Hello, I'm looking at deploying ClearOS as a home server: file sharing via SMB/FTP, Plex & offsite backups to Alibaba Object Storage Service. The simplest way I can accomplish this is with minio client docker image + cron jobs.
My question is: are there any gotchas involved with deploying & using a Docker image from Docker Hub on ClearOS?
Cheers
boPt
Accepted Answer
There is potentially a nasty gotcha which is the firewall. ClearOS firewalling and docker do not play well together so, if you install app-docker, it will stop docker changing the firewall. If your docker app needs various firewall rules, and would normally create them itself, what I've done is edit /etc/sysconfig/docker-network to enable iptables. Then I restart the firewall and then docker. Snapshot the filter and nat firewall, e.g.:
iptables -nvL > firewall1.txt
iptables -nvL -t nat > firewall-nat1.txt
Then start your docker container and dump the firewall again:
iptables -nvL > firewall2.txt
iptables -nvL -t nat > firewall-nat2.txt
You then need to diff the files to work out the extra rules added by your image. Create the rules in a file /etc/clearos/firewall.d/20-something (use a number greater than 10 in the name) and add your rules to it.

You can see how I've done it if you install the ClearGLASS app or look in GitLab, but note that I've also integrated the firewall rules into the systemd unit file so when you start ClearGLASS the rules are added. See the 20-clearglass and clearglass.service files in clearglass-community in GitLab. I've done something similar for the Samba Active Directory implementation in this post, but in this case I did not integrate it with any systemd file (there is not one).

When creating the firewall rules I took short-cuts. For the Samba AD one, docker was creating a rule for every port. I just created a single rule which covered the IP address and not the individual ports and protocols. Also docker was creating funny rules like a rule covering a docker interface then another identical rule covering all interfaces except the docker interface. I combined them into a single rule. I omitted rules where there were pre-existing ClearOS ones which took precedence. I think this relates to the "RELATED,ESTABLISHED" rules but I can't remember offhand.
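The snapshot-and-diff step from the answer above, as an added example that is not part of the original post. It assumes the snapshots are taken with iptables-save instead of `iptables -nvL`, because that format lists rule specifications and lets the packet/byte counters be stripped before comparing; the function names and both sample dumps are constructed for illustration.

```shell
# Added example: report chains and rules present only in the second of two
# iptables-save dumps, ignoring the packet/byte counters that always change.

# Rewrite one dump as "-t <table> -N <chain>" and "-t <table> -A ..." lines.
normalize() {
    awk '
        /^\*/ { table = substr($0, 2); next }                  # "*nat", "*filter"
        /^:/  { print "-t " table " -N " substr($1, 2); next } # counters dropped
        { sub(/^\[[0-9]*:[0-9]*\] /, "") }                     # "iptables-save -c" prefix
        /^-A / { print "-t " table " " $0 }
    ' "$1"
}

# Print the lines of dump $2 that are absent from dump $1, in original order.
added_rules() {
    known=$(mktemp) || return 1
    normalize "$1" > "$known"
    normalize "$2" | grep -vxF -f "$known" || true   # grep exits 1 if nothing is new
    rm -f "$known"
}

# Constructed sample dumps standing in for "iptables-save > before.txt",
# starting the container, then "iptables-save > after.txt".
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.txt" <<'EOF'
*nat
:POSTROUTING ACCEPT [4:240]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
cat > "$demo_dir/after.txt" <<'EOF'
*nat
:POSTROUTING ACCEPT [9:540]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [2:120]
:DOCKER - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
added_rules "$demo_dir/before.txt" "$demo_dir/after.txt"
```

Each output line is the argument string of one chain or rule the container start introduced, which is the list to review and reduce before writing the firewall.d file.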