Of course. I am trying to replicate our local instance that was created a few months back as a Docker instance, at the request of higher-ups who want Docker. The install is required to be offline/air-gapped from the external internet. I was able to figure out the process for getting Docker images offline, yet my Docker knowledge is very basic.
A simple answer is yes: a quickstart image that is offline/air-gapped.
Gotcha. So now I understand what you did and why, and now the title of the post makes more sense to me too! Thank you. Let me talk to some people and mull over this, and I’ll get back to you. Thanks for the clarity.
Thank you for the assistance.
Is the base OS for this Red Hat 7.9?
Yes, Red Hat 7.9 is the OS.
Hi there @cmbryner, to try to reproduce that problem, I installed Docker on CentOS 7 and ran the script to start the Ziti Controller. I didn’t run into the same issue.
I have collected the files I used to build the CentOS7 VM and install things in case it helps you to identify what is different about your environment.
Hello, I got the same issue. I tried blowing away the VM and running again, and the same result occurred.
It makes me think your OS has some differences, and those differences are probably not going to be particularly easy for us to reproduce/troubleshoot… Do you have a script of “things you do” with a RHEL 7.9 install in order to get things working? For example, how do you install Docker? Do you have any antivirus, things like that? We’ve seen odd issues from other Linuxes before; we’ve seen SELinux get in the way, etc.
It’s just a standard Red Hat image downloaded from Red Hat, no changes, nothing crazy installed. To set up the VM there is a script to join it to AD and give it an IP, but that’s it, and I have tried with SELinux off and McAfee off.
I installed Docker following their install instructions, and I can run the hello-world Docker image just fine.
I will add that when I tried to run the latest openziti quickstart I get an error that says it does not exist, but when I pass a tag of 0.27.2 it runs perfectly fine. I am leaning toward an issue with /var/openziti/scripts/ziti-cli-functions.sh, but I am not sure, since when I go and try to read the script it says it does not exist.
Does /var/openziti/scripts/ziti-cli-functions.sh get created at docker run time, or is it pulled from the internet?
Can you share a link to the steps you used? I specifically want to follow whatever you followed. Also, if there’s anything else important about the setup, lemme know. I also think there’s a problem with the setup, but it’s odd to me because you’re getting the /var/openziti/scripts/ziti-cli-functions.sh: line 1141: /persistent/ziti.env: Permission denied error, which seems like a strange/unexpected permission issue to me.
The script is baked into the image itself.
This may be a permissions issue. Do I have to add myself to any special Docker group to be able to run Docker images?
You do, but if you ran hello-world you should be fine. Generally you add “whatever” user you are to the docker group, and that’s all you need to do… I still can’t get Docker installed on RHEL 7.9 tho…
Ok… So here are the two changes you need to perform to make this work. I’ll update our docs accordingly. Since you’re running as root, when you run your docker containers, apparently on RHEL you’ll need to also supply the --user root and --privileged flags to the docker commands.
So, for example:
docker run \
--user root --privileged \
--network myFirstZitiNetwork \
--network-alias ziti-controller \
--network-alias ziti-edge-controller \
-p 1280:1280 \
-it \
--rm \
-v ~/docker-volume/myFirstZitiNetwork:/persistent/pki \
-v ~/docker-volume/myFirstZitiNetwork/ziti.env:/persistent/ziti.env \
openziti/quickstart \
/var/openziti/scripts/run-controller.sh
If you do that, I think you’ll be good to go.
Also note, the next challenge you’ll probably hit is the advertised addresses. The docker quickstarts make assumptions about all the traffic being routable. I don’t think we have any guides on how to use docker “anywhere” yet.
Yes, you will need to add a non-root user to the permission group “docker”. “root” already has permission to use the Docker API socket. You can see the socket by running docker context ls.
On my system you can see that the group has write permission on the socket.
❯ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Mar 29 15:25 /var/run/docker.sock=
If I may, it’s a good idea to run commands and services as a non-root user. Your Red Hat OS has good support for sudo, and I think it will help you out in the long run to run as root selectively instead of by default.
The Ziti Controller doesn’t need to run as root inside the container, and keep in mind that the UID inside the container has the same privileges as that UID outside the container.
In the lab I sent with CentOS 7.8 I made sure it will work. I ran the quickstart there as non-root, and I see the same errors you saw when I run the quickstart as root.
Good luck and let us know how it’s going.
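The two fixes above pull in opposite directions: one adds --user root --privileged to the docker run line, the other points out that a bind mount carries host ownership into the container unchanged, so the "Permission denied" on /persistent/ziti.env is really a host-side ownership problem on the mounted file. As an added example (not code from the thread or from the OpenZiti project), the POSIX shell script below runs the pre-flight checks a practitioner would want before starting the container as a non-root user: is the Docker socket writable by me, and are the volume paths from the docker run line above owned and writable by the UID the container will run as. It assumes that UID is supplied by the caller (the thread does not state the quickstart image's unprivileged UID), that the volume layout is <dir>/pki plus <dir>/ziti.env as in the thread, and that GNU find (as shipped on RHEL 7) is available for the -uid test.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenZiti project:
# pre-flight checks for the bind-mounted quickstart volume so the container
# can run as a non-root user instead of with "--user root --privileged".
# Assumptions: the UID the container runs as is passed in by the caller (the
# thread does not give the image's unprivileged UID); the paths follow the
# docker run line from the thread (<dir>/pki and <dir>/ziti.env); GNU find.

# Succeeds when $1 exists, is owned by uid $2, and has the owner-write bit set.
# A bind mount keeps host ownership inside the container, so this is exactly
# the check the container's UID will face on /persistent/ziti.env.
path_writable_by_uid() {
    [ -n "$(find "$1" -maxdepth 0 -uid "$2" -perm -u=w 2>/dev/null)" ]
}

# Succeeds when the current user can write the Docker API socket, i.e. is root
# or a member of the group that owns it (the "docker" group in the thread).
docker_socket_usable() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Creates the volume layout and hands it to uid $2 when the caller is allowed
# to (root, or already that uid). Returns 0 only if both paths end up writable
# by that uid; a non-zero result here is the thread's "Permission denied",
# surfaced on the host before the container ever starts.
prepare_volume() {
    dir=$1; uid=$2
    mkdir -p "$dir/pki" || return 1
    [ -e "$dir/ziti.env" ] || : > "$dir/ziti.env" || return 1
    if [ "$(id -u)" -eq 0 ] || [ "$(id -u)" -eq "$uid" ]; then
        chown -R "$uid" "$dir" || return 1
    fi
    path_writable_by_uid "$dir/ziti.env" "$uid" && path_writable_by_uid "$dir/pki" "$uid"
}

# Typical use (run as the non-root user that will own the volume):
#   prepare_volume ~/docker-volume/myFirstZitiNetwork "$(id -u)" \
#       && docker_socket_usable \
#       && echo "ready: start the container with --user $(id -u)"
```

The point of the ownership check is the one made in the post above: the container's UID is the host's UID, so fixing ownership on the host removes the need for both --user root and --privileged, and the container keeps the least privilege it needs to read its own config.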
Thanks for your help. It now fully works in our offline lab just like the local setup. I have written the steps to install both options and sent them to our integration engineer so that he can do what he wants with it. Appreciate everything.
FYI @cmbryner, you might be interested in another post I made for another user around Docker which I think you’ll want/need… It shows you how to use Docker “anywhere” and how to override the advertised addresses…
Check it out here… FYI