Docker & McAfee on Windows Server

Post Reply
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Docker & McAfee on Windows Server

Post by mce »

Hello,

We are having trouble with installing PAW on Docker on a Windows 2016 Server that McAfee installed.
There is a note from McAfee in https://kc.mcafee.com/corporate/index?p ... id=KB90041 about this issue.
But I just wanted to check if anyone managed to get it working? Are there any workaround to this solution without removing McAfee? Is there any config or exception that we can make in McAfee to avoid having this issue?

Any comment or help will be appreciated. Thanks in advance.

Regards
User avatar
macsir
MVP
Posts: 782
Joined: Wed May 30, 2012 6:50 am
OLAP Product: TM1
Version: PAL 2.0.9
Excel Version: Office 365
Contact:

Re: Docker & McAfee on Windows Server

Post by macsir »

What is your issue anyway?
In TM1,the answer is always yes though sometimes with a but....
http://tm1sir.blogspot.com.au/
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Re: Docker & McAfee on Windows Server

Post by mce »

After we execure start.ps1, we keep getting "PAW Loading Image Error - Access is Denied" error.
But in different environments we got different errors at different stages.
blackhawk
Community Contributor
Posts: 136
Joined: Thu May 29, 2008 2:29 pm

Re: Docker & McAfee on Windows Server

Post by blackhawk »

I have not specifically had that error, but I can tell you McAfee and PAW/Docker do not play well together. We are consistently seeing 80-100% CPU on McAfee services and oftentimes it prevents PAW from even starting all of the services...due to timeouts.

I have never had great experiences with McAfee. In my opinion it is one of the most resource intensive and intrusive virus software I have ever seen. Norton at one point claimed that title, but now it seems McAfee has taken the lead.

While I think AV apps have their place, I generally avoid using them on servers that are data providers or internal web application servers. #1, the users don't access them directly anyway. #2, they are not externally exposed to the internet. Yeah, I am sure there is someone out there who will argue against this, but if a virus comes through your main lines of defense (routers, firewalls, end-users machines, vpn), likely the AV on the server won't do any good anyway. It has already penetrated your primary barriers; meaning your current AV couldn't detect it yet anyway.

If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Re: Docker & McAfee on Windows Server

Post by mce »

blackhawk wrote: Sat May 04, 2019 4:40 pm If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).
Are you sure that disabling it guarantees that McAfee will not prevent PAW or Docker? We tried disabling it temporarily, but still got the same error.

Does it work in your environment, by only disabling McAfee at installation stage and keeping it on on regular server PROD time?
dr.nybble
MVP
Posts: 160
Joined: Wed Aug 17, 2011 3:51 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: Excel 2007

Re: Docker & McAfee on Windows Server

Post by dr.nybble »

Disabling AV software may not be effective as often file system drivers are installed at boot time.

You can run the

Code: Select all

fltmc
command to see active filter drivers.
blackhawk
Community Contributor
Posts: 136
Joined: Thu May 29, 2008 2:29 pm

Re: Docker & McAfee on Windows Server

Post by blackhawk »

For us, it is not at install time (I think we have put in the filters for that part), it is primarily at startup time for PAW.

Anytime the PAW server needs to be restarted or if we have to upgrade it or just reboot, we run into this issue. What we end up doing is disabling the scanner, and that (sometimes) gives us enough CPU breather to get the PAW containers up and running without timeout problems. It doesn't always work, but it does work more often than not. I wish we could remove McAfee altogether.

Running PAW in general on a Windows host, I am increasingly recommending against for our customers. I find that the linux version is SOOO much faster, less resource intensive, just more nimble overall. It also is less prone to these kinds of issues. That said, you have to be able to support a linux OS in your server ecosystem, and that is where we run into challenges with some customers. If you can support it, I would definitely consider going the linux route.

One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license to be purchased separately. Unfortunately only PA (TM1 Server) 2.0.7 supports Windows 2019....PAW does not....the one that could really use Windows 2019. I checked with product development team, and Windows 2019 for PAW is not even on the roadmap yet. I would like to see if Windows 2019 plays better with PAW than 2016 with Docker EE, but until then, if you can go to linux, you will find it much less problematic.

Good luck!
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Docker & McAfee on Windows Server

Post by Steve Rowe »

Hi Blackhawk,

Just some queries / comments.
One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license
Our understanding is that the Windows Server OS 2016 does not require an additional docker licence. Do you have anything definitive to the contrary? (my reference the end of this page but plenty of other places mention an agreement being in place.

What performance testing have you done on a windows vs Linux loadout? We've done some and found that whilst linux is better it is pretty marginal. Not enough to recommend one environment over the other unless you are talking large scale? Agree there is certainly a perception that Linux is much better but when we tested we couldn't demonstrate it. (Except for logging in which on windows takes longer).

Linux then attracts the additional licence costs of Docker EE which seems to be the major differentiator between the approaches.
Technical Director
www.infocat.co.uk
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Re: Docker & McAfee on Windows Server

Post by mce »

Hi,

We considered running PAW on Linux Red Hat for a client, and checked with Docker about Docker EE licensing. They said it costs 500$ per core per year with minimum purchase requirement of 40 cores. This means 20.000$ per year minimum we have to pay to Docker to be able to use PAW on a Linux Red Hat Server with Docker EE. On long term, this means paying more license fee to Docker than we pay to IBM for PAW. Did anyone find or offer a solution to this problem?

Should not it be the case that Docker EE licenses must have been included in IBM PA licenses? IBM can probably make a good deal with Docker to cover Docker EE licensing for use with PAW.

Regards,
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Docker & McAfee on Windows Server

Post by Steve Rowe »

Through the docker website the minimum core count is 5, so sounds like someone is trying to gouge you? Its still more costs than it should be (i.e. =0).
Technical Director
www.infocat.co.uk
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Docker & McAfee on Windows Server

Post by Steve Rowe »

Well I was 100% sure of my facts on this but I'm now struggling to find earlier references.

This may have something to do with it https://searchitoperations.techtarget.c ... questions

I'm not sure this is the same product as Docker EE but is at least indicative that the minimum license count was 5.
https://hub.docker.com/pricing
Technical Director
www.infocat.co.uk
Bakkone
Posts: 119
Joined: Mon Oct 27, 2014 10:50 am
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2013

Re: Docker & McAfee on Windows Server

Post by Bakkone »

Couldn't you just run the CE edition? Do you really need the EE edition?

Also new editions of Windows Server will actually have a little Linux core in them. Its going to be interesting to see how this affects deployment. I want to think it will allow for a best of both worlds.
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Docker & McAfee on Windows Server

Post by Steve Rowe »

Hi Bakkone, you could run CE but it is not formally supported. When IBM removed support for Ubuntu this also removed support Docker CE (since RHEL only supports Docker EE).

FYI this is the link for docker ee pricing you need a log in though.

https://hub.docker.com/editions/enterpr ... l/purchase

From memory when you get to the last page you can drop the core count from the default of 10 down to 5.
Technical Director
www.infocat.co.uk
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Re: Docker & McAfee on Windows Server

Post by mce »

Steve Rowe wrote: Tue May 21, 2019 10:00 am FYI this is the link for docker ee pricing you need a log in though.

https://hub.docker.com/editions/enterpr ... l/purchase

From memory when you get to the last page you can drop the core count from the default of 10 down to 5.
Hi Steve, This is Docker hup pricing. As per my understanding this is their cloud offering. Hence the prices there are offered for cloud hosted docker as per my understanding. I was looking for on-premise license.
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Docker & McAfee on Windows Server

Post by Steve Rowe »

Hi mce, Did you log-in and fill in the forms? I don't think that just because the path starts with hub, this relates to hub specifically.

For example this page is talking about RHEL on prem installs (I think!)

https://hub.docker.com/editions/enterpr ... erver-rhel
Technical Director
www.infocat.co.uk
User avatar
Ajay
Regular Participant
Posts: 183
Joined: Wed May 14, 2008 8:27 am
OLAP Product: TM1
Version: 10.2.0, PA 2.0.9
Excel Version: 2016
Location: London

Re: Docker & McAfee on Windows Server

Post by Ajay »

@Mce

Did you manage to get Docker working with McAfee, on WinSer 2016 ? or did you have to another route ?

We're in the same hell hole at the moment, trying to figure this one out, so any help would be appreciated

Cheers
Ajay
Wim Gielis
MVP
Posts: 3105
Joined: Mon Dec 29, 2008 6:26 pm
OLAP Product: TM1, Jedox
Version: PAL 2.0.9.18
Excel Version: Microsoft 365
Location: Brussels, Belgium
Contact:

Re: Docker & McAfee on Windows Server

Post by Wim Gielis »

There’s a McAfee tech note, do not use it with Docker.
Best regards,

Wim Gielis

IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
User avatar
Ajay
Regular Participant
Posts: 183
Joined: Wed May 14, 2008 8:27 am
OLAP Product: TM1
Version: 10.2.0, PA 2.0.9
Excel Version: 2016
Location: London

Re: Docker & McAfee on Windows Server

Post by Ajay »

Thanks Wim.

We are seeing conflicting information in these two URLs.

McAfee basically telling us that we can't use Endpoint 10.x because it is not supported
https://kc.mcafee.com/corporate/index?p ... id=KB90041

and Docker tell us it is !!!!
https://success.docker.com/article/endp ... containers

All very confusing....who to believe ?
User avatar
mce
Community Contributor
Posts: 352
Joined: Tue Jul 20, 2010 5:01 pm
OLAP Product: Cognos TM1
Version: Planning Analytics Local 2.0.x
Excel Version: 2013 2016
Location: Istanbul, Turkey

Re: Docker & McAfee on Windows Server

Post by mce »

Hello,

https://kc.mcafee.com/corporate/index?p ... id=KB90041

As per this tech note, Endpoint Security 10.6.1/10.7.0 November 2020 Update and later should support Docker on host Windows Server 2016 machine. Hence this should solve our problem. Are there anyone who tried this? Does it work?

Regards,
Post Reply