The memo of basic settings for various network services (dhcp / radius / proxy / tftp / syslog) on CentOS 7 has been rebuilt on CentOS 8. This time each service is confined to its own container with Docker.
When I used docker-compose for my own purposes I was able to restore the environment in about 5 minutes, so I am recording it here.
DHCP did not work well behind IP masquerading, so its network_mode was changed to host. DHCP embeds the server's own IP address in the packet (the server identifier), so behind a plain NAPT the address handed to clients as the DHCP server would be the container's address, which they cannot reach.
DNS64 and a DNS cache (unbound) were also added.
Each published port is bound to the same port on the docker-compose host, so accessing host address:service port from an external terminal reaches the corresponding container. Note that the binding address is 0.0.0.0, so every service is exposed on every host interface; unless the unbound and squid configurations restrict their clients, this is an open resolver and an open proxy for anything that can reach the host, so bind to a specific address or tighten the ACLs before exposing it beyond a trusted LAN.
In addition, the other containers send their logs to the container listening for syslog on the same network.
The following containers are created.
| server | app | address | listen | 
|---|---|---|---|
| proxy | squid | 172.20.0.2 | 8080/tcp | 
| syslog | rsyslog | 172.20.0.3 | 514/udp | 
| radius | freeRADIUS | 172.20.0.4 | 1812,1813/udp | 
| dns | unbound | 172.20.0.5 | 53/udp,tcp | 
| dhcp | ISC Kea | - | 67,68/udp | 
| tftp | tftp-server | - | 69/udp | 
```
# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS                                    NAMES
3d7fec4d9ffd        infraserv:dns       "/usr/sbin/init"    About a minute ago   Up 58 seconds       0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   dns
c34f033b140c        infraserv:radius    "/usr/sbin/init"    About a minute ago   Up 57 seconds       0.0.0.0:1812-1813->1812-1813/udp         radius
eb32cce0d7b9        infraserv:dhcp      "/usr/sbin/init"    About a minute ago   Up 59 seconds                                                dhcp
fedd69042ec3        infraserv:tftp      "/usr/sbin/init"    About a minute ago   Up 59 seconds                                                tftp
3e033a44c162        infraserv:syslog    "/usr/sbin/init"    About a minute ago   Up 58 seconds       0.0.0.0:514->514/udp                     syslog
d2454fc12ae8        infraserv:proxy     "/usr/sbin/init"    About a minute ago   Up 57 seconds       0.0.0.0:8080->8080/tcp                   proxy
```
A network with the following parameters is generated.
| key | value | 
|---|---|
| name | infraserv_infranet | 
| subnet | 172.20.0.0/24 | 
| interface | docker1 | 
Since tftp / dhcp run with network_mode: host, they have no endpoint in the docker network, which is in the following state.
```
# docker network inspect infraserv_infranet
[
    {
        "Name": "infraserv_infranet",
        "Id": "58a9c3da443b49416003d4f3ed5192a521c728270826a18da293000ae4b1004e",
        "Created": "2020-02-19T07:00:15.610028349+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3d7fec4d9ffd315a6fb087b6a7f28453d7009a8eecd60a5110a3f4f7c4e2564c": {
                "Name": "dns",
                "EndpointID": "537b189764340697c9ea4f727211df450226a09a65aa24f20f275f56346d52fc",
                "MacAddress": "02:42:ac:14:00:05",
                "IPv4Address": "172.20.0.5/24",
                "IPv6Address": ""
            },
            "3e033a44c1625b7dd30a8a358f40c96594f462a6714caf39d726d4cb401ffcfd": {
                "Name": "syslog",
                "EndpointID": "3083640a976bd89e33d0f478eef9e6faa468cecccaea23729cf01f1ba24692f3",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/24",
                "IPv6Address": ""
            },
            "c34f033b140cee61992bbc3f1d9d652155121a27462aa460413b7be646e0ab6e": {
                "Name": "radius",
                "EndpointID": "f3c7bdc9c08fb283681f412996949126fa5f73213f9a265b6371e028efdc0eb1",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/24",
                "IPv6Address": ""
            },
            "d2454fc12ae861ff3e240ef26c95c55907382465148e1c4b829d48b5af91d60b": {
                "Name": "proxy",
                "EndpointID": "b81e9ea373b2fb7e0a68f1d24534fc6ebb78c01e24e6eb838ecd06127307a202",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker1"
        },
        "Labels": {
            "com.docker.compose.network": "infranet",
            "com.docker.compose.project": "infraserv_new",
            "com.docker.compose.version": "1.25.3"
        }
    }
]
```
Unless the configuration files are modified in the work steps below, each service runs with the following parameters.
radius
In the initial state the following two users and enable password are usable. They are placeholder credentials: change them, and the client shared secret in the RADIUS configuration, before pointing any real device at this server.
| User name | password | Remarks | 
|---|---|---|
| foo | bar | Login as a normal user | 
| hoge | fuga | Automatically promoted to privileged mode when logging in to a Cisco device | 
| $enab15$ | fuga | Password for the enable command on a Cisco device ($enab15$ is the user name the device sends for privilege-level-15 enable authentication) | 
With MAC address bypass (MAB), the following MAC addresses are accepted and dynamic VLAN attributes are returned for them.
| MAC address | VLAN string | 
|---|---|
| 112233445566 | default_seg | 
| aabbccddeeff | default_seg | 
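The exchange behind these two tables, as an added example that is not code from the infraserv project or freeRADIUS: it builds the PAP Access-Request a switch sends for foo/bar and for a MAB client (the MAC as both user name and password), shows that the User-Password hiding of RFC 2865 is only MD5 keyed by the shared secret and the clear-text Request Authenticator (so reveal_password recovers the password for anyone holding the secret), and reads the Tunnel-Private-Group-ID out of a constructed Access-Accept after checking its Response Authenticator. The shared secret (testing123) and the NAS address (10.1.20.1) are assumptions; the page does not state them.

```python
"""RADIUS PAP round trip for the default accounts above (RFC 2865, RFC 2868).

Added example, not code from the infraserv project. Assumptions, because the
page does not state them: SHARED_SECRET is the client secret configured for
the NAS in freeRADIUS, and NAS_IP is the switch sending the request.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SHARED_SECRET = b"testing123"  # assumption: not on the page; change it in clients.conf
NAS_IP = "10.1.20.1"           # assumption: the gateway of the first leased segment


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the secret plus the Request Authenticator (sent in
    clear) is all an on-path observer needs, so a weak or widely shared secret
    exposes every PAP password crossing the wire."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # strip the NUL padding


def attr(kind, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    out, i = [], 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, username, password, secret=SHARED_SECRET, authenticator=None):
    auth = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def build_access_accept(request, vlan_name, secret=SHARED_SECRET):
    """The shape of the reply for a MAB match: dynamic-VLAN tunnel attributes (RFC 2868)."""
    ident, req_auth = request[1], request[4:20]
    tag = b"\x01"  # RFC 2868 tag byte grouping the three attributes
    body = (attr(TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + attr(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + attr(TUNNEL_PRIVATE_GROUP_ID, tag + vlan_name.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret=SHARED_SECRET):
    """A client must check this before trusting the VLAN it is handed."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def vlan_from_accept(response):
    for kind, value in parse_attrs(response[20:]):
        if kind == TUNNEL_PRIVATE_GROUP_ID:
            return (value[1:] if value[0] <= 0x1F else value).decode()  # drop the tag byte if present
    return None


def mab_round_trip(mac="112233445566", vlan="default_seg"):
    """MAC authentication bypass: the switch sends the MAC as both user name and password."""
    req = build_access_request(7, mac, mac)
    resp = build_access_accept(req, vlan)
    return verify_response(resp, req), vlan_from_accept(resp)


if __name__ == "__main__":
    fixed_auth = bytes(range(16))
    req = build_access_request(1, "foo", "bar", authenticator=fixed_auth)
    hidden = dict(parse_attrs(req[20:]))[USER_PASSWORD]
    print("User-Password on the wire :", hidden.hex())
    print("recovered with the secret :", reveal_password(hidden, SHARED_SECRET, fixed_auth))
    print("MAB verified, VLAN        :", mab_round_trip())
```

The practical reading: MAB is no stronger than the ability to spoof a MAC address, and PAP over RADIUS is no stronger than the shared secret, so keep the secret long and per-NAS and keep the RADIUS path off networks the clients themselves sit on.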
DHCP Lease information
| item | value | 
|---|---|
| Lease time | 10 hours | 
| DNS server | 8.8.8.8 | 
Leased segment
| segment | range | GW | 
|---|---|---|
| 10.1.20.0/24 | 10.1.20.33 - 10.1.20.62 | 10.1.20.1 | 
| 10.1.22.0/24 | 10.1.22.33 - 10.1.22.230 | 10.1.22.1 | 
Controller address sent to access points via Option 43
| Target | VCI string (option 60) | Controller address | 
|---|---|---|
| Cisco | Cisco AP | 10.254.10.201,10.254.10.202 | 
| Aruba | ArubaAP | 10.254.10.206 | 
The interface that accepts requests is set in the configuration file kea-dhcp4.conf and defaults to `ens192`.
If your interface is named differently, the configuration file must be edited.
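A decoder for the offer Kea sends with the parameters above, as an added example that is not code from the infraserv project or Kea. The DHCPOFFER bytes are constructed here, not captured; 172.20.0.6 (what the dhcp container's bridged address would have been) and 10.1.20.5 (the host address a client behind NAPT would see the offer come from) are assumptions. It parses the fixed header and the options, decodes the Cisco and Aruba option 43 layouts (the reason the VCI has to be matched first), and flags the server-identifier mismatch that made network_mode: host necessary.

```python
"""Decode a DHCPOFFER (RFC 2131/2132) and show the embedded-address problem.

Added example, not code from the infraserv project or Kea; the packet is
constructed here. Assumptions: 172.20.0.6 is what the dhcp container's bridged
address would have been, 10.1.20.5 is the host address a NAPT'd client sees.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_VENDOR_SPECIFIC = 1, 3, 6, 43
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCPOFFER = 2


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def ip4s(raw):
    """Split a run of 4-byte addresses (options 3 and 6 and Cisco's 0xf1 all use this)."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def opt(code, value):
    return bytes([code, len(value)]) + value


def cisco_option43(controllers):
    """Cisco APs expect sub-option 0xf1, length 4*N, then the controller addresses."""
    body = b"".join(ip4(c) for c in controllers)
    return bytes([0xF1, len(body)]) + body


def aruba_option43(controller):
    """Aruba APs expect the controller address as a plain ASCII string."""
    return controller.encode()


def build_offer(xid, yiaddr, server_id, option43):
    """236-byte fixed header, magic cookie, then options with the values from the tables above."""
    head = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0x8000,
                       ip4("0.0.0.0"), ip4(yiaddr), ip4(server_id), ip4("0.0.0.0"))
    head += bytes.fromhex("112233445566") + b"\x00" * 10  # chaddr (16 bytes): first MAB address
    head += b"\x00" * (64 + 128)                           # sname, file
    options = (MAGIC
               + opt(OPT_MSG_TYPE, bytes([DHCPOFFER]))
               + opt(OPT_SERVER_ID, ip4(server_id))        # option 54: the address clients renew against
               + opt(OPT_LEASE_TIME, struct.pack("!I", 10 * 3600))
               + opt(OPT_SUBNET_MASK, ip4("255.255.255.0"))
               + opt(OPT_ROUTER, ip4("10.1.20.1"))
               + opt(OPT_DNS, ip4("8.8.8.8"))
               + opt(OPT_VENDOR_SPECIFIC, option43)
               + bytes([OPT_END]))
    return head + options


def parse(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid, _, flags = struct.unpack("!BBBBIHH", pkt[:12])
    out = {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
           "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
           "siaddr": str(ipaddress.IPv4Address(pkt[20:24])), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:   # option claims more bytes than the packet holds
            raise ValueError("truncated option %d" % code)
        out["options"][code] = value
        i += 2 + length
    return out


def lease(pkt):
    o = parse(pkt)["options"]
    return {"type": o[OPT_MSG_TYPE][0],
            "server_id": ip4s(o[OPT_SERVER_ID])[0],
            "lease_seconds": struct.unpack("!I", o[OPT_LEASE_TIME])[0],
            "router": ip4s(o[OPT_ROUTER])[0],
            "dns": ip4s(o[OPT_DNS])}


def controllers(option43, vendor_class):
    """The same option 43 bytes mean different things per VCI, so Kea keys them on option 60."""
    if vendor_class == "Cisco AP":
        found, i = [], 0
        while i + 2 <= len(option43):
            sub, length = option43[i], option43[i + 1]
            body = option43[i + 2:i + 2 + length]
            if sub == 0xF1:
                found += ip4s(body)
            i += 2 + length
        return found
    if vendor_class == "ArubaAP":
        return [option43.decode()]
    raise ValueError("no option 43 layout known for %r" % vendor_class)


def server_id_mismatch(pkt, source_seen_by_client):
    """Behind NAPT the offer arrives from the host, but option 54 still names the container;
    the client unicasts its DHCPREQUEST renewals there and never reaches Kea."""
    return lease(pkt)["server_id"] != source_seen_by_client
```

Running it with the bridged address shows the mismatch; the same offer built with the host's own address, which is what network_mode: host produces, passes.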
If you already have CentOS, Docker and Docker Compose, skip this step and start with the work below.
A minimal CentOS 8 installation is sufficient. If you do not have one, see "Building CentOS 8 on ESXi 6.7 with minimal configuration".
```shell
# Docker CE from the official repository; the el7 containerd.io package (and --nobest)
# was the workaround for the CentOS 8 dependency conflict at the time of writing
dnf -y update
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf -y --nobest install docker-ce docker-ce-cli containerd.io
dnf -y update https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.10-3.2.el7.x86_64.rpm
dnf -y update
systemctl enable docker
systemctl start docker
# Docker Compose 1.25.3 binary; compare it with the sha256 published on the release page before trusting it
curl -L "https://github.com/docker/compose/releases/download/1.25.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# firewalld: Docker inserts its own iptables rules for the published ports of the bridged
# containers; tftp runs in the host network namespace and is opened here explicitly.
# dhcp is not opened: Kea's default raw-socket listener sees broadcast requests before
# the INPUT chain filters them. If you set dhcp-socket-type to udp, add --add-service=dhcp.
firewall-cmd --add-service=dns   --zone=public --permanent
firewall-cmd --add-service=tftp   --zone=public --permanent
firewall-cmd --add-masquerade   --zone=public --permanent
firewall-cmd --reload
```
The Dockerfile and configuration files for each service, and the docker-compose.yml that ties them together, are on GitHub.
```shell
git clone https://github.com/bashaway/infraserv
```
To change the default settings, see the entries below. The build works without any configuration changes, and the files can also be fixed after the build.
- DHCP: Build Kea DHCP with Docker. Option 43 can now be passed to Cisco and Aruba at the same time.
- RADIUS: Cisco login authentication + MAC authentication + dynamic VLAN with Docker's FreeRADIUS (CentOS 8)
- Proxy: Proxy server with Docker
- Syslog: Aggregating logs forwarded between containers and from other servers with Docker's rsyslog
After modifying the configuration files, build the images and start the containers.
```shell
cd infraserv
docker-compose build
docker-compose up -d
```
Deleting the containers
```shell
docker-compose stop
docker-compose rm -f
```
If the images are not needed either (docker-compose has no rmi subcommand; `down --rmi all` removes the containers, the network and every image the services use, including the custom-tagged infraserv:* images):
```shell
docker-compose down --rmi all
```
docker-compose.yml
docker-compose.yml is configured as follows:
```yaml
version: '3'
services:
  proxy:
    build: ./proxy
    image: infraserv:proxy
    container_name: proxy
    hostname: proxy
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.2
    ports:
      - 8080:8080            # host_binding_ipv4 is 0.0.0.0: reachable on every host interface
    cap_add:
      - SYS_ADMIN            # with seccomp:unconfined and the cgroup mount: what /usr/sbin/init (systemd) needs as PID 1
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
  syslog:
    build: ./syslog
    image: infraserv:syslog
    container_name: syslog
    hostname: syslog
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.3
    ports:
      - 514:514/udp
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
  radius:
    build: ./radius
    image: infraserv:radius
    container_name: radius
    hostname: radius
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.4
    ports:
      - 1812:1812/udp        # authentication
      - 1813:1813/udp        # accounting (the docker ps output above shows both published)
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
  dns:
    build: ./dns
    image: infraserv:dns
    container_name: dns
    hostname: dns
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.5
    ports:
      - 53:53/udp
      - 53:53/tcp
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
  tftp:
    build: ./tftp
    image: infraserv:tftp
    container_name: tftp
    hostname: tftp
    restart: always
    network_mode: host       # shares the host network namespace: no ports: entry, no infranet address
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
  dhcp:
    build: ./dhcp
    image: infraserv:dhcp
    container_name: dhcp
    hostname: dhcp
    restart: always
    network_mode: host       # DHCP embeds the server address in its packets, so NAPT does not work here
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'
networks:
  infranet:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.bridge.name: "docker1"
    ipam:
      config:
        - subnet: 172.20.0.0/24
```
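A check for the settings in this file that weaken container isolation, as an added example that is not part of the infraserv project. SYS_ADMIN plus seccomp:unconfined plus the host cgroup mount is the usual recipe for running systemd (/usr/sbin/init, as in the docker ps output) as PID 1 in a CentOS image, but it leaves little of the container boundary: treat these containers as trusted as the host. The scanner is line-based and assumes the two-space indentation used above, not a general YAML parser; COMPOSE is a constructed excerpt in which proxy and dhcp are as on the page and syslog is given a host-address binding (10.1.20.5 is an assumed host address) to show the alternative to publishing on 0.0.0.0.

```python
"""Audit a docker-compose.yml for the isolation-weakening settings used above.

Added check, not part of the infraserv project. A line scanner that assumes
the two-space indentation of the file shown above, not a YAML parser.
COMPOSE is a constructed excerpt; 10.1.20.5 is an assumed host address.
"""
import re

COMPOSE = """\
version: '3'
services:
  proxy:
    build: ./proxy
    image: infraserv:proxy
    ports:
      - 8080:8080
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
  syslog:
    build: ./syslog
    image: infraserv:syslog
    ports:
      - "10.1.20.5:514:514/udp"
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
  dhcp:
    build: ./dhcp
    image: infraserv:dhcp
    network_mode: host
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
networks:
  infranet:
    driver: bridge
"""

# "- 8080:8080" or "- 514:514/udp": no host address, so Docker binds host_binding_ipv4 (0.0.0.0 here)
ANY_INTERFACE = re.compile(r'^-\s+"?(\d+):(\d+)(/(tcp|udp))?"?$')
# "- 10.1.20.5:514:514/udp": bound to one host address
BOUND_PORT = re.compile(r'^-\s+"?(\d{1,3}(?:\.\d{1,3}){3}):(\d+):(\d+)(/(tcp|udp))?"?$')


def audit_compose(text):
    """Return {service: [finding, ...]} for the settings a reviewer should see."""
    findings, service, in_services = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        item = line.strip()
        if indent == 0:                          # top-level key: services:, networks:, ...
            in_services, service = item == "services:", None
            continue
        if not in_services:
            continue
        if indent == 2 and item.endswith(":"):   # a service name
            service = item[:-1]
            findings[service] = []
            continue
        if service is None:
            continue
        if item == "- SYS_ADMIN":
            findings[service].append("CAP_SYS_ADMIN granted (mounts, namespaces: close to root on the host)")
        elif item == "- seccomp:unconfined":
            findings[service].append("seccomp profile disabled (full syscall surface)")
        elif item == "network_mode: host":
            findings[service].append("host network namespace (binds like a host daemon, no port publishing)")
        elif item.startswith("- /sys/fs/cgroup:"):
            findings[service].append("host cgroup filesystem mounted")
        elif ANY_INTERFACE.match(item):
            findings[service].append("published on all interfaces: " + item[2:].strip('"'))
        elif BOUND_PORT.match(item):
            pass  # bound to one host address: the form to prefer for LAN-only services
    return findings


def services_with(findings, needle):
    """Names of the services whose findings mention needle, sorted."""
    return sorted(s for s, items in findings.items() if any(needle in f for f in items))


if __name__ == "__main__":
    for svc, items in audit_compose(COMPOSE).items():
        print(svc)
        for finding in items:
            print("  -", finding)
```

Run against the full file above, every service reports SYS_ADMIN and seccomp:unconfined, and every bridged service reports a port published on all interfaces; the syslog entry in the excerpt is the one case that does not, because its mapping names a host address.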
Building it with Docker feels good because the host machine stays clean.
http://docs.docker.jp/engine/reference/commandline/toc.html