How to install a specific application into a Docker container

Sometimes we need to add an application to a pre-built Docker image. We can do this with “docker build” in a few easy steps.

Step 1. Create a Dockerfile. In it, name the base image and add the installation procedure for the requested application. The package manager has to match the distribution of the base image: the caddy image is Alpine-based, so packages are installed with apk (yum only works in RHEL-family images). Prefer a version tag over :latest so that rebuilds are reproducible. Sample Dockerfile:

FROM caddy:latest

# Install mtr. Repository names must be lowercase, and the caddy image is
# Alpine-based, so the package manager is apk, not yum.
USER root
RUN apk add --no-cache mtr

Step 2. Build docker container from Dockerfile.

docker build --tag caddy-with-mtr .

Step 3. Modify the docker-compose.yml file: replace the original image with the one you built in the previous step. Fragment of the modified docker-compose.yml file:

services:
  caddy:
    image: caddy-with-mtr:latest
    restart: unless-stopped

Step 4. Finally, start the freshly built container.

/usr/local/sbin/docker-compose -f /opt/docker/docker-compose.yml up -d
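The whole procedure as one script, added here as an example and not part of the original page: it renders the Dockerfile with the package manager of the Alpine-based caddy image, refuses an unpinned base, and after the build checks that the tool is present and reports which user the image runs as. The tag caddy:2, the image name and the tool name are placeholders. Run it with the argument build on a host with Docker; without arguments it only prints the Dockerfile.

```shell
#!/bin/sh
# Added example, not the page's own code. Build an image that adds one tool to a
# pinned base and verify the result before docker-compose uses it.
# Assumptions: Alpine-based base image (apk); "caddy:2" is an assumed tag.
set -eu

BASE=${BASE:-caddy:2}            # pinned tag instead of :latest (assumed tag)
IMAGE=${IMAGE:-caddy-with-mtr}
TOOL=${TOOL:-mtr}

# render_dockerfile BASE TOOL: print the Dockerfile. Only the RUN step needs
# root; --no-cache keeps the apk index out of the layer. If the base image runs
# as a non-root user, add a final "USER <that user>" line, otherwise the
# container will from now on run as root.
render_dockerfile() {
    cat <<EOF
FROM $1
USER root
RUN apk add --no-cache $2
EOF
}

# base_is_pinned REF: true for a digest or an explicit non-latest tag.
# An unpinned base makes every rebuild pull whatever upstream currently ships.
base_is_pinned() {
    case "$1" in *@sha256:*) return 0 ;; esac
    last=${1##*/}        # image name after the last slash (a registry port is not a tag)
    case "$last" in
        *:latest) return 1 ;;
        *:*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# build_and_verify: build, then check the tool is on PATH and show the user the
# image will run as (empty means root).
build_and_verify() {
    dir=$(mktemp -d)
    render_dockerfile "$BASE" "$TOOL" > "$dir/Dockerfile"
    docker build --pull --tag "$IMAGE" "$dir"
    docker run --rm --entrypoint sh "$IMAGE" -c "command -v $TOOL"
    printf 'image user: "%s"\n' "$(docker image inspect --format '{{.Config.User}}' "$IMAGE")"
    rm -rf "$dir"
}

if [ "${1:-}" = build ]; then
    base_is_pinned "$BASE" || { echo "refusing to build from unpinned base $BASE" >&2; exit 1; }
    build_and_verify
else
    render_dockerfile "$BASE" "$TOOL"   # dry run: show what would be built
fi
```

After the build, point the compose file at the new image name and keep the Dockerfile under version control next to it, so the next person can see why the image differs from upstream.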

HowTo: kill all Docker containers and remove all data

If for any reason you need to stop all Docker containers and remove all Docker-related data, use the following procedure (xargs -r skips a step when there is nothing to act on, which would otherwise abort the chain with an error):

docker ps -aq | xargs -r docker stop
docker ps -aq | xargs -r docker rm
docker images -q | xargs -r docker rmi -f
docker network ls -q --filter type=custom | xargs -r docker network rm
docker volume ls -q | xargs -r docker volume rm
docker system prune --all --volumes --force

What this does:

  1. Stop and delete all Docker containers
  2. Remove all Docker images
  3. Remove all user-defined Docker networks (the built-in bridge, host and none networks cannot be removed)
  4. Remove all Docker volumes
  5. Clean up what is left (build cache, dangling objects)

This will not uninstall Docker or Docker Compose, but the host is now as clean as right after the initial Docker installation. Nothing here is reversible: any data that lived only in containers or volumes is gone, so back up what you need first.

VRRP on Linux. Use Keepalived for HA and load balancing.

VRRP (Virtual Router Redundancy Protocol) can be implemented on Linux systems with keepalived.

Keepalived can also be used to implement high availability (active/passive) or load balancing (active/active).

Four things need to be configured on a VRRP HA server: keepalived, iptables, sysctl and the service itself (rsyslog in this case).

Sysctl.

The host’s kernel needs to allow a process to bind to a non-local IP address (so the service can bind the virtual IP before this node holds it) and, if the host also routes traffic, enable IP forwarding. Apply the settings with sysctl -p after editing the file.

# in /etc/sysctl.conf or similar
net.ipv4.ip_nonlocal_bind=1
net.ipv4.ip_forward = 1

Keepalived.

Sample keepalived configuration for server Balance1 (the vrrp_script block must be defined before the instance that tracks it).

vrrp_script check_rsyslog {
        script "/usr/local/sbin/checkrsyslog.sh"
        interval 5 # 5s per check
        fall 2 # 2 fails - 10s
        rise 2 # 2 OKs - 10s
        #timeout 15 # wait up to 15 seconds for script before assuming fail
        #weight -10 # reduce priority by 10 on fall instead of going to FAULT
}

vrrp_instance VI_S1 {
        state MASTER   # (optional) initial state for this server
        interface eth1 # interface where VRRP traffic will exist
        advert_int 5   # how often we will vote (sec).
        virtual_router_id 71 # unique identifier per VRRP instance (same across all servers on the instance)
        priority 100   # server priority - higher number == higher priority

        # authentication for VRRP messages
        authentication {
                auth_type PASS # simple authentication (plain text on the wire)
                #auth_type AH    # IPsec-AH style authentication
                auth_pass super_secure_password # password; keepalived only uses the first 8 characters
        }
        virtual_ipaddress {
                10.10.10.10/24 dev eth0 # Virtual IP address and interface assignment
        }
        track_script {
                check_rsyslog # tracking script
        }
}

Notes:

  1. The VRRP instance starts as MASTER, meaning it will be the active server. The election still runs afterwards: the node with the highest priority wins, so state is only a starting point (use nopreempt if a recovered node should not take the virtual IP back).
  2. VRRP traffic goes via the eth1 interface. Any interface can be used, including the one the virtual IP lives on.
  3. virtual_router_id and authentication must match across all nodes in the VRRP instance.
  4. track_script refers to the custom script defined under ‘vrrp_script check_rsyslog’, which checks whether the HA service is alive. If the script exits with anything other than 0, the service is considered failed and the node removes itself from the pool of hosts eligible to be active (it enters FAULT state and releases the virtual IP). If it was the active server, another node becomes active. With a negative weight instead, the node only lowers its priority and stays active while it is still the best candidate.
  5. auth_type PASS puts the password in clear text into every advertisement on eth1, and keepalived uses only its first 8 characters; VRRP authentication was removed from the standard (RFC 3768), so do not rely on it for security. Keep the VRRP interface on an isolated segment and restrict the peers with iptables as below.

Iptables.

iptables needs to accept incoming VRRP traffic on the VRRP interface (eth1 in the sample configuration) from the other nodes of the VRRP instance: protocol vrrp (112) for auth_type PASS, or protocol ah (51) for auth_type AH. Advertisements are sent to the multicast group 224.0.0.18, so the rules can be tightened to that destination:

-A <CHAIN> -i eth1 -s <OTHER_VRRP_INSTANCE_NODES> -d 224.0.0.18 -p vrrp -j ACCEPT
-A <CHAIN> -i eth1 -s <OTHER_VRRP_INSTANCE_NODES> -d 224.0.0.18 -p ah -j ACCEPT

Service.

Finally, the service needs to be set up to listen on the virtual IP. In this case rsyslog was configured to bind to all interfaces (0.0.0.0), which works on both nodes whether or not they currently hold the virtual IP; a service bound to the virtual IP itself is what needs ip_nonlocal_bind above.

And of course the keepalived service needs to be started (and enabled) on both nodes.

Sample keepalived configuration for server Balance2.

The configuration of the second server is almost identical to Balance1, with a slight difference in the keepalived configuration: the initial state is BACKUP and the priority is lower, to make sure this server acts as the backup.

Configuration fragment with the differences:

vrrp_instance VI_S1 {
        state BACKUP   # (optional) initial state for this server
        interface eth1 # interface where VRRP traffic will exist
        advert_int 5   # how often we will vote (sec).
        virtual_router_id 71 # unique identifier per VRRP instance (same across all servers on the instance)
        priority 50   # server priority - higher number == higher priority
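Both nodes’ configuration from one template, as an added example that is not part of the original page: it renders keepalived.conf for Balance1 and Balance2 from the parameters that differ, refuses an auth_pass longer than the 8 bytes VRRPv2 carries (keepalived silently truncates it, so ‘super_secure_password’ is really ‘super_se’ on the wire), writes the checkrsyslog.sh script the page references but does not show, and checks that both nodes agree on virtual_router_id. The check script assumes rsyslog listens on TCP 514; paths and addresses are the ones used above.

```shell
#!/bin/sh
# Added example, not the page's own files: render keepalived.conf for both
# nodes, validate the parts that must match, and install the tracking script.
# Assumption: rsyslog listens on TCP 514 (checked by the tracking script).
set -eu

# keepalived uses only the first 8 characters of auth_pass (VRRPv2 carries
# 8 bytes of auth data), so refuse anything longer instead of being truncated.
auth_pass_ok() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 8 ]
}

# render_conf STATE PRIORITY VRID AUTH_PASS: keepalived.conf on stdout.
# vrrp_script is defined before the instance that tracks it.
render_conf() {
    state=$1; prio=$2; vrid=$3; pass=$4
    auth_pass_ok "$pass" || { echo "auth_pass must be 1-8 characters" >&2; return 1; }
    cat <<EOF
vrrp_script check_rsyslog {
        script "/usr/local/sbin/checkrsyslog.sh"
        interval 5
        fall 2
        rise 2
}

vrrp_instance VI_S1 {
        state $state
        interface eth1
        advert_int 5
        virtual_router_id $vrid
        priority $prio
        authentication {
                auth_type PASS
                auth_pass $pass
        }
        virtual_ipaddress {
                10.10.10.10/24 dev eth0
        }
        track_script {
                check_rsyslog
        }
}
EOF
}

# install_check_script PATH: the script keepalived runs every interval.
# Any non-zero exit puts this node into FAULT and releases the virtual IP.
install_check_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# rsyslogd must be running ...
pidof rsyslogd >/dev/null 2>&1 || exit 1
# ... and listening on TCP 514 (assumed rsyslog input)
ss -Hlnt '( sport = :514 )' | grep -q . || exit 1
exit 0
EOF
    chmod 0755 "$1"
}

# conf_field FILE KEY: value of the first "KEY value" line
conf_field() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# same_vrid FILE1 FILE2: both nodes must use the same virtual_router_id,
# otherwise each node believes it is alone and both become MASTER.
same_vrid() {
    [ "$(conf_field "$1" virtual_router_id)" = "$(conf_field "$2" virtual_router_id)" ]
}

tmp=$(mktemp -d)
render_conf MASTER 100 71 vrrp71pw > "$tmp/balance1.conf"
render_conf BACKUP  50 71 vrrp71pw > "$tmp/balance2.conf"
install_check_script "$tmp/checkrsyslog.sh"
same_vrid "$tmp/balance1.conf" "$tmp/balance2.conf" && echo "virtual_router_id matches on both nodes"
```

On the real nodes the rendered file goes to /etc/keepalived/keepalived.conf and the check script to the path named in it; keepalived -t checks the syntax before a restart.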

Case: review firewall configuration

Case: The customer has concerns about a firewall configuration. The firewall is implemented on a Linux server and includes NAT.

Discovery: During the review of the firewall configuration I discovered the following: the total number of lines in the configuration is ~5500. Some rules are grouped into groups (chains). Some groups have no rules in them. Many rules have never had traffic passing through them.

Advice, stage 1: Remove empty groups. Remove rules that have had no traffic. Create a specific group for DROP rules.

Result of stage 1: firewall configuration reduced to ~850 lines.

Advice, stage 2: Migrate from per-host rules to per-network rules.

Result of stage 2: firewall configuration reduced to ~300 lines.
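How the empty chains and the rules with no traffic can be found from iptables-save -c output, as an added example that is not from the original page. The SAMPLE ruleset is constructed for the demonstration; on the firewall itself the input would be the live iptables-save -c.

```shell
#!/bin/sh
# Added example, not from the original page: find the dead weight in an
# iptables ruleset from `iptables-save -c` output (counters included).
# The SAMPLE ruleset below is constructed for the demonstration.
set -eu

SAMPLE='*filter
:INPUT DROP [10:800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [55:4400]
:MGMT - [0:0]
:OLD_DMZ - [0:0]
:UNUSED - [0:0]
[120:9600] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 203.0.113.7/32 -p tcp --dport 22 -j ACCEPT
[33:2640] -A INPUT -j MGMT
[33:2640] -A MGMT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
[0:0] -A OLD_DMZ -p tcp --dport 8080 -j ACCEPT
COMMIT'

# zero_hit_rules: rules whose packet counter is still 0 (stdin -> stdout)
zero_hit_rules() {
    awk '/^\[0:[0-9]+\] -A /'
}

# empty_chains: user-defined chains (":NAME - [..]") with no rules in them
empty_chains() {
    awk '
        /^:/ { if ($2 == "-") declared[substr($1, 2)] = 1; next }
        /^\[[0-9]+:[0-9]+\] -A / { used[$3] = 1 }
        END { for (c in declared) if (!(c in used)) print c }
    ' | sort
}

# unreferenced_chains: user-defined chains no rule jumps to (-j/-g), so the
# rules inside them can never match, whatever their counters say
unreferenced_chains() {
    awk '
        /^:/ { if ($2 == "-") declared[substr($1, 2)] = 1; next }
        /^\[/ { for (i = 1; i < NF; i++) if ($i == "-j" || $i == "-g") jumped[$(i + 1)] = 1 }
        END { for (c in declared) if (!(c in jumped)) print c }
    ' | sort
}

# report: all three views of one ruleset read from stdin
report() {
    ruleset=$(cat)
    echo "== rules with zero packets =="
    printf '%s\n' "$ruleset" | zero_hit_rules
    echo "== empty chains =="
    printf '%s\n' "$ruleset" | empty_chains
    echo "== chains nothing jumps to =="
    printf '%s\n' "$ruleset" | unreferenced_chains
}

# On the firewall itself: iptables-save -c | report
printf '%s\n' "$SAMPLE" | report
```

Counters are reset by a reboot or by an iptables-restore without -c, so judge zero-hit rules over a window long enough to cover the rare cases (month-end jobs, DR tests), and keep explicit DROP and logging rules even when they have never matched: those are the ones that matter when something new shows up.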

How to configure PAT on Mikrotik (RouterOS)

Download WinBox and connect to the Mikrotik.

Select “IP” -> “Firewall”.

Select the NAT tab.

Click on the plus and select “Chain” -> “dstnat”.

Enter Dst. Address – typically the public IP address of the Mikrotik router.

Enter the protocol (for HTTP this is “tcp”).

Enter Dst. Port – the port that will be NAT-ed.

Click the “Action” tab.

Select “Action” -> “dst-nat”.

Enter the value for “To Addresses” – the private IP of the internal server (the web server in our case).

Enter the value for “To Ports” – the port on the private server (80 for HTTP).

Click “OK”. All done. Two things to check afterwards: set In. Interface to the WAN interface so the rule only matches traffic arriving from outside, and make sure the forward chain of the filter accepts the translated connections, since dst-nat only rewrites the destination and the RouterOS default firewall drops new connections from WAN that were not port-forwarded.
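The same port forward as RouterOS CLI commands, added here as an example (not from the original page): the rule is validated locally and can be pushed over SSH instead of clicked through in WinBox. The router address, the WAN interface name ether1 and all IP addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the same port forward as RouterOS
# CLI commands, validated locally and pushed over SSH instead of clicked in
# WinBox. Router address, WAN interface name (ether1) and all IPs are placeholders.
set -eu

# valid_port N: 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# dstnat_cmd WAN_IF PUBLIC_IP PROTO DST_PORT INTERNAL_IP INTERNAL_PORT
# in-interface pins the rule to the WAN side, so it cannot be triggered from the LAN.
dstnat_cmd() {
    wan_if=$1; pub=$2; proto=$3; dport=$4; inside=$5; iport=$6
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    valid_ipv4 "$pub" && valid_ipv4 "$inside" || { echo "bad IPv4 address" >&2; return 1; }
    valid_port "$dport" && valid_port "$iport" || { echo "bad port" >&2; return 1; }
    printf '/ip firewall nat add chain=dstnat in-interface=%s dst-address=%s protocol=%s dst-port=%s action=dst-nat to-addresses=%s to-ports=%s comment="PAT %s/%s -> %s:%s"\n' \
        "$wan_if" "$pub" "$proto" "$dport" "$inside" "$iport" "$proto" "$dport" "$inside" "$iport"
}

# forward_allow_cmd: dst-nat only rewrites the destination; if the forward chain
# drops new connections from WAN by default (RouterOS default firewall), the
# translated traffic still has to be accepted.
forward_allow_cmd() {
    printf '/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat action=accept comment="accept port-forwarded connections"\n'
}

# push_rules ROUTER: send both commands over SSH (key-based login assumed);
# RouterOS accepts ";" between commands on one line
push_rules() {
    ssh -o BatchMode=yes "admin@$1" "$(dstnat_cmd ether1 203.0.113.10 tcp 80 192.168.1.10 80); $(forward_allow_cmd)"
}

dstnat_cmd ether1 203.0.113.10 tcp 80 192.168.1.10 80
forward_allow_cmd
```

Place the accept rule above the default “drop all from WAN not DSTNATed” rule in the forward chain, and keep the exposed port list as short as the service allows.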

Case: remote execution in Linux

Case: The customer has an appliance from a vendor running Linux. The customer has no access (restricted by the agreement with the vendor) to the scheduler on the appliance. The customer wants to periodically gather some information from the appliance and use it.

Solution: Create a shell script on a Linux server owned by the customer and schedule it there. In that script, use remote execution to gather the required information from the appliance.

Shell script fragment (the appliance hostname is a placeholder):

sshpass -p 'pass1' ssh -t -p 2022 user1@<appliance host> 'echo pass2 | sudo -S python /usr/share/super_cool_script.py | grep some_data' | tr -s " " | cut -d " " -f 6 | sed 's/\.//g' > local_data_file

What the script does: connect to the remote server via ssh on port 2022, authenticating as user1 with password pass1. On the remote server, gain root-level access with sudo and password pass2. Execute the python script on the remote server, select only the rows containing some_data from its output and transfer them to the local server. Strip the unnecessary columns from the selected data and save it to a file. Note that both passwords are stored in clear text in the script and pass1 appears on the command line, where ps on the local server can read it, so the script file must be readable only by its owner; key-based SSH authentication plus a sudoers entry for this one command avoids the passwords altogether.
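The same collection job without any password on the command line, added here as an example and not the page’s script: it keeps the page’s filter pipeline unchanged and replaces sshpass and echo pass2 | sudo -S with an SSH key and a sudoers entry that allows exactly the one command. The hostname, port and script path are placeholders, and the SAMPLE_OUT lines are constructed output used for the offline demonstration.

```shell
#!/bin/sh
# Added example, not the page's script: the same collection job without any
# password on the command line or in the script. Assumes user1's SSH key is
# authorised on the appliance and /etc/sudoers.d/user1 there contains the
# SUDOERS_LINE below; hostname, port and script path are placeholders.
set -eu

APPLIANCE=${APPLIANCE:-appliance.example.internal}   # placeholder hostname
PORT=${PORT:-2022}
REMOTE_CMD='sudo -n /usr/bin/python /usr/share/super_cool_script.py'

# sudo -n never prompts: if this exact command is not allowed, it fails loudly
# instead of hanging. The matching sudoers entry (assumed, on the appliance):
SUDOERS_LINE='user1 ALL=(root) NOPASSWD: /usr/bin/python /usr/share/super_cool_script.py'

# extract_field: the page's filter unchanged - keep rows with some_data,
# squeeze spaces, take column 6, drop the dots
extract_field() {
    grep some_data | tr -s ' ' | cut -d ' ' -f 6 | sed 's/\.//g'
}

# collect: BatchMode makes ssh fail instead of asking for a password; the host
# key must already be in known_hosts so a spoofed appliance cannot answer.
collect() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -p "$PORT" "user1@$APPLIANCE" "$REMOTE_CMD" | extract_field
}

# Constructed sample of the script output, used for the offline demonstration
SAMPLE_OUT='header  a b c d e
some_data   x  y  z  w  10.20.30
other   1 2 3 4 5'

if [ "${1:-}" = run ]; then
    collect > local_data_file
else
    printf '%s\n' "$SAMPLE_OUT" | extract_field    # prints 102030
fi
```

The sudoers entry names the interpreter and the script by absolute path, so user1 cannot run arbitrary python as root; if the appliance has requiretty set, the entry needs a matching Defaults:user1 !requiretty as well.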

Case: Separate call-center/support team from production network and from management network

The customer has one big network with all users in the same network segment and wants to improve security.

Problem description: All employees reside in one big network segment and have some level of access to all corporate servers. Production and support teams are spread across the entire building.

Proposed solution: Split the network into 4 segments: servers, support, production and management. Restrict access to corporate servers with the Fortigate firewall. Restrict access to corporate resources with access groups in AD.

Initial schematic (fragment of network).

Implemented solution schematic (fragment of solution).

Note: Port-channel and spanning-tree were used for the inter-switch connections for redundancy. The user-facing access ports should additionally be locked down (switchport mode access, spanning-tree portfast with bpduguard) and the trunks restricted to the VLANs they need (switchport trunk allowed vlan, switchport nonegotiate), so that a user port cannot be negotiated into a trunk and reach another segment.

Configuration fragments.

DC switch:

interface Ethernet0/1
 description Connection to Fortigate FW
 switchport trunk encapsulation dot1q
 switchport mode trunk

Fortigate FW:

Create VLAN interfaces for connection to DC switch and to Distr switch 1.

Create firewall rules to allow traffic from end users to servers, connected to DC switch and to public network (internet).

Distr switch 1:

interface Port-channel34
  description Port-Channel to Acc switch 1
interface Port-channel56
  description Port-Channel to Acc switch 2

interface Ethernet0/1
 description Connection to Fortigate FW
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Ethernet0/3
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 34 mode active
interface Ethernet0/4
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 34 mode active

interface Ethernet0/5
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 56 mode active
interface Ethernet0/6
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 56 mode active

Acc switch 1

interface Port-channel12
  description Port-Channel to Distr switch 1
interface Port-channel48
  description Port-Channel to Acc switch 2

interface Ethernet0/1
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active
interface Ethernet0/2
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active

interface range Ethernet0/3 - 10
  description To support team
  switchport
  switchport mode access
  switchport access vlan 100
  no shutdown
interface range Ethernet0/11 - 20
  description To management team
  switchport
  switchport mode access
  switchport access vlan 200
  no shutdown
interface range Ethernet0/21 - 46
  description To production team
  switchport
  switchport mode access
  switchport access vlan 300
  no shutdown

interface Ethernet0/47
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active
interface Ethernet0/48
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active

Acc switch 2

interface Port-channel12
  description Port-Channel to Distr switch 1
interface Port-channel48
  description Port-Channel to Acc switch 1

interface Ethernet0/1
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active
interface Ethernet0/2
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active

interface range Ethernet0/3 - 10
  description To support team
  switchport
  switchport mode access
  switchport access vlan 100
  no shutdown
! 0/47 and 0/48 are the port-channel members below, so the production range ends at 0/46
interface range Ethernet0/11 - 46
  description To production team
  switchport
  switchport mode access
  switchport access vlan 300
  no shutdown

interface Ethernet0/47
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active
interface Ethernet0/48
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active

Case: improve resiliency and throughput of the network.

The customer has issues with the LAN and does not want to spend money on new switches/routers. The bottleneck is the connection between the datacenter switches and the distribution/access-level switches.

Problem description: low throughput. No redundancy for access switches 1 & 2 when the link from an access switch to the distribution switch fails.

Proposed solution: increase throughput between the DC switches and the distribution-level switches. Increase throughput between the distribution switches and the access-level switches. Introduce redundancy.

Initial schematic (fragment of network).

Implemented solution schematic (fragment of solution).

Solution description: Implement a port-channel between DC switch 1 and Distribution switch 1. Implement port-channels between Distribution switch 1 and access switches 1 & 2. Connect access switches 1 & 2 with a port-channel. Configure spanning tree so that Distr switch 1 is the root bridge (its priority 28672 is below the default 32768, so it wins the election as long as no other switch is set lower).

Configuration fragments.

DC switch 1:

interface Port-channel14
  description Port-Channel to Distr switch 1
 
interface Ethernet0/1
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/2
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/3
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/4
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active

Distr switch 1:

spanning-tree vlan 10-500 priority 28672

interface Port-channel14
  description Port-Channel to DC switch 1
 
interface Port-channel56
  description Port-Channel to acc switch 1

interface Port-channel78
  description Port-Channel to acc switch 2

interface Ethernet0/1
  description Link to DC switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/2
  description Link to DC switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/3
  description Link to DC switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active
interface Ethernet0/4
  description Link to DC switch 1
  switchport
  switchport mode trunk
  channel-group 14 mode active

interface Ethernet0/5
  description Link to acc switch 1
  switchport
  switchport mode trunk
  channel-group 56 mode active
interface Ethernet0/6
  description Link to acc switch 1
  switchport
  switchport mode trunk
  channel-group 56 mode active

interface Ethernet0/7
  description Link to acc switch 2
  switchport
  switchport mode trunk
  channel-group 78 mode active
interface Ethernet0/8
  description Link to acc switch 2
  switchport
  switchport mode trunk
  channel-group 78 mode active

Acc switch 1

interface Port-channel12
  description Port-Channel to Distr switch 1
 
interface Port-channel34
  description Port-Channel to acc switch 2


interface Ethernet0/1
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 12 mode active
interface Ethernet0/2
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 12 mode active

interface Ethernet0/3
  description Link to acc switch 2
  switchport
  switchport mode trunk
  channel-group 34 mode active
interface Ethernet0/4
  description Link to acc switch 2
  switchport
  switchport mode trunk
  channel-group 34 mode active

Acc switch 2

interface Port-channel12
  description Port-Channel to Distr switch 1
 
interface Port-channel34
  description Port-Channel to acc switch 1


interface Ethernet0/1
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 12 mode active
interface Ethernet0/2
  description Link to Distr switch 1
  switchport
  switchport mode trunk
  channel-group 12 mode active

interface Ethernet0/3
  description Link to acc switch 1
  switchport
  switchport mode trunk
  channel-group 34 mode active
interface Ethernet0/4
  description Link to acc switch 1
  switchport
  switchport mode trunk
  channel-group 34 mode active
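A small lint for IOS-style switch configuration like the fragments in this case and in the segmentation case above, added here as an example that is not from the original page. It flags trunks that carry every VLAN, trunks that still negotiate (DTP, which is what lets a user port be turned into a trunk), and user ports that are not forced into access mode with BPDU guard. The SAMPLE configuration is constructed in the same style as the page’s fragments.

```shell
#!/bin/sh
# Added example, not from the original page: a small lint for IOS-style
# switch configuration. It flags trunks that carry every VLAN, trunks that
# still negotiate (DTP), and user ports not locked down as access ports with
# BPDU guard. The SAMPLE config is constructed.
set -eu

SAMPLE='interface Ethernet0/1
 description Connection to Fortigate FW
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface range Ethernet0/3 - 10
 description To support team
 switchport access vlan 100
 no shutdown
interface Ethernet0/2
 description hardened trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
 switchport nonegotiate
interface range Ethernet0/11 - 20
 description hardened user ports
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
 spanning-tree bpduguard enable'

# lint_ios: read a config on stdin, print one finding per line
lint_ios() {
    awk '
        function flush() {
            if (name == "") return
            if (trunk && !allowed) print name ": trunk carries all VLANs; add switchport trunk allowed vlan <list>"
            if (trunk && !noneg)   print name ": DTP still enabled; add switchport nonegotiate"
            if (access && !mode_access) print name ": access VLAN set but port not forced to access mode"
            if (access && !bpduguard)   print name ": user port without spanning-tree bpduguard enable"
            name = ""; trunk = allowed = noneg = access = mode_access = bpduguard = 0
        }
        /^interface / { flush(); name = $0; sub(/^interface /, "", name); next }
        /^ *switchport mode trunk/          { trunk = 1 }
        /^ *switchport trunk allowed vlan/  { allowed = 1 }
        /^ *switchport nonegotiate/         { noneg = 1 }
        /^ *switchport access vlan/         { access = 1 }
        /^ *switchport mode access/         { mode_access = 1 }
        /^ *spanning-tree bpduguard enable/ { bpduguard = 1 }
        END { flush() }
    '
}

# On the switch: show running-config | section interface, then feed it to lint_ios
printf '%s\n' "$SAMPLE" | lint_ios
```

The lint is deliberately line-based and only knows the six commands it looks for; it is meant to be run over a saved running-config before a change window, not as a replacement for reading the configuration.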

Upgrade OS on a NEXUS switch from v6 to v9

There is no direct upgrade from NX-OS 6.x to 9.x; the following steps go through 7.x. Keep the memory and bootflash limits of the platform in mind and use the smaller (compact) image if you need to. Before each install, compare show file bootflash:<image> md5sum with the hash published by Cisco, and run show install all impact with the same arguments as the install command to see whether the upgrade is disruptive.

Copy new image to switch.

copy usb1:n3000-uk9-kickstart.6.0.2.U6.10.bin bootflash:
copy usb1:n3000-uk9.6.0.2.U6.10.bin bootflash:
copy usb1:nxos.7.0.3.I6.1.bin bootflash:

Install image.

install all kickstart bootflash:n3000-uk9-kickstart.6.0.2.U6.10.bin system bootflash:n3000-uk9.6.0.2.U6.10.bin

Remove the old images (U6.6 in this example).

delete bootflash:n3000-uk9-kickstart.6.0.2.U6.6.bin
delete bootflash:n3000-uk9.6.0.2.U6.6.bin

Install the v7 image.

install all nxos bootflash:nxos.7.0.3.I6.1.bin

Delete the old v6 images.

delete bootflash:n3000-uk9*

Copy the v9 image.

copy usb1:nxos.9.3.8.bin bootflash:

Make the configuration change required before the 9.x install and save it.

conf t
no system dme enable
end
copy run start

Install the v9 image.

install all nxos bootflash:nxos.9.3.8.bin

Port-channel (PC) / Virtual port-channel (VPC)

Port-Channel – a bundle of 2+ links between 2 switches (see example below) that behaves as one logical link, so the connection uses the throughput of all member links. Compared with leaving parallel links to spanning tree, which would block all but one of them, link utilization is better because every member carries traffic. Traffic is distributed per flow (by address/port hash), so a single flow is still limited to one member link. “mode active” means LACP negotiates the bundle, which also detects a miscabled member.

Sample configuration.

Sw1

interface Port-channel12
  description Port-Channel to SW2
 
interface Ethernet0/1
  description Link to SW2
  switchport
  switchport mode trunk
  channel-group 12 mode active
interface Ethernet0/2
  description Link to SW2
  switchport
  switchport mode trunk
  channel-group 12 mode active

Sw2

interface Port-channel21
  description Port-Channel to SW1
 
interface Ethernet0/1
  description Link to SW1
  switchport
  switchport mode trunk
  channel-group 21 mode active
interface Ethernet0/2
  description Link to SW1
  switchport
  switchport mode trunk
  channel-group 21 mode active

Virtual Port-Channel (vPC) – same as a Port-Channel with a single difference: the links on one side go to two different switches (see example below), which present themselves to SW1 as one LACP partner. SW1 needs no vPC support; it sees an ordinary port-channel. Note that spanning-tree port type edge is meant for host-facing ports only: on a link to another switch (SW1 here) the default port type is kept.

This feature is LIMITED to some switch models (it is a Cisco Nexus feature). The two vPC peers need a peer-link and a separate peer-keepalive link in its own VRF, and the vpc domain must be configured before a port-channel can be assigned to a vPC, as below.

Sample configuration.

SW1

interface port-channel 10
  description Port-channel-To-SW2-and-SW3

interface Ethernet1/1
  description link-To-SW2
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 10 mode active

interface Ethernet1/2
  description link-To-SW3
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 10 mode active

Sw2

feature lacp
feature vpc

vrf context vpc_keepalive

vpc domain 1
  role priority 1
  peer-keepalive destination 10.255.255.2 source 10.255.255.1 vrf vpc_keepalive
  delay restore 450
  peer-gateway
  auto-recovery
  fast-convergence

interface Ethernet1/49
  description VPC Keepalive link
  no switchport
  vrf member vpc_keepalive
  ip address 10.255.255.1/30
  no shutdown

interface port-channel100
  description vPC peer-link
  switchport
  switchport mode trunk
  vpc peer-link

interface Ethernet1/50
  description to SW3 (peer-link member)
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shutdown

interface Ethernet1/51
  description to SW3 (peer-link member)
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shutdown

interface port-channel10
  description Port-channel-To-SW1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 1

interface Ethernet1/1
  description link-To-SW1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 10 mode active
  no shutdown

SW3

feature lacp
feature vpc

vrf context vpc_keepalive

vpc domain 1
  role priority 2
  peer-keepalive destination 10.255.255.1 source 10.255.255.2 vrf vpc_keepalive
  delay restore 450
  peer-gateway
  auto-recovery
  fast-convergence

interface Ethernet1/49
  description VPC keepalive link
  no switchport
  vrf member vpc_keepalive
  ip address 10.255.255.2/30
  no shutdown

interface port-channel100
  description vPC peer-link
  switchport
  switchport mode trunk
  vpc peer-link

interface Ethernet1/50
  description to SW2 (peer-link member)
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shutdown

interface Ethernet1/51
  description to SW2 (peer-link member)
  switchport
  switchport mode trunk
  channel-group 100 mode active
  no shutdown

interface port-channel10
  description Port-channel-To-SW1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 1

interface Ethernet1/1
  description link-To-SW1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 10 mode active
  no shutdown