bo Pt
Hello, I'm looking at deploying ClearOS as a home server: file sharing via SMB/FTP, Plex & offsite backups to Alibaba Object Storage Service. The simplest way I can accomplish this is with minio client docker image + cron jobs.

My question is: are there any gotchas involved with deploying & using a Docker image from Docker Hub on ClearOS?

Cheers
boPt
Monday, March 25 2019, 05:36 AM

Accepted Answer

Monday, March 25 2019, 09:09 AM - #Permalink
There is potentially a nasty gotcha, which is the firewall. ClearOS firewalling and docker do not play well together so, if you install app-docker, it will stop docker changing the firewall. If your docker app needs various firewall rules, and would normally create them itself, what I've done is edit /etc/sysconfig/docker-network to enable iptables. Then I restart the firewall and then docker. Snapshot the filter and nat firewall, e.g.:
iptables -nvL > firewall1.txt
iptables -nvL -t nat > firewall-nat1.txt
Then start your docker container and dump the firewall again:
iptables -nvL > firewall2.txt
iptables -nvL -t nat > firewall-nat2.txt
You then need to diff the files to work out the extra rules added by your image. Create the rules in a file /etc/clearos/firewall.d/20-something (use a number greater than 10 in the name) and add your rules to it.

You can see how I've done it if you install the ClearGLASS app or look in GitLab, but note that I've also integrated the firewall rules into the systemd unit file so when you start ClearGLASS the rules are added. See the 20-clearglass and clearglass.service files in clearglass-community in GitLab. I've done something similar for the Samba Active Directory implementation in this post, but in this case I did not integrate it with any systemd file (there is not one).

When creating the firewall rules I took short-cuts. For the Samba AD one, docker was creating a rule for every port. I just created a single rule which covered the IP address and not the individual ports and protocols. Also docker was creating funny rules like a rule covering a docker interface then another identical rule covering all interfaces except the docker interface. I combined them into a single rule. I omitted rules where there were pre-existing ClearOS ones which took precedence. I think this relates to the "RELATED,ESTABLISHED" rules but I can't remember offhand.
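
The diff step described in the answer above, as an added example that is not part of the original post or of ClearOS: a plain diff of two `iptables -nvL` dumps is noisy because the pkts/bytes counters change between snapshots, so this drops them and lists only the rules and chains that are new in the second dump. The names `new_rules` and `demo` and the dump contents (addresses, port, counters) are constructed for illustration.

```shell
#!/bin/sh
# Added example: show what a container start added to the firewall, given two
# `iptables -nvL` dumps. Counters are ignored; duplicates are counted, so a
# rule present once before and twice after is still reported once.

new_rules() {   # usage: new_rules BEFORE_DUMP AFTER_DUMP
    awk '
        NF == 0 || $1 == "pkts" { next }                     # blank lines, column headers
        $1 == "Chain" { chain = $2; rule = "[chain]" }       # policy counters are ignored too
        $1 != "Chain" { $1 = ""; $2 = ""; sub(/^ +/, ""); rule = $0 }   # drop pkts/bytes
        FILENAME == ARGV[1] { seen[chain, rule]++; next }    # count entries in BEFORE
        seen[chain, rule] > 0 { seen[chain, rule]--; next }  # already existed
        { print chain ": " rule }                            # new in AFTER
    ' "$1" "$2"
}

demo() {   # constructed sample dumps, not output from a real ClearOS box
    dir=$(mktemp -d)
    cat > "$dir/firewall1.txt" <<'EOF'
Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
    cat > "$dir/firewall2.txt" <<'EOF'
Chain FORWARD (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   540 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
EOF
    new_rules "$dir/firewall1.txt" "$dir/firewall2.txt"
    rm -rf "$dir"
}

demo
```

Run it the same way on firewall-nat1.txt and firewall-nat2.txt for the nat table. The output is only the list of additions to review; the rules still have to be written by hand into the /etc/clearos/firewall.d/ file.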
Responses (1)
    bo Pt
    Monday, March 25 2019, 09:13 PM - #Permalink
    Thanks for your detailed answer Nick. Much appreciated.

    Regards
    Chris