---
layout: post
title: "Lazar in a Docker Shorewall Nginx Environment"
description: ""
category: Installation
tags: [Setup, Nginx, Docker, Shorewall, lazar]
---
{% include JB/setup %}

**This post explains how to set up the Lazar Docker image in a Shorewall/Nginx environment with a static IP.**

Docker creates its own virtual interface **docker0** with a network in a private subnet (a random 172.17.x.x net) and assigns the container a random IP from that subnet on start. In this example we want to run a lazar docker container with a static IP in a 10.0.1.x subnet. The lazar prediction application will be available with the lazar-gui at mysub.mydomain.mytld on port 80 for web browsers. Shorewall is used as a firewall and to port-forward ssh directly into the container. Nginx on the host machine delivers HTTP access to the GUI via the FQDN.

This article summarizes several documentations, blog entries and stackoverflow discussions (all linked in the text) together with the lazar setup.

Please keep in mind: **Always check that your shorewall settings do not lock you out** of your own machine (ssh ports). Always make sure you can still log in before you close the last open ssh session.
## Setup your own docker subnet

Restart docker when changing network settings:

```sh
sudo systemctl stop docker
sudo systemctl start docker
```

Create a docker bridge (br0) with a subnet (see also https://docs.docker.com/engine/reference/commandline/network_create/):

```sh
docker network create --subnet= --gateway= br0
```

Check with:

```sh
docker network ls
```

```
NETWORK ID          NAME                DRIVER
6c30cce12345        br0                 bridge
0fd4123450fc        bridge              bridge
e3a931234593        none                null
e311234523dc        host                host
```

## Download and setup lazar

Download the docker lazar image:

```sh
docker pull insilicotox/lazar-public-data
```

Run the docker image with a static IP:

```sh
docker run -p 8088:8088 --net br0 --ip -itd insilicotox/lazar-public-data:v3
```

List containers to find out the CONTAINER_ID:

```sh
docker ps -a
```

Start the container with:

```sh
docker start CONTAINER_ID
```

Go into the container to start the database and the lazar-gui application (see also: https://hub.docker.com/r/insilicotox/lazar-public-data/):

```
docker exec -ti CONTAINER_ID bash
ist@CONTAINER_ID:~$ sudo /etc/init.d/mongod start
ist@CONTAINER_ID:~$ cd lazar-gui
ist@CONTAINER_ID:~$ unicorn -p 8088 -D
ist@CONTAINER_ID:~$ exit
```

## Shorewall Setup

Get the name of the new bridge:

```sh
ip addr
```

```
...
34: br-6c30cceb5756: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:6f:42:d2:8e brd ff:ff:ff:ff:ff:ff
    inet scope global br-6c30cceb5756
       valid_lft forever preferred_lft forever
    inet6 fe80::42:6fff:fe42:d28e/64 scope link
       valid_lft forever preferred_lft forever
```

The name of the network bridge in this example is **br-6c30cceb5756**.

For a clean restart of shorewall do:

```sh
sudo shorewall stop
sudo shorewall clear
sudo shorewall start
```

### Shorewall versions < 5.0.6

See http://shorewall.net/Docker.html. Add hooks to /etc/shorewall/init, /etc/shorewall/stop and /etc/shorewall/start to keep the iptables settings from docker (a shorewall start installs its own ruleset and would otherwise drop the NAT and forwarding rules docker created for the container), as described at http://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/.

For ***/etc/shorewall/init*** and ***/etc/shorewall/stop***:

```sh
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' >/etc/shorewall/docker_rules
    iptables -t nat -S DOCKER >>/etc/shorewall/docker_rules
    iptables -t nat -S POSTROUTING >>/etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules
    echo '*filter' >>/etc/shorewall/docker_rules
    iptables -S DOCKER >>/etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules
fi
```

For ***/etc/shorewall/start***:

```sh
if [ -f /etc/shorewall/docker_rules ]; then
    iptables-restore -n
```
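The hook scripts above only run on a host with docker and shorewall installed. The following is an added example, not code from the post or from the lazar project: it runs the init/stop hook body against a stubbed `iptables` that emits constructed `-S` output, then checks that the saved file has the layout `iptables-restore -n` expects before the start hook would feed it back in. It also shows the general rule behind the `ip addr` step, namely that docker names a user-defined bridge `br-` followed by the first 12 characters of the network ID from `docker network ls`. The container address 10.0.1.100, the stubbed rules and the temporary `RULES_FILE` path are assumptions of this example; the bridge name and port are the ones used in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): exercise the Shorewall
# init/stop hook offline with a stubbed iptables and validate its output.

RULES_FILE="${RULES_FILE:-$(mktemp)}"   # stands in for /etc/shorewall/docker_rules

# Docker names a user-defined bridge "br-" + first 12 chars of the network ID.
bridge_ifname() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Stub for the real iptables binary. Constructed output for a host with one
# container (assumed address 10.0.1.100, not taken from the post) publishing
# port 8088 on the bridge named in the post.
iptables() {
    table=filter
    if [ "$1" = "-t" ]; then table=$2; shift 2; fi
    case "$table $1 $2" in
        "nat -L DOCKER") return 0 ;;   # the DOCKER chain exists
        "nat -S DOCKER")
            printf '%s\n' '-N DOCKER' \
                '-A DOCKER -i br-6c30cceb5756 -j RETURN' \
                '-A DOCKER ! -i br-6c30cceb5756 -p tcp -m tcp --dport 8088 -j DNAT --to-destination 10.0.1.100:8088' ;;
        "nat -S POSTROUTING")
            printf '%s\n' '-P POSTROUTING ACCEPT' \
                '-A POSTROUTING -s 10.0.1.0/24 ! -o br-6c30cceb5756 -j MASQUERADE' \
                '-A POSTROUTING -s 10.0.1.100/32 -d 10.0.1.100/32 -p tcp -m tcp --dport 8088 -j MASQUERADE' ;;
        "filter -S DOCKER")
            printf '%s\n' '-N DOCKER' \
                '-A DOCKER -d 10.0.1.100/32 ! -i br-6c30cceb5756 -o br-6c30cceb5756 -p tcp -m tcp --dport 8088 -j ACCEPT' ;;
        *) return 1 ;;
    esac
}

# The hook body from the post, with the output path made a variable.
save_docker_rules() {
    if iptables -t nat -L DOCKER >/dev/null 2>&1; then
        echo '*nat' >"$RULES_FILE"
        iptables -t nat -S DOCKER >>"$RULES_FILE"
        iptables -t nat -S POSTROUTING >>"$RULES_FILE"
        echo "COMMIT" >>"$RULES_FILE"
        echo '*filter' >>"$RULES_FILE"
        iptables -S DOCKER >>"$RULES_FILE"
        echo "COMMIT" >>"$RULES_FILE"
    fi
}

# Structural check worth running in the start hook before iptables-restore -n:
# exactly the nat and filter tables, each closed by COMMIT, and every other
# line an iptables directive (-N, -P or -A). Returns 0 when well formed.
check_docker_rules() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(grep -c '^\*' "$f")" -eq 2 ] || return 1
    grep -q '^\*nat$' "$f" || return 1
    grep -q '^\*filter$' "$f" || return 1
    [ "$(grep -c '^COMMIT$' "$f")" -eq 2 ] || return 1
    if grep -Ev '^(\*(nat|filter)|COMMIT|-[NPA] )' "$f" >/dev/null; then
        return 1   # a line that iptables-restore would not understand
    fi
    return 0
}

# Number of -A rules in the saved file, i.e. what would actually be restored.
count_saved_rules() {
    grep -c '^-A ' "$1"
}

save_docker_rules
if check_docker_rules "$RULES_FILE"; then
    echo "docker_rules OK: $(count_saved_rules "$RULES_FILE") rules saved to $RULES_FILE"
fi
```

The check is deliberately strict: a file with a missing `COMMIT` or a stray line makes `iptables-restore` abort part-way, which on a firewall host means the container stays unreachable after a shorewall restart with no obvious error in the shorewall output itself.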