TM1 Forum

Hello,

We are having trouble with installing PAW on Docker on a Windows 2016 Server that McAfee installed.
There is a note from McAfee in https://kc.mcafee.com/corporate/index?p ... id=KB90041 about this issue.
But I just wanted to check if anyone managed to get it working? Are there any workaround to this solution without removing McAfee? Is there any config or exception that we can make in McAfee to avoid having this issue?

Any comment or help will be appreciated. Thanks in advance.

Regards

What is your issue anyway?

After we execure start.ps1, we keep getting "PAW Loading Image Error - Access is Denied" error.
But in different environments we got different errors at different stages.

I have not specifically had that error, but I can tell you McAfee and PAW/Docker do not play well together. We are consistently seeing 80-100% CPU on McAfee services and oftentimes it prevents PAW from even starting all of the services...due to timeouts.

I have never had great experiences with McAfee. In my opinion it is one of the most resource intensive and intrusive virus software I have ever seen. Norton at one point claimed that title, but now it seems McAfee has taken the lead.

While I think AV apps have their place, I generally avoid using them on servers that are data providers or internal web application servers. #1, the users don't access them directly anyway. #2, they are not externally exposed to the internet. Yeah, I am sure there is someone out there who will argue against this, but if a virus comes through your main lines of defense (routers, firewalls, end-users machines, vpn), likely the AV on the server won't do any good anyway. It has already penetrated your primary barriers; meaning your current AV couldn't detect it yet anyway.

If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).

blackhawk wrote: ↑Sat May 04, 2019 4:40 pm If you can't disable or remove McAfee, see if you can temporarily turn it off while startup and then turn it back on afterwards. This has worked for us (as we have had no luck with IT in removing it from the server).

Are you sure that disabling it guarantees that McAfee will not prevent PAW or Docker? We tried disabling it temporarily, but still got the same error.

Does it work in your environment, by only disabling McAfee at installation stage and keeping it on on regular server PROD time?

Disabling AV software may not be effective as often file system drivers are installed at boot time.

You can run the command to see active filter drivers.

For us, it is not at install time (I think we have put in the filters for that part), it is primarily at startup time for PAW.

Anytime the PAW server needs to be restarted or if we have to upgrade it or just reboot, we run into this issue. What we end up doing is disabling the scanner, and that (sometimes) gives us enough CPU breather to get the PAW containers up and running without timeout problems. It doesn't always work, but it does work more often than not. I wish we could remove McAfee altogether.

Running PAW in general on a Windows host, I am increasingly recommending against for our customers. I find that the linux version is SOOO much faster, less resource intensive, just more nimble overall. It also is less prone to these kinds of issues. That said, you have to be able to support a linux OS in your server ecosystem, and that is where we run into challenges with some customers. If you can support it, I would definitely consider going the linux route.

One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license to be purchased separately. Unfortunately only PA (TM1 Server) 2.0.7 supports Windows 2019....PAW does not....the one that could really use Windows 2019. I checked with product development team, and Windows 2019 for PAW is not even on the roadmap yet. I would like to see if Windows 2019 plays better with PAW than 2016 with Docker EE, but until then, if you can go to linux, you will find it much less problematic.

Good luck!

Hi Blackhawk,

Just some queries / comments.

One other thing to note....as of Windows 2019, containerized services are now part of the OS and no longer require a Docker EE license

Our understanding is that the Windows Server OS 2016 does not require an additional docker licence. Do you have anything definitive to the contrary? (my reference the end of this page but plenty of other places mention an agreement being in place.

What performance testing have you done on a windows vs Linux loadout? We've done some and found that whilst linux is better it is pretty marginal. Not enough to recommend one environment over the other unless you are talking large scale? Agree there is certainly a perception that Linux is much better but when we tested we couldn't demonstrate it. (Except for logging in which on windows takes longer).

Linux then attracts the additional licence costs of Docker EE which seems to be the major differentiator between the approaches.

Hi,

We considered running PAW on Linux Red Hat for a client, and checked with Docker about Docker EE licensing. They said it costs 500$ per core per year with minimum purchase requirement of 40 cores. This means 20.000$ per year minimum we have to pay to Docker to be able to use PAW on a Linux Red Hat Server with Docker EE. On long term, this means paying more license fee to Docker than we pay to IBM for PAW. Did anyone find or offer a solution to this problem?

Should not it be the case that Docker EE licenses must have been included in IBM PA licenses? IBM can probably make a good deal with Docker to cover Docker EE licensing for use with PAW.

Regards,

Through the docker website the minimum core count is 5, so sounds like someone is trying to gouge you? Its still more costs than it should be (i.e. =0).

Well I was 100% sure of my facts on this but I'm now struggling to find earlier references.

This may have something to do with it https://searchitoperations.techtarget.c ... questions

I'm not sure this is the same product as Docker EE but is at least indicative that the minimum license count was 5.
https://hub.docker.com/pricing

Couldn't you just run the CE edition? Do you really need the EE edition?

Also new editions of Windows Server will actually have a little Linux core in them. Its going to be interesting to see how this affects deployment. I want to think it will allow for a best of both worlds.

Hi Bakkone, you could run CE but it is not formally supported. When IBM removed support for Ubuntu this also removed support Docker CE (since RHEL only supports Docker EE).

FYI this is the link for docker ee pricing you need a log in though.

https://hub.docker.com/editions/enterpr ... l/purchase

From memory when you get to the last page you can drop the core count from the default of 10 down to 5.

Steve Rowe wrote: ↑Tue May 21, 2019 10:00 am FYI this is the link for docker ee pricing you need a log in though.

https://hub.docker.com/editions/enterpr ... l/purchase

From memory when you get to the last page you can drop the core count from the default of 10 down to 5.

Hi Steve, This is Docker hup pricing. As per my understanding this is their cloud offering. Hence the prices there are offered for cloud hosted docker as per my understanding. I was looking for on-premise license.

Hi mce, Did you log-in and fill in the forms? I don't think that just because the path starts with hub, this relates to hub specifically.

For example this page is talking about RHEL on prem installs (I think!)

https://hub.docker.com/editions/enterpr ... erver-rhel

@Mce

Did you manage to get Docker working with McAfee, on WinSer 2016 ? or did you have to another route ?

We're in the same hell hole at the moment, trying to figure this one out, so any help would be appreciated

Cheers
Ajay

There’s a McAfee tech note, do not use it with Docker.

Thanks Wim.

We are seeing conflicting information in these two URLs.

McAfee basically telling us that we can't use Endpoint 10.x because it is not supported
https://kc.mcafee.com/corporate/index?p ... id=KB90041

and Docker tell us it is !!!!
https://success.docker.com/article/endp ... containers

All very confusing....who to believe ?

Hello,

https://kc.mcafee.com/corporate/index?p ... id=KB90041

As per this tech note, Endpoint Security 10.6.1/10.7.0 November 2020 Update and later should support Docker on host Windows Server 2016 machine. Hence this should solve our problem. Are there anyone who tried this? Does it work?

Regards,