Nethserver-portainer needs testers AND ideas :D

(Stéphane de Labrusse) #41

what is

config show pki

I only tested with the default certificate, but letsencrypt should be handled

(Stéphane de Labrusse) #42

for all of this we run a modified systemd service, it is just a matter of adding them

Please let me test it, thanks again

(EnzoC) #43
[root@samba ~]# config show pki
Organization=Domain Srl

(Stéphane de Labrusse) #44

ok I understand my issue, innocently I believed that letsencrypt put certificates in a common path

I need the review of @giacomo and @davidep: where can I find all possible certificates, and how can I determine if we use letsencrypt or a custom certificate stored in the pki folder?

We can find an issue on portainer with letsencrypt, could you please check it:

For your problem, change my action:

vim /etc/e-smith/events/actions/nethserver-portainer_container



#!/bin/bash
# e-smith actions receive the event name as their first argument
event="$1"

pid=$(/usr/sbin/pidof portainer)

# default pki
crtFile=$(/sbin/e-smith/config getprop pki CrtFile)
keyFile=$(/sbin/e-smith/config getprop pki KeyFile)

# default certificate value: fall back to the self-signed NSRV files
crt=${crtFile:-/etc/pki/tls/certs/NSRV.crt}
key=${keyFile:-/etc/pki/tls/private/NSRV.key}

# stop and remove the existing container if portainer is running
if [[ -n "$pid" ]]; then
    /usr/bin/docker container stop portainer-container || exit 1
    /usr/bin/docker rm -f portainer-container || exit 1
fi

# pull the latest image only on the upgrade event
if [[ $event == 'portainer-upgrade' ]]; then
    /usr/bin/docker image pull portainer/portainer:latest || exit 1
fi

# the --sslcert/--sslkey paths are opened inside the container, so the host
# directory holding them must be bind-mounted at the same path (read-only);
# letsencrypt's live/ entries are symlinks into archive/, so mount the parent
/usr/bin/docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container \
    -v portainer-data:/data -v "/var/run/docker.sock:/var/run/docker.sock" \
    -v /etc/letsencrypt:/etc/letsencrypt:ro portainer/portainer --ssl --sslcert "${crt}" \
    --sslkey "${key}" -H unix:///var/run/docker.sock || exit 1

then (you can check if portainer-container is running with docker ps):

docker rm -f portainer-container
signal-event nethserver-portainer-update

If something goes wrong, please run docker inspect portainer-container and check whether the path to the certificate is correct.
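
As an added example (not part of the thread or of the nethserver-portainer package): a bash check the action could run before docker run, which reads the pki CrtFile/KeyFile properties with a fallback, classifies the certificate by its resolved location, and refuses to start when the private key is missing or readable by other users. CONFIG_CMD, LETSENCRYPT_DIR and the NSRV default paths are assumptions.

```bash
#!/bin/bash
# Added example, not nethserver-portainer code: validate the certificate pair
# the pki config points at. CONFIG_CMD, LETSENCRYPT_DIR, NSRV paths: assumed.

: "${CONFIG_CMD:=/sbin/e-smith/config}"
: "${LETSENCRYPT_DIR:=/etc/letsencrypt}"

# Read a pki property from the e-smith config database; fall back to the
# given default when the tool is absent or the property is empty.
pki_prop() {
    local prop="$1" default="$2" value=""
    if [ -x "$CONFIG_CMD" ]; then
        value=$("$CONFIG_CMD" getprop pki "$prop" 2>/dev/null)
    fi
    printf '%s\n' "${value:-$default}"
}

# Classify a certificate by where its resolved path lives: letsencrypt
# keeps symlinks in live/ pointing into archive/, both under LETSENCRYPT_DIR.
cert_source() {
    local real
    real=$(readlink -f "$1") || return 1
    case "$real" in
        "$LETSENCRYPT_DIR"/*) echo letsencrypt ;;
        /etc/pki/tls/*/NSRV.*) echo self-signed ;;
        *) echo custom ;;
    esac
}

# Succeed only when both files are readable and the private key (after
# following symlinks) is not readable by group or others.
check_cert_pair() {
    local crt="$1" key="$2" mode
    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "missing key: $key" >&2; return 1; }
    mode=$(stat -L -c '%a' "$key") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *) echo "key $key has mode $mode, readable by others" >&2; return 1 ;;
    esac
}

# Action entry point: fails instead of starting with a missing or exposed key.
portainer_cert_check() {
    local crt key
    crt=$(pki_prop CrtFile /etc/pki/tls/certs/NSRV.crt)
    key=$(pki_prop KeyFile /etc/pki/tls/private/NSRV.key)
    check_cert_pair "$crt" "$key" || return 1
    echo "starting portainer with $(cert_source "$crt") certificate $crt"
}
```

Call portainer_cert_check from the action right before the docker run line; its non-zero exit stops the event the same way the existing "|| exit 1" guards do.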

(Davide Principi) #45

Letsencrypt/Uploaded/Self-signed does not matter!

This is similar to your recent PR for Postfix. You have to expand the certificate/key certificate/crt templates in a location reserved to Portainer.

(Stéphane de Labrusse) #46

thanks :smiley:
yes of course

(Stéphane de Labrusse) #47

I worry that we have to pass some parameters to the kernel to enable user namespaces

it is a technology preview…

The user namespaces kernel feature is fully supported (generally available) in RHEL 7.4. However, the specific implementation of user namespaces related to the docker service is identified as a technology preview while Red Hat locks down a few security issues associated with non-root user mounts.

I don’t know if we can enable it @dev_team

maybe we can start docker with a non-root user, does that sound enough for you?

(Davide Principi) #48

Just live on the bleeding edge :stuck_out_tongue_winking_eye:

(Giacomo Sanchietti) #49

I don’t know …

I agree with @JOduMonT that docker has some known security problems, but I’d prefer to ease the life of the user.

IMHO, just choose the hassle-free option for the end user.
If possible, provide documentation on hardening the installation a bit.

(Stéphane de Labrusse) #50

I will do a dedicated ssl certificate for portainer, please wait a bit

(Patrick Garrett Smith) #51

Hi, what is the state of progress?

(EnzoC) #52

Thank you! I have tried with various paths… but it doesn't work. The problem is only with the SSL certificate, because if I launch it without SSL it works perfectly.

(Stéphane de Labrusse) #53

new version to test :smiley:

yum install -y

we run a specific certificate by template; a certificate-update event will change it

(EnzoC) #54

Perfect! But the link in the application dashboard links to http:// :smile:

(Stéphane de Labrusse) #55

Yes, next step. Now if you go to network services you can choose the interface you need to run the container

By default it is green

(Stéphane de Labrusse) #56

the new version should correct it

(James Taylor) #57

I just installed this. Both Docker and Portainer. Installed both, went to network services and enabled the red network on the docker service. Browse to and I get connection refused. If I ssh tunnel to the server, I get invalid http response. docker ps shows portainer running on port 9000. netstat -anptu | grep 9000 shows docker-proxy listening. Just let me know any more details you need

(Stéphane de Labrusse) #58

what is the output of docker ps please?

(Stéphane de Labrusse) #59

just tested again on my server, it works

what is the output of rpm -qa | grep -e 'docker' -e 'portainer'?

(James Taylor) #60