Nethserver-portainer needs testers AND ideas :D


(Stéphane de Labrusse) #21

check the template (from head)

/etc/systemd/system/docker.service.d/nethserver.conf

and adjust the NIC

restart docker


(Tim Carroll) #22

Excellent. It works.
For your info though, I could not connect using the
nethserver - applications - portainer - open button.
I think it tried to make an http connection.
when I manually entered the url https://192.168.2.1:9000 I logged in no problem.
Thanks again…


(Stéphane de Labrusse) #23

ok, like said it is a beta, we can go to red if ONLY no green interface is available


(Stéphane de Labrusse) #24

new version of docker and portainer

  • bridge over green, failback on red if no green NIC
  • ssl certificate change aware for portainer

@davidep @all I first decided (on my own) to go to docker-ce instead of the centos version (in extras) because you have a gap of one year of development. However I used the stable docker-ce and not the edge version, it is a different release about three months older.

If you prefer the centos version, please let your thoughts


(Giacomo Sanchietti) #25

Since docker is already a bleeding edge technology (and not so much stable on some scenarios IMHO), I don’t see any issue on using docker-ce packages.


(Stéphane de Labrusse) #26

Working on portainer today:

  • restrict IP following access prop
  • allow docker to reach the host

It drives us to be able to use the mysql of the host if required, of course you can use a container for this purpose, but the mysqldb is automatically saved in NS.

For this I need to create a user, the root is only allowed to localhost.
Do I :

  • allow root to external remote client
  • create a specific user allowed to all db in mysql

what is the best security practice ?


(Giacomo Sanchietti) #27

I think you can do it safely, if you just restrict access from Docker network address.


(Davide Principi) #28

Manually create a dedicated account for each application and grant minimal permissions.

Or start a containerized DB for exclusive access… :thinking:


(Stéphane de Labrusse) #29

I thought about this, allow for 172.17.0.1/16, but it is relevant only for the default bridge docker0, although it can match a lot of cases. Of course for a new bridge network it won’t work


(Stéphane de Labrusse) #30

yep, phpmyadmin, or we could imagine a script, create user, set permission, create table, however I don’t know if it is in the nethserver way of mind : do easy and secure things for less skilled people.


(Stéphane de Labrusse) #31

the problem with docker, and probably with any other container platform, is that you hand the security concerns of your application to others. I do not know if I could trust a docker container for storing data; somehow you must also develop the backup, and the disaster recovery.

Therefore for me I’d prefer to go to mysql on the host, but sure other skill, other administrator, other methods to do.


(Stéphane de Labrusse) #32

but after thinking, it is the better approach for security, and with my module (phpmyadmin) it is easy, so we should not allow the root account to the docker bridge


(Davide Principi) #33

Existing NethServer packages do it automatically with esmith actions and templates. We’d need a similar (or the same) thing for containerized apps… But I don’t want to go too far now. Let’s see how to integrate the engine. Then we’ll find the way to configure applications automatically!


(Emiliano Vavassori) #34

Sounds great to me.

What about the third one, which is: creating a db and a user which is owner only of this new db for usage with a single container? A lot of images on Docker Hub permits the customization of db host, username, password and db name via environment variables and I think this is still the best practice.


(Stéphane de Labrusse) #35

yes better security approach, but what about when the IP of the container will change, a container has a short time of life, it is not something for long.

Therefore I believe when we create a database/user we need the ‘%’ or a netmask to allow more hosts. I did not succeed with the netmask method, I do not know if it is possible


(Emiliano Vavassori) #36

Two considerations:

  • Which network will the container take it really depends on how you will create the container. With docker-compose you may have a container with a B-class network for itself. You may also create the network beforehand with docker and assign it to the single container. I know, all stuff that has to be investigated. Plus, with docker inspect <container> and some parsing you can retrieve information for each container;
  • I am a fan of '%' in this specific case, if we really want to simplify things.

(Stéphane de Labrusse) #37

yes we use for instance docker0 which is 172.17.0.0/16

A nice network :slight_smile:
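The per-application account discussed in posts #26 to #37, as an added example that is not part of nethserver-docker or nethserver-portainer: it generates the SQL for a dedicated database and a user that may only connect from the Docker bridge subnet. The netmask attempt above fails because MySQL and MariaDB accept host patterns in `network/netmask` form (`172.17.0.0/255.255.0.0`), not CIDR (`172.17.0.0/16`); the helper converts one to the other and refuses addresses that are not network addresses, which MySQL would silently never match. The subnet, the `wp` database and user names and the password are constructed samples.

```shell
#!/bin/sh
# Added example: least-privilege MySQL/MariaDB account for one container app,
# restricted to the docker0 subnet. Not project code; names are constructed.

# Convert a CIDR prefix length (0-32) to a dotted netmask: 16 -> 255.255.0.0
cidr_to_netmask() {
  local prefix="$1" mask="" i=0 octet
  while [ "$i" -lt 4 ]; do
    if [ "$prefix" -ge 8 ]; then
      octet=255; prefix=$((prefix - 8))
    elif [ "$prefix" -le 0 ]; then
      octet=0
    else
      octet=$((256 - (1 << (8 - prefix)))); prefix=0
    fi
    mask="${mask}${mask:+.}${octet}"
    i=$((i + 1))
  done
  printf '%s\n' "$mask"
}

# Pack a dotted IPv4 address into one integer so we can mask it.
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# '172.17.0.0/16' -> '172.17.0.0/255.255.0.0', the only subnet syntax MySQL
# understands in a user's host part. Rejects '172.17.0.5/16' and similar,
# because a pattern with host bits set never matches any client.
mysql_host_pattern() {
  local net="${1%/*}" prefix="${1#*/}" mask
  mask=$(cidr_to_netmask "$prefix")
  if [ $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) -ne "$(ip_to_int "$net")" ]; then
    echo "error: $1 is not a network address" >&2
    return 1
  fi
  printf '%s/%s\n' "$net" "$mask"
}

# Random password from the system RNG; LC_ALL=C keeps tr byte-oriented.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24; echo
}

# SQL for one application: its own database and a user that owns only that
# database and may connect only from $host. GRANT ... IDENTIFIED BY creates
# the account implicitly, which also works on MariaDB 5.5 (CentOS 7).
# root is never touched: it stays limited to localhost.
render_app_grants() {
  local db="$1" user="$2" pass="$3" host="$4"
  case "$pass" in
    *\'*|*\\*) echo "error: password must not contain quotes or backslashes" >&2; return 1 ;;
  esac
  printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\n" "$db"
  printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
    "$db" "$user" "$host" "$pass"
  printf "FLUSH PRIVILEGES;\n"
}

# Example run (pipe the output into `mysql` on the host to apply it):
#   sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  render_app_grants wp wp "$(gen_password)" "$(mysql_host_pattern 172.17.0.0/16)"
fi
```

Compared with `'wp'@'%'`, the subnet pattern keeps the grant usable when the container's address changes (every docker0 container lands in 172.17.0.0/16) while still refusing connections from the green or red networks. A user-defined bridge has its own subnet; pass that subnet to `mysql_host_pattern` instead.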


(Jonathan Dumont) #38

nice work @stephdl
as I saw the news in the mailing list I jumped in…
but still not acceptable for me ;(
I’ll try to explain :

Of course for a close environment and or a dev environment it could be fine,

Peace and Love era

but many projects, Nethserver is not alone, are in the Peace and Love era of Docker.
… everyone share with everyone …

  1. first via the hub or store.docker
  2. then by running docker daemon as root
  3. to finish, but this point is less and less true; running Process as Root inside the docker.

Security. Security! Security ?

Docker offers different levels of security and could be very secure, at least as much as a jail or lxc, but most people are simply unaware of it; it also impacts the portability but that’s another story.

So; on CentOS, as Nethserver; and other OSes
you, we, they should at least run the daemon with these options
--no-new-privileges Set no-new-privileges by default for new containers
--userns-remap string User/Group setting for user namespaces
ref: https://docs.docker.com/engine/reference/commandline/dockerd/

the biggest one is userns-remap

  • If you don’t use it, it’s like running apache or nginx as root ( who still do that these days );

anyway the userns-remap will probably also help to migrate nextcloud in the docker because it could help to abstract uid and gid.

If you’re willing to implement userns-remap, I’ll probably give a try, again, to Nethserver, but without this docker will become a big breach for your unaware users who will expose services on the internet.

Oh! BTW userns-remap is incompatible with SELinux, but Nethserver doesn’t use SELinux so :wink:

docker-compose and portainer

I confirm portainer doesn’t manage docker-compose; if you want a GUI compatible with docker-compose, which is another league, you have rancher.

Question for @stephdl : why not run portainer inside docker via portainer/portainer ?

Please keep me in touch and again
congrat @stephdl, the teams and the community for this big step.
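The two daemon options from the post above, as an added example that is not part of nethserver-docker: a hardened `/etc/docker/daemon.json` next to a constructed default-style one, an audit that reports which of the two settings a given file lacks, and a check for the one NethServer-specific pitfall, namely that `dockerd` refuses to start when an option appears both in `daemon.json` and as a flag on the `ExecStart` line of a systemd drop-in such as the `/etc/systemd/system/docker.service.d/nethserver.conf` template mentioned earlier in the thread. File paths are passed in, so it runs offline; the `weak` file content is a constructed sample.

```shell
#!/bin/sh
# Added example: render and audit daemon.json for user-namespace remapping
# and no-new-privileges. Not project code; the "weak" config is constructed.

# Print a daemon.json. "userns-remap": "default" makes dockerd create the
# dockremap user and subordinate id ranges in /etc/subuid and /etc/subgid,
# so uid 0 inside a container maps to an unprivileged host uid.
# "no-new-privileges": true stops setuid/setgid binaries from gaining
# privileges inside new containers.
render_daemon_json() {
  case "$1" in
    hardened) cat <<'EOF'
{
  "userns-remap": "default",
  "no-new-privileges": true
}
EOF
    ;;
    weak) cat <<'EOF'
{
  "storage-driver": "overlay2"
}
EOF
    ;;
    *) echo "usage: render_daemon_json hardened|weak" >&2; return 2 ;;
  esac
}

# Audit a daemon.json: return 0 when both settings are present, 1 otherwise,
# naming each missing one. A missing file means built-in defaults, i.e. no remap.
audit_daemon_json() {
  local file="$1" rc=0
  if [ ! -r "$file" ]; then
    echo "MISSING: $file (daemon runs on built-in defaults: container root is host root)"
    return 1
  fi
  if ! grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$file"; then
    echo "MISSING: userns-remap -> container root is host root"; rc=1
  fi
  if ! grep -Eq '"no-new-privileges"[[:space:]]*:[[:space:]]*true' "$file"; then
    echo "MISSING: no-new-privileges -> setuid binaries in containers can escalate"; rc=1
  fi
  return $rc
}

# List flags on a systemd drop-in's ExecStart that would collide with the
# same keys in daemon.json (dockerd fails to start on such duplicates).
# Prints nothing when there is no drop-in or no overlapping flag.
dropin_flag_conflicts() {
  local dropin="$1"
  [ -r "$dropin" ] || return 0
  grep -E '^ExecStart=' "$dropin" \
    | grep -oE -- '--(userns-remap|no-new-privileges)' \
    | sort -u
}

# Example run on a NethServer host:  sh thisfile.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_daemon_json /etc/docker/daemon.json
  dropin_flag_conflicts /etc/systemd/system/docker.service.d/nethserver.conf
fi
```

To apply the hardened file, write it with `render_daemon_json hardened > /etc/docker/daemon.json`, make sure `dropin_flag_conflicts` prints nothing for the drop-in, and restart docker; existing containers and their volumes must be recreated, because remapped containers use a separate `/var/lib/docker/<uid>.<gid>` tree.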


(EnzoC) #39

Good Morning,
today is a day for docker.

I have an existing installation on my nethserver of docker-engine with a dockerized gitlab

now I have run

yum install http://mirror.de-labrusse.fr/NethDev/docker/nethserver-docker-0.1.4-1.ns7.noarch.rpm http://mirror.de-labrusse.fr/NethDev/docker/docker-ce-17.12.1.ce-1.el7.centos.x86_64.rpm http://mirror.de-labrusse.fr/NethDev/docker/nethserver-portainer-0.1.2-1.ns7.noarch.rpm

I find

docker-ce                                              x86_64                                   17.12.1.ce-1.el7.centos                                     /docker-ce-17.12.1.ce-1.el7.centos.x86_64                                   123 M
     replacing  docker-engine.x86_64 17.05.0.ce-1.el7.centos
     replacing  docker-engine-selinux.noarch 17.05.0.ce-1.el7.centos

inevitably!
and

Running transaction
  Installing : 2:container-selinux-2.42-1.gitad8f0f7.el7.noarch                                                                                                                                                                            1/6 
setsebool:  SELinux is disabled.

only refers to docker, I suppose…?

now in /var/log/messages

samba esmith::event[221528]: Event: portainer-upgrade
Mar 28 10:21:07 samba esmith::event[221528]: latest: Pulling from portainer/portainer
Mar 28 10:21:07 samba esmith::event[221528]: Digest: sha256:c7d065f721266e24342f1b2d6fa6e5b451a0057f55df1a62dbf4d4513b629c8d
Mar 28 10:21:07 samba esmith::event[221528]: Status: Image is up to date for portainer/portainer:latest
Mar 28 10:21:07 samba esmith::event[221528]: /usr/bin/docker: Error response from daemon: Conflict. The container name "/portainer-container" is already in use by container "8febba1dfb2447536134cae9c4058734329a8401fe93dcd77cec3c0b8d1d2435". You have to remove (or rename) that container to be able to reuse that name.
Mar 28 10:21:07 samba esmith::event[221528]: See '/usr/bin/docker run --help'.
Mar 28 10:21:07 samba esmith::event[221528]: Action: /etc/e-smith/events/portainer-upgrade/S10nethserver-portainer_container FAILED: 1 [2.441105]

I have an existing version of portainer

yum remove nethserver-portainer
docker stop portainer-container
docker rm portainer-container
yum install http://mirror.de-labrusse.fr/NethDev/docker/nethserver-portainer-0.1.2-1.ns7.noarch.rpm

with docker logs container

2018/03/28 08:59:07 Instance already has defined endpoints. Skipping the endpoint defined via CLI.
2018/03/28 08:59:07 Starting Portainer 1.16.4 on :9000
2018/03/28 08:59:07 open /etc/letsencrypt/live/samba.domain.it/cert.pem: no such file or directory

sorry @stephdl
probably my error depends on

#default certificate value
crt=${crtFile:-/etc/pki/tls/certs/NSRV.crt}
key=${keyFile:-/etc/pki/tls/private/NSRV.key}

i use letsencrypt for https


(Stéphane de Labrusse) #40

thanks for commenting, just a quick hint. We use portainer as a docker container, the rpm is just here to create/update it

let me read your comment and answer point by point :slight_smile: