Wednesday, 4 June 2025

Fixing Markdown Editor preview not working on IDEA on WSL2

 This sorted it for me - https://stackoverflow.com/questions/74523328/markdown-plugin-for-intellij-not-showing-preview


TL;DR;

add ide.browser.jcef.gpu.disable=true in Help | Edit Custom Properties and restart the IDE

possibly

ensure you are using an IDEA VM using

possibly

File > Invalidate Caches... > Check only Delete embedded browser engine cache and cookies > Invalidate and Restart

possibly 

sudo apt install libnss3-dev libgdk-pixbuf2.0-dev libgtk-3-dev libxss-dev 
sudo apt-get install libasound2 


restart

Monday, 5 February 2024

Fix PNG files that are corrupted by Git

From https://stackoverflow.com/questions/55330848/how-to-recover-corrupted-png-files-due-to-improper-gitattributes


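# Git replaced every CRLF with LF. Line 1 (the PNG signature) always needs its CR back;
# this assumes one other CRLF was lost and tries each line until pngcheck accepts the file.
lines=`wc -l < image.corrupted.png`
for x in `seq 1 $((lines+1))`; do
   echo -n $x ''
   perl -pe 's/$/$1\r/ if ($. == 1 || $. =='$x')' < image.corrupted.png > image.fixed.png
   if pngcheck image.fixed.png; then
      echo Valid file substituting newline numbers 1 and $x
      break
   fi
done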
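
The script always patches line 1 because the 8-byte PNG signature itself contains a CRLF pair, so line-ending normalisation damages every PNG at the same place. The following is an added example (not from the linked answer) that uses this to find affected files in a checkout; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: classify PNG files by their 8-byte signature.
# A valid PNG starts with 89 50 4e 47 0d 0a 1a 0a. If the CR was stripped
# (CRLF -> LF), the file starts with 89 50 4e 47 0a 1a 0a instead.

# png_sig_state FILE -> prints "ok", "cr-stripped" or "not-png"
png_sig_state() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a) echo ok ;;
        89504e470a1a0a*)  echo cr-stripped ;;
        *)                echo not-png ;;
    esac
}

# list_damaged_pngs DIR -> prints every *.png under DIR whose signature
# shows the CR was stripped. The .git directory is skipped.
list_damaged_pngs() {
    find "$1" -name .git -prune -o -type f -name '*.png' -print |
    while IFS= read -r f; do
        if [ "$(png_sig_state "$f")" = "cr-stripped" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh check_png.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
    list_damaged_pngs "$1"
fi
```

Adding `*.png binary` to .gitattributes stops Git from normalising these files in the first place.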


Wednesday, 11 October 2023

Shrink Disk in WSL2

Ensure Hyper-V is installed so you have Optimize-VHD

Shut down WSL2 with

wsl --shutdown


In PowerShell as admin, cd into the WSL2 dir - e.g.

[user]\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc\LocalState

Run: Optimize-VHD -Path ext4.vhdx -Mode full


OR - Look at GitHub - okibcn/wslcompact: Compacts the size of the ever-growing WSL vhdx images.

Wednesday, 4 October 2023

Kill a service that is stuck on "stopping"


In Admin CMD:


sc queryex [serviceName]

This will give you the PID


Then 

taskkill /f /pid [PID]



Friday, 23 December 2022

Git and core.filemode - Issues on Windows with executable bits in Git repos

 I've seen this where you check out source in WSL2 (Linux) and a file has an executable bit set.

Then you look at it in Windows using something like SourceTree, and the file that is not reported as modified in Linux is reported as modified in SourceTree.

The issue is that the core.filemode value set in the repo's .git/config file is determined by the Git running on the OS that did the clone - it'll be "true" for Linux, and "false" if you cloned using a Windows Git.

If you want to avoid problems, after cloning in WSL2, edit the filemode value to false and Windows Git will behave.

If you do that, in order to add executable attributes to a file you need to use git update-index --chmod=+x [file], as filesystem changes made in WSL2 won't be picked up.
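
The behaviour described above can be reproduced in a throwaway repository. This is an added example, not part of the original post; it assumes git is on the PATH and a filesystem with Unix mode bits, and the repo, file name and commit identity are constructed.

```sh
#!/bin/sh
# Added example: what Git sees with core.filemode=true versus false.
# Repo, file name and identity are constructed for the demo.
set -eu

# make_demo_repo FILEMODE -> throwaway repo with a committed, non-executable
# run.sh and core.filemode set to FILEMODE (true|false). Prints the repo path.
make_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" config core.filemode "$1"
    printf '#!/bin/sh\necho hello\n' > "$repo/run.sh"
    chmod 644 "$repo/run.sh"
    git -C "$repo" add run.sh
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m 'add run.sh'
    printf '%s\n' "$repo"
}

# index_mode REPO -> mode Git has recorded for run.sh (100644 or 100755).
index_mode() {
    git -C "$1" ls-files -s -- run.sh | cut -d' ' -f1
}

# status_after_fs_chmod REPO -> set the bit on disk only, print `git status`.
status_after_fs_chmod() {
    chmod +x "$1/run.sh"
    git -C "$1" status --porcelain
}

# mode_after_update_index REPO -> set the bit in the index, print the new mode.
mode_after_update_index() {
    git -C "$1" update-index --chmod=+x run.sh
    index_mode "$1"
}

main() {
    lin=$(make_demo_repo true)    # as cloned by a Linux Git
    win=$(make_demo_repo false)   # after editing filemode to false
    echo "filemode=true,  chmod +x on disk: '$(status_after_fs_chmod "$lin")'"
    echo "filemode=false, chmod +x on disk: '$(status_after_fs_chmod "$win")'"
    echo "filemode=false, update-index    : $(mode_after_update_index "$win")"
    rm -rf "$lin" "$win"
}
main
```

With filemode=false the chmod on disk produces an empty status, which is why the executable bit has to be recorded in the index directly.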


Tuesday, 6 December 2022

Running Rancher Desktop and WSL2 on Windows

This guide was written by taking a laptop that had been reset to factory conditions.  You may not need to do all of the steps, depending on the starting state of your laptop.

Enable Hyper-V

In BIOS make sure Hyper-V support is enabled

Make sure Hyper-V feature is turned on in Windows:

  • Use the search bar to find 'Turn Windows features on or off'
  • In the dialog that is displayed, turn on Hyper-V

Update Windows 

Run Windows Update to make sure you have the latest version

Install WSL2

If you haven't installed WSL2 before, in a Windows Command Prompt, run as Administrator, run 'wsl --install'.  You will be required to reboot.

Update WSL2

Check WSL2 is up to date.  Do this even if you just installed WSL2.

To do this, in a Windows Command Prompt, run as Administrator, run:

wsl --update

 You may be required to reboot.

Install Ubuntu

If you haven't installed WSL2 before, visit the Windows app store and install Ubuntu version 20.04 

Validate Connection Between WSL2 and Windows

Make sure you can connect from an Ubuntu shell in WSL2 to a process running in Windows by allowing stuff through the firewall.  

First find a port running on Windows by running in a Windows command prompt

netstat -an | find "LISTENING"

Ensure you have telnet installed in Windows - if you don't, use 'Turn Windows features on or off' to install 'Telnet Client'

Prove you can connect to the running port on Windows, by running the below in a Windows Command Prompt, replacing [port] with the listening port you found:

telnet localhost [port]

Run the following in a PowerShell Administrator console to open the Windows WSL network to calls from the Linux OS (the rule allows all inbound traffic arriving on the WSL virtual interface):

New-NetFirewallRule -DisplayName "_WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

Find the IP address of your 'WSL' network in Windows by running 'ipconfig /all' in a Windows command prompt and looking for the IP address assigned to the 'WSL' network.

In an Ubuntu shell run the below, replacing [ipAddress] with the address you found above and [port] with the listening port:

nc -v [ipAddress] [port]

You should see a response saying the connection succeeded. If you do not, then you have either not opened the firewall, got the IP address wrong, or the specified port is not listening anymore.

Install Rancher Desktop

Download Rancher Desktop from https://rancherdesktop.io  You need at least version 1.6.2.

Install Rancher Desktop, when prompted:

  •      Pick dockerd and moby as the container runtime
  •      Pick the version of Kubernetes (K8s) that matches one that you regularly use

Run Rancher Desktop and use the File / Preferences menu item to hook Rancher Desktop up to WSL2.

Restart your machine

Start Rancher Desktop and wait for it to start

Validate Docker Availability in WSL2

Check that you can use docker commands in WSL. In an Ubuntu shell, run:

docker --version

to see that docker CLI is available.  Run

docker ps

to show you can view docker processes running in Rancher Desktop

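If you get a permission problem accessing the docker socket when you run the above then you may have to add some permissions.  Bear in mind that any member of the docker group has root-equivalent control of the Docker daemon.  To add the permissions, do the following in an Ubuntu shell:

sudo addgroup docker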

sudo adduser $USER docker

sudo chown root:docker /var/run/docker.sock

sudo chmod g+w /var/run/docker.sock

newgrp docker

Try the command again, and you should see the docker processes.

Validate host.docker.internal Works

You can check that host.docker.internal behaves the way you expect by following the steps below.

As per above, in a Windows command prompt, run the following to find a listening Windows port:

netstat -an | find "LISTENING"

In an Ubuntu shell run the following to get a container shell:

docker run -it busybox

In the container shell run the below, replacing [port] with the port you found

nc -v host.docker.internal [port]

If this doesn't work, it is most likely because you rebooted and the Windows firewall is blocking access. To fix, run the following in a PowerShell, and retry afterwards.

New-NetFirewallRule -DisplayName "_WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

Useful Links

If you have problems then consult FAQs at https://docs.rancherdesktop.io/faq/

WSL2 Related Network Problems

The WSL2 network is placed in the "Public" category by Microsoft (even though it's an internal network), which blocks access.  So by default WSL2 cannot access ports running in Windows.

In particular DNS doesn't work, so you may find that you can't for example run the following from an Ubuntu shell:

ping www.bbc.co.uk

To make things worse, the network is recreated after a reboot, so any firewall changes you add to allow traffic from WSL2 to Windows may not work following the reboot.

To get around this you need to run the following after every reboot in an Administrator PowerShell:

New-NetFirewallRule -DisplayName "_WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

Another issue that can occur is that the subnet used by WSL2 comes from the 172.x.x.x range, and that conflicts with some routing that is handed out by the VPN client when you connect to some VPNs.

You will most likely see this as an intermittent problem: Ubuntu is able to reach the Internet when you are not connected to the VPN, and that stops working as soon as you connect to the VPN.

It's intermittent because the problem only occurs if the IP address Microsoft assigns to the WSL network on reboot clashes with the subnet range used by the VPN.  Sometimes it will, and sometimes it won't, and there is no way to force WSL to use a particular 172.x.x.x subnet in Windows 10.

The easiest way to work around this is to add a dummy network interface into Windows that uses the 172.x.x.x subnet.  If you do that and reboot, then WSL2 is forced off that network and picks an address in the 192.168.x.x range instead.

Have a look at the comment from https://github.com/microsoft/WSL/issues/4467 from naruco on 31st March for details of what to do:

https://github.com/microsoft/WSL/issues/4467#issuecomment-810894433

Essentially though it's the following in a PowerShell run as Administrator, followed by a reboot:

New-VMSwitch -SwitchName "DummySwitch" -SwitchType Internal
New-NetIPAddress -IPAddress 172.16.0.1 -PrefixLength 12 -InterfaceAlias "vEthernet (DummySwitch)"

It's worth noting a lot of this is not a problem in Windows 11, as you can set up proper bridged networks for WSL2 there, so you can pick the IP address range and have a network that is not "Public".

Monday, 5 December 2022

WSL2 On Windows 10 Running WSLg

This is now possible with Windows 10 and solves some problems that occur with firewalls and WSL2.

The problems are:

  • https://github.com/microsoft/WSL/issues/5256
  • https://github.com/microsoft/WSL/issues/4139
  • https://github.com/microsoft/WSL/issues/4585

In particular:

New-NetFirewallRule -DisplayName "_WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

didn't appear to allow DNS, but I had already set up DNS as below which works.

What I did:

  1. Follow instructions here - https://github.com/epomatti/wsl2-dns-fix-config to set a DNS server - I am using the internal one for the company that I find using ipconfig /all
  2. Update Windows 10 to latest UBR (must be at least 2311)
  3. If version is not at least UBR 2311 then it should now be possible to install via Windows Update the latest 22H2 Cumulative Update to get the version up to 10.0.19045.2364.
  4. If you can't get to at least UBR 2311 you can try getting KB5020030 from the Microsoft update catalog and install manually, although proceed at your own risk.
  5. Try in command prompt wsl --update
  6. If that doesn't work try installing Ubuntu WSL2 from the App Store

Useful Links

Microsoft Update Catalog for KB5020030

Running WSL that was installed from the Microsoft Store results in "Windows version 10.0.19045.2251 does not support the packaged version of ..." - Super User

https://learn.microsoft.com/en-us/windows/wsl/tutorials/gui-apps


Friday, 30 September 2022

Hibernate Performance

 https://vladmihalcea.com/why-you-should-always-use-hibernate-connection-provider_disables_autocommit-for-resource-local-jpa-transactions/

Saturday, 24 September 2022

Use dumb-init in docker images

Why

https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/

https://petermalmgren.com/signal-handling-docker/

https://medium.com/@BeNitinAgarwal/an-init-system-inside-the-docker-container-3821ee233f4b#:~:text=The%20init%20process%20is%20responsible,for%20the%20top%2Dmost%20process.


Solution

 https://github.com/Yelp/dumb-init


Useful Article About Windows Containers With Rancher Desktop

 https://jason.agostoni.net/2022/01/27/rancher-desktop-with-both-windows-and-linux-containers/

https://lippertmarkus.com/2021/09/04/containers-without-docker-desktop/

https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/

Monday, 17 September 2018

IIS - Configuring X-ARR-ClientCert for server farms

Looked around for ages for this.

If you are using IIS as a reverse proxy server, you have ARR installed and are using server farms to load balance incoming requests to multiple back end services, the configuration for some things is done at the server farm level rather than at the default server level.

My problem was how to change the name of the HTTP header that contained the client certificate used by IIS when it was doing Mutual TLS authentication.

So - the IIS server has mutual TLS configured with client cert required, and it terminates the SSL endpoint.

Without a server farm you can use the configuration editor at the IIS server level to configure the system.webServer/proxy entry.  There is a setting clientCertHeaderName that has a default value of X-ARR-ClientCert, and you can change it to something else to get IIS to send the authenticated client cert downstream.

If you use server farms however, you have to set up a URL Rewrite rule at the IIS server level to pass matching incoming requests to the server farm, and in that case, the X-ARR-ClientCert header name is not affected by the system.webServer/proxy setting.

Instead, at the server level you have to use the configuration manager and look at the "webfarms" configuration.  There will be a collection of the configured server farms.  Pick the one that you want to change.

Modify the "applicationRequestRouting.protocol.clientCertHeaderName" property of that server farm to the value you want to get the desired behaviour.

Wednesday, 14 October 2015

Oracle and ODBC

For some reason, on Oracle 12 at least, I was having trouble getting the ODBC call SQLColumns to work. I was using it as an existence test for a database table, and Oracle kept returning 942 (table does not exist) even though the table was owned by the schema associated with the user that was being used in the ODBC call. It turned out that the user needed the SELECT ANY DICTIONARY system privilege. Not sure why, but granting that to the user allowed me to make the call successfully.

Thursday, 30 April 2015

Getting an IIS reverse proxy via ARR to use IIS custom error pages


This took a while to discover!

The problem - you have IIS configured with ARR and you have rewrite rules set up to pass incoming requests from IIS to a back office machine, e.g. Tomcat.

You would like to leverage IIS to display custom error pages when either IIS can't find a page, or the server behind the reverse proxy can't.

In the first case (404 coming from IIS directly) you can use the "Error Pages" feature of an IIS site (or the defaults set at the server level).  Just double click the "Error Pages" feature and then in the Actions pane on the right, select "Edit Feature Settings".  Pick "Custom error pages" to get IIS to serve up the files pointed to in the feature list for each status code.

You can then edit the file, or create a new file and point at it instead, for a given error code.

However, by default, IIS assumes that if a request is reverse proxied then the remote server will handle setting the HTML for error scenarios, so if, e.g., a 404 is returned from the reverse proxied server, IIS will display that response, and not interject with the custom page.

To change that behaviour, execute the following in an admin command prompt:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpErrors -existingResponse:Replace

Hey presto, the reverse proxied responses are now replaced as well.

I found this, after much searching here:
http://forums.iis.net/t/1157934.aspx?Web+farms+with+URL+rewrite+and+error+pages

Thursday, 4 September 2014

Connecting SqlServer to Oracle

Install Oracle ODAC
ensure the tnsnames.ora on your Windows PATH has the alias you want to connect to

create a linked server using oracle OLE Provider
  When you link the users:
     The datasource is the name of the tns alias
     If you get a username/password issue - check the radio buttons to be sure your current sql server connection is not using a user that you have not mapped

You can then use the export data tool to make a reasonable job of copying data over (does not do a good job with triggers)


   

Thursday, 5 June 2014

Totally Useful Test For MTU

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/A_3110-Setting-WAN-MTU-Size-For-Sonicwall-Appliances.html

Run
ping www.google.com -f -l 1500

and reduce 1500 in increments of 100 until it stops saying packets can't be fragmented
then increase again until you find the max number that doesn't give this error
then add 28

Tuesday, 26 November 2013

Import PEM into .P12

OpenSSL> pkcs12 -export -in certFile.pem -inkey keyFile.key -out p12File.p12 -certfile intermediateCertFile.pem

Friday, 15 November 2013

JCE and Thales nCipher HSM

This was an education in JCE.  The task was to:
1) Get a private key on a nCipher HSM
2) Use the key to produce a pkcs7 detached signature for some content
3) Get the public certificate corresponding to the key so that it could be supplied to an external party to verify the signature.


Some terminology:
.pem file - a file that contains a base64 encoded private key or public key certificate, or certificate chain.  Often used to pass public certificates / certificate chains around

.p12 file - a file that contains a private key and public certificate.  Encrypted so you need passwords to get access to it.

Some JCE terminology

KeyStore - interface that allows you to get access to files like .pems and .p12s.  You load a keystore with a file, and specify its type, which then allows you to do stuff like generate keys, obtain keys, certificates etc

Certificate - Represents a certificate! :-)

Provider - abstraction for the implementation classes that provide the implementation of the JCE interfaces like KeyStore.  When you want to do s

Some providers, like the nCipher one, implement the interfaces in such a way that operations are performed on hardware devices.  Others, like the SUN and BouncyCastle providers, do stuff in memory.  The former is more secure because the private key used for encryption does not exist outside the hardware device.

The BouncyCastle provider does stuff in memory, but it also has convenience classes that do translation from one format to another.

So the trick is to use the HSM provider to do all the key generation and signing stuff and then BC to do format changes.

See my private testSign git project for examples of signing.

To get a key into the HSM:
java -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA  -keystore d:/temp/neilltest.dat

This will create the .dat file that contains a reference to the private key in the HSM (but not the key itself). The .dat file is then used as a keystore like a normal JKS file, using keytool.

You can use keytool to generate a CSR; once that request is signed, the resulting cert can be used to verify signatures created using the private key
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

If you want to list certificates in a HSM then:
keytool -list -v -providername nCipherKM -storetype nCipher.sworld -keystore neilltest.dat -storepass [whatever it is]


Thursday, 31 October 2013

Java trust store, Mule HTTPS how to

Occasionally you need to connect to an HTTPS server using Java where the public certificate protecting the host is not signed by a trusted 3rd party CA.

For example self-signed certificates.

This would be the case for example in Mule where you use the HTTPS connector with no trust store configuration.

In order to get the certificate trusted it has to be imported into the trust store of the java runtime being used.
 That's held in a file [jre]\lib\security\cacerts

There is an open source tool called InstallCert that can be used to import a certificate into the trust store.

I've got a copy locally in my d:\tools folder, but you can get it and compile it if you want.
Useful links about this


This is also useful:
http://www.dekho.com.au/help/32/default.htm?turl=Documents%2Faddingacertificateintothejavacertificatestore.htm

https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
http://miteff.com/install-cert

http://forums.visokio.com/discussion/1365/ssl-certificate-error-use-your-trusted-certificate

http://stackoverflow.com/questions/373295/digital-certificate-how-to-import-cer-file-in-to-truststore-file-using







Tuesday, 3 September 2013

Import .p12 file into .jks (assuming the .p12 has a password)

If it doesn't have a password use previous post to add one first.

Obtain the name of the alias for the tomcat key in the certificate file using the following command:
keytool -v -list -storetype pkcs12 -keystore FILE_PFX

Next plug in the source file, alias name, new .jks file name, keystore password and new alias into this command:
keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

Add a password to a .p12 file

openssl
pkcs12 -in [file.p12] -out [file.pem] -info
pkcs12 -export -in [file.pem] -out [fileOut.p12]
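
The two pkcs12 steps above, scripted so that the intermediate PEM (which holds the private key) never sits in a shared location and the result is checked afterwards. This is an added example, not part of the original post; it assumes the openssl CLI is on the PATH, and the function names, the P12_NEW_PASS and P12_EMPTY variables, the alias and the sample key are all constructed.

```sh
#!/bin/sh
# Added example: re-wrap a passwordless .p12 with a password and verify it.
# Key, certificate, alias and passwords are constructed for the demo.
set -eu

# make_sample_p12 OUT -> writes a .p12 with an EMPTY password (sample input).
make_sample_p12() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed.example' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -name demo -out "$1" -passout pass:
    rm -rf "$d"
}

# add_p12_password IN OUT ALIAS -> re-wraps IN (empty password) as OUT,
# protected with the password in $P12_NEW_PASS. The intermediate PEM holds
# the private key unencrypted, so it is written with umask 077 into a
# private temp dir and removed even if a step fails.
add_p12_password() {
    old_umask=$(umask); umask 077
    work=$(mktemp -d)
    rc=0
    { openssl pkcs12 -in "$1" -passin pass: -nodes \
          -out "$work/all.pem" 2>/dev/null &&
      openssl pkcs12 -export -in "$work/all.pem" -name "$3" -out "$2" \
          -passout env:P12_NEW_PASS; } || rc=$?
    rm -rf "$work"; umask "$old_umask"
    return "$rc"
}

# p12_opens_with FILE VAR -> succeeds only if the password in $VAR unlocks FILE.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "env:$2" -noout 2>/dev/null
}

# p12_fingerprint FILE VAR -> SHA-256 fingerprint of the certificate in FILE.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    t=$(mktemp -d)
    P12_EMPTY=''; P12_NEW_PASS='constructed-demo-pass'
    export P12_EMPTY P12_NEW_PASS
    make_sample_p12 "$t/in.p12"
    add_p12_password "$t/in.p12" "$t/out.p12" demo
    echo "before: $(p12_fingerprint "$t/in.p12" P12_EMPTY)"
    echo "after : $(p12_fingerprint "$t/out.p12" P12_NEW_PASS)"
    if p12_opens_with "$t/out.p12" P12_EMPTY; then
        echo "WARNING: output still opens with an empty password"
    fi
    rm -rf "$t"
}
main
```

The alias passed to add_p12_password is the one to give as -srcalias in the keytool -importkeystore step above, because the original friendly name is not carried through the PEM.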


Friday, 16 August 2013

Debugging tests in gradle

Found this out after a bunch of hacking around.

Gradle starts tests in a separate process from the main build script process, so if you want to debug them you have to configure the test task with JVM debug args.

For example:
test.doFirst {
    jvmArgs '-Xdebug', '-Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005'
}
If you run "gradle test" the build process will run and suspend on the test task. You can then attach a remote debugger to see what is going on.

Tuesday, 4 June 2013

Wrapped and Bare and JaxBElement

More web service binding stuff.

I had a wsdl that declared elements as both nillable and minOccurs="0" (so that the elements were wrapped in JaxBElement)

AND it was of doc/lit wrapped form, but had an input type that was also an output type.  This was causing the parameters to get wrapped in javax.xml.ws.Holder objects.

I managed to turn both off with the following binding file:

also had an input and output param
<jaxws:bindings wsdlLocation="[LOCATION OF WSDL]"
      xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
      xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:jxb="http://java.sun.com/xml/ns/jaxb"
      xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
         <jaxws:enableWrapperStyle>false</jaxws:enableWrapperStyle>

    <jaxws:bindings  node="wsdl:definitions/wsdl:types/xs:schema[@targetNamespace='[NAMESPACE OF WSDL TYPES]']">
      <jxb:globalBindings xmlns:jxb="http://java.sun.com/xml/ns/jaxb" xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <xjc:generateElementProperty>false</xjc:generateElementProperty>
      </jxb:globalBindings>  
  </jaxws:bindings>

</jaxws:bindings>

Thursday, 4 April 2013

Migrating data using oracle

http://www.oracle-base.com/articles/10g/oracle-data-pump-10g.php

Thursday, 20 September 2012

Useful web tools

https://webcheck.me/
www.browserstack.com

Friday, 27 April 2012

Wrapped vs Bare in Doc/Lit web services


Best explanation that I have seen to date.  Includes a description of the constraints that need to be applied to wsdl to make it work

http://atmanes.blogspot.co.uk/2005/03/wrapped-documentliteral-convention.html


Saturday, 21 April 2012

PermGen In Grails

Found this useful tidbit on Grails Facebook page - how to fix Grails permgen issues


  • Hi, default RAM size occupied by the JVM is 64MB; you can increase it manually with the code given by santosh: CATALINA_OPTS="-Xms256m -Xmx1024m -XX:MaxPermSize=256m". Configure the above code in the tomcat config file.
    Friday at 09:40 ·  ·  1
  • Prabhat Roy 2) Sometimes a memory leak causes this problem, then the above won't work; use a profiler and check out the code, don't include unnecessary jars, and check the code module by module; remove unnecessary object creation, and if required call garbage collection explicitly to kill the useless objects. It's a bit difficult to debug.
    Friday at 09:44 ·  ·  1
  • Prabhat Roy 3) (a) Put JDBC driver in common/lib (as tomcat documentation says) and not in WEB-INF/lib
    (b) Don't put commons-logging into WEB-INF/lib since tomcat already bootstraps it
    Friday at 09:46 · 
  • Prabhat Roy new class objects get placed into the PermGen and thus occupy an ever increasing amount of space. Regardless of how large you make the PermGen space, it will inevitably top out after enough deployments. What you need to do is take measures to flush the PermGen so that you can stabilize its size. There are two JVM flags which handle this cleaning:

    -XX:+CMSPermGenSweepingEnabled
    This setting includes the PermGen in a garbage collection run. By default, the PermGen space is never included in garbage collection (and thus grows without bounds).

    -XX:+CMSClassUnloadingEnabled
    This setting tells the PermGen garbage collection sweep to take action on class objects. By default, class objects get an exemption, even when the PermGen space is being visited during a garbage collection.
    Friday at 09:47 · 
  • Prabhat Roy Finally, in rare conditions, if nothing works then restart the server :)