Getting introduced to Docker
It HAS been a while since I last posted but I’m trying my best to not let that deter me from continuing to blog.
Thanks to my company, I was able to finish the video course about Network+ from TotalSeminars on Udemy. While the course was great, I sometimes felt like it was not exactly enough to just rely on it to prepare for the eponymous exam, which is why I decided to buy the book from the same company.
Because the book is about 900 pages long, it will take me a while to get to the end, but every now and then when I have the energy and the motivation for it, I open it up to where I last left it and start studying to see what I missed and what could be improved in my notes. It’s also a good way for me to just go over everything that I’ve learnt about and try to make it stick.
That being said, the issue with not only loving IT but working in IT is that you always need to be up to date with the latest technologies. I’m saying issue but I see it as a double-edged sword: on the one hand it can make things stressful for you because you feel like you just never know enough, but on the other hand, it’s a new technology! Yay! Awesome!
And this is pretty much how over the last weekend, I decided to finally get introduced to Docker.
I had been using virtual machines for years to try things out and while it’s always easy to just clone a machine when you don’t want to waste time going over the setup again, it can consume a lot of resources and a lot of space.
What is great about the idea of containerization is that everything seems much more flexible when it comes to that. You can easily and rather quickly make your own Dockerfile which doesn’t weigh much and can quickly let you get set up instead of wasting time downloading an ISO and creating a VM from scratch. And the space, the space, man! It’s such a small amount of space needed!
Of course, containers are not meant to replace VMs but I have to admit that I was blown away by the end of the 2h Linux Academy Introduction course I did on Saturday. It’s so easy to set up!
So, what did I do with this you may ask? Well, when I can, I try to take the theoretical knowledge I’ve learnt and put it into practice. This is how I started to think about setting up a FreeIPA container on my Intel x86_64 backup server. That machine has only 4GB of RAM and its main jobs are to automatically back up files via rsync on a daily basis, to serve Plex Media Server and to provide those files via a Samba share. Based on the resource monitoring, this does not consume the 4GB of RAM it has. That’s why I figured it would be a good idea to add FreeIPA to it, permanently, so that I have the same software I use at work as my home DNS server.
Now you may ask: why don’t I just install it on top of openmediavault, used as the OS of my home server? I mean, it is a Linux box after all and it would be easy enough to do that. Yes, but openmediavault already comes with a web interface running on port 80. And because I want to keep that web interface, I was left with a few choices:
- either I spin up a VM: unrealistic based on the resources I have left on the machine
- or I find a way to let FreeIPA’s web UI run on a different port than 80: meh, too lazy for that
- OR I just use the little bit of knowledge that I now have about Docker to… well… dockerize it.
It will hopefully come as no surprise to anybody that I chose the third option. Now, the main reason for this post is to actually write down a couple of interesting things I found out while trying to get this to work.
Because I set this up as a container, it by default used a bridged network off my home server, meaning that it didn’t get a 192.168.0.x IP address but a 10.88.x.x IP address. That’s all great but I don’t just want this container to be accessible from that home server, I want it to be accessible from all the machines on my LAN!
My network skills quickly made me aware that the first thing I needed to do on any other device from which I wanted to reach FreeIPA was to create a static route. Indeed, by default, the computer I was working on had no way in hell to know how to reach anything on 10.88.0.0/16. So… I stood there and thought for a second. Let’s try this command:
ip route add 10.88.0.0/16 via home_server_IP_address
Basically, that means I’m using my home server as the gateway to serve requests sent to any host in that subnet. Cause, you know, it’s sitting on that home server.
The good part is that I now can reach the gateway 10.88.0.1, which is a very good sign. However, my FreeIPA container is sitting on 10.88.0.2 and I can’t ping it. I have no idea why. Why the hell could I reach the gateway but not the machine on it?
Well. It turned out that by default, a Linux box doesn’t allow packet forwarding, which means that I could have tried everything and it would never have worked unless I changed that. To make this work, I had to use these two commands on the home server:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
I needed the second one because, by default, the FORWARD chain’s policy was DROP. Now if I’m not mistaken (but I will double-check later), this was when everything changed: not only could I still reach the gateway of that subnet but now I could also reach the FreeIPA container on it! SUCCESS!
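As an added example (these are not the post’s own commands), here is a narrower version of the home-server setup above: the same ip_forward switch, but persisted across reboots, and explicit FORWARD rules for the LAN-to-container path instead of a blanket ACCEPT policy, plus the client-side route. The LAN subnet, interface names and the home server address are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the post's own commands: enable forwarding but keep the
# FORWARD policy at DROP (the value the container tooling set on purpose) and
# allow only LAN <-> container-subnet traffic. Subnets, interface names and
# the home server address below are assumptions for the example.
LAN_NET="${LAN_NET:-192.168.0.0/24}"            # home LAN (assumed)
CONTAINER_NET="${CONTAINER_NET:-10.88.0.0/16}"  # container bridge subnet from the post
LAN_IF="${LAN_IF:-eth0}"                        # server's LAN interface (assumed)
BR_IF="${BR_IF:-docker0}"                       # container bridge interface (assumed)
HOME_SERVER_IP="${HOME_SERVER_IP:-192.168.0.10}" # placeholder address of the home server
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# enable_forwarding: switch on IPv4 forwarding now and persist it across reboots
# (an echo into /proc is lost at the next boot).
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  run sh -c "printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-container-forward.conf"
}

# allow_lan_to_containers: explicit rules instead of "-P FORWARD ACCEPT".
# Inserted at the top of FORWARD so they are evaluated before the chains the
# container tooling manages; anything not matched still hits the DROP policy.
allow_lan_to_containers() {
  run iptables -P FORWARD DROP
  run iptables -I FORWARD 1 -i "$LAN_IF" -o "$BR_IF" -s "$LAN_NET" -d "$CONTAINER_NET" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -I FORWARD 2 -i "$BR_IF" -o "$LAN_IF" -s "$CONTAINER_NET" -d "$LAN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# add_client_route: the route from the post, run on a LAN client, not the server.
add_client_route() {
  run ip route add "$CONTAINER_NET" via "$HOME_SERVER_IP"
}

# plan: print every command the three steps would run, without touching anything.
plan() (
  DRY_RUN=1
  enable_forwarding
  allow_lan_to_containers
  add_client_route
)

if [ "${1:-}" = apply ]; then enable_forwarding; allow_lan_to_containers; else plan; fi
```

Run it without arguments (or with DRY_RUN=1) on any machine to review the plan; run it as root with the argument apply on the home server to put the forwarding rules in place, and run add_client_route on each LAN client.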
It took me a lot of time to figure this out. I had never done anything like this before so the positive thing was that I was able to learn something from it and that I don’t just consider this lost time. It wasn’t. I now know more than I did before I started working on this.
So what does this mean? FreeIPA is now running and can technically be accessed from all hosts in my LAN if I make sure to change the DNS settings and to have the route added. The problem is that with the SOHO box provided by my ISP, I can’t change the search domain that hosts connecting to the network would then retrieve via DHCP. So for now, if I want to make this work, I have to set the connections to manual instead of automatic. That’s but a small price to pay to make this work.
Whether or not I will actually make good use of it or if it will be discarded in the near future is a completely different story. But this was fun and I’m looking forward to learning more!