From charlesreid1

m (Replacing charlesreid1.com:3000 with git.charlesreid1.com)
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Wifi Boat Overview=
=Wifi Pod Overview=


==Services==
==Services==


UGR wifi boat ships the following services in Docker containers:
UGR wifi pod ships the following services in Docker containers:
* stunnel server
* stunnel server
* web server (hello world, report, file management)
* web server (hello world, report, file management)
Line 13: Line 13:


Please make a note:
Please make a note:
* The UGR wifi boat does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.
* The UGR wifi pod does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.


==Getting Set Up For The Boat==
==Getting Set Up For The Pod==


Make sure your node is all set: [[Deployment/New Node Checklist]]
Make sure your node is all set: [[Deployment/New Node Checklist]]
Line 21: Line 21:
Make sure docker installed: [[Docker/Installing]]
Make sure docker installed: [[Docker/Installing]]


=Boat Containers=
=Pod Containers=


==Stunnel==
==Stunnel==
Line 28: Line 28:


Here's how the Stunnel Docker container will be set up:
Here's how the Stunnel Docker container will be set up:
* Create a Dockerfile or download a prepared one (they are easy enough to make that it is worth doing yourself.)
* Create a Dockerfile (you can download a prepared one, but they are easy enough to make that it is worth doing yourself.)
* Make a Docker Stunnel container image
* Make a Docker Stunnel container image
* Run a Docker Stunnel container image
* Run a Docker Stunnel container image
Line 34: Line 34:
* Ensure that networking with host is working and configured properly
* Ensure that networking with host is working and configured properly


===Create Dockerfile for stunnel container image===
===Get Files===


The files needed to get the Stunnel docker image working with the SSL keys obtained from LetsEncrypt are contained in the following git.charlesreid1.com repository:
Get the Dockerfile from the git.charlesreid1.com repo: https://git.charlesreid1.com/docker/d-stunnel


https://charlesreid1.com:3000/docker/stunnel
<pre>
$ mkdir ~/docker
$ cd ~/docker
$ git clone https://git.charlesreid1.com/docker/d-stunnel
$ cd d-stunnel
</pre>
 
This will also have some supporting scripts and example config files.
 
===Create Certificate===
 
Next step is to create a certificate.
 
See [[Stunnel#Certificate]]
 
Option 1 is to use Let's Encrypt (recommended). Use the [[LetsEncrypt]] page and the <code>generate_letsencrypt_cert.sh</code> script in the d-stunnel repository.
 
Option 2 is to use a self-signed certificate. See [[RaspberryPi/SSH Stunnel]] for details and use the <code>generate_ss_cert.sh</code> script in the d-stunnel repository.


===Preparing to build stunnel container image===
Link to d-stunnel repository: https://git.charlesreid1.com/docker/d-stunnel


Before we can build the container image, we need to have the SSL certificate the server will use, as well as the stunnel configuration file.
===Configure Client===


Some of this is taken care of in the docker/stunnel repository on git.charlesreid1.com:
Next, configure your client stunnel using stunnel.conf. On a Mac, this will go in <code>/usr/local/etc/stunnel/stunnel.conf</code>. On Ubuntu/Linux, it will go in <code>/etc/stunnel/stunnel.conf</code>. The client machine's configuration should map ports matching whatever you're trying to do. There are some examples in the docker/d-stunnel repository on git.charlesreid1.com: https://git.charlesreid1.com/docker/d-stunnel


https://git.charlesreid1.com/docker/stunnel
These pages have sample client configuration files:


<pre>
* [[Stunnel/SSH]] - tunneling SSH over port 443
$ mkdir ~/docker
* [[Stunnel/Scp]] - tunneling secure copy over port 443
$ cd ~/docker
* [[Stunnel/HTTP]] - tunneling HTTP traffic over port 8000
$ git clone https://charlesreid1.com:3000/docker/stunnel
$ cd docker-stunnel
</pre>


Run the sudo_prep.sh script to make copies of the Let's Encrypt keys in the current directory:
====Configure Raspberry Pi Client====


<pre>
Stunnel client config files for Raspberry Pi: https://git.charlesreid1.com/rpi/p-stunnel
$ sudo ./sudo_prep.sh
</pre>


Now your SSL certificates are in-place and ready to be copied into the container.
===Configure Server===


Next we will take care of the stunnel configuration file.
Configure the server by setting the server's stunnel.conf file to match the client's and whatever service you're trying to access.  


===Networking/Ports Configuration===
These pages have sample server configuration files:


Stunnel exposes one port externally (for clients to connect on), typically 443. This is the port on which all of the SSL-wrapped traffic will pass. We will need to map this port from the Docker container to the host, and open that port on the host's firewall.
* [[Stunnel/SSH]]
* [[Stunnel/Scp]]
* [[Stunnel/HTTP]]


Stunnel accept encrypted traffic on that exposed port. It will unwrap the traffic, removing the SSL layer, and forward the unencrypted traffic on to another local port, typically one that is not publicly exposed.
This is the configuration file that will be copied into the Docker container and used with its stunnel instance. It is recommended you check out https://git.charlesreid1.com/docker/d-stunnel and put it into the d-stunnel/ directory.


For our test, the stunnel container will listen for connections on 443. It will forward these to local port 8443. We will set up a Python HTTP server on port 8443 that only listens for local requests and responds with a "HALLO WURLLD" page. If the stunnel container is configured correctly, we should be able to send HTTP requests to the stunnel container, and have it pass those through to the Python HTTP server, which will serve up the "HALLO WURLLD" page.
===TLDR===


Start with the configuration file for stunnel. It will live in <code>/etc/stunnel/stunnel.conf</code>. Here is what we will use:
You have to map ports from container to host, and your host and container have to share the same network interface. Here is what the final run command looks like:


<pre>
<pre>
output = /var/log/stunnel4/stunnel.log
docker run \
cert=/etc/stunnel/stunnel.pem
--network=host \
key=/etc/stunnel/stunnel.pem
-p 443:443 -p 22:22 \
pid=/var/run/stunnel4/stunnel.pid
-ti cmr_stunnel \
client=yes
/bin/bash
[ssh]
accept = 443
connect = 127.0.0.1:8443
</pre>
</pre>
This will accept inbound encrypted connections on 443, and will decrypt them and forward them along to local port 8443, where Python will be listening. Because this is a server, we are emulating inbound requests, just like a web server. Stunnel will be wrapping HTTP requests from a browser with SSL.
Now we have the SSL certificates and the configuration file finished, and we are ready to build our Docker image..


===Build Docker stunnel container image from Dockerfile===
===Build Docker stunnel container image from Dockerfile===
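Review bot: the TLDR run command added in this hunk (`docker run \`, `--network=host \`, `-p 443:443 -p 22:22 \`) combines host networking with published ports, but Docker discards -p mappings when --network=host is in effect and prints a warning saying so, so those two flags are inert here; either drop them or say they only matter under bridge networking. The same command ends in `/bin/bash`, so the container starts a shell rather than stunnel, and the tunnel only exists while someone runs stunnel by hand inside it, which belongs next to the command. Also, the server config removed here carried `client=yes` although the surrounding text describes it as the inbound listener on 443 ("Because this is a server"), and the replacement text shows no server config at all; the Configure Server section should inline a minimal server-side stunnel.conf (client = no, accept = 443, connect = the local service) or name which of Stunnel/SSH, Stunnel/Scp, Stunnel/HTTP it uses.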
Line 106: Line 113:
</pre>
</pre>


===Run the Docker stunnel conainer image===
===Networking/Ports Configuration===


You can fire up the docker container and get a Bash shell:
First, let's talk about how stunnel works, independently of Docker.


<pre>
Stunnel will expose one port externally (for clients to connect on). Typically, this is 443, but it can be any port. This is the port on which all of the SSL-wrapped traffic will pass. It then forwards that traffic on to another local port (typically this is a port with a service that is not externally exposed, but that isn't a requirement). The configuration file determines which local port the stunnel server will map traffic to.
$ docker run -ti cmr_stunnel /bin/bash
</pre>


Test that the stunnel command works.  
Now let's talk about how to do this when running stunnel from within Docker.


Now that stunnel is running okay, and the certificates are working, let's get the networking and ports figured out.
The Docker container will be running an stunnel service that listens on some port (say 443) and forwards that traffic on to some other port. The hitch is, Docker containers are not, by default, connected to host ports, so we need to explicitly link ports from the container to ports on the host.


===Port Mapping===
The first port we want to map is the port on which stunnel is listening - if stunnel listens on 443 inside the container, we can make that available on the host port 443 by specifying <code>-p 443:443</code> when we run the docker container.


Docker networking guide provides some useful info: https://docs.docker.com/engine/userguide/networking/
However, we also need to map the destination port, where stunnel is forwarding traffic to, to the host destination port. If we use a simple example of tunneling SSH traffic through stunnel, we need to link the stunnel Docker container's port 22 to the host's port 22.


We can specify three networks: the host network, a bridge network (shared between host and container only), or no network at all.
Finally, we also need the docker container to share a networking interface with the host - otherwise, the host needs to dedicate a separate listener (on the host) listening to each of the ports that we map. This creates a conflict if there is already an SSH server listening on the port we're trying to bind to. Since these two services are just talking to each other, they should be able to bind to the same network interface. Use the <code>--network=host</code> to force the container and host to share the same network interface.


We want to attach the container to the outside world via the standard network interface onboard the host. Use <code>--network=host</code> when running the container .
See [[Docker/Networking]] for the setup and configuration files for tunneling SSH over an stunnel SSL connection on port 443.


ok,
Here is what the final run command looks like:


but now prob is,
<pre>
docker run \
--network=host \
-p 443:443 -p 22:22 \
-ti cmr_stunnel \
/bin/bash
</pre>


how to id self, container missing ifconfig
===Run the Docker stunnel container image===


You can fire up the docker container and get a Bash shell:


<pre>
docker run \
--network=host \
-p 443:443 -p 22:22 \
-ti cmr_stunnel \
/bin/bash
</pre>


Running the stunnel command should work okay.


===Load Image with Networking/Ports Configured===
=Flags=
 
 
===Links===
 
Stunnel documentation (man page): https://www.stunnel.org/static/stunnel.html
 
Stunnel Dockerfile that is about as simple as it is going to get: https://github.com/taskworld/docker-stunnel/blob/master/Dockerfile
 
Note: ufw needs to accept, not drop, traffic: [https://www.digitalocean.com/community/tutorials/docker-explained-how-to-create-docker-containers-running-memcached]
 
Note: container needs to bind to 0.0.0.0, not localhost, or it won't be accessible outside the container: [http://serverfault.com/questions/714340/ssh-tunnel-to-docker-container]
 
 


{{DockerFlag}}


[[Category:Docker]]
[[Category:Docker]]
[[Category:Boats]]
[[Category:Docker Pods]]
[[Category:Wireless]]
[[Category:Wireless]]
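Review bot: the paragraph starting "Finally, we also need the docker container to share a networking interface with the host" gives a muddled reason for --network=host: the collision it describes (a second listener on 22 fighting the host's sshd) is what `-p 22:22` would cause under bridge networking, where Docker itself binds the host port; with host networking the container shares the host's network namespace, so stunnel's connect to 127.0.0.1:22 reaches the host's sshd directly and no port mapping is needed, which is also why the -p flags in the run command do nothing. Suggest rewording to that mechanism, and keeping the run command in one place: this revision repeats the identical five-line `docker run` block three times (TLDR, Networking/Ports Configuration, Run the Docker stunnel container image). The added note that the container must bind to 0.0.0.0 rather than localhost is the right caveat and would sit better beside the discussion of the accept port than in the Links list.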



Latest revision as of 03:22, 9 October 2019

Wifi Pod Overview

Services

UGR wifi pod ships the following services in Docker containers:

  • stunnel server
  • web server (hello world, report, file management)
  • https web server (hello world)
  • mongodb database

Stretch goals:

  • Data to inform the server about processes that are running? How to install a program that runs on the pi and tries to call home and send updates on information going on with the operating system, running processes, etc.?

Please make a note:

  • The UGR wifi pod does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.

Getting Set Up For The Pod

Make sure your node is all set: Deployment/New Node Checklist

Make sure docker installed: Docker/Installing

Pod Containers

Stunnel

Stunnel is a server/client service that wraps arbitrary TCP traffic in an encrypted SSL/TLS layer, so on the wire it looks like HTTPS. Since port 443 is usually open even on locked-down networks, this is an extremely handy tool for punching through firewalls. Because the traffic is encrypted, the contents of an HTTPS packet cannot be inspected, so services that would otherwise be blocked because of their protocol, like SSH, can pass in and out of the network just fine once wrapped in HTTPS.

Here's how the Stunnel Docker container will be set up:

  • Create a Dockerfile (you can download a prepared one, but they are easy enough to make that it is worth doing yourself.)
  • Make a Docker Stunnel container image
  • Run a Docker Stunnel container image
  • Ensure that Stunnel is working and configured properly (ignoring network)
  • Ensure that networking with host is working and configured properly

Get Files

Get the Dockerfile from the git.charlesreid1.com repo: https://git.charlesreid1.com/docker/d-stunnel

$ mkdir ~/docker
$ cd ~/docker
$ git clone https://git.charlesreid1.com/docker/d-stunnel
$ cd d-stunnel

This will also have some supporting scripts and example config files.

Create Certificate

Next step is to create a certificate.

See Stunnel#Certificate

Option 1 is to use Let's Encrypt (recommended). Use the LetsEncrypt page and the generate_letsencrypt_cert.sh script in the d-stunnel repository.

Option 2 is to use a self-signed certificate. See RaspberryPi/SSH Stunnel for details and use the generate_ss_cert.sh script in the d-stunnel repository.

Link to d-stunnel repository: https://git.charlesreid1.com/docker/d-stunnel

Configure Client

Next, configure your client stunnel using stunnel.conf. On a Mac, this will go in /usr/local/etc/stunnel/stunnel.conf. On Ubuntu/Linux, it will go in /etc/stunnel/stunnel.conf. The client machine's configuration should map ports matching whatever you're trying to do. There are some examples in the docker/d-stunnel repository on git.charlesreid1.com: https://git.charlesreid1.com/docker/d-stunnel

These pages have sample client configuration files:

  • Stunnel/SSH - tunneling SSH over port 443
  • Stunnel/Scp - tunneling secure copy over port 443
  • Stunnel/HTTP - tunneling HTTP traffic over port 8000

Configure Raspberry Pi Client

Stunnel client config files for Raspberry Pi: https://git.charlesreid1.com/rpi/p-stunnel

Configure Server

Configure the server by setting the server's stunnel.conf file to match the client's and whatever service you're trying to access.

These pages have sample server configuration files:

  • Stunnel/SSH
  • Stunnel/Scp
  • Stunnel/HTTP

This is the configuration file that will be copied into the Docker container and used with its stunnel instance. It is recommended you check out https://git.charlesreid1.com/docker/d-stunnel and put it into the d-stunnel/ directory.

TLDR

You have to map ports from container to host, and your host and container have to share the same network interface. Here is what the final run command looks like:

docker run \
	--network=host \
	-p 443:443 -p 22:22 \
	-ti cmr_stunnel \
	/bin/bash

Build Docker stunnel container image from Dockerfile

From the git repo checked out above, which contains a Dockerfile, run docker build to build the image:

$ docker build -t cmr_stunnel .

This may take a minute. Once that's finished make sure Docker now lists the image:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
cmr_stunnel         latest              2b197f506e02        59 seconds ago      219 MB

Networking/Ports Configuration

First, let's talk about how stunnel works, independently of Docker.

Stunnel will expose one port externally (for clients to connect on). Typically, this is 443, but it can be any port. This is the port on which all of the SSL-wrapped traffic will pass. It then forwards that traffic on to another local port (typically this is a port with a service that is not externally exposed, but that isn't a requirement). The configuration file determines which local port the stunnel server will map traffic to.

Now let's talk about how to do this when running stunnel from within Docker.

The Docker container will be running an stunnel service that listens on some port (say 443) and forwards that traffic on to some other port. The hitch is, Docker containers are not, by default, connected to host ports, so we need to explicitly link ports from the container to ports on the host.

The first port we want to map is the port on which stunnel is listening - if stunnel listens on 443 inside the container, we can make that available on the host port 443 by specifying -p 443:443 when we run the docker container.

However, we also need to map the destination port, where stunnel is forwarding traffic to, to the host destination port. If we use a simple example of tunneling SSH traffic through stunnel, we need to link the stunnel Docker container's port 22 to the host's port 22.

Finally, the container also needs to share a network interface with the host. Otherwise the host has to run a separate listener for every port we map, which conflicts with any SSH server already bound to that port. Since the two services only talk to each other, they can share one network interface: pass --network=host to make the container use the host's network stack.

See Docker/Networking for the setup and configuration files for tunneling SSH over an stunnel SSL connection on port 443.

Here is what the final run command looks like:

docker run \
	--network=host \
	-p 443:443 -p 22:22 \
	-ti cmr_stunnel \
	/bin/bash
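As an added example (not from the wiki page or the d-stunnel repository), the script below turns the port-mapping rules from the TLDR and Networking/Ports Configuration sections into checks: it reads the accept/connect pairs out of a server-side stunnel.conf, refuses a server config that sets client = yes, and builds the docker run line, emitting -p flags only for bridge networking because Docker discards them under --network=host. The sample config, the image name and the use of -d (which assumes the image's default command starts stunnel in the foreground) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page or the d-stunnel repo.
# Derive the ports a server-side stunnel.conf needs and build the run line.

# Constructed sample server config: TLS on 443 -> local sshd, TLS on 8443 -> local HTTP.
SAMPLE_CONF='client = no
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
[ssh]
accept = 443
connect = 127.0.0.1:22
[http]
accept = 8443
connect = 127.0.0.1:8000'

# Print one "accept_port connect_port" line per service section.
# Host prefixes such as 0.0.0.0:443 or 127.0.0.1:22 are stripped.
stunnel_ports() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*accept[[:space:]]*=/  { gsub(/[[:space:]]/, "", $2); sub(/.*:/, "", $2); a = $2 }
        /^[[:space:]]*connect[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); sub(/.*:/, "", $2); print a, $2 }'
}

# Refuse configs that cannot act as the container-side listener.
check_server_conf() {
    if printf '%s\n' "$1" | grep -qi '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes'; then
        echo "server config must not set client = yes" >&2; return 1
    fi
    if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*cert[[:space:]]*='; then
        echo "server config needs a cert = line" >&2; return 1
    fi
    if [ "$(stunnel_ports "$1" | grep -c .)" -eq 0 ]; then
        echo "no accept/connect pair found" >&2; return 1
    fi
    return 0
}

# Build the run line. Only the accept ports are published; the connect
# targets must be reachable from inside the container (under bridge mode
# 127.0.0.1 is the container's own loopback, not the host). With --network=host
# the container shares the host's network namespace and Docker discards -p
# mappings (it warns about this), so none are emitted in that mode.
docker_run_args() {   # $1 = conf text, $2 = host|bridge, $3 = image name (assumed)
    args="docker run --network=$2"
    if [ "$2" != "host" ]; then
        for p in $(stunnel_ports "$1" | awk '{ print $1 }'); do
            args="$args -p $p:$p"
        done
    fi
    echo "$args -d $3"
}
```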

Run the Docker stunnel container image

You can fire up the docker container and get a Bash shell:

docker run \
	--network=host \
	-p 443:443 -p 22:22 \
	-ti cmr_stunnel \
	/bin/bash

Running the stunnel command should work okay.

Flags