OpenTox

Lazar in a Docker Shorewall Nginx Environment
in-silico toxicology gmbh blog

This post explains how to setup Lazar Docker image in a Shorewall Nginx Environment with a static IP

Docker creates its own virtual interface docker0 with a network in a private subnet (in a random 172.17.x.x net). On container start it selects a random IP (e.g. 172.17.0.1) for the container.

In this example we want to run a lazar docker container with a static IP in a 10.0.1.x subnet. The lazar prediction application will be available with the lazar-gui at mysub.mydomain.mytld on port 80 for webbrowser. Shorewall is used as a firewall and to port-forward ssh direct into the container. Nginx at the host machine delivers HTTP access via FQDN to the GUI.

This article summarizes several documentations, blog entries and stackoverflow discussions (all linked in the text) together with lazar setup.

Please keep in mind: Always check that your shorewall settings do not lock you out of your own machine (ssh ports). Always ensure login before you close the last open ssh session.

Setup your own docker subnet

restart docker when changing network settings

sudo systemctl stop docker
sudo systemctl start docker

create a docker bridge (br0) with subnet 10.0.1.1/24 (see also https://docs.docker.com/engine/reference/commandline/network_create/)

docker network create --subnet=10.0.1.1/24  --gateway=10.0.1.254 br0

check with:

docker network ls
>>>
NETWORK ID          NAME                DRIVER
6c30cce12345        br0                 bridge              
0fd4123450fc        bridge              bridge              
e3a931234593        none                null                
e311234523dc        host                host

Download and setup lazar

download the docker lazar image

docker pull insilicotox/lazar-public-data:LATEST_TAG

run docker image with a static IP (use v3 or favoured tag)

docker run -p 8088:8088 --net br0 --ip 10.0.1.101 -itd insilicotox/lazar-public-data:v3

list containers to find out CONTAINER_ID

docker ps -a

start container with

docker start <CONTAINER_ID>

go into the container to start the database and lazar-gui application (see also: https://hub.docker.com/r/insilicotox/lazar-public-data/)

docker exec -ti CONTAINER_ID bash

ist@CONTAINER_ID:~$  sudo /etc/init.d/mongod start
ist@CONTAINER_ID:~$  cd lazar-gui
ist@CONTAINER_ID:~$  unicorn -p 8088 -D
ist@CONTAINER_ID:~$  exit

Shorewall Setup

get the name of the new bridge

ip addr
>>>
...
34: br-6c30cceb5756: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
  link/ether 02:42:6f:42:d2:8e brd ff:ff:ff:ff:ff:ff
  inet 10.0.1.254/24 scope global br-6c30cceb5756
     valid_lft forever preferred_lft forever
  inet6 fe80::42:6fff:fe42:d28e/64 scope link 
     valid_lft forever preferred_lft forever

name of the network bridge in this example is br-6c30cceb5756

for a clean restart of shorewall do

sudo shorewall stop
sudo shorewall clear
sudo shorewall start

Shorewall versions < 5.0.6

see http://shorewall.net/Docker.html

add hooks to /etc/shorewall/init /etc/shorewall/stop and /etc/shorewall/start to keep iptables settings from docker as described at: http://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/

for /etc/shorewall/init and /etc/shorewall/stop

if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' >/etc/shorewall/docker_rules
    iptables -t nat -S DOCKER >>/etc/shorewall/docker_rules
    iptables -t nat -S POSTROUTING >>/etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules

    echo '*filter' >>/etc/shorewall/docker_rules
    iptables -S DOCKER >> /etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules
fi

for /etc/shorewall/start

if [ -f /etc/shorewall/docker_rules ]; then
    iptables-restore -n </etc/shorewall/docker_rules
    run_iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    run_iptables -t nat -I OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    run_iptables -I FORWARD -o docker0 -j DOCKER
    run_iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run_iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
    run_iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT

    rm -f /etc/shorewall/docker_rules
fi

shorewall configuration files

add the bridge to shorewall interfaces (‘br0’ is an example name, name can be at most 5 characters long) : /etc/shorewall/interfaces

br0       br-6c30cceb5756 detect          routeback,bridge

add new line for bridge in /etc/shorewall/zones

br0      ipv4

ssh into the container add a forwarding from port 22101 on host to port 22 on container at: /etc/shorewall/rules
You might to start ssh daemon inside the container with sudo /etc/init.d/ssh restart

DNAT            net             br0:10.0.1.101:22       tcp     22101

add policies to /etc/shorewall/policy (do not place behind “all all REJECT info”)

br0             br0             ACCEPT
br0             net             ACCEPT
br0             fw              ACCEPT
fw              br0             ACCEPT
br0             all             ACCEPT

Nginx Setup

set proxy in nginx to give port 8088 to port 80 on webserver

server {
    listen          80;
    server_name mysub.mydomain.mytld;
    client_max_body_size 5000m;
    proxy_read_timeout 600;
    location / {
          proxy_pass http://10.0.1.101:8088;
          proxy_set_header   Host $host;
     }
}
blog comments powered by Disqus

Published

23 March 2016

Tags