Nethserver-portainer needs testers AND ideas :D


(Stéphane de Labrusse) #41

what is

config show pki

I only tested with the default certificate, but letsencrypt should be handled


(Stéphane de Labrusse) #42

for all of this we run a modified systemd service, it is just a matter of adding them

Please let me test it, thanks again


(EnzoC) #43
[root@samba ~]# config show pki
pki=configuration
CertificateDuration=3650
ChainFile=/etc/letsencrypt/live/samba.domain.it/chain.pem
CommonName=NethServer
CountryCode=IT
CrtFile=/etc/letsencrypt/live/samba.domain.it/cert.pem
EmailAddress=it@domain.it
KeyFile=/etc/letsencrypt/live/samba.domain.it/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=samba.domain.it
LetsEncryptMail=it@domain.it
LetsEncryptRenewDays=30
Locality=City
Organization=Domain Srl
OrganizationalUnitName=Main
State=Italy
SubjectAltName=*.domain.it

(Stéphane de Labrusse) #44

ok, I understand my issue: innocently I believed that letsencrypt put the certificate in a common path

I need the review of @giacomo and @davidep on where I can find all possible certificates and how I can determine if we use letsencrypt or a custom certificate stored in the pki folder

We can find an issue on portainer with letsencrypt, could you please check it: https://github.com/portainer/portainer/issues/986

for your problem, change my action

vim /etc/e-smith/events/actions/nethserver-portainer_container

then

#!/usr/bin/bash

event=$1
pid=$(/usr/sbin/pidof portainer)

# certificate and key paths from the pki configuration
crtFile=$(/sbin/e-smith/config getprop pki CrtFile)
keyFile=$(/sbin/e-smith/config getprop pki KeyFile)

# certificate value (the fallback to the default /etc/pki/tls/certs/NSRV.crt
# and /etc/pki/tls/private/NSRV.key is left disabled here)
crt=${crtFile}
key=${keyFile}

# substitution: rewrite the host letsencrypt path to the path seen inside the container
crt=${crt//'/etc/letsencrypt/live/samba.domain.it/'/'/certs/live/samba.domain.it/'}
key=${key//'/etc/letsencrypt/live/samba.domain.it/'/'/certs/live/samba.domain.it/'}

# stop and remove the running container, if any
if [[ -n "$pid" ]]; then
    /usr/bin/docker container stop portainer-container || exit 1
    /usr/bin/docker rm -f portainer-container || exit 1
fi

# pull the latest image only on the upgrade event
if [[ $event == 'portainer-upgrade' ]]; then
    /usr/bin/docker image pull portainer/portainer:latest || exit 1
fi

# start portainer with the letsencrypt directory mounted read-only under /certs/live/
/usr/bin/docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container \
    -v portainer-data:/data -v "/var/run/docker.sock:/var/run/docker.sock" \
    -v /etc/letsencrypt/live/samba.domain.it/:/certs/live/samba.domain.it/:ro \
    portainer/portainer --ssl --sslcert "${crt}" --sslkey "${key}" \
    -H unix:///var/run/docker.sock || exit 1

then (you can check if portainer-container is running with docker ps)

docker rm -f portainer-container
signal-event nethserver-portainer-update

if something goes bad, please do docker inspect portainer-container and check if the path to the certificate is correct
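
The path handling above is tied to one letsencrypt directory. As an added example (not code from nethserver-portainer), the script below derives the host paths from the pki properties, resolves the Let's Encrypt live/ symlinks to the real files in archive/ before mounting, refuses a private key that is group- or world-readable, and prints the docker -v flags plus the --sslcert/--sslkey values as the container sees them. The `config show pki` sample is constructed inline; GNU readlink -f and find -perm / are assumed.

```bash
#!/usr/bin/env bash
# Added example (not nethserver-portainer code): build the certificate arguments
# for the portainer container from the NethServer pki properties, whichever
# source is configured (default NSRV.*, uploaded, or Let's Encrypt). Let's Encrypt
# keeps live/*.pem as symlinks into archive/, so the real file is resolved first
# and its directory is what gets mounted. Assumes GNU readlink -f and find -perm /.

# Constructed sample of `config show pki` output so the functions run offline.
PKI_SAMPLE='pki=configuration
CrtFile=/etc/letsencrypt/live/samba.domain.it/cert.pem
KeyFile=/etc/letsencrypt/live/samba.domain.it/privkey.pem
LetsEncrypt=disabled'

# pki_prop NAME OUTPUT: print one property value from `config show pki` output.
pki_prop() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# real_path FILE: host path with symlinks resolved; fails if FILE is missing.
real_path() {
    [ -e "$1" ] && readlink -f -- "$1"
}

# key_is_private KEYFILE: succeeds only if the key is not group/world readable,
# since the file is about to be exposed inside a container.
key_is_private() {
    [ -z "$(find "$1" -maxdepth 0 -perm /077 2>/dev/null)" ]
}

# container_args CRT KEY: print, one per line, the docker -v flag(s) that mount
# the resolved directories read-only under /certs, then the --sslcert and
# --sslkey values as seen inside the container. Prints nothing and returns 1
# when a file is missing or the key is readable by others.
container_args() {
    local crt key crtdir keydir
    crt=$(real_path "$1") && key=$(real_path "$2") || return 1
    key_is_private "$key" || return 1
    crtdir=$(dirname "$crt"); keydir=$(dirname "$key")
    printf -- '-v %s:/certs%s:ro\n' "$crtdir" "$crtdir"
    [ "$keydir" = "$crtdir" ] || printf -- '-v %s:/certs%s:ro\n' "$keydir" "$keydir"
    printf -- '/certs%s\n/certs%s\n' "$crt" "$key"
}

# On a real host, feed it the live properties (hypothetical usage):
# pki=$(/sbin/e-smith/config show pki)
# container_args "$(pki_prop CrtFile "$pki")" "$(pki_prop KeyFile "$pki")"
```

The printed lines can be spliced straight into the docker run command of the action above; a failure before the container starts is easier to diagnose than a dangling symlink inside it.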


(Davide Principi) #45

Letsencrypt/Uploaded/Self-signed does not matter!

This is similar to your recent PR for Postfix. You have to expand the certificate/key certificate/crt templates in a location reserved to Portainer.


(Stéphane de Labrusse) #46

thanks :smiley:
yes of course


(Stéphane de Labrusse) #47

I worry that we have to pass some parameters to the kernel to enable user namespaces

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/getting_started_with_containers/get_started_with_docker_formatted_container_images#user_namespaces_options

it is a technology preview…

Note

The user namespaces kernel feature is fully supported (generally available) in RHEL 7.4. However, the specific implementation of user namespaces related to the docker service is identified as a technology preview while Red Hat locks down a few security issues associated with non-root user mounts.

I don’t know if we can enable it @dev_team

maybe we can start docker with a non-root user, does it sound enough for you?


(Davide Principi) #48

Just live on the bleeding edge :stuck_out_tongue_winking_eye:


(Giacomo Sanchietti) #49

I don’t know …

I agree with @JOduMonT that docker has some known security problems, but I’d prefer to ease the life of the user.

IMHO, just choose the option that is hassle-free for the end user.
If possible, provide documentation to harden the installation a bit.


(Stéphane de Labrusse) #50

I will do a dedicated ssl certificate for portainer, please wait a bit


(Patrick Garrett Smith) #51

Hi what line of progress


(EnzoC) #52

thank you! I have tried with various paths… but it doesn't work. The problem is only with the SSL certificate, because if I launch it without SSL it works perfectly.


(Stéphane de Labrusse) #53

new version to test :smiley:

yum install -y http://mirror.de-labrusse.fr/NethDev/docker/docker-ce-17.12.1.ce-1.el7.centos.x86_64.rpm http://mirror.de-labrusse.fr/NethDev/docker/nethserver-docker-0.1.3-1.ns7.sdl.noarch.rpm http://mirror.de-labrusse.fr/NethDev/docker/nethserver-portainer-0.1.3-1.ns7.noarch.rpm

we run a specific certificate by template, a certificate-update event will change it


(EnzoC) #54

Perfect! But the link in the application dashboard links to http:// :smile:


(Stéphane de Labrusse) #55

Yes next step, now if you go to network service you can choose the interface you need to run the container

By default it is green


(Stéphane de Labrusse) #56

the new version should correct it


(James Taylor) #57

I just installed this. Both Docker and Portainer. Installed both, went to network services and enabled the red network on the docker service. Browse to https://domain.com:9000 and I get connection refused. If I ssh tunnel to the server, I get invalid http response. docker ps shows portainer running on port 9000. netstat -anptu | grep 9000 shows docker-proxy listening. Just let me know any more details you need


(Stéphane de Labrusse) #58

what is the output of docker ps, please?


(Stéphane de Labrusse) #59

just tested again on my server, it works

what is the output of rpm -qa | grep -e 'docker' -e 'portainer'?


(James Taylor) #60