How to create your own Docker image

I mentioned in my previous post that I’ll explain how to create your own Docker image and customize it however you’d like. While is great to just use an image from Docker Hub, it can be that you need some customized image to fit your needs. As said before, is not hard at all to create the image and worth knowing how to do it.

I’ll use for this tutorial a fresh Ubuntu 18.04 minimal installation. You can follow the same steps (or almost) using different Linux distro, Microsoft Windows or MacOS. The reason why I chose Ubuntu is simply because is the distro that I’m most familiar and enjoy working with.

For all steps below you need to be root or run the commands via sudo. So you’ll see either # at the begining of the command if you’re root or $ sudo if you pick to run it with elevated rights.

Install Docker

# apt install -y docker.io

A word of advice here. Be sure to have docker.io typed. If you miss the .io, the system will install a docker, but that’s a different package:

docker/bionic 1.5-1build1 amd64
  System tray for KDE3/GNOME2 docklet applications

You’ll end up with something that cannot be used for what we want to achieve, since the docker command isn’t even there.

You can test if the installation completed successfully by using the following command:

# service docker status

You should see something like this in the output:

Docker service successful status

Since this is a new installation, you’ll have no images, no containers, nothing.
You can check, just to be sure.

# docker image ls

The result should be:

Docker image ls return nothing

I’ll add at the end of the post some basic (and most important) Docker commands to get you started.

Pull Ubuntu 18.04 image – Optional step

This step is optional, but I’d advise to do it, just to test that everything is fine with your Docker installation In this case we’re going to use the official Ubuntu 18.04 minimal Docker image. If you want to read more about this image you can check the explanation on Ubuntu 18.04 minimal Docker image and check their repository on Docker Hub – Ubuntu.

# docker pull ubuntu:18.04

If everything goes well you should see a message ending with “Status: Downloaded newer image for ubuntu:18.04” :

Docker successful download of Ubuntu image

Time to run our first container:

# docker run -i -t ubuntu:18.04 /bin/bash

You should be now in container shell:

Docker container

Now that we tested you can type exit to leave the container.

Create Dockerfile

The Dockerfile is nothing more than a text document which contains all the commands a user could call on the command line to create an image.
A detailed explanation is beyond the scope of this post, but if you’d like to learn more, you can check the Docker Documentation – Dockerfile

Here is a sample that’s good to start with:

# My custom Ubuntu 18.04 with 
# various network tools installed
# Build image with:  docker build mycustomlinux01 .


FROM ubuntu:18.04
MAINTAINER Calin C., https://github.com/yotis1982
RUN apt-get update --fix-missing
RUN apt-get upgrade -y
RUN apt-get install -y software-properties-common
RUN apt-get install -y build-essential
RUN apt-get install -y net-tools mtr curl host
RUN apt-get install -y iputils-arping iputils-ping iputils-tracepath
RUN apt-get install -y iproute2
RUN apt-get install -y traceroute
RUN apt-get install -y tcpdump

A short explanation:

# – This is a comment, add here whatever you think is useful. I’ve picked the name “mycustomlinux01”, but you can add whatever you like.
FROM – is always your first instruction, because it names the base image you’re building your new image from.
MAINTAINER – is the creator of the Dockerfile.
RUN – instruction to run the specified command, in this case apt-get to install various packages

There are multiple instructions for setting environment variables like ADD, COPY, ENV, EXPOSE, LABEL, USER, WORKDIR, VOLUME, STOPSIGNAL, and ONBUILD. You can read all about them in the Docker Documentation – Dockerfile

Using RUN you can add whatever package you need in your custom image. The same like you would do on a regular Ubuntu installation.
Yes, all the packages above could have been added in one RUN line, but for the sake of better visibility I would suggest to have separate lines.

Create your custom Docker image

After you save the Dockerfile is time to create your image

# docker build -t mycustomlinux01 .

You’ll see a lot of output, the same like when you’re installing new packages in any Linux distro. When you see the following lines, you’ll know that the image was successful created:

Docker successful image creation

Let’s check if the image is listed using:

# docker image ls

You should see the mycustomlinux01 image listed:

List my Docker image

Since the image is created successful I’d suggest that you run a container using this image following the same steps like in the “Pull Ubuntu 18.04 image”

Basically that’s it, you just created your custom image.

As mentioned above, here is a list of commands that I find useful to have at hand when working with Docker containers.

List images:

# docker image ls

Start a container from an image:

# docker run -i -t ubuntu:12.04 /bin/bash

Using an ID (you get the ID from List image command):

# docker run -i -t 8dbd9e392a96 /bin/bash

List all containers:

# docker ps -a

List running containers:

# docker ps -l

Attach running container:

# docker attach “container ID”

Remove a container:

# docker rm “container ID”

Last but not least. If you liked my Ubuntu 18.04 Docker image customized for network engineers who wants to learn Python and you would like to install additional packages, here is the Dockerfile:

# Ubuntu 18.04 with Python, Paramiko, Netmiko, Ansible
# various other network tools installed and SSH activated
# Build image with:  docker build -t yotis/ubuntu1804-pfne .

FROM ubuntu:18.04
MAINTAINER Calin C., https://github.com/yotis1982
RUN apt-get update --fix-missing
RUN apt-get upgrade -y
RUN apt-get install -y software-properties-common
RUN apt-get install -y build-essential
RUN apt-get install -y openssl libssl-dev libffi-dev
RUN apt-get install -y net-tools mtr curl host socat
RUN apt-get install -y iputils-arping iputils-ping iputils-tracepath
RUN apt-get install -y iproute2
RUN apt-get install -y iptraf-ng traceroute
RUN apt-get install -y tcpdump nmap
RUN apt-get install -y iperf iperf3
RUN apt-get install -y python python-pip python-dev
RUN apt-get install -y python3 python3-pip python3-dev
RUN apt-get install -y openssh-client telnet
RUN apt-get install -y nano
RUN apt-get install -y netcat
RUN apt-get install -y socat
RUN pip install --upgrade pip
RUN pip install cryptography
RUN pip install paramiko
RUN pip install netmiko
RUN pip install pyntc
RUN pip install napalm
RUN apt-add-repository ppa:ansible/ansible
RUN apt-get update
RUN apt-get install -y ansible
RUN apt-get clean
VOLUME [ "/root" ]
WORKDIR [ "/root" ]
CMD [ "sh", "-c", "cd; exec bash -i" ]

Obviously there is more about Docker than is covered on this post. It wasn’t in my scope to make a detailed analyze of Docker, rather a cheatsheet on how to create your custom image. If you want to learn more there are plenty resources out there and a good starting point is the Docker website.

I hope you find this how-to useful. As always, if you need to add something or you have questions about, please use the Comments form to get in contact with me.

Ubuntu image for EVE-NG – Python for network engineers

Lately I’ve started working more and more with EVE-NG to test various network scenarios, automation and in general to try and learn something everyday.

If you’re familiar with EVE-NG, you know where to find various Linux images which you can download and install . Very helpful indeed, however all of them are coming without any pre-installed tools which I need for network oriented tests. I need Python, IPerf, Ansible, various Python libraries for network automation, etc.
Basically every time when I setup a new lab in EVE-NG, I need to make sure that the Linux image has a connection to Internet to download all these tools. Doable, but too much time consuming.

Lately EVE-NG has the Pro version, where you have Docker images which support some of the tools for a network engineer needs to test automation. If you already have EVE-NG Pro, then maybe this is a bit redundant. However if you’re still using the Community version, it may sounds interesting.

I’ve developed the Ubuntu (18.04) image using the same tools that you can find in my Docker image (Ubuntu 16:04 Pfne):
* If you’re not sure what I’m talking about, please read my previous post.

  • Openssl
  • Net-tools (ifconfig..)
  • IPutils (ping, arping, traceroute…)
  • IProute
  • IPerf
  • TCPDump
  • NMAP
  • Python 2
  • Python 3
  • Paramiko (python ssh support)
  • Netmiko (python ssh support)
  • Ansible (automation)
  • Pyntc
  • NAPALM

The image is hosted on my Firstdigest Project at Sourceforge.
If you are in a hurry, download directly using this link: Ubuntu 18.04 Pfne for EVE-NG.

For convenience here are the steps, but if you run into trouble be sure to check the EVE-NG Documentation.

  • Download the image
  • Using favorite SFTP Client (WinSCP, FileZilla) connect to your EVE-NG and upload the image to the location: /opt/unetlab/addons/qemu/
  • Connect via SSH to your EVE-NG machine and go to location:
cd /opt/unetlab/addons/qemu/
  • Unzip your uploaded image file.
tar xzvf linux-ubuntu-server-18.04-pfne.tar.gz
  • Remove the archived image file (be sure to have a copy somewhere to avoid you have to download it again)
rm -f linux-ubuntu-server-18.04-pfne.tar.gz
  • Fix permissions
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

The image comes with the following predefined username and password (security was not the point here):

User: root
Password: root
User: pfne
Password: pfne

With this image you have everything ready for your tests. You want to test QoS? Just design a network and two (client / server pair) machine using this image and push some packets with IPerf. Or maybe you want to test some automation. Here you have it, just start playing with.

Btw, I assume you have the EVE-NG installed. If not and you’re into learning topics, I’ll advise you to install this great application. You can start with Community version which is free (and honestly has enough features for most of the self-teaching engineers out there) and if you feel like go with the Pro version.

Let me know if you find it useful. In case of problems, please comment and I’ll try to help in my spare time.

Remote desktop, GNS3 crashes when drag and drop topology objects

Couple of days ago I reinstalled my machine that I use as GNS3 server. It was about time as thing started to become a bit unstable after so many patches and updates to bring it up from Ubuntu 8.04.

I picked Xubuntu 14.04 LTS as my distro because I like XFCE and with the new GNS3 installed directly from PPA following https://www.gns3.com/support/docs/linux-installation it seems to be a piece of cake the entire story.

Unfortunately the reality was different. The above machine is sitting in my lab and most of the time I do just remote desktop on it via X2GO or XRDP. The issue that I encounter was that GNS3 was starting fine, everything looked to be working correctly, but when I was trying to drag and drop an object (like router, switch) to the topology the GNS3 would crash and the logs would show a nice segmentation fault.

I spent a lot of hours reading about and it seems I’m not the only one which had this strange behavior. However nobody could actually point out a real solution to this problem.

One workaround that I found to be working is to use Thinlinc, a remote desktop server provided by Cendio. The free version supports for up to 10 concurrent users and in my case this limitation should not pose a problem. One disadvantage can be seen that it’s not open source and you need to install also the client software. Again not a big deal, at least for my scope.

If you arrived to my post looking for a solution, the above workaround can be one and it’s working fine.

However, the engineer in me was not satisfied as why the solution would not work just using the included packages in Ubuntu 14.04 LTS.

Digging more, I found that the problem is not actually related to GNS3, but rather to the Qt version that comes with Ubuntu 14.04. Also it’s seems that not only GNS3 is affected by this issue, which appears to be a Qt Bug, but also other software used via a remote X11 connection – https://bugreports.qt.io/browse/QTBUG-38109

Now if you check the GNS3 Linux manual installation page, you’ll see that python3-pyqt5 must be installed. When you install it from PPA, the same python3-pyqt5 is installed, just that maybe you’ll miss it among the other packets that are added automatically.

Checking the Ubuntu 14.04 packages http://packages.ubuntu.com/trusty/python/ (search for python3-pyqt5 to avoid going via all packages) I noticed that the default version is 5.2.1 I’ve checked for particular Bugs with this version that can be related to my problems, unfortunately my search brought no conclusive result, so I had to assume that this version has a problem. I’m not a developer so this task was even harder for me.

I went to check the next Ubuntu release. 15.04 is out of the marked since January 2016 and the only alternative was 15.10. I’m not very keen on trying non-LTS versions, but desperate times require desperate measures. Searching for the same python3-pyqt5 (http://packages.ubuntu.com/wily/python/) I saw that this version is 5.4.2.

Next I tried to find a way to install the 5.4.2 python3-pyqt5 version on Ubuntu 14.04. No success here. I ran into more problems than solutions. If you have a solution to have these two versions working together, please let me know.

Having nothing to lose I downloaded the Xubuntu 15.10, installed it and…everything is working like a charm so farm. I can open GNS3 and drag and drop successfully via a remote connection (XRDP or X2GO).

As you can see I have no solution to the actual problem, but at least I can suggest 2-3 workarounds that may get you out of the woods. For me an article like this would have been very helpful while doing my research, but there was none out there, beside different community posts usually without any answer. This is the reason for which I wanted to share this story with you.

If you have this issue and found another solution, please let me know as I would like to use the 14.04 LTS version of Ubuntu, otherwise I need to wait for the release of 16.04 LTS scheduled for this year.

SSL Certificate signed by own CA

There are a lot of “how-to” on the Internet explaining the setup procedure. This is mainly a copy / paste example for those in a hurry :)

How to setup your own CA

Generate a key for CA

openssl genrsa -aes256 -out myCA.key 4096

Pick a password and remember it!

Generate a SSL certificate for CA

openssl req -new -x509 -days 3650 -key myCA.key -out myCA.crt

How to create a new SSL certificate signed by your own CA

Request a new key for the new domain that you want to secure

openssl genrsa -aes256 -out MyServerName.key 2048

Pick a password and remember it!

Request a CSR and sign it with the previous created key

openssl req -new -key MyServerName.key -out MyServerName.csr

Request the SSL certificate and sign it against the CA

openssl x509 -req -in MyServerName.csr -out MyServerName.crt -sha1 -CA myCA.crt -CAkey myCA.key -CAcreateserial -days 720

(Optional for Linux) Secure the key on the server

chmod 0400 *.key

To have the SSL working you need to copy on the server side
– MyServerName.key
– MyServerName.crt
– myCA.crt (that’s the CA certificate)

How to view a certificate

openssl x509 -in MyServerName.crt -text -noout

How to check whether a private key matches a certificate or that the certificate matches the certificate signing request (CSR)

openssl x509 -noout -modulus -in MyServerName.crt | openssl md5
openssl rsa -noout -modulus -in MyServerName.key | openssl md5
openssl req -noout -modulus -in MyServerName.csr | openssl md5

Does anybody knows a simple script that can offer the above functionality from web interface? I was looking around for a while now, but either they are enterprise complex or do not work. Let me know in Comments if you have a good suggestion.

Thanks!

How to integrate F5 BIG-IP VE with GNS3

I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.

Lately I wanted to get a feeling how F5 BIG-IP works, you know, just to get familiar with its interfaces, rules and being capable of setting up a basic LTM or APM. Far from me the idea of becoming an expert on the first touch, but it’s nice to discover new technologies.

Beside getting the F5 BIG-IP VE (Virtual Edition), running up VMware (ESXi, Player, Fusion or Workstation) and starting the virtual machine I also wanted to emulate some kind of real environment to test. So, I did build the below topology in GNS3:

F5 BIG-IP Simple setup

Some explanation:

  • Client WIN7 is a VM in VirtualBox and integrated in GNS3
  • WWW Servers are VMs in VirtualBox and integrated in GNS3
  • WIN2008 AD DC is a VM in VirtualBox and integrated in GNS3
  • Routers are emulated in GNS3
  • F5 BIG-IP VE is a VM in VMware Workstation and integrated as a Cloud in GNS3

GNS3 is version 1.2.1 which works perfect. Why VirtualBox and VMware Workstation? Usually I have no problem to have my VMs in VirtualBox, but I could not successfully import the F5 BIG-IP VE OVA image in VirtualBox. I had to download a trial version of VMware Workstation to install the OVA image.

If you want to know more about this F5 product, Ethan Banks has a great article about the BIG-IP VE. Please note that Ethan’s article is about getting a lab license for BIG-IP VE. I just went for the trial version. You can download the OVA image and get the license here:
https://www.f5.com/trial/secure/big-ip-ltm-virtual-edition.php

Download the BIG-IP VE OVA image, get a trial license (valid for 90 days) and install it in VMware Workstation. It may work with other VMware products, but in this article I’m using only VMware Workstation.

The part that gave me some headache was the how to have a successfully network communication between VMware Workstation and GNS3.

Before GNS3 1.2.1, when I had to use a “cloud” to integrate VirtualBox VMs in GNS3, I was configuring a TAP interface and use Bridge mode for the VM NIC to the TAP interface. Then on the GNS3 Cloud, I was adding the TAP as a Generic Ethernet NIO on the NIO Ethernet. If you want to refresh more deeply the above information please read my article about How to integrate GNS3 with VirtualBox.

Unfortunately, in VMware Workstation, I cannot just bridge a VMnet interface to a TAP and use that specific VMnet in a VM. I just could not make it work.

To cut it short, here are the steps that I had to follow to have this working. I assume that you have VMware Workstation installed already. Another detail is that I’m using Ubuntu 14.04 to test the entire scenario.

1. Add two VMnet interfaces in VMware Workstation Virtual Network Editor

Use the image below to have an idea what I mean.

Virtual Network Editor

2. Configure the BIG-IP VE NIC as follow in VMware Workstation

I assume that you have the BIG-IP VE OVA imported in VMware Workstation

BIG-IP VE NIC

I had 4 NICs originally, but I only need three:

  • VMnet0 is bridge to my real LAN interface so I can manage the F5 BIG-IP VE over Web / CLI interfaces
  • VMnet11 – one “internal” interface facing LAN (server side)
  • VMnet22 – one “external” interface facing WAN (client side)

3. Configure two tap interfaces for F5 BIG-IP VE to be used in GNS3

11 – internal, 22 – external

sudo tunctl -u user -t tap11
sudo tunctl -u user -t tap22

*user = the non-root user which you use on Ubuntu host.

If you are having problems to find tunctl command please do the following:

sudo apt-get install uml-utilities bridge-utils

Bring the interfaces up

sudo ifconfig tap11 up
sudo ifconfig tap22 up

4. Remove the IP addresses on both TAP and VMnet interfaces

sudo ifconfig tap11 0.0.0.0 promisc up
sudo ifconfig tap22 0.0.0.0 promisc up
sudo ifconfig vmnet11 0.0.0.0 promisc up
sudo ifconfig vmnet22 0.0.0.0 promisc up

5. Bridge the TAP and the VMnet interfaces

sudo brctl addbr br11
sudo brctl addif br11 tap11
sudo brctl addif br11 vmnet11
sudo brctl addbr br22
sudo brctl addif br22 tap22
sudo brctl addif br22 vmnet22

Bring the bridge interfaces up

sudo ifconfig br11 up
sudo ifconfig br22 up

5. Add the F5 BIG-IP VE to GNS3

If with GNS3 1.2.1 you can add the VirtualBox VMs directly, for the VMware Workstation (Player, Fusion, etc…) VMs you still need to you the Cloud part.

My GNS3 for F5 topology looks like this:

F5 topology in GNS3

And the GNS3 Cloud (representing the F5 BIG-IP VE) settings are the following:

F5 GNS3 Cloud settings

6. Connect the GNS3 Cloud interfaces to R1 and R2

Like shown in the image above, connect the TAP interface of the Cloud to the peer routers.

I’m running all applications (GNS3, VMware Workstation, VirtualBox) as non-root user. If you’re doing the same an error may occur in GNS3. Something like:

Server error [-3200] from x.x.x.x:8000: R1: unable to create TAP NIO

If this is the case, please run the following command on Ubuntu host:

sudo setcap cap_net_admin,cap_net_raw=ep /usr/local/bin/dynamips

This will help you setup the environment to test F5 BIG-IP VE in a lab environment totally virtualized. I’m not going to cover here how to configure the F5 BIG-IP VE. Maybe in one of my next articles.

If you encounter problems, please let me know in Comments.