
Resolved
0 votes
I have, besides my ClearOS server, an unRAID server running because I need the Docker part. So I use my unRAID server the most, but I'd rather use my ClearOS server. I would really like to focus on ClearOS..

What is the status of Docker on ClearOS 7.6, and is there still the issue that containers can't communicate with each other?

..and Nick, what do you use, the Community version or the Professional version?
Monday, April 22 2019, 07:04 AM
Responses (15)
  • Wednesday, April 24 2019, 08:19 AM
    Nick Howitt wrote:

    There is a macvlan reference here. It looks like by design, it could be on the same subnet as the parent interface so care must be taken over the addressing and I think you need to reserve the IP addresses it can assign using the --ip-range switch so it does not clash with DHCP or other manual IP addresses. It also looks like the macvlan interface cannot communicate with the parent interface at all. You may be able to get round this by creating a virtual interface and attaching the macvlan interface to the virtual interface.

    [edit]
    There is a macvlan tutorial here
    [/edit]


    Yes, I found that tutorial yesterday.

    My findings on the issue are the same as yours. Thank you for confirming. Nice to do this with 2 persons; 2 people know more than 1. If you scroll down you can see that I use that in my "docker network create" command.

    I was trying this yesterday on a live machine. Not so smart.., so I reverted all changes yesterday. Today I want to try this in a virtual machine.

    The virtual interface part is new to me. How is this done?
  • Wednesday, April 24 2019, 07:51 AM
    There is a macvlan reference here. It looks like by design, it could be on the same subnet as the parent interface so care must be taken over the addressing and I think you need to reserve the IP addresses it can assign using the --ip-range switch so it does not clash with DHCP or other manual IP addresses. It also looks like the macvlan interface cannot communicate with the parent interface at all. You may be able to get round this by creating a virtual interface and attaching the macvlan interface to the virtual interface.

    [edit]
    There is a macvlan tutorial here
    [/edit]
  • Tuesday, April 23 2019, 07:46 PM
    What is the output of "ifconfig"?
  • Tuesday, April 23 2019, 02:49 PM
    The Docker network now connects to "eno2"


    docker network create -d macvlan --subnet=192.168.100.0/24 --ip-range=192.168.100.200/24 --gateway=192.168.100.1 -o parent=eno2 LAN


    There must be something wrong...
  • Tuesday, April 23 2019, 02:23 PM

    [root@voyager ~]# iptables -nvL
    Chain INPUT (policy DROP 1960 packets, 106K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    102 7752 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    15 783 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    51 3109 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eno1 * 127.0.0.0/8 0.0.0.0/0
    6785 778K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    14381 1049K ACCEPT all -- eno2 * 0.0.0.0/0 0.0.0.0/0
    109 3161 ACCEPT icmp -- eno1 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- eno1 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    3 148 ACCEPT icmp -- eno1 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- eno1 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    0 0 ACCEPT udp -- eno1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eno1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    21 1559 ACCEPT tcp -- * * 0.0.0.0/0 62.195.190.190 tcp dpt:443
    4903 730K ACCEPT udp -- eno1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    9 4241 ACCEPT tcp -- eno1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    267K 18M ACCEPT tcp -- * eno2 0.0.0.0/0 192.168.100.30 tcp dpt:32400
    16M 56G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    23820 1488K ACCEPT all -- eno2 * 0.0.0.0/0 0.0.0.0/0
    0 0 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    6823 780K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    11128 1366K ACCEPT all -- * eno2 0.0.0.0/0 0.0.0.0/0
    190 15647 ACCEPT icmp -- * eno1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * eno1 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eno1 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    11 3624 ACCEPT tcp -- * eno1 62.195.190.190 0.0.0.0/0 tcp spt:443
    5086 342K ACCEPT all -- * eno1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0

    Chain DOCKER (1 references)
    pkts bytes target prot opt in out source destination

    Chain DOCKER-ISOLATION (1 references)
    pkts bytes target prot opt in out source destination

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0





    [root@voyager ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 43467 packets, 3768K bytes)
    pkts bytes target prot opt in out source destination
    186 11400 DNAT tcp -- * * 0.0.0.0/0 62.195.190.190 tcp dpt:32400 to:192.168.100.30:32400
    13661 875K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT 11889 packets, 845K bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 8748 packets, 585K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 3024 packets, 202K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    3 156 SNAT tcp -- * * 192.168.100.0/24 192.168.100.30 tcp dpt:32400 to:192.168.100.1
    30618 1891K MASQUERADE all -- * eno1 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0

    Chain DOCKER (2 references)
    pkts bytes target prot opt in out source destination




    [root@voyager ~]# docker network ls
    NETWORK ID NAME DRIVER SCOPE
    df967c4d3bbf LAN macvlan local
    61660ee85b70 bridge bridge local
    456687a7bfb1 host host local
    b83a709639c7 none null local





    [root@voyager /]# docker network inspect LAN
    [
    {
    "Name": "LAN",
    "Id": "df967c4d3bbff894404f610432bfe1244cdfe07374020ee03f8a88cf930ba67d",
    "Created": "2019-04-23T13:30:06.703937523+02:00",
    "Scope": "local",
    "Driver": "macvlan",
    "EnableIPv6": false,
    "IPAM": {
    "Driver": "default",
    "Options": {},
    "Config": [
    {
    "Subnet": "192.168.100.0/24",
    "IPRange": "192.168.100.200/24",
    "Gateway": "192.168.100.1"
    }
    ]
    },
    "Internal": false,
    "Attachable": false,
    "Containers": {
    "d5740b986200451320e6e86a4cfc5767f180d7bc08028b766fa5a344df5c3a0d": {
    "Name": "sabnzbd",
    "EndpointID": "8b572c83ab2cc1cc5c01cf41672d10bf9d1563c82cf9e34322c876d3498e439a",
    "MacAddress": "02:42:c0:a8:64:c9",
    "IPv4Address": "192.168.100.201/24",
    "IPv6Address": ""
    }
    },
    "Options": {
    "parent": "eno2"
    },
    "Labels": {}
    }
    ]
  • Tuesday, April 23 2019, 01:21 PM
    I used a slightly different approach here with my Samba DC, but it does not mean it is right. I have not understood what a macvlan interface is and, if you can explain, I'd love to know.

    Docker, when it starts, normally self-assigns a subnet to the docker0 interface, and app-docker sets up some basic firewall rules. I then set up more for the docker/samba based on what docker was trying to do when it was allowed to create its own firewall rules.

    I wonder if your route is the better way to go if it allows the container to run on a different exposed subnet, because it will sidestep the issues I had with port bindings with samba/winbind.

    You could, perhaps, try adding a firewall rule to allow all traffic from 192.168.100.0/24 through the FORWARD chain, but I think it is already allowed (because it is from docker0). What do your filter and nat tables look like:
    iptables -nvL
    iptables -nvL -t nat
  • Tuesday, April 23 2019, 11:39 AM
    There seems to be one problem: the Docker container has no route to the outside, thus no connection to the internet...
  • Tuesday, April 23 2019, 11:07 AM
    @Nick, good info!

    I tried to figure out how to give every container its own IP address, for example 192.168.100.201. So it is accessible on its own IP address in your local LAN.

    @Nick can you try if it works for you?

    I edited /etc/sysconfig/network-scripts/ifcfg-docker0:


    DEVICE=LAN
    TYPE="Bridge"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="none"


    I created a new docker network with the following command:


    docker network create -d macvlan --subnet=192.168.100.0/24 --ip-range=192.168.100.200/24 --gateway=192.168.100.1 -o parent=eno2 LAN


    I created a Docker container with the following command:


    docker run \
    --detach \
    --net=LAN \
    --ip=192.168.100.201 \
    --name=sabnzbd \
    -e TZ=Europe/Amsterdam \
    -e PUID=1000 \
    -e PGID=1000 \
    -p 8080:8080 \
    -p 9090:9090 \
    -v /usr/docker/sabnzbd:/config \
    -v /var/flexshare/shares/downloads:/downloads \
    -v /var/flexshare/shares/downloads-incomplete:/incomplete-downloads \
    --restart unless-stopped \
    linuxserver/sabnzbd


    I created the necessary directories on my server, and also created the config directory for sabnzbd with the necessary rights. As a test I copied my whole "/config" directory, which exists outside the container, from my unRAID server to my ClearOS server. Yes!!! The container is now running on my ClearOS server with all settings and history from the old container on the unRAID server, and it has its own IP address! :)
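Added example (not code from the thread or from ClearOS): a check for the two addressing caveats Nick raises above, applied to the docker network create command in this post. It verifies that --ip-range really reserves a block inside the subnet that is clear of the gateway and the DHCP pool, and it emits the ip(8) commands for the "virtual interface" workaround that lets the host reach containers on a macvlan network. The DHCP pool (192.168.100.100-150), the shim interface name and the shim address are assumed values.

```python
import ipaddress

# Constructed for this example: assume the ClearOS DHCP server leases
# 192.168.100.100-192.168.100.150 (the thread does not state its pool).
DHCP_POOL = (ipaddress.IPv4Address("192.168.100.100"),
             ipaddress.IPv4Address("192.168.100.150"))


def check_macvlan_ipam(subnet, ip_range, gateway, dhcp_pool=DHCP_POOL):
    """Return addressing problems in a `docker network create -d macvlan`
    IPAM configuration; empty means containers cannot collide with the
    gateway or with DHCP leases on the shared LAN."""
    net = ipaddress.ip_network(subnet)
    # Docker takes a host address plus prefix for --ip-range and allocates
    # from everything that prefix covers, so normalise the same way.
    rng = ipaddress.ip_network(ip_range, strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if not rng.subnet_of(net):
        problems.append(f"ip-range {rng} is not inside subnet {net}")
    elif rng.prefixlen <= net.prefixlen:
        problems.append(f"ip-range {ip_range} spans the whole subnet {net}, "
                        "so it reserves nothing")
    if gw in rng:
        problems.append(f"gateway {gw} lies inside ip-range {rng}")
    lo, hi = dhcp_pool
    if rng[0] <= hi and rng[-1] >= lo:
        problems.append(f"ip-range {rng} overlaps DHCP pool {lo}-{hi}")
    return problems


def host_shim_commands(parent, ip_range, shim_ip, shim="macvlan-shim"):
    """ip(8) commands that give the host its own macvlan child on `parent`
    (the 'virtual interface' workaround): the parent cannot reach macvlan
    children directly, but a second child in bridge mode can. Names assumed."""
    rng = ipaddress.ip_network(ip_range, strict=False)
    if ipaddress.ip_address(shim_ip) in rng:
        raise ValueError(f"shim address {shim_ip} collides with {rng}")
    return [
        f"ip link add {shim} link {parent} type macvlan mode bridge",
        f"ip addr add {shim_ip}/32 dev {shim}",
        f"ip link set {shim} up",
        # route only the container block via the shim, not the whole LAN
        f"ip route add {rng.with_prefixlen} dev {shim}",
    ]


if __name__ == "__main__":
    # The thread's /24 ip-range versus a /29 that reserves only .200-.207.
    for rng in ("192.168.100.200/24", "192.168.100.200/29"):
        print(rng, check_macvlan_ipam("192.168.100.0/24", rng, "192.168.100.1"))
    print("\n".join(host_shim_commands("eno2", "192.168.100.200/29",
                                       "192.168.100.199")))
```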
  • Tuesday, April 23 2019, 08:33 AM
    I am not sure why I have clearos-centos-extras enabled. It does not seem to be on the default installation. I'll ping the devs on this one as there are lots of later packages in clearos-centos-extras and centos-extras-unverified.
  • Tuesday, April 23 2019, 08:26 AM
    App-docker does not have a webconfig, but has some underlying stuff like firewall integration and the systemd unit file (to start and stop docker). It also has a couple of settings such as disabling docker apps from creating their own firewall rules. In my opinion it is also missing DNS settings so it uses the default GoogleDNS and not your server's DNS. To use the server's DNS, in /etc/docker/daemon.json, add lines:
    {
    "dns": ["172.18.0.1", "172.17.2.1"]
    }
    In my case, 172.18.0.1 is the IP of the docker0 interface and 172.17.2.1 is my ClearOS LAN IP. You can specify any DNS servers here.
  • Tuesday, April 23 2019, 08:18 AM
    The private repo's generally contain the same as the public (community) ones. It is just that the release into the private repo's is more controlled and, in the normal run of things, is about 2 weeks in arrears of the community repos. This gives the developers a chance to fix any un-caught bugs that were shipped to the community before they are shipped to the paying customers. One of the features for the paying customers is that they should get more stable packages that have already been tested in the community, just as where we are in the 7.6 update cycle at the moment. This is why the Home/Business customers would also need to do an "--enablerepo=clearos-updates,clearos-centos-clearos-centos-extras" if they wanted to pre-test 7.6. Those are community repos which are normally disabled for the Home/Business customers.
  • Tuesday, April 23 2019, 08:14 AM
    @Nick do you know what "app-docker" and "app-docker-core" do? I can't seem to find a new app in the webui..
  • Tuesday, April 23 2019, 07:09 AM
    Hi Nick,

    I think I'm going to mess around a bit today if time permits.

    For your information there is a Docker package in the "clearcenter-verified-updates" but I assume this is only accessible for paid customers.

    docker.x86_64                         2:1.13.1-53.git774336d.el7.centos    private-clearcenter-verified-updates
    docker-client.x86_64                  2:1.13.1-53.git774336d.el7.centos    private-clearcenter-verified-updates
    docker-common.x86_64                  2:1.13.1-53.git774336d.el7.centos    private-clearcenter-verified-updates
    docker-compose.noarch                 1.18.0-2.el7                         clearos-epel-verified


    and like you said in the "clearos-centos-extras".

    docker.x86_64                         2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-client.x86_64                  2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-client-latest.x86_64           1.13.1-58.git87f2fab.el7.centos      clearos-centos-extras
    docker-common.x86_64                  2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-compose.noarch                 1.18.0-2.el7                         clearos-epel-verified
    docker-devel.x86_64                   1.3.2-4.el7.centos                   clearos-centos-extras
    docker-distribution.x86_64            2.6.2-2.git48294d9.el7               clearos-centos-extras
    docker-forward-journald.x86_64        1.10.3-44.el7.centos                 clearos-centos-extras
    docker-latest.x86_64                  1.13.1-58.git87f2fab.el7.centos      clearos-centos-extras
    docker-latest-logrotate.x86_64        1.13.1-58.git87f2fab.el7.centos      clearos-centos-extras
    docker-latest-v1.10-migrator.x86_64   1.13.1-58.git87f2fab.el7.centos      clearos-centos-extras
    docker-logrotate.x86_64               2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-lvm-plugin.x86_64              2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-novolume-plugin.x86_64         2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras
    docker-python.x86_64                  1.4.0-115.el7                        clearos-centos-extras
    docker-registry.x86_64                0.9.1-7.el7                          clearos-centos-extras
    docker-unit-test.x86_64               2:1.13.1-68.gitdded712.el7.centos    clearos-centos-extras
    docker-v1.10-migrator.x86_64          2:1.13.1-75.git8633870.el7.centos    clearos-centos-extras


    These are the same Docker versions: Docker 1.13.1.

    I indeed remember that we tried before to make this work for me. I also remember the problem with the firewall. I will lookup that old thread!
  • Monday, April 22 2019, 07:08 PM
    Hi Marcel,
    I just use the docker from clearos-centos-extras repo which is 1.13.1-75.git8633870, so not DockerCE or the paid for version.
    As previously discussed, one of the issues is firewalling where you'd need to create your own firewall rules which will work with the ClearOS firewall.
  • Monday, April 22 2019, 12:51 PM
    Investigated a bit, but I think nothing has changed, which is of course obvious. I have to be more patient I guess. ;)