[LINUX] Docker Compose can create network services in 5 minutes (dhcp / radius / proxy / tftp / syslog / dns)

Introduction

Memo (dhcp / radius / proxy / tftp / syslog) with basic settings for various network services on CentOS 7 Was rebuilt on CentOS 8. This time, each service is locked in a container with Docker.

When I used docker-compose for my own use, I was able to restore the environment in about 5 minutes, so I will record it.

update

DHCP didn't work well in an IP masquerading environment, so I modified network_mode to host. The IP address is embedded in the packet, and if it is a simple NAPT, the address in the container will be the DHCP server.

We also added DNS64 and DNS cache functionality (unbound).

What can i do

You can create the following environment.

Screenshot from Gyazo

Since it binds to the same port of docker-compose host, when you access host address: service port from an external terminal, it arrives at each container. In addition, various logs are sent to the container that is listening for syslog on the same network.

The following container will be created.

server app address listen
proxy squid 172.20.0.2 8080/tcp
syslog rsyslog 172.20.0.3 514/udp
radius freeRADIUS 172.20.0.4 1812,1813/udp
dns unbound 172.20.0.5 53/udp,tcp
dhcp ISC-Kea - 67,68/udp
tftp tftp-server - 69/udp
# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS                                    NAMES
3d7fec4d9ffd        infraserv:dns       "/usr/sbin/init"    About a minute ago   Up 58 seconds       0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   dns
c34f033b140c        infraserv:radius    "/usr/sbin/init"    About a minute ago   Up 57 seconds       0.0.0.0:1812-1813->1812-1813/udp         radius
eb32cce0d7b9        infraserv:dhcp      "/usr/sbin/init"    About a minute ago   Up 59 seconds                                                dhcp
fedd69042ec3        infraserv:tftp      "/usr/sbin/init"    About a minute ago   Up 59 seconds                                                tftp
3e033a44c162        infraserv:syslog    "/usr/sbin/init"    About a minute ago   Up 58 seconds       0.0.0.0:514->514/udp                     syslog
d2454fc12ae8        infraserv:proxy     "/usr/sbin/init"    About a minute ago   Up 57 seconds       0.0.0.0:8080->8080/tcp                   proxy

A network with the following parameters is generated.

key value
name infraserv_infranet
subnet 172.20.0.0/24
interface docker1

Since tftp / dhcp operates in the environment of --net = host, docker network is in the following state.

# docker network inspect infraserv_infranet
[
    {
        "Name": "infraserv_infranet",
        "Id": "58a9c3da443b49416003d4f3ed5192a521c728270826a18da293000ae4b1004e",
        "Created": "2020-02-19T07:00:15.610028349+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3d7fec4d9ffd315a6fb087b6a7f28453d7009a8eecd60a5110a3f4f7c4e2564c": {
                "Name": "dns",
                "EndpointID": "537b189764340697c9ea4f727211df450226a09a65aa24f20f275f56346d52fc",
                "MacAddress": "02:42:ac:14:00:05",
                "IPv4Address": "172.20.0.5/24",
                "IPv6Address": ""
            },
            "3e033a44c1625b7dd30a8a358f40c96594f462a6714caf39d726d4cb401ffcfd": {
                "Name": "syslog",
                "EndpointID": "3083640a976bd89e33d0f478eef9e6faa468cecccaea23729cf01f1ba24692f3",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/24",
                "IPv6Address": ""
            },
            "c34f033b140cee61992bbc3f1d9d652155121a27462aa460413b7be646e0ab6e": {
                "Name": "radius",
                "EndpointID": "f3c7bdc9c08fb283681f412996949126fa5f73213f9a265b6371e028efdc0eb1",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/24",
                "IPv6Address": ""
            },
            "d2454fc12ae861ff3e240ef26c95c55907382465148e1c4b829d48b5af91d60b": {
                "Name": "proxy",
                "EndpointID": "b81e9ea373b2fb7e0a68f1d24534fc6ebb78c01e24e6eb838ecd06127307a202",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker1"
        },
        "Labels": {
            "com.docker.compose.network": "infranet",
            "com.docker.compose.project": "infraserv_new",
            "com.docker.compose.version": "1.25.3"
        }
    }
]

Initial setting

If you do not modify the configuration file in [Subsequent steps](# work content), each service will operate with the following parameters.

radius

In the initial state, the following 2 users and enable password can be used.

User name password Remarks
foo bar Login as a normal user
hoge fuga Automatically promoted to privilege when logged in to a Cisco device
$enab15$ fuga Password when transitioning with the enable command of the Cisco device

In MAC address bypass, the following MAC addresses are accepted with attributes for dynamic VLAN.

MAC address VLAN string
112233445566 default_seg
aabbccddeeff default_seg

DHCP Lease information

item value
Lease time 10 hours
DNS server 8.8.8.8

Leased segment

segment range GW
10.1.20.0/24 10.1.20.33 - 10.1.20.62 10.1.20.1
10.1.22.0/24 10.1.22.33 - 10.1.20.230 10.1.22.1

Controller address sent to the access point by Option 43

Target VCI string Controller address
Cisco Cisco AP 10.254.10.201,10.254.10.202
Aruba ArubaAP 10.254.10.206

The IF that accepts requests is described in the configuration file kea-dhcp4.conf, but it defaults to ╩╗ens192`. If the IF notation is different, the configuration file needs to be modified.

Advance preparation

If you have CentOS, Docker, and Docker Compose, skip this step and start with Work (# Work).

CentOS8 (10 minutes)

CentOS 8 has no problem with the minimum configuration. If you don't have it, see Building CentOS 8 on ESXi 6.7 with minimal configuration.

Docker (5 minutes)

dnf -y update
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf -y --nobest install docker-ce docker-ce-cli containerd.io
dnf -y update https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.10-3.2.el7.x86_64.rpm
dnf -y update
systemctl enable docker
systemctl start docker

Docker Compose (1 minute)

curl -L "https://github.com/docker/compose/releases/download/1.25.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Work content

Add firewall policy (10 seconds)

firewall-cmd --add-service=dns   --zone=public --permanent
firewall-cmd --add-service=tftp   --zone=public --permanent
firewall-cmd --add-masquerade   --zone=public --permanent
firewall-cmd --reload

Create a Docker container for each service (5 minutes)

Use the Dockerfile and configuration file for each service, and the docker-compose.yml that puts them together in GitHub.

git clone https://github.com/bashaway/infraserv

If you want to change from the default settings, see the entries below. The build will not be affected without modification of the configuration file. It's okay to fix it after the build.

DHCP Build Kea DHCP with Docker. Option 43 can now be passed to Cisco and Aruba at the same time.

RADIUS Cisco login authentication + MAC authentication + dynamic VLAN with Docker's Free RADIUS (CentOS8)

Proxy Proxy server with Docker

TFTP Tftp server with Docker

Syslog Aggregated logs transferred between containers and from other servers with Docker's rsyslog

After modifying the configuration file, create a container.

cd infraserv
docker-compose build
docker-compose up -d

When you don't need it

Delete container
docker-compose stop
docker-compose rm -f

If you don't need an image
docker-compose rmi -f

Explanation of the contents

docker-compose.yml docker-compose.yml is configured as follows:

docker-compose.yml


version: '3'

services:

  proxy:
    build: ./proxy
    image: infraserv:proxy
    container_name: proxy
    hostname: proxy
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.2
    ports:
      - 8080:8080
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

  syslog:
    build: ./syslog
    image: infraserv:syslog
    container_name: syslog
    hostname: syslog
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.3
    ports:
      - 514:514/udp
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

  radius:
    build: ./radius
    image: infraserv:radius
    container_name: radius
    hostname: radius
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.4
    ports:
      - 1812:1812/udp
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

  dns:
    build: ./dns
    image: infraserv:dns
    container_name: dns
    hostname: dns
    restart: always
    networks:
      infranet:
        ipv4_address: 172.20.0.5
    ports:
      - 53:53/udp
      - 53:53/tcp
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

  tftp:
    build: ./tftp
    image: infraserv:tftp
    container_name: tftp
    hostname: tftp
    restart: always
    network_mode: host
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

  dhcp:
    build: ./dhcp
    image: infraserv:dhcp
    container_name: dhcp
    hostname: dhcp
    restart: always
    network_mode: host
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      TZ: 'Asia/Tokyo'

networks:
  infranet:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.bridge.name: "docker1"
    ipam:
      config:
        - subnet: 172.20.0.0/24

at the end

If you make it a container with Docker, it feels good because the host machine does not get dirty

Source

http://docs.docker.jp/engine/reference/commandline/toc.html

Recommended Posts

Docker Compose can create network services in 5 minutes (dhcp / radius / proxy / tftp / syslog / dns)
[Docker] Create a jupyterLab (python) environment in 3 minutes!