Wednesday, October 18, 2017

OWASP Dependency Check maven plugin

just run

mvn dependency-check:check

and you get a great report with all the vulnerabilities in your dependencies.... fantastic! Even a Jenkins plugin is available, so you don't need to modify all your poms.

To install it as Jenkins Plugin, install these plugins:

Interesting post on how to configure a separate jenkins task just to update the NIST repos in a common folder to avoid checking for updates at every build.

A similar post goes here

A good test is to run it against the WebGoat but the repo is heavy and you need a good internet connection

Here a presentation of the plugin by Jeremy Long (OWASP)

Swagger automatically generated console, documenting the interfaces and allowing you to test them.... better than the WSDL-based test client generator... but I wonder how much work is needed, I would hate to have to manually edit YAML files to generate this UI...

short and sweet presentation (skip first 3 minutes)

A live example here, using Spring Boot

git clone
cd spring-boot-swagger-example
mvn spring-boot:run

in your browser put http://localhost:8088/swagger-ui.html

Main annotations are:

io.swagger.annotations.Api (class level)

io.swagger.annotations.ApiOperation , io.swagger.annotations.ApiResponses, io.swagger.annotations.ApiResponse at method level

io.swagger.annotations.ApiModelProperty at field level

and to document the Site:
etc etc

all the rest are org.springframework.web.bind.annotation annotations (GetMapping, PathVariable, RequestMapping, RestController)

Valle d'Aosta photostream

autumn colors are embarassingly beautiful... but the lack of snow on the mountains, and the state of the glaciers, is distressing... go on burning fossil fuels, in any at this point case there is no tomorrow

The pictures were takes in 2 places, and

Monday, October 16, 2017


"Simplicity is the ultimate sophistication" (probably Leonardo never said this sentence anyway)

Wildfly Swarm

"packaging and running Java EE applications by packaging them with just enough of the server runtime to "java -jar" your application."

home page here

"Stinky Maven" instructions to incorporate the product in your build:




This will import a BOM in $M2_HOME\repository\org\wildfly\swarm\bom-all\2017.9.5\bom-all-2017.9.5.pom

At this point you simply have to use the Swarm "fractions":

<!-- Wildfly Swarm Camel Fractions -->
    <!-- Wildfly Swarm Fractions -->

each of these fractions will simply consist of a JAR with a module.xml, this one is for the camel-cdi fraction:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<module xmlns="urn:jboss:module:1.3" name="org.apache.camel.component.cdi">
  <artifact name="org.apache.camel:camel-cdi:2.19.0"/>
  <module name="javax.annotation.api"/>
    <module name="javax.enterprise.api"/>
    <module name="javax.xml.bind.api"/>
    <module name="org.apache.camel.core.xml"/>
    <module name="org.jboss.weld.core"/>
    <module name="org.jboss.weld.spi"/>
    <module name="org.slf4j"/>
    <module name="javax.el.api"/>
    <module name="org.apache.camel.core"/>

All this looks like Matrovshka матрёшка ...

This page is similar to the Spring Initializr

To add health monitoring, follow these instructions

Sunday, October 15, 2017

Camel in Action, Second Edition

I have just purchased the book from Manning (if you google for "manning discount code" you should find a coupon to get a 40% discount on these EXTREMELY (52 USD) expensive books ...)

I am a bit disappointed by the book, it's extremely verbose and it repeats a lot of concepts that - unless this is the first IT book you read in your life - are very well known to anybody. You have to wade across a lot of verbosity to extract useful practical info "how to solve this kind of problem".

Also, the choice to cover at the same depth the XML DSL and the Java DSL, the Spring XML configuration and the Spring Java configuration leaves me astonished.... Spring XML is almost extinct, in favor of Java.

Also, some frightening basic English mistakes like using "whom" instead of "who" , together with incredibly complicated sentences, makes you wonder about the literary skills of the authors.

I also dislike embedding a lot of incomplete code in a book.... a coding book should only provide a link to a github repository, I can't understand code if I don't see ii in its completeness... for instance something frustrating is when the import statements are omitted.

The examples associated to the book are here:
git clone

Here a simple Camel - Spring Boot example

run it like this:

git clone
cd camel
mvn install
cd examples\camel-example-spring-boot
mvn spring-boot:run

Wednesday, October 11, 2017

JAX-RS tutorials and documentation

Here a reasoned discussion about CacheControl and ETag

Here all the HTTP 1.1 headers specifications

deploy it in a PVRestRS project and hit it with http://localhost:8080/PVRestRS/users

it's an excellent simple example showing the use of:

specifically, here some explanations on the use of an ETag.

Some explanations on "what ETag is for?" here

I open Chrome, STRL-SHIFT.I (developer tools) , Networks, select "users", right-click, console / Headers/all (it took me a lot of clicking to find it...) and I see this:

Request URL:http://localhost:8080/PVRestRS/users
Request Method:GET
Status Code:304 Not Modified
Remote Address:
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Date:Wed, 11 Oct 2017 00:31:57 GMT
Request Headers
view source
Accept-Encoding:gzip, deflate, br
Cookie:Idea-f3d396f=f1a96b31-981d-4574-a116-314fe061816e; __utma=111872281.364080227.1506531800.1506531800.1506531800.1; __utmc=111872281; __utmz=111872281.1506531800.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
If-Modified-Since:Tue, 19 Sep 2017 22:00:00 GMT
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

If I request http://localhost:8080/PVRestRS/users/pippo , I see also ETag:"version1" and (the second time only) If-None-Match:"version1"

"The If-None-Match request-header field is used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that none of those entities is current by including a list of their associated entity tags in the If-None-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used to prevent a method (e.g. PUT) from inadvertently modifying an existing resource when the client believes that the resource does not exist. "

"1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes "s-
maxage=0", the proxy MUST always revalidate it before re-using

If a response includes an s-maxage directive, then for a shared cache (but not for a private cache), the maximum age specified by this directive overrides the maximum age specified by either the max-age directive or the Expires header. The s-maxage directive also implies the semantics of the proxy-revalidate directive (see section 14.9.4), i.e., that the shared cache must not use the entry after it becomes stale to respond to a subsequent request without first revalidating it with the origin server. The s- maxage directive is always ignored by a private cache. "

This book is on my to-read list

The excellent article about JAX-RS on Java Magazine jan/feb 2016 by Abishek is available here

Sunday, October 8, 2017

Wildfly quickstarts part 1

git clone

helloworld technologies=CDI,Servlet


mvn wildfly:deploy
mvn wildfly:undeploy
mvn dependency:sources

helloworld-ws technologies=JAX-WS has Arquillan tests


#to run arquillan tests
mvn clean verify -Parq-remote


helloworld-rs technologies=CDI,JAX-RS

http://localhost:8080/helloworld-rs/rest/json @ApplicationPath("rest") @Produces({ "application/json" }) @Produces({ "application/xml" })

helloworld-singleton technologies=EJB,Singleton,JSF



@Named = @Component in Spring. @Inject = @Autowired in Spring

helloworld-ssl technologies: SSL,Undertow


helloworld-mutual-ssl-secured technologies=Mutual SSL, Security, Undertow

BTW it's very similar to helloworld-mutual-ssl

helloworld-classfiletransformer technologies: EJB, javassist it's about byte code manipulation and intercepting method calls


helloworld-html5 Technologies: CDI, JAX-RS, HTML5


curl -i -X POST http://localhost:8080/helloworld-html5/hello/json/pierluigi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    29  100    29    0     0     29      0  0:00:01 --:--:--  0:00:01   142HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/11
Content-Type: application/json
Content-Length: 29
Date: Sat, 07 Oct 2017 21:36:41 GMT


remarkable the Arquillan functional tests to be found in the embedded helloworld-html5-test-webdriver

mvn clean verify -Parq-remote // to run tests on an already started remote server
mvn clean verify -Parq-managed // to start a server and run tests in it

tests will probably fail because they take too long...

helloworld-jms Technologies: JMS



Since the JBoss console doesn't have a tool to browse JMS queues (WebLogic console is sooo much better) one can use HermesJMS or this little tool available here

git clone
cd mastertheboss/JMSBrowser
mvn clean install wildfly:deploy

and then http://localhost:8080/JMSBrowser/ (in my case, it can't find the test queue, no idea why)

HermesJMS really stinks and I can't make it works (maybe not meant to run with Java 8)... another tools is jmstoolbox

helloworld-mbean Technologies: CDI, JMX, MBean









helloworld-mdb-propertysubstitution Technologies: JMS, EJB, MDB


about "MDB annotation property substitution" :

the MDB connection properties are given in the standalone.xml in the system-properties, and you use variable substitution
@ActivationConfigProperty(propertyName = "destinationLookup", propertyValue = "${property.helloworldmdb.queue}")

HermesJMS fails to start with Java 8

HermesJMS silently fails.

in hermes.bat I remove "echo off" and replace "javaw" with "java", to discover that the error is:

org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.

I replace the HermesJMS/lib/xercesImpl.jar with a new one and it works!

Here how to connect HermesJMS to JBoss

Onboarding a new team member

I know someone who had recently gone through a very traumatic experience of joining a new team. Although he considers himself a really tough guy, who is not easily scared by challenge, within his first few days he had immediately taken the decision to quit at all costs - he did all he could to quickly learn the technologies and understand the environment, he simply believed that the team he was in was SEVERELY lacking in communication. Too bad: big trauma for the poor guy, big loss of time and money for the organization, all could have been prevented with some communication.

Here is some advice to properly handle a new on-boarder.

1) tell him/her in advance what technologies he will be working on. Since normally it takes minimum one month before you can join the team, you can learn that stuff at home and reduce the initial sense of "fremdheit" (alienation, alienness, disorientation.... in Italian we say "spaesamento", which is "feeling you have when you leave your village (paese) and enter into foreign territory)

2) since day one, spend regularly time (say minimum 30 minutes a day) talking and mentoring the new guy

3) invite often the new guy to participate in the resolution of a problem on the actual applications you are developing/maintaining - nothing better than "learning in action".... later he can read the documents, he will understand them much better when he can attach them to some living application he has seen before.

4) avoid by all means to assign tasks by email/chat. Talk to the guy to explain him the task, and answer to all his questions, make him very clear that communication is open at all time and he is very welcome to ask questions

5) give the new guy a "play environment" (ideally a VM or docker container) where he can experiment without fear of breaking the existing code

6) don't make the poor guy go through the pain of applying himself for all the rights he need to access the different environments. All this account creation and rights is an activity that should be started BEFORE the guy arrives. It's painful, it's boring, in some large organizations it means using half a dozen tools and clicking like crazy.

7) even if everybody is very busy, find the time to say good morning, how are you feeling, etc

8) document, in a written form, the requirements you give to the guy. You won't believe how much still today people believe that you can actually work on something like "please write me the tests on this application" without even giving the specifications, without having any javadoc, without even documenting the DB structure.... and sometimes they don't even say "please"

9) make sure that the guy knows BEFORE JOINING what exactly is expected from him

10) if the guy gives explicit signs of being uneasy, don't ignore them!

And remember, you you think something (requirements, implementation details) is reckoned not being worth to be written, then most likely it's not even worth to be implemented.

Even if all this sounds simply common sense, you won't believe how multi-million projects still rely on a "swim or sink" approach - maybe someone particularly macho is even happy if you sink.

Wonderful (?!) pictures of military training available here , but remember, IT requires you to be smart and knowledgeable, not to be a hero.

Eclipse CHE

Sadly, CHE is not dedicated to greatly inspiring revolutionary leader Che Guevara, but to the city of Cherkasy (Ukraine) where most of the development is done.

docker run eclipse/che start

Since I run from a VirtualBox VM on my Windows PUEAH host, I get this:

INFO: Welcome to Eclipse Che!
INFO: You are missing a mandatory parameter:
INFO:    1. Mount 'docker.sock' for accessing Docker with unix sockets.
INFO:    2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
INFO: Mount Syntax:
INFO:    Start with 'docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock' ...
INFO:    Start with 'docker run -it --rm -e DOCKER_HOST= ...'
INFO: Possible root causes:
INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
INFO:    2. You passed '--user uid:gid' with bad values.
INFO:    3. Your firewall is blocking TCP ports for accessing Docker daemon.

now I try running this

[centos@localhost ~]$ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start

WARN: Bound 'eclipse/che' to 'eclipse/che:5.18.0'
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
INFO: Welcome to Eclipse Che!
INFO: We could not detect a location to save data.
INFO: Volume mount a local directory to ':/data'.
INFO: Simplest syntax:
INFO:   docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock
INFO:                       -v :/data
INFO:                          eclipse/che start
INFO: Or, run with additional overrides:
INFO:   docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock
INFO:                       -v :/data
INFO:                       -v :/data/instance
INFO:                       -v :/data/backup
INFO:                          eclipse/che start

so I do

mkdir chedata
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /home/centos/chedata:/data eclipse/che start

if you run "docker run --help", you learn that "-it" means "interactive tty" , "--rm" means "--rm , the container is removed when it exits", -v bind mount a volume

at this point I still get an error:

INFO: (che init): Installing configuration and bootstrap variables:
INFO: (che init):   CHE_HOST=
INFO: (che init):   CHE_VERSION=5.18.0
INFO: (che init):   CHE_CONFIG=/home/centos/chedata
INFO: (che init):   CHE_INSTANCE=/home/centos/chedata/instance
INFO: (che config): Generating che configuration...
INFO: (che config): Customizing docker-compose for running in a container
INFO: (che start): Preflight checks
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
         mem (1.5 GiB):           [OK]
         disk (100 MB):           [OK]
         port 8080 (http):        [AVAILABLE]
         conn (browser => ws):    [NOT OK]
         conn (server => ws):     [NOT OK]

ERROR: Try 'docker run  eclipse/che info --network' for more tests.

so I run

docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /home/centos/chedata:/data eclipse/che info --network

and I get this

INFO: (che cli): 5.18.0 - using docker 17.09.0-ce / native
INFO: ---------------------------------------
INFO: --------   CONNECTIVITY TEST   --------
INFO: ---------------------------------------
INFO: (che network): eclipse/che-ip:5.18.0:
INFO: (che network): Browser => Workspace Agent (localhost): Connection failed
INFO: (che network): Browser => Workspace Agent ( Connection failed
INFO: (che network): Server  => Workspace Agent (External IP): Connection failed
INFO: (che network): Server  => Workspace Agent (Internal IP): Connection succeeded

Probably I have to work a little on my VM network settings ... maybe some other time...

Saturday, October 7, 2017

Install Openshift Container Platform on Ubuntu 16.4

download oc here

untar the oc executable and put it somewhere in the path (e.g. /usr/local/bin )

install docker:

sudo apt install
#sudo groupadd docker // this should not be necessary!
sudo usermod -aG docker $(whoami)
sudo reboot now
sudo service docker start
docker ps

oc cluster up

if it comes up with an error related to --insecure-registry, you can start with "oc cluster up --skip-registry-check=true"

It's really a struggle to make all this work... the whole integration Openshift-Docker is very environment-dependent, for instance on Ubuntu 17.4 I could not even install Docker... .pathetic... always something going wrong...

Friday, October 6, 2017

Fixing a currupt (or corrupted? ) USB drive

I open (in Windows) the disk management tool, and I keep getting this message when trying to format the USB drive:

usb drive windows cannot format the volume because the volume is offline

this video explain how to "brutally fix" the USB drive:

run diskpart in admin mode

list disk

select disk N (N depends on your system)

list partition

select partition M (M depends on your system)

delete partition override

All this happened because I was preparing a USB drive to boot Centos 7 as per and using the win32diskimager ... apparently I have stopped it while it was writing, and this corrupted the USB disk.... scary...

Here a useful list of commands.... priceless.... much better than the Disk Management UI tool

Adam Bien The Great, and how to monitor health of a Docker Container

git clone

git clone

docker build -t airhacks/payara-ping .

Sending build context to Docker daemon  14.85kB
Step 1/5 : FROM airhacks/payara
latest: Pulling from airhacks/payara
785fe1d06b2d: Pull complete 
b6ea41613b27: Pull complete 
164939690f71: Pull complete 
5cd0a8d28e0b: Pull complete 
1fa1008aa8f7: Pull complete 
4fe8b3142e9d: Pull complete 
Digest: sha256:f550a096b325f467155a462069bddd54f8d365fdb285271b9b2fdbfec4464018
Status: Downloaded newer image for airhacks/payara:latest
 ---> d2d4659c3fbb
Step 2/5 : MAINTAINER Adam Bien,
 ---> Running in 36c695b80088
 ---> 8d417d79b693
Removing intermediate container 36c695b80088
Step 3/5 : COPY ping.war ${DEPLOYMENT_DIR}
 ---> 3b2a6278d76e
Step 4/5 : ENV WAR ping.war
 ---> Running in fa4484344c05
 ---> 14d72ab44a73
Removing intermediate container fa4484344c05
Step 5/5 : HEALTHCHECK --interval=15s CMD curl --fail http://localhost:8080/ping/resources/pings/echo/+ || exit 1
 ---> Running in 26f9dd4b7d01
 ---> d97945495493
Removing intermediate container 26f9dd4b7d01
Successfully built d97945495493
Successfully tagged airhacks/payara-ping:latest

What does a "docker build -t bla" do? "This will build like the previous example, but it will then tag the resulting image. "

docker inspect payara-ping

docker exec -it payara-ping /bin/bash

cd ../domains/domain1/autodeploy/

Thursday, October 5, 2017

Nexus Repository Health Check (RHC) unauthorized proxy

"The components in the repository were inspected, but their identity could not be confirmed. This may have happened for the following reasons:

The repository does not contain enough identified components for the results to be meaningful
The components were built from source instead of pulled from the Central Repository
The components were obtained from a repository other than the Central Repository

The connection to the Sonatype server is at port 443, that is IP address, which corresponds also to and

Apparently for the PRO version it's 443 which is

Apparently one can have only ONE health check every 24 hours.

Incidentally, if you are using a proxy, and you are not authenticated, you get this error message

org.apache.http.impl.execchain.TunnelRefusedException pxpool-1-thread-4 CONNECT refused by proxy: HTTP/1.1 407 Proxy Authentication Required

with this stacktrace

java.lang.Throwable.(String) 1
java.lang.Exception.(String) 1
org.apache.http.HttpException.(String) 1
org.apache.http.impl.execchain.TunnelRefusedException.(String, HttpResponse) 1
org.apache.http.impl.execchain.MainClientExec.createTunnelToTarget(AuthState, HttpClientConnection, HttpRoute, HttpRequest, HttpClientContext) 1
org.apache.http.impl.execchain.MainClientExec.establishRoute(AuthState, HttpClientConnection, HttpRoute, HttpRequest, HttpClientContext) 1
org.apache.http.impl.execchain.MainClientExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.ProtocolExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.RetryExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.RedirectExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.client.InternalHttpClient.doExecute(HttpHost, HttpRequest, HttpContext) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest, HttpContext) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest) 1 1 1 1 1 1 1 1 1 1 1 1 1
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor$ScheduledFutureTask) 1
java.util.concurrent.ScheduledThreadPoolExecutor$ 1
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor$Worker) 1
java.util.concurrent.ThreadPoolExecutor$ 1 1

So you have to talk to the proxy administrator

Wednesday, October 4, 2017

Nexus 2.14 not starting "No such file or directory"

scary, all of a sudden I get in the wrapper.log file:

jvm 1 | wrapper | Unable to start JVM: No such file or directory (2)

this is really unimpressive, a decent coder would AT LEAST tell you "WHICH file or directory" could not be found.... but most developers are just selfish jerks who don't care about operations.

I edit the "bin/nexus" script to put a "set -x" at the beginning, and I discover that the command used to execute the wrapper is

/u01/app/admrun/nexus-java/bin/../bin/jsw/linux-x86-64/wrapper /u01/app/admrun/nexus-java/bin/../bin/jsw/conf/wrapper.conf wrapper.syslog.ident=nexus wrapper.pidfile=/u01/app/admrun/nexus-java/bin/../bin/jsw/linux-x86-64/ wrapper.daemonize=TRUE

if you run the command with wrapper.daemonize=FALSE you can see the errors directly in the console - which is easier to debug.

useful post here

there I discover that there is an extra parameter, and in fact in wrapper.conf I see

# Set the JVM executable
# (modify this to absolute path if you need a Java that is not on the OS path)

in fact, I don't have "java" in my path:

which java
/usr/bin/which: no java in (/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/u01/app/admrun/bin)

I try to set it to "" and it magically works

All this is really, really sad. A start script should CLEARLY validate all preconditions and give a very explanatory message stating what is wrong and how to fix it. Pathetic.

Tuesday, October 3, 2017

I have deleted my Facebook account

I was wasting way too much time simply browsing through a lot of endless chatter, sometimes almost neurotically/compulsively.

And some times I found myself intervening in other people conversations, gratuitously. And sometimes also polemically.

I feel now a liberated person, I have more free time and I have regained control of the time spent on a PC.

Also, I believe that true friendship can only stem from shared experiences, common values and ideals, and you can't really know someone via an interposed screen and keyboard. So, real friends stay in contact by email; the rest, I don't really care, just like they don't care about me.

Haha I will open a Facebook Closed Group "Facebookist Anonymous" for those who are intoxicated with Facebook - Alcoholic Anonymous style.

Incidentally, group therapies like AA really work - I have quit smoking thanks to a similar group. Maybe the idea of a group therapy to stop wasting a life on internet can be very effective.

Sunday, October 1, 2017

CentOS VM in VirtualBox connection to Internet

Panic, my new CentOS VM was unable to connect to internet, no clue what I had done wrong.

Eventually this post gave me the solution

This is how the Network section is setup (pardon my German)

sudo vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

I am adding


and changing this to yes


and "sudo reboot now"

Now I can happily ping

Thursday, September 28, 2017

Installing Openshift Origin on your CentOS 7 VM

sudo yum install centos-release-openshift-origin

sudo yum install wget git net-tools bind-utils iptables-services bridge-utils bash-completion origin-clients

sudo oc cluster up

at this point, you get a terrifying

-- Checking Docker daemon configuration ... FAIL
   Error: did not detect an --insecure-registry argument on the Docker daemon

     Ensure that the Docker daemon is running with the following argument:

after some googling, I start with :

oc cluster up --skip-registry-check=true

Starting OpenShift using openshift/origin:v3.6.0 ...
OpenShift server started.

The server is accessible via web console at:

You are logged in as:
    User:     developer

To login as administrator:
    oc login -u system:admin

I open the console at (add security exception) and login with system/admin

go to overview

If you see an error in the logs "Could not resolve host:", you are screwed !
Haha no, just "sudo systemctl restart docker" , then "oc start-build --from-build=yourbuildid"

create a new project, java, wildfly, copy git url, create project pvproject01

oc login


oc project pvproject01

oc status

If you get this

[centos@localhost ~]$ oc cluster up --skip-registry-check=true 
-- Checking OpenShift client ... OK
-- Checking Docker client ... OK
-- Checking Docker version ... FAIL
   Error: Minor number must not contain leading zeroes "09"

it simply means that OpenShift developers are morons, and you have to wait the next release 1.5 for a fix. What a pathetic mess.

Wednesday, September 27, 2017

Maven deploy-file for batch upload

Unfortunately in the Nexus 3.5 and 3.6 version there is no batch upload of artifacts (in Nexus 2.X it was much easier: just rsync your Maven repo and "rebuild index"

git clone

git clone

I start nexus with

sample command:

mvn -e -X deploy:deploy-file -q -DpomFile=/home/centos/myrepo/org/vafer/jdependency/1.1/jdependency-1.1.pom -Dfile=/home/centos/myrepo/org/vafer/jdependency/1.1/jdependency-1.1.jar -DrepositoryId=nexus -Durl=http://localhost:8081/repository/maven-releases/ -Dpackaging=jar

maven's settings.xml should contain


If you get "ReasonPhrase: Repository does not allow updating assets: maven-releases." , make sure you set "allow redeploy" in the Deployment policy"

If you get "Cannot deploy artifact from the local repository:" it's because your source file is inside the .m2/repository folder - which is forbidden

See Sonatype help on this topic

Tuesday, September 26, 2017

Books: Docker in Action

It's an excellent book, highly recommended, Jeff Nickoloff is a great author.

Here some notes from the exercises

docker run dockerinaction/hello_world

docker help

Usage: docker COMMAND

A self-sufficient runtime for containers

--config string Location of client config files (default "/home/centos/.docker")
-D, --debug Enable debug mode
--help Print usage
-H, --host list Daemon socket(s) to connect to
-l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
--tls Use TLS; implied by --tlsverify
--tlscacert string Trust certs signed only by this CA (default "/home/centos/.docker/ca.pem")
--tlscert string Path to TLS certificate file (default "/home/centos/.docker/cert.pem")
--tlskey string Path to TLS key file (default "/home/centos/.docker/key.pem")
--tlsverify Use TLS and verify the remote
-v, --version Print version information and quit

Management Commands:
config Manage Docker configs
container Manage containers
image Manage images
network Manage networks
node Manage Swarm nodes
plugin Manage plugins
secret Manage Docker secrets
service Manage services
stack Manage Docker stacks
swarm Manage Swarm
system Manage Docker
volume Manage volumes

attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes

Run 'docker COMMAND --help' for more information on a command.

interesting demo of Portainer , I have installed and run locally to manage my environment

docker run --detach --name web nginx:latest

docker run --interactive --tty --link web:web --name web_test busybox:latest /bin/sh

wget -O - http://web:80/

(CTRL-P CTRL-Q to run interactively a process and then detach)

#this example is WRONG in the book!
docker run -d --name mailer dockerinaction/ch2_mailer

docker run -it --name agent --link web:insideweb --link mailer:insidemailer dockerinaction/ch2_agent

#connect to a running instance in interactive mode
docker start -i "CID"

docker restart web
docker restart mailer
docker restart agent

docker run -d --name namespaceA busybox:latest /bin/sh -c "sleep 30000"
docker run -d --name namespaceB busybox:latest /bin/sh -c "nc -l -p"

docker exec namespaceA ps
docker exec namespaceB ps

#creating a conflict by NOT using namespaces
docker run -d --name webConflict nginx:latest
docker logs webConflict
docker exec webConflict nginx -g 'daemon off;'

#avoiding conflicts by using namespaces
docker run -d --name webA nginx:latest
docker logs webA
docker run -d --name webB nginx:latest
docker logs webB

docker rename webA webPippo

#create is like run, but it's created in stopped state
CID=$(docker create nginx)
echo $CID

docker create --cidfile /tmp/web.cid nginx

#running 3 containers linked to each other - in reverse order
MAILER_CID=$(docker run -d dockerinaction/ch2_mailer)
WEB_CID=$(docker run -d nginx)
AGENT_CID=$(docker run -d --link $WEB_CID:insideweb --link $MAILER_CID:insidemailer dockerinaction/ch2_agent)

#check status of container
docker inspect $CID

docker search postgres

docker pull busybox:latest
docker save -o myfile.tar busybox:latest
docker rmi busybox
docker load -i myfile.tar

Saturday, September 23, 2017

Installing Docker on CentOS 7

from the excellent guide

sudo yum remove docker docker-common docker-selinux docker-engine
sudo yum install -y yum-utils   device-mapper-persistent-data   lvm2
sudo yum-config-manager --add-repo
sudo yum-config-manager --enable docker-ce-edge
sudo yum-config-manager --enable docker-ce-test
sudo yum install docker-ce
yum list docker-ce.x86_64  --showduplicates | sort -r
sudo systemctl start docker
sudo docker run hello-world
sudo docker run -it ubuntu bash
sudo yum makecache fast
sudo groupadd docker
echo $USER
sudo usermod -aG docker $USER
#(perform logout/login here)
#"centos docker"
sudo systemctl enable docker
#"Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/docker.service."
sudo chkconfig docker on
env | grep DOCKER_HOST
#DOCKER_HOST should not be defined if you want to connect to local daemon
#to restart daemon:
sudo service docker restart

useful commands (from the presentation below):
docker ps -a
docker version
docker info
docker images

docker run ubuntu echo "hello world"

docker run -i -t ubuntu

docker diff 82af4da88bd7
docker rm 042cbb043587

docker run -d ubuntu /bin/sh -c "while true; do echo hello world; date; sleep 2; done"
docker logs 7939ad46d57c
docker attach 7939ad46d57c
docker stop 7939ad46d57c

docker inspect 7939ad46d57c

docker commit -m "installed apache" 7939ad46d57c mynamespace/myimage
docker images

#login into
docker login
docker push mynamespace/myimage

docker rmi 77bde6a39eda

#execute the Dockerfile in myfolder and build a new image
docker build -t mynamespace/myimage

#run assigning a non default port
docker run -d -p :8000 mynamespace/myimage

here the link to shipyard

Cool Tools (from JBoss Hacks)

be aware that the Kindle edition is royally up, missing ALL the sample script in the text... what a pity... maybe the PDF version available here is better, no idea. to analyze gc logs thread dump analysis jboss/wildfly bash completion web console rich of managing plugins byteman , bytecode manipulation tool dockerhub wildfly image docker jboss images wildfly maven plugin

Jboss Forge
examples available here

Wildfly Swarm Project Generator windup / migration tool to migrate from other AS to JBoss

Friday, September 22, 2017

JBoss CLI sucks

Frankly the CLI hurts the eyes... someone should make it a bit more groovish... oh in fact here there is a guide how to do it but it's a bit raw...

some recipes here:

at the end of the book "WildFly Configuration, Deployment, and Administration - Second Edition" there is also a useful CLI cheat sheet.

All Day DevOps on October 24, 2017 starting at 8:00am GMT

register here

you can even watch the recorded session later (2016 recordings are available on their side...)

Sunday, September 10, 2017

Nexus Repository Migration

MIGRATING FROM 2.12.1 TO 2.14.5

Migrating from Nexus Repository Manager OSS 2.12.1-01 to the latest 3.0 version:

beware: upgrade agent is part of 2.14 only! You should first upgrade to 2.14 then migrate to 3.0, as shown here

Very detailed instructions here

Download old releases here

I have installed Nexus 2.12 here: /home/centos/nexus2/nexus-2.12.0-01/bin

cd /home/centos/nexus2/nexus-2.12.0-01/bin
./nexus start

The URL is http://localhost:8081/nexus/ (in 3.X it's simply http://localhost:8081 )

In maven's settings.xml I had this
        <!--This sends everything else to /public -->

this was valid for 3.5, in 2.12 the URL should be changed to http://localhost:8081/nexus/content/repositories/central/

I run a sample "mvn package" from "" and I can observe that the repository "Maven Central" is filled with stuff: http://localhost:8081/nexus/service/local/feeds/recentlyCachedReleaseArtifacts, then I select the "Central" repo, "Browse Index" and I can see stuff in it (junit, hamcrest, codehaus...)

I want now to upgrade from 2.12.1 to 2.14.5, which is the supported version to late upgrade to 3.5

I extract the 2.14.5 zip file in a temporary location and I copy the nexus-2.14.5-02 folder (NOT the sonatype-work folder!!!) to /home/centos/nexus2, so that the nexus-2.12 and nexus-2.14 share the same sonatype-work folder.

[centos@localhost nexus2]$ pwd

[centos@localhost nexus2]$ ls -ltra
total 4
drwxr-xr-x.  8 centos centos  113 Dec 16  2015 nexus-2.12.0-01
drwxr-xr-x.  3 centos centos   37 Dec 16  2015 sonatype-work
drwxr-xr-x.  8 centos centos  113 Jul 25 12:39 nexus-2.14.5-02
drwx------. 33 centos centos 4096 Sep 10 19:28 ..
drwxrwxr-x.  5 centos centos   73 Sep 10 19:34 .

apparently the sonatype-work format is binary compatible among the 2.12 and 2.14.5 versions.

I stop nexus, make a backup copy of the conf folder:

cd /home/centos/nexus2
cp -R nexus-2.12.0-01/conf/ nexus-2.12.0-01/confBACKUP

apparently no further manual steps are required

and now I start the new version of Nexus

cd nexus-2.14.5-02/bin
./nexus start
At a quick look, the content of the repository and an extra user I had created are preserved in the migration...


Now I start nexus 3.5 side by side, on the same host, making sure I use a different number:

cd /home/centos/nexus3
grep -R 8081 *

and I change that port to 18081

cd /home/centos/nexus3/nexus-3.5.1-02/bin
./nexus start


things are working. I delete all pre-existing repositories

I follow all the steps as in and things work perfectly - using the "download" method (slowest)

I have tested the 3 methods and they all work, of course the file copy (hard link or not) is much faster than HTTP. If you wonder what a hard link is, read here

Saturday, September 9, 2017

Nexus and Maven (ST): setup

I have installed Maven (ST) in /home/centos/apache-maven-3.5.0/.

My m2 repo is in /home/centos/.m2/repository

To test the m2 repo, I "git clone", then "mvn package"

"ls /home/centos/.m2/repository" shows that stuff is actually pulled from the maven central repo , you should see plenty of this in the logs :


I edit the settings in /home/centos/apache-maven-3.5.0/conf/settings.xml to incorporate this setup

I have installed Nexus in /home/centos/nexus30/. Make sure you increase the file descriptors before you start.

"cd /home/centos/nexus30/nexus-3.5.1-02/bin/" and "./nexus start".

Login at http://localhost:8081 using admin/admin123 , go to http://localhost:8081/#admin/repository/repositories and check that "maven central" is already preconfigured with http://localhost:8081/repository/maven-central/ URL. You can browse the Nexus content at http://localhost:8081/#browse/browse/components:maven-central (it should be empty at this stage)

Clear the local Maven (ST) repo "rm -rf /home/centos/.m2/repository/*" and run again "mvn package". This time Maven should retrieve the artifacts from Nexus:

Downloaded: http://localhost:8081/repository/maven-public/org/apache/maven/plugins/maven-resources-plugin/2.5/maven-resources-plugin-2.5.pom

Browsing again http://localhost:8081/#browse/browse/components:maven-central should show that all artifacts are cached in Nexus.

In case of issues, check the logs /home/centos/nexus30/sonatype-work/nexus3/log (nexus.log, request.log, jvm.log) for details.

Of course you can use the nexus docker way

PS: (ST) stands for STINKS . Maven STINKS like a wet rotten dirty skunk. Use Gradle instead.

Friday, September 8, 2017

Software Vulnerability Control with Sonatype products

Interesting introductory vide on the topic of Security in Software Supply Chain

Software Factory | Sonatype from Sonatype Nexus on Vimeo.

A really detailed presentation of the "Nexus Lifecycle" and "Nexus IQ server"

Software Supply Chain
Continuous Integration
Continuous Delivery
Release Automation Tool
DevOps Native Software Development
Nexus Firewall
Public repositories: Maven Central,

Sonar Security Rules:

Software Weakness

Software Vulnerability Common Weakness Enumeration (common software security weaknesses) - very educational FAQ on Software Weakness here CVSS Common Vulnerability Scoring System, scores explained: Nexus lifecycle NVD is National Vulnerability Database - try searching for Bouncy Castle

Using "Application Health Check" to scan vulnerabilities:

I have read the devsecops Gartner report also available here

Very interesting also the 2017 State of the Open Software

See also the famous OWASP top 10 web application security risks. Number A9 says: "Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts."

Repository Health Check RHC demo video here

Result of a WebGoat Health Check

Comparison of Free and Opensource Software Licenses

more videos on:

Brian Fox, Integration of Nexus Health Check with Eclipse

Brian Fox, Nexus IQ Server email alerts on Weak Security

Brian Fox, Nexus IQ Server, Define security policies

Q: Do I really need IQ Server? Can't I simply do a "health check" on a Nexus Repository and check manually each software vulnerability?

When you run a Health Check on a Nexus Repository, all you get is a high level report,
flagging the vulnerabilities but without pointers to the Vulnerability Database, nor indication of the newest version without vulnerability. All you get is this:

" Last generated Tue Sep 19 2017 at 5:18:09 AM
Health report for your central repository
Out of 74 components in central, 74 (100%) are known, and of these, 2 (3%) are vulnerable.
Download trends
Insufficient trend data
As you download components from central, we will show the percentage of vulnerable downloads over time.
The most vulnerable downloads over the last 30 days are listed below.
Component Vulnerabilities Last 30 Days Suggestion
com.thoughtworks.xstream : xstream : 1.3.1 Critical (3)
Update version
org.codehaus.plexus : plexus-archiver : 2.1 Severe (1)
Update version"

and then you are on your own googling for a solution

Wednesday, September 6, 2017

Dependency trees in Nexus and Maven: who uses what ?

Nexus plugin to display who uses a given artifact (apparently the same info is built-in in Apache Archiva ). As suggested in SO, you should build a über-POM containing all your projects, then generate the dependency tree.

Useful commands:

mvn dependency:tree -DoutputType=graphml -DoutputFile=dependency.graphml

(use also --debug in case of errors)

Here the documentation on Dependency Management in Maven

Transitive Dependencies

Friday, September 1, 2017

Spring Framework Essentials course by Ken Kousen in Safari Books Online

Here is the code

Ken is a very talented teacher, who focuses on concepts rather than sheer data. Highly recommended.

The course is available only if you register in Safari Books Online, but there is a short term FREE evaluation account (no credit car required).

Monday, August 28, 2017

Wildfly quickstarts

Wildfly Example galore here:

JBOss EAP example galore here

Latest Wildfly documentation Wildfly can be downloaded here

Excellent book here

with associated code

This book can be useful: Advanced Java EE Development with WildFly

For Eclipse Oxygen, you might want to install (EClipse Marketplace) the JBoss Tools

Interesting book Wildfly cookbook

Saturday, August 26, 2017

Getting started with OpenShift

you can try installing on your local machine: install Vagrant

install virtualbox

clone this github repo and vagrant up... good luck! On Windows the clone fails because of a filename too long issue (hello Microsoft????  ) .

Another way is to test directly on AWS: , go through the AWS guide "red-hat-openshift-on-the-aws-cloud" and discover that this quickstart is no longer available (hello, Amazon??? Why don't you tell it on the home page?? ).

Check out on for available quickstarts - there is no Openshift quickstart! This world is a chaos, a Cambrian explosion of products which end up in a total mess, fish with wings and trunks like elephants, and survive only one generation or the space of a few months.

About AWS, I discover another document but it's a bit long reading...

Anyway in the meantime I discover that the Vagrantfile VirtualBox approach has been DROPPED in favour of Minishift (one more extinct species, whose fossil debris still clutter the digital space...)... too bad that the online book "OpenShift for developers" has not been updated, and I have wasted 3 hours of my life to discover that the "all in one" approach is dead...Grant Shipley and Graham Dumpleton, how about taking care of your creation?

Wednesday, August 23, 2017

DevOps with OpenShift

reblogging the from the excellent friend and mentor Jan:

Also interesting the OpenShift for Developers:

The price of changing job

I have recently changed company. I had the opportunity to stay as permanent, moving to another department with people I already knew, but I wanted to explore new worlds and also make some more money.

The change has been devastating, essentially for social reasons.

Humans are tribal animals, and to be happy they must build a web of trust and friendship around them.

Trust can be built only in action. You work with the guy, you know that he is responsible, helpful, skilled, he stops doing his work to come to your rescue. Only then you trust him and like him.

I don't trust someone for his smiles and handshakes and how are you. I trust someone because I know he will do his best to help me. The first thing I tell a new joiner is "whatever problem you have, please don't hesitate to contact me at any time". And if he has a problem that I can't solve, then I ask around until I find someone who can help. By no means a new joiner should be left alone with a problem.

IT industry is not a happy state of nature, where people spend maybe 5 hours a day chasing food, then the rest of the day socializing and having fun. This is a tough world, with tight deadlines, rough competition, people are always under pressure to get things done and acquire new skills. It's a permanent state of semi-war, unfortunately sometimes also internal to the same team. Sadly, some people will rejoice at your failure. Being able to build a team where everyone is really sympathetic to each other, is a real miracle that happens very rarely.

Don't expect a warm welcome. Don't expect to be helped. Most of the time you are absolutely on your own, in a new environment that you don't know. Getting to know the new environment (the 1000 "how to" that are different from company to company) is alone a huuuuge stress and drain on your energies, because you must constantly ask for help and expose you as a "weak" individual. Not everybody understand that it's absolutely normal that they have to invest some of their time to make you comfortable. Many people will consider you only a nuisance and a handicap. It's painful, very painful.

So, changing job is a jump in the dark. And don't believe to those who tell you "don't worry, everything will be fine". Sorry, this is not a Disney movie, this is Planet Earth, not all will be fine, there will be a lot of terrible stress, of shocks, of pain.

So, are you really really sure you want to change job? If you feel bored at work, or you feel that your skills are not improving, start your own project in the evening and weekends. Get certified on something. If you need extra money, you can join Toptal and get an extra part-time job.

But, think twice before you leave a company where you are trusted and you know the internal process. I did, and I am suffering A LOT.

Tuesday, August 22, 2017

Imperative vs Functional programming, a simple example

Today a colleague was asking me the difference between functional and traditional programming in Java... I made a simple example to show how a FUNCTION can be used as a parameter, and the importance of Streams.... of course, in this example the traditional programming is much simpler and readable! Often functional programs can be really hard to decipher!

import java.util.Arrays;

public class HelloWorld
  static String[] theStrings = new String[] {"Pippo", "Pluto", "Paperino"};

  public static void main(String[] args) {

  static void theTraditionalWay() {
    for (int i = 0; i < theStrings.length; i++) System.out.println(theStrings[i].toUpperCase());

  static void theFunctionalWay() {;

You can run it here