I am not aware of a docker management app. What are you looking for from one? I think even now the tie in to ClearOS is complex. As an example, if you are in the webconfig ClearGLASS page you will not succeed in stopping docker from the command line - or, at least, docker will automatically restart which seems a somewhat different approach than what you might expect. Peter did explain why. Something to do that you could not show the the ClearGLASS status without docker running.

BTW, in order to solve a similar problem to what I was seeing with ClearGLASS not starting properly, I believe Peter upgraded successfully to Docker CE and it solved his problem. I fixed mine by moving the docker folder onto a partition with the required option set in the filesystem.

More issues:

1 - Is ClearGlass hijacking my server FQDN and forcing an http -> https rewrite as I can no longer access the transmission webconfig on port 9090 (I had to switch it because of Openfire), but it is still available on http if I use another FQDN which resolves to the same IP. If so it is a bit antisocial and should only be rewriting on port 9443.
2 - In the settings section of the webconfig, you appear to be able to choose the ClearGlass SSL certificate, but the "Go to ClearGLASS" button link stays pointing to the server name. Shouldn't the link follow the certificate? If it does not, you get an Insecure Connection warning in the browser. I am trying to get round the problem in 1 above, but if I create a new certificate for clearglass.howitts.co.uk and tell the webconfig to use it and to all the DNS mapping, the Go To button still points to server.howitts.co.uk. and http to server.howitts.co.uk still gets rewritten to https.
3 - The log files are horrendous between docker and ClearGlass. 13MB in under 3 days and I have not yet done anything in ClearGlass. Half the lines have " INFO " or "level=info" in them but this would still only cut the log in by half. Most of these are ClearGLASS logs and a few are docker. Can anything be done to cut this down without resorting too filtering in rsyslog?
4 - I have a recurring error:
It looks like it may just be update checking for a new version of ClearGlass, but the error repeats every 2 seconds generating over 31,000 lines of logs in under 3 days.

I had a feeling that there would be a load of variables automatically attached to the ip-up script. Searching around the internet I quickly bumped into this which indicates the IP address should be directly available using the variable $4 rather than the big ifconfig command. If you had MultiWAN you'd also want to log the interface with $1 so you knew which interface was coming up.

If you then google around you'll find many variants of how to get the date and time in bash - perhaps google "date time bash". I already have it in one of by scripts:So how about for your command something like:You can make the command more complex if you want to filter bits and so on.

I can't check any of this as my external connection is DHCP and not PPPoE.

The answer I gave you is wrong for NAT'd traffic (so gateway mode). You'd just need to monitor ssh traffic between the source and target machines because it gets NAT'd in ClearOS, so something liker for pings change "port 22" to "icmp". you should see two outbound entries as it passes through the LAN and WAN interfaces and two as it comes back, but the LAN IP can be changing as it gets NAT'd to the ClearOS WAN IP in gateway mode.

After your first couple of posts you are allowed to post without approval so you should be OK now.

No you don't have to do what you are proposing, but you can if you insist. If you run your program from the /etc/ppp/ip-up/local file just by adding a line to the file. /etc/ppp/ip-up and /etc/ppp/ip-up.local should only fire each time PPPoE gets a new IP. No need to have something sitting in memory looping.

Have a look at bash scripting. If all you want to do is add an IP address to a file, you can do it in a single line:
You could add the line to the end of the /etc/ppp/ip-up/local file or to a separate file and call the file from /etc/ppp/ip-up/local.

I have a feeling you may want more than that, perhaps at a minimum with a date/timestamp. Also that is only building a text file of IP's rather than some sort of conventional database.

Bruce Shiu wrote:

I'm not familiar how to do traffic sniffing, but I'm thinking that when I just switching between "gateway"(blocked WAN --> LAN) and "trustedgateway"(blocked LAN --> WAN) without changing anything else, traffic can pass thru between WAN and LAN vice versa, is that mean the the route is working correctly on the internet gateway?

Not necessarily because internet traffic is not returning to the ClearOS LAN.

Remember I have no experience of the trustedgateway solution so I am trying to piece together what is going on. Google for "tcpdump example". A couple of links are here and here. Perhaps you want something like:Tcpdump is a complex tool and I have to use a lot of trial and error to get it to work. Try testing the above by doing an SSH from the ClearOS LAN to anywhere on the 10.4.0.0/15 LAN. You should at least see outbound traffic. If it is to a valid destination with a running SSH server you should see a reply. If you don't, you have a routing problem in your gateway or a firewalling problem on your target device. If you see some traffic, even if it is one way, try SSH'ing to the ClearOS LAN. If you see nothing you have a routing problem on your gateway. If you see no outbound or return traffic when SSH'ing from the ClearOA LAN then you probably have a problem with the tcpdump command.

Note when testing to Windoze devices, their firewall often only allows local LAN traffic through. 10.2.0.0/15 is not considered local to 10.4.0.0/15 and vice-versa.

I have a suggestion for the mail server Trusted Networks. I am very uncomfortable about adding a 172.16/12 subnet to Trusted Networks as it adds the whole 172.16/12 address space when it really only needs a /16 subnet within it. All ClearOS recommendations to date are not to use Trusted Networks, but to use authentication, then suddenly we are trusting a huge address space.

My suggestion is to add another parameter to /etc/postfix/main.cf, lets say "clearglassnetwork" and set it to the ClearGlass network. This can be set from the br-????????? interface. Then change the "mynetworks" to something like172.17.2.0/23 is my own network)

The SMTP Server Webconfig still works and you can change, add and delete networks, but you now also have a separate parameter which can be maintained programatically and is clearly distinguishable in the webconfig so it won't be mistaken for a user added subnet.

Apcupsd e-mails to root. It can be changed in/etc/apcupsd/apccontrol but it is not worth it. Really you should have root aliased to a valid user so you get some of the other system e-mails. To do that edit /etc/aliases. I have a couple of lines:Put in your equivalent and run the command "newaliases" from the command line for the change to take effect.

Hmm. It looks like a possible solution to the docker DNS issue is to add a line to /etc/docker/daemon.json:
Where the IP is that of the docker0 interface. Is it possible to do that automatically and maintain it in ClearOS or does the IP not exist if docker is not running? Having stopped docker I can see the still interface exists, but does it always?


I am also seeing in the logs:Should the group exist ans is there any harm creating it?

I don't know. I was only commenting on the initial installation.