What about Docker on NethServer 7?


(Jonathan Dumont) #41

Hi it’s me again :stuck_out_tongue:

I just understood @davidep made it happen, I mean Docker on Nethserver 7

But like @indra

How We could fix this ?


(Davide Principi) #42

That package was just an experiment and is now obsolete, since Shorewall implemented a builtin support for Docker net filter chain.


(Jonathan Dumont) #43

Doh I just force the installation with yum --nogpgcheck :sandal:


(Indra) #44

How did this go, not breaking to much other things? I would do it too, but mine is a production server with 50+ email accounts, file sharing, etc . Breaking it would be hell (and mess up my holiday).


(Jonathan Dumont) #45

Never be too prudent, so you could try it in a VM and have validate backup
but it when surprisingly very well I instead of using apache as proxy I dockerise it with HAProxy.

O btw, @stephdl; Portainer run well on Nethserver with Docker.

The only thing is the package is not maintained so it’s not a viable solution for production.

PS: I also stop the services and uninstall it, without any issue or need to reboot


(Stéphane de Labrusse) #46

Are you talking that you installed portainer by a rpm…you have a docker image for that. Does portainer is merely used ?


(Stéphane de Labrusse) #47

easy to play with portainer, on a NS7

curl -fsSL https://get.docker.com/ | sh
systemctl enable docker
systemctl start docker
docker run -d -p 9000:9000 -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer

then go to http://IP:9000

create the first user admin, then set to run portainer ond the localhost. That’s all

Probably a zillion things more to do, but I can create a basic httpd ‘hello word’ reachable on port 32768


(Jonathan Dumont) #48

hum to clarify my tough, and following what “Discourse” propose, which means talking about one idea per post

the package is not maintained was related to nethserver-doker

so now my turn to ask you to clarify
you means if I install docker [quote=“stephdl, post:47, topic:1127”]
curl -fsSL https://get.docker.com/ | sh
systemctl enable docker
systemctl start docker
docker run -d -p 9000:9000 -v “/var/run/docker.sock:/var/run/docker.sock” portainer/portainer
[/quote]

I will have no firewall issue ?


(Giacomo Sanchietti) #49

You can try this after installing portainer:

config setprop firewall Docker enabled
signal-event firewall-adjust

I know you will have some troubles, but I don’t rember exactly when. Usually a firewall-adjust is enough to fix it.


(Jonathan Dumont) #50

Guys; @stephdl & @giacomo
I love both of you so much, and everyone in this forum, but specially both of you :wink:

I’m going to get ride of my CoreOS VM to put everything at the Nethserver level.


(Alessio Fattorini) #51

I’ll love you more once you will share with us your achievements! :kissing_heart:
I’m eager to know what are you working on


(Stéphane de Labrusse) #52

The road is long but the way is free…please wait a bit, it is even not an alpha stage.


(Stéphane de Labrusse) #53

something more workable with the portainer container (persistent data and start at boot if not stopped)

yum update -y
curl -fsSL https://get.docker.com/ | sh

the service docker must be tricked with shorewall

cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
vim /etc/systemd/system/docker.service

then change

    -After=network.target firewalld.service
    +After=network.target shorewall.service

and to bind the 0.0.0.0 IP to your real IP, like this you will be able to reach the tcp port of your container directly in portainer (set the IP of your server)

-ExecStart=/usr/bin/dockerd 
+ExecStart=/usr/bin/dockerd --ip=xxx.xxx.xxx.xxx

then update the docker service

systemctl daemon-reload
systemctl enable docker
systemctl start docker

create default entries

mkdir /etc/e-smith/db/configuration/defaults/docker
echo 'service' > /etc/e-smith/db/configuration/defaults/docker/type
echo 'enabled' > /etc/e-smith/db/configuration/defaults/docker/status

/etc/e-smith/events/actions/initialize-default-databases

config setprop firewall Docker enabled
signal-event firewall-adjust

create and launch the portainer docker

mkdir /var/lib/portainer
docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container -v /var/lib/portainer:/data -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer

a good article to read : https://media-glass.es/portainer-the-ui-for-docker-d067f6335f23

to update portainer, you need to update the image, then remove the container and create it again. Since the data is persistent on the host, you will found all your settings.

  • update all your images

docker images | awk '/^REPOSITORY|\<none\>/ {next} {print $1}' | xargs -n 1 docker pull

  • stop portainer

docker kill portainer-container

  • remove portainer

docker rm portainer-container

  • create again portainer

docker run -d -p 9000:9000 --restart unless-stopped --name portainer-container -v /var/lib/portainer:/data -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer


So, what are you working on? - 26 Apr
(Stéphane de Labrusse) #56

@JOduMonT some news and feedbacks to share on docker and specially portainer…I love it :wink:


(Rob Bosch) #57

What I would be interested in to know is how docker containers vs local install of an application relate in terms of resources needed. Anyone has any documentation or hands-on experience with that?
I’d love to see some comparison data.


(Stéphane de Labrusse) #58

I’m not sure the interest about the ressources is what you search with docker. In fact the possibility to install/kill/reinstall the container is a killer feature.

The data are safe if you link the data folder to the host.

The case of nextcloud is a good example, it needs several dependencies not available on ns, but with a container you can install it easily. Even if it is a container, you can configure it like if it is a real instance

docker exec -u www-data nextcloud php occ status

Actually docker is usable by the command line, and it is not really fun…but with portainer you can be safe of cli.


(Giacomo Sanchietti) #59

AFAIK the overhead of KVM hypervisor is less then 5%, in case of LXC container I think the overhead can be considered almost null.
I like very much the idea of portainer, we need only a safe way to integrate it with Shorewall.


(Stéphane de Labrusse) #60

For now I have just tested and played with container, create, link them together, kill them to test the persistent data…no really investigations with a security matter

this is what I did, following the advice of @filippo_carletti and your. Doesn’t it enough ?

Of course the docker is available by its specific port


(Giacomo Sanchietti) #61

It’s not enough: if docker or the firewall are restarted, all NAT chains are lost.


(Stéphane de Labrusse) #62

Thank I will test it