What about Docker on NethServer 7?

hum, to clarify my thought, and following what “Discourse” proposes, which means talking about one idea per post

the package is not maintained was related to nethserver-docker

so now it's my turn to ask you to clarify
you mean if I install docker [quote="stephdl, post:47, topic:1127"]
curl -fsSL https://get.docker.com/ | sh
systemctl enable docker
systemctl start docker
docker run -d -p 9000:9000 -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer
[/quote]

I will have no firewall issue?

You can try this after installing portainer:

config setprop firewall Docker enabled
signal-event firewall-adjust

I know you will have some troubles, but I don’t remember exactly when. Usually a firewall-adjust is enough to fix it.

1 Like

Guys; @stephdl & @giacomo
I love both of you so much, and everyone in this forum, but specially both of you :wink:

I’m going to get rid of my CoreOS VM to put everything at the Nethserver level.

3 Likes

I’ll love you more once you share your achievements with us! :kissing_heart:
I’m eager to know what you are working on

The road is long but the way is free…please wait a bit, it is not even at an alpha stage.

something more workable with the portainer container (persistent data and start at boot if not stopped)

yum update -y
curl -fsSL https://get.docker.com/ | sh

the service docker must be tricked with shorewall

cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
vim /etc/systemd/system/docker.service

then change

    -After=network.target firewalld.service
    +After=network.target shorewall.service

and to bind the 0.0.0.0 IP to your real IP; like this you will be able to reach the tcp port of your container directly in portainer (set the IP of your server)

    -ExecStart=/usr/bin/dockerd
    +ExecStart=/usr/bin/dockerd --ip=xxx.xxx.xxx.xxx

then update the docker service

systemctl daemon-reload
systemctl enable docker
systemctl start docker

create default entries

mkdir /etc/e-smith/db/configuration/defaults/docker
echo 'service' > /etc/e-smith/db/configuration/defaults/docker/type
echo 'enabled' > /etc/e-smith/db/configuration/defaults/docker/status

/etc/e-smith/events/actions/initialize-default-databases

config setprop firewall Docker enabled
signal-event firewall-adjust

create and launch the portainer docker

mkdir /var/lib/portainer
docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container -v /var/lib/portainer:/data -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer

a good article to read : https://media-glass.es/portainer-the-ui-for-docker-d067f6335f23

to update portainer, you need to update the image, then remove the container and create it again. Since the data is persistent on the host, you will find all your settings.

  • update all your images

docker images | awk '/^REPOSITORY|\<none\>/ {next} {print $1}' | xargs -n 1 docker pull

  • stop portainer

docker kill portainer-container

  • remove portainer

docker rm portainer-container

  • create portainer again

docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container -v /var/lib/portainer:/data -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer

4 Likes
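A way to make the two docker.service edits above (the shorewall ordering and the --ip binding) survive docker package upgrades, as an added example that is not from the thread or from NethServer: a systemd drop-in written by a hypothetical write_docker_dropin helper. The systemd directory is a parameter (on a real host, /etc/systemd/system) so the helper can be exercised against a temporary directory, and it assumes an IPv4 server address.

```shell
#!/bin/sh
# Added example (not from the thread): write a systemd drop-in instead of
# copying docker.service into /etc/systemd/system, so the shorewall ordering
# and the --ip binding are kept when the docker package ships a new unit file.
# SYSTEMD_DIR is a parameter (assumption: /etc/systemd/system on a real host).

# write_docker_dropin SYSTEMD_DIR SERVER_IP
write_docker_dropin() {
    dir="$1/docker.service.d"
    ip="$2"
    # Refuse anything that is not a dotted quad (assumption: IPv4 only).
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "not an IPv4 address: $ip" >&2
        return 1
    }
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Unit]
# After= is additive in drop-ins: firewalld.service from the stock unit stays
# (harmless when absent) and shorewall.service is added so dockerd starts
# after the NethServer firewall has set up its chains.
After=shorewall.service

[Service]
# ExecStart= must be cleared before it can be replaced.
ExecStart=
ExecStart=/usr/bin/dockerd --ip=${ip}
EOF
}

# On a real host, after writing the drop-in:
#   systemctl daemon-reload && systemctl restart docker
```

systemd reads docker.service.d/override.conf on top of the packaged unit, so yum can update /lib/systemd/system/docker.service without undoing these two settings.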

@JOduMonT some news and feedbacks to share on docker and specially portainer…I love it :wink:

1 Like

What I would be interested to know is how docker containers vs a local install of an application relate in terms of resources needed. Does anyone have any documentation or hands-on experience with that?
I’d love to see some comparison data.

I’m not sure the interest about the resources is what you are looking for with docker. In fact the possibility to install/kill/reinstall the container is a killer feature.

The data are safe if you link the data folder to the host.

The case of nextcloud is a good example: it needs several dependencies not available on ns, but with a container you can install it easily. Even if it is a container, you can configure it as if it were a real instance

docker exec -u www-data nextcloud php occ status

Actually docker is usable from the command line, and it is not really fun…but with portainer you can be safe from the cli.

AFAIK the overhead of the KVM hypervisor is less than 5%; in the case of an LXC container I think the overhead can be considered almost null.
I like very much the idea of portainer, we need only a safe way to integrate it with Shorewall.

4 Likes

For now I have just tested and played with containers: creating them, linking them together, killing them to test the persistent data…no real investigation into security matters

this is what I did, following the advice of @filippo_carletti and yours. Isn’t it enough?

Of course docker is available on its specific port

It’s not enough: if docker or the firewall are restarted, all NAT chains are lost.

Thanks, I will test it

from what I tested

signal-event nethserver-firewall-base-save
signal-event nethserver-firewall-base-update
systemctl restart shorewall

no effect, docker containers run

systemctl restart docker

here the effect is different: if your containers are started with the option '--restart unless-stopped', then when you restart docker, only the containers with this option are restarted with the docker service. I have not tested the other options https://docs.docker.com/engine/admin/start-containers-automatically/.

My concern is that the VM freezes when I restart docker, not all the time, but I saw it. It is not a network problem, the vm was not reachable even from the proxmox console

1 Like
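To see whether the NAT chains giacomo mentions are actually gone after a firewall or docker restart, here is an added example (not from the thread) that inspects iptables-save output for the nat rules dockerd installs when a port such as portainer's 9000 is published. The two rule sets in the block are constructed samples; on a host you would pipe the real "iptables-save -t nat" output into the hypothetical docker_nat_check function.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the Docker NAT rules that
# publish a container port are still present, e.g. after
# "systemctl restart shorewall" or "systemctl restart docker".
# Reads iptables-save style text on stdin, so on a host it is run as:
#   iptables-save -t nat | docker_nat_check 9000

# docker_nat_check PORT < iptables-save-output
# Returns 0 when the nat table has the DOCKER chain, the PREROUTING jump into
# it and a DNAT rule for PORT; returns 1 and lists what is missing otherwise.
docker_nat_check() {
    port="$1"
    rules=$(cat)
    missing=""
    printf '%s\n' "$rules" | grep -q '^:DOCKER ' \
        || missing="$missing DOCKER-chain"
    printf '%s\n' "$rules" | grep -q '^-A PREROUTING .*-j DOCKER' \
        || missing="$missing PREROUTING-jump"
    printf '%s\n' "$rules" | grep -Eq "^-A DOCKER .*--dport ${port} -j DNAT" \
        || missing="$missing DNAT-${port}"
    if [ -n "$missing" ]; then
        echo "docker NAT rules missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the nat table as dockerd writes it when a container
# publishes port 9000 (the container address 172.17.0.2 is made up).
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
COMMIT'

# Constructed sample: what is left once the firewall has flushed the nat table.
SAMPLE_FLUSHED='*nat
:PREROUTING ACCEPT [0:0]
COMMIT'
```

Running the check from a cron job or after signal-event firewall-adjust gives a quick signal that published container ports silently stopped being reachable.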

not reproducible with another VM, probably tied to a container I installed, or to all the other developments/tricks I made on it. The service starts normally…nothing to say

Hi Steph;

I’m still using Portainer because it’s light and able to manage multiple servers
but I found seagull https://github.com/tobegit3hub/seagull
which also answers those two criteria
and is, graphically, a little bit more straightforward to get the hang of.

Still hoping to use docker on nethserver
But the Go or No Go is hard to follow between you and giacomo. :wink:

I’m still in Thailand and lost access to my swiss server (where all my VM … are)
so for now I just have access to my production environment
which for sure I’ll keep stable.

2 Likes

Looks interesting. Are you using it in production yet or just for test?

ohhh sorry I missed something. What are you doing there?

### Portainer vs Seagull
I use portainer in prod

but I think seagull might be more appropriate for nethserver, mostly because it goes directly to the point, which is managing docker, containers, images, …

I think, if you’re new, in seagull you will find what you want faster.
(see the screenshot at https://github.com/tobegit3hub/seagull)

The big advantage of Portainer is that it offers authentication

  • Seagull is proposed on Yunohost and DPlateform (in prod or pseudoprod)

### Thailand
My wife has a 3-month (extendable) contract;
we hope to move here in the long term

Still managing my Swiss and Canadian clients remotely :wink:

3 Likes

seagull doesn’t seem so active on github…last commit in december 16

1 Like

Is docker an appropriate use for a firewall/router? Wouldn’t it be better to use this as a router server, and leave the nas/webapp stuff for freenas or another server? That way you don’t have docker images/files etc on an internet-facing server, but I realize everyone is different. I love docker though :slight_smile:

1 Like