Docker & McAfee on Windows Server
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Docker & McAfee on Windows Server
Hello,
We are having trouble with installing PAW on Docker on a Windows 2016 Server that McAfee installed.
There is a note from McAfee in https://kc.mcafee.com/corporate/index?p ... id=KB90041 about this issue.
But I just wanted to check if anyone managed to get it working? Are there any workaround to this solution without removing McAfee? Is there any config or exception that we can make in McAfee to avoid having this issue?
Any comment or help will be appreciated. Thanks in advance.
Regards
We are having trouble with installing PAW on Docker on a Windows 2016 Server that McAfee installed.
There is a note from McAfee in https://kc.mcafee.com/corporate/index?p ... id=KB90041 about this issue.
But I just wanted to check if anyone managed to get it working? Are there any workaround to this solution without removing McAfee? Is there any config or exception that we can make in McAfee to avoid having this issue?
Any comment or help will be appreciated. Thanks in advance.
Regards
- macsir
- MVP
- Posts: 782
- Joined: Wed May 30, 2012 6:50 am
- OLAP Product: TM1
- Version: PAL 2.0.9
- Excel Version: Office 365
- Contact:
Re: Docker & McAfee on Windows Server
What is your issue anyway?
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Re: Docker & McAfee on Windows Server
After we execure start.ps1, we keep getting "PAW Loading Image Error - Access is Denied" error.
But in different environments we got different errors at different stages.
But in different environments we got different errors at different stages.
Re: Docker & McAfee on Windows Server
I have not specifically had that error, but I can tell you McAfee and PAW/Docker do not play well together. We are consistently seeing 80-100% CPU on McAfee services and oftentimes it prevents PAW from even starting all of the services...due to timeouts.
I have never had great experiences with McAfee. In my opinion it is one of the most resource intensive and intrusive virus software I have ever seen. Norton at one point claimed that title, but now it seems McAfee has taken the lead.
While I think AV apps have their place, I generally avoid using them on servers that are data providers or internal web application servers. #1, the users don't access them directly anyway. #2, they are not externally exposed to the internet. Yeah, I am sure there is someone out there who will argue against this, but if a virus comes through your main lines of defense (routers, firewalls, end-users machines, vpn), likely the AV on the server won't do any good anyway. It has already penetrated your primary barriers; meaning your current AV couldn't detect it yet anyway.
If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).
I have never had great experiences with McAfee. In my opinion it is one of the most resource intensive and intrusive virus software I have ever seen. Norton at one point claimed that title, but now it seems McAfee has taken the lead.
While I think AV apps have their place, I generally avoid using them on servers that are data providers or internal web application servers. #1, the users don't access them directly anyway. #2, they are not externally exposed to the internet. Yeah, I am sure there is someone out there who will argue against this, but if a virus comes through your main lines of defense (routers, firewalls, end-users machines, vpn), likely the AV on the server won't do any good anyway. It has already penetrated your primary barriers; meaning your current AV couldn't detect it yet anyway.
If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Re: Docker & McAfee on Windows Server
Are you sure that disabling it guarantees that McAfee will not prevent PAW or Docker? We tried disabling it temporarily, but still got the same error.
Does it work in your environment, by only disabling McAfee at installation stage and keeping it on on regular server PROD time?
-
- MVP
- Posts: 160
- Joined: Wed Aug 17, 2011 3:51 pm
- OLAP Product: TM1
- Version: 10.2.2
- Excel Version: Excel 2007
Re: Docker & McAfee on Windows Server
Disabling AV software may not be effective as often file system drivers are installed at boot time.
You can run the command to see active filter drivers.
You can run the
Code: Select all
fltmc
Re: Docker & McAfee on Windows Server
For us, it is not at install time (I think we have put in the filters for that part), it is primarily at startup time for PAW.
Anytime the PAW server needs to be restarted or if we have to upgrade it or just reboot, we run into this issue. What we end up doing is disabling the scanner, and that (sometimes) gives us enough CPU breather to get the PAW containers up and running without timeout problems. It doesn't always work, but it does work more often than not. I wish we could remove McAfee altogether.
Running PAW in general on a Windows host, I am increasingly recommending against for our customers. I find that the linux version is SOOO much faster, less resource intensive, just more nimble overall. It also is less prone to these kinds of issues. That said, you have to be able to support a linux OS in your server ecosystem, and that is where we run into challenges with some customers. If you can support it, I would definitely consider going the linux route.
One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license to be purchased separately. Unfortunately only PA (TM1 Server) 2.0.7 supports Windows 2019....PAW does not....the one that could really use Windows 2019. I checked with product development team, and Windows 2019 for PAW is not even on the roadmap yet. I would like to see if Windows 2019 plays better with PAW than 2016 with Docker EE, but until then, if you can go to linux, you will find it much less problematic.
Good luck!
Anytime the PAW server needs to be restarted or if we have to upgrade it or just reboot, we run into this issue. What we end up doing is disabling the scanner, and that (sometimes) gives us enough CPU breather to get the PAW containers up and running without timeout problems. It doesn't always work, but it does work more often than not. I wish we could remove McAfee altogether.
Running PAW in general on a Windows host, I am increasingly recommending against for our customers. I find that the linux version is SOOO much faster, less resource intensive, just more nimble overall. It also is less prone to these kinds of issues. That said, you have to be able to support a linux OS in your server ecosystem, and that is where we run into challenges with some customers. If you can support it, I would definitely consider going the linux route.
One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license to be purchased separately. Unfortunately only PA (TM1 Server) 2.0.7 supports Windows 2019....PAW does not....the one that could really use Windows 2019. I checked with product development team, and Windows 2019 for PAW is not even on the roadmap yet. I would like to see if Windows 2019 plays better with PAW than 2016 with Docker EE, but until then, if you can go to linux, you will find it much less problematic.
Good luck!
- Steve Rowe
- Site Admin
- Posts: 2410
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Docker & McAfee on Windows Server
Hi Blackhawk,
Just some queries / comments.
What performance testing have you done on a windows vs Linux loadout? We've done some and found that whilst linux is better it is pretty marginal. Not enough to recommend one environment over the other unless you are talking large scale? Agree there is certainly a perception that Linux is much better but when we tested we couldn't demonstrate it. (Except for logging in which on windows takes longer).
Linux then attracts the additional licence costs of Docker EE which seems to be the major differentiator between the approaches.
Just some queries / comments.
Our understanding is that the Windows Server OS 2016 does not require an additional docker licence. Do you have anything definitive to the contrary? (my reference the end of this page but plenty of other places mention an agreement being in place.One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license
What performance testing have you done on a windows vs Linux loadout? We've done some and found that whilst linux is better it is pretty marginal. Not enough to recommend one environment over the other unless you are talking large scale? Agree there is certainly a perception that Linux is much better but when we tested we couldn't demonstrate it. (Except for logging in which on windows takes longer).
Linux then attracts the additional licence costs of Docker EE which seems to be the major differentiator between the approaches.
Technical Director
www.infocat.co.uk
www.infocat.co.uk
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Re: Docker & McAfee on Windows Server
Hi,
We considered running PAW on Linux Red Hat for a client, and checked with Docker about Docker EE licensing. They said it costs 500$ per core per year with minimum purchase requirement of 40 cores. This means 20.000$ per year minimum we have to pay to Docker to be able to use PAW on a Linux Red Hat Server with Docker EE. On long term, this means paying more license fee to Docker than we pay to IBM for PAW. Did anyone find or offer a solution to this problem?
Should not it be the case that Docker EE licenses must have been included in IBM PA licenses? IBM can probably make a good deal with Docker to cover Docker EE licensing for use with PAW.
Regards,
We considered running PAW on Linux Red Hat for a client, and checked with Docker about Docker EE licensing. They said it costs 500$ per core per year with minimum purchase requirement of 40 cores. This means 20.000$ per year minimum we have to pay to Docker to be able to use PAW on a Linux Red Hat Server with Docker EE. On long term, this means paying more license fee to Docker than we pay to IBM for PAW. Did anyone find or offer a solution to this problem?
Should not it be the case that Docker EE licenses must have been included in IBM PA licenses? IBM can probably make a good deal with Docker to cover Docker EE licensing for use with PAW.
Regards,
- Steve Rowe
- Site Admin
- Posts: 2410
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Docker & McAfee on Windows Server
Through the docker website the minimum core count is 5, so sounds like someone is trying to gouge you? Its still more costs than it should be (i.e. =0).
Technical Director
www.infocat.co.uk
www.infocat.co.uk
- Steve Rowe
- Site Admin
- Posts: 2410
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Docker & McAfee on Windows Server
Well I was 100% sure of my facts on this but I'm now struggling to find earlier references.
This may have something to do with it https://searchitoperations.techtarget.c ... questions
I'm not sure this is the same product as Docker EE but is at least indicative that the minimum license count was 5.
https://hub.docker.com/pricing
This may have something to do with it https://searchitoperations.techtarget.c ... questions
I'm not sure this is the same product as Docker EE but is at least indicative that the minimum license count was 5.
https://hub.docker.com/pricing
Technical Director
www.infocat.co.uk
www.infocat.co.uk
-
- Posts: 119
- Joined: Mon Oct 27, 2014 10:50 am
- OLAP Product: TM1
- Version: 10.2.2
- Excel Version: 2013
Re: Docker & McAfee on Windows Server
Couldn't you just run the CE edition? Do you really need the EE edition?
Also new editions of Windows Server will actually have a little Linux core in them. Its going to be interesting to see how this affects deployment. I want to think it will allow for a best of both worlds.
Also new editions of Windows Server will actually have a little Linux core in them. Its going to be interesting to see how this affects deployment. I want to think it will allow for a best of both worlds.
- Steve Rowe
- Site Admin
- Posts: 2410
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Docker & McAfee on Windows Server
Hi Bakkone, you could run CE but it is not formally supported. When IBM removed support for Ubuntu this also removed support Docker CE (since RHEL only supports Docker EE).
FYI this is the link for docker ee pricing you need a log in though.
https://hub.docker.com/editions/enterpr ... l/purchase
From memory when you get to the last page you can drop the core count from the default of 10 down to 5.
FYI this is the link for docker ee pricing you need a log in though.
https://hub.docker.com/editions/enterpr ... l/purchase
From memory when you get to the last page you can drop the core count from the default of 10 down to 5.
Technical Director
www.infocat.co.uk
www.infocat.co.uk
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Re: Docker & McAfee on Windows Server
Hi Steve, This is Docker hup pricing. As per my understanding this is their cloud offering. Hence the prices there are offered for cloud hosted docker as per my understanding. I was looking for on-premise license.Steve Rowe wrote: ↑Tue May 21, 2019 10:00 am FYI this is the link for docker ee pricing you need a log in though.
https://hub.docker.com/editions/enterpr ... l/purchase
From memory when you get to the last page you can drop the core count from the default of 10 down to 5.
- Steve Rowe
- Site Admin
- Posts: 2410
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Docker & McAfee on Windows Server
Hi mce, Did you log-in and fill in the forms? I don't think that just because the path starts with hub, this relates to hub specifically.
For example this page is talking about RHEL on prem installs (I think!)
https://hub.docker.com/editions/enterpr ... erver-rhel
For example this page is talking about RHEL on prem installs (I think!)
https://hub.docker.com/editions/enterpr ... erver-rhel
Technical Director
www.infocat.co.uk
www.infocat.co.uk
- Ajay
- Regular Participant
- Posts: 183
- Joined: Wed May 14, 2008 8:27 am
- OLAP Product: TM1
- Version: 10.2.0, PA 2.0.9
- Excel Version: 2016
- Location: London
Re: Docker & McAfee on Windows Server
@Mce
Did you manage to get Docker working with McAfee, on WinSer 2016 ? or did you have to another route ?
We're in the same hell hole at the moment, trying to figure this one out, so any help would be appreciated
Cheers
Ajay
Did you manage to get Docker working with McAfee, on WinSer 2016 ? or did you have to another route ?
We're in the same hell hole at the moment, trying to figure this one out, so any help would be appreciated
Cheers
Ajay
-
- MVP
- Posts: 3105
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: Docker & McAfee on Windows Server
There’s a McAfee tech note, do not use it with Docker.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
- Ajay
- Regular Participant
- Posts: 183
- Joined: Wed May 14, 2008 8:27 am
- OLAP Product: TM1
- Version: 10.2.0, PA 2.0.9
- Excel Version: 2016
- Location: London
Re: Docker & McAfee on Windows Server
Thanks Wim.
We are seeing conflicting information in these two URLs.
McAfee basically telling us that we can't use Endpoint 10.x because it is not supported
https://kc.mcafee.com/corporate/index?p ... id=KB90041
and Docker tell us it is !!!!
https://success.docker.com/article/endp ... containers
All very confusing....who to believe ?
We are seeing conflicting information in these two URLs.
McAfee basically telling us that we can't use Endpoint 10.x because it is not supported
https://kc.mcafee.com/corporate/index?p ... id=KB90041
and Docker tell us it is !!!!
https://success.docker.com/article/endp ... containers
All very confusing....who to believe ?
- mce
- Community Contributor
- Posts: 352
- Joined: Tue Jul 20, 2010 5:01 pm
- OLAP Product: Cognos TM1
- Version: Planning Analytics Local 2.0.x
- Excel Version: 2013 2016
- Location: Istanbul, Turkey
Re: Docker & McAfee on Windows Server
Hello,
https://kc.mcafee.com/corporate/index?p ... id=KB90041
As per this tech note, Endpoint Security 10.6.1/10.7.0 November 2020 Update and later should support Docker on host Windows Server 2016 machine. Hence this should solve our problem. Are there anyone who tried this? Does it work?
Regards,
https://kc.mcafee.com/corporate/index?p ... id=KB90041
As per this tech note, Endpoint Security 10.6.1/10.7.0 November 2020 Update and later should support Docker on host Windows Server 2016 machine. Hence this should solve our problem. Are there anyone who tried this? Does it work?
Regards,