From charlesreid1

Wifi Boat Overview

Services

UGR wifi boat ships the following services in Docker containers:

  • stunnel server
  • web server (hello world, report, file management)
  • https web server (hello world)
  • mongodb database

Stretch goals:

  • Data to inform the server about which processes are running: how to install a program on the Pi that calls home and sends updates on the state of the operating system, running processes, and so on?

Please make a note:

  • The UGR wifi boat does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.

Getting Set Up For The Boat

Make sure your node is all set: Deployment/New Node Checklist

Make sure docker installed: Docker/Installing

Boat Containers

Stunnel

Stunnel is a server/client service that wraps arbitrary TCP traffic in a TLS layer, so that to an outside observer the connection looks like ordinary HTTPS. Since port 443 is usually open even on locked-down networks, this is an extremely handy tool for punching through firewalls: the TLS payload cannot be inspected, so a protocol that would otherwise be blocked, like SSH, can pass in and out of the network just fine by being wrapped in TLS. Two caveats: the TLS handshake itself (server certificate, SNI) is still visible to the network, and a network that runs a TLS-intercepting proxy will break the tunnel rather than pass it, because the proxy presents its own certificate and sees SSH where it expects HTTP.

Here's how the Stunnel Docker container will be set up:

  • Create a Dockerfile (you can download a prepared one, but they are easy enough to make that it is worth doing yourself.)
  • Make a Docker Stunnel container image
  • Run a Docker Stunnel container image
  • Ensure that Stunnel is working and configured properly (ignoring network)
  • Ensure that networking with host is working and configured properly

Get Files

Get the Dockerfile from the git.charlesreid1.com repo: https://charlesreid1.com:3000/docker/d-stunnel

$ mkdir ~/docker
$ cd ~/docker
$ git clone https://charlesreid1.com:3000/docker/d-stunnel
$ cd d-stunnel

This will also have some supporting scripts and example config files.

Create Certificate

Next step is to create a certificate.

See Stunnel#Certificate

Option 1 is to use Let's Encrypt (recommended). Use the LetsEncrypt page and the generate_letsencrypt_cert.sh script in the d-stunnel repository.

Option 2 is to use a self-signed certificate. See RaspberryPi/SSH Stunnel for details and use the generate_ss_cert.sh script in the d-stunnel repository.

Link to d-stunnel repository: https://charlesreid1.com:3000/docker/d-stunnel

Stunnel Configuration

To configure stunnel, use your own stunnel.conf file or use an example stunnel.conf file provided in the repository.

See Stunnel page for more info. If you are running an stunnel server, see Stunnel/Server.

There are many configurations that you can potentially use stunnel for (e.g., HTTP or SSH or MongoDB).

It's best to start simple, and test out forwarding SSH traffic over an arbitrary port: Stunnel/SSH

(Then you can try SSH carried over port 443.)

Then move on to HTTP traffic tunneled over an arbitrary port: Stunnel/HTTP

Then MongoDB traffic tunneled over an arbitrary port: Stunnel/MongoDB

Networking/Ports Configuration

First, let's talk about how stunnel works, independently of Docker.

Stunnel will expose one port externally (for clients to connect on). Typically this is 443, but it can be any port. This is the port on which all of the TLS-wrapped traffic arrives. Stunnel then terminates TLS and forwards the plaintext on to another local port (typically one where a service listens that is not exposed externally, though that isn't a requirement). The configuration file determines which local port the stunnel server forwards traffic to.

Now let's talk about how to do this when running stunnel from within Docker.

The Docker container will be running an stunnel service that listens on some port (say 443) and forwards that traffic on to some other port. The hitch is that a Docker container on the default bridge network has its own network namespace: its ports are not reachable from the host or the outside world until you publish them, and 127.0.0.1 inside the container is the container, not the host.

The first port we want to map is the port on which stunnel is listening: if stunnel listens on 443 inside the container, -p 443:443 makes it available on host port 443 when we run the container.

The destination side is different. -p only publishes container ports to the host for inbound connections; it does not give the container a way to reach services on the host. In the simple example of tunneling SSH, if stunnel's connect target is 127.0.0.1:22, it will look for an sshd inside the container, where there is none. Either run the container with --network=host (it then shares the host's network stack, 127.0.0.1:22 is the host's sshd, and no -p mapping is needed at all), or keep the bridge network and point connect at an address the host answers on, such as the docker0 gateway address.

Build Docker stunnel container image from Dockerfile

From the git repo checked out above, which contains a Dockerfile, run docker build to build the image:

$ docker build -t cmr_stunnel .

This may take a minute. Once that's finished, make sure Docker now lists the image:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
cmr_stunnel         latest              2b197f506e02        59 seconds ago      219 MB

Run the Docker stunnel container image

You can fire up the docker container and get a Bash shell:

$ docker run -ti cmr_stunnel /bin/bash

Test that the stunnel command works and that the certificate file is readable from inside the container.

Once stunnel runs and loads its certificate, let's get the networking and ports figured out.

Port Mapping

Docker networking guide provides some useful info: https://docs.docker.com/engine/userguide/networking/

We can specify three networks: the host network (the container shares the host's network stack and interfaces), a bridge network (the default: the container gets its own address on a private Docker bridge and is reachable from outside only through published ports), or no network at all.

We want to attach the container to the outside world via the standard network interface onboard the host. Use --network=host when running the container.

One remaining problem: the container image does not ship ifconfig, so identifying the container's own address from inside it is awkward. Since --network=host shares the host's network stack, the host's addresses are the container's addresses, and docker inspect on the host also shows the container's network settings.

Load Image with Networking/Ports Configured
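
The pieces above (stunnel.conf for SSH over 443, the certificate, the accept address, and the two docker networking modes) pulled together as an added example. This is not code from the d-stunnel repository; the paths under /etc/stunnel, the client port 2222, the host name boat.example.org, the cmr_stunnel command line, and the host.docker.internal/host-gateway alias (Docker 20.10+) are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the d-stunnel repository: write a server-side
# and a client-side stunnel.conf for carrying SSH over TCP/443, optionally
# make a self-signed certificate, and print the matching docker run line.
# File paths, host names and the 2222 client port are assumptions.
set -eu

# Server side (runs in the container). Listening on 0.0.0.0, not 127.0.0.1,
# is what makes the port reachable from outside the container. The connect
# target is wherever the container can reach the host's sshd:
#   127.0.0.1:22            with --network=host (shared network stack)
#   host.docker.internal:22 on the bridge network (see docker_run_cmd)
write_stunnel_server_conf() {
  dir=$1
  ssh_target=${2:-127.0.0.1:22}
  cat > "$dir/stunnel-server.conf" <<EOF
; assumed layout: stunnel.pem holds the private key followed by the cert
cert = /etc/stunnel/stunnel.pem
foreground = yes
debug = 5

[ssh]
accept = 0.0.0.0:443
connect = $ssh_target
EOF
  echo "$dir/stunnel-server.conf"
}

# Client side (runs on the laptop). Local port 2222 becomes the boat's sshd.
# verifyChain plus CAfile makes the client reject a substituted certificate,
# which is the difference between a tunnel and a man-in-the-middle.
write_stunnel_client_conf() {
  dir=$1
  server=$2
  cat > "$dir/stunnel-client.conf" <<EOF
client = yes
foreground = yes

[ssh]
accept = 127.0.0.1:2222
connect = $server:443
verifyChain = yes
CAfile = /etc/stunnel/server-ca.pem
EOF
  echo "$dir/stunnel-client.conf"
}

# Self-signed certificate (option 2 on the page): key and cert concatenated
# into one PEM file, readable only by the owner.
make_self_signed_cert() {
  dir=$1
  cn=$2
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$cn" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
  chmod 600 "$dir/stunnel.pem" "$dir/key.pem"
  cp "$dir/cert.pem" "$dir/server-ca.pem"   # what the client pins
  echo "$dir/stunnel.pem"
}

# docker run line for the two networking modes discussed above.
docker_run_cmd() {
  mode=$1
  cfgdir=$2
  mounts="-v $cfgdir/stunnel-server.conf:/etc/stunnel/stunnel.conf:ro \
  -v $cfgdir/stunnel.pem:/etc/stunnel/stunnel.pem:ro"
  case $mode in
    host)
      # shares the host's network namespace: no -p needed, and 127.0.0.1:22
      # inside the container is the host's sshd
      echo "docker run -d --name stunnel --network=host $mounts \
  cmr_stunnel stunnel /etc/stunnel/stunnel.conf" ;;
    bridge)
      # -p publishes 443 inbound only; host.docker.internal via host-gateway
      # (Docker 20.10+, assumed) gives the container a route back to the host
      echo "docker run -d --name stunnel -p 443:443 \
  --add-host=host.docker.internal:host-gateway $mounts \
  cmr_stunnel stunnel /etc/stunnel/stunnel.conf" ;;
    *)
      echo "unknown mode: $mode (use host or bridge)" >&2
      return 1 ;;
  esac
}

# Stand-alone run: write everything into a scratch directory and show the
# remaining steps; nothing here starts a container.
OUT=${1:-$(mktemp -d)}
write_stunnel_server_conf "$OUT" >/dev/null
write_stunnel_client_conf "$OUT" boat.example.org >/dev/null
if command -v openssl >/dev/null 2>&1; then
  make_self_signed_cert "$OUT" boat.example.org >/dev/null
fi
echo "configs written to $OUT; start the server with:"
docker_run_cmd host "$OUT"
echo "then check from the client side with:"
echo "  openssl s_client -connect boat.example.org:443 </dev/null"
echo "  stunnel $OUT/stunnel-client.conf &  ssh -p 2222 pi@127.0.0.1"
```

The client config pins the boat's own self-signed certificate as CAfile, which is the right choice for option 2. With a Let's Encrypt certificate (option 1) point CAfile at the system CA bundle instead and add checkHost with the boat's DNS name, otherwise any certificate that chains to a public CA would be accepted. The bridge variant exists to show why -p alone is not enough; for the boat, the host-network variant the page recommends is simpler and is what the script prints.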

Links

Stunnel documentation (man page): https://www.stunnel.org/static/stunnel.html

Stunnel Dockerfile that is about as simple as it is going to get: https://github.com/taskworld/docker-stunnel/blob/master/Dockerfile

Note: if the host runs ufw, it must allow inbound traffic on the stunnel port (443 here), not drop it: [1]

Note: inside the container, stunnel must accept connections on 0.0.0.0, not localhost (127.0.0.1), or the listener won't be reachable from outside the container: [2]