Our docker container definitions
Hopefully, this helps give an idea about what it takes to set this up.
Be sure you aren't talking to 172.17.0.0/16 before you do this! If you use that address range elsewhere, please apply the fix for docker0 before installing docker.
Using docker for services that require a fixed IP address (ie. DNS/DHCP) can be a bit tricky. My goal was to avoid adding NAT in the middle so that a stopped container would not respond to ARP requests and could be moved without fiddling with the host network. To accomplish this, I use a bridge with a physical interface in the proper network as the docker network for these containers.
By default, docker0 will use the least-convenient IPv4 non-routable range
possible in my environment. To make matters worse, the typical way to fix this
on Debian (editing /etc/default/docker) has no effect if you are running
under systemd (the new default in debian). To change the docker0 bridge IP, I
do the following:
# /etc/systemd/system/docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --bip=192.0.2.1/24
# /etc/network/interfaces
## LACP is not needed, just something we chose to do in our environment
auto bond0
iface bond0 inet manual
bond_slaves eth2 eth3
# LACP, requires matching switch configuration
bond_mode 802.3ad
auto br0
iface br0 inet manual
bridge-ports bond0
bridge-maxwait 0
bridge-fd 0
add bridge to docker, NB: removing the bridge in docker will delete the bridge and all slave interfaces
docker network create -d bridge --gateway <ip_for_br0> -o com.docker.network.bridge.name=br0 -o com.docker.network.bridge.enable_ip_masquerade=false --aux-address "DefaultGatewayIPv4=<default_gateway>" --subnet <network_CIDR> ipamnet
Look at the *.env.example files to get an idea of which environment options are respected
I have proxied the web foo behind nginx on the host because I am lazy.
docker run --name dev-openipam-web --env-file=openipam_web_options.env -v /var/run/docker_openipam_dev:/var/run/uwsgi openipam-webHere is the corresponding nginx config:
upstream openipam_dev {
server unix:///var/run/docker_openipam_dev/openipam.sock;
}
server {
listen 443 ssl;
# SSL config omitted for brevity
location / {
uwsgi_pass openipam_dev;
include uwsgi_params;
}
}
This will need to be running on the IP address configured as a helper address on your routers (it may also work on something in the same L2 domain as your clients).
docker run --env-file ~/dhcp_server.env --net ipamnet --ip $IP_HELPER_ADDRESS -v /dev/log:/dev/log --name dhcptest --restart=unless-stopped -d openipam-dhcpTODO: I don't recommend running your production database in a docker container. We are currently using londiste3 to keep an up-to-date replica without the write load from DHCP to handle DNS queries.
This is the DNS server you should point NS records at
# FIXME: I don't think this is configured to log to syslog currently
docker run --env-file openipam-root-test.env --net ipamnet --ip $IP_FROM_NS_RECORDS -v /run/postgresql/:/var/run/postgresql/ -v /dev/log:/dev/log --name dev-openipam-nsroot -d openipam-powerdns-authoritativeTODO: This is the DNS server you should point clients at -- any other DNS recursor will work as well