuRjutaHnW

--------------------------------------------------------------------------------

WebKit   :  DAOSTune Estimation Tool 2.0 for Windows

Name     :  daostune.exe

Version  :  2.0

Platform :  windows

Size     :  121904

SHA256   :  fd701f71fe9db9e6750ce9d209e12d1f81775b4c87721877e3e8f7a0b605eb73

ID       :  0tKnEMt0jLK0LZhxuWve8

--------------------------------------------------------------------------------


Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]