Error implementing PandoraFMS on Docker
#11
Axel,

I'm using an Nginx container to reverse proxy the requests towards the Moby Dick host. I've lots of web services there so the Nginx can orchestrate the flow and provide an additional security layer. If I set docker to publish some port directly (e.g. 9080 of the host to 80 of the container), the page works flawlessly. So I think that it can be some misconfiguration of the reverse proxy. Perhaps the PHP part isn't working properly.

I'm gonna solve this and then I'm gonna build some summarized tutorial on how to start PandoraFMS using the -v parameter for Database persistence, --network for environment isolation and some other info. So people can get that easily in the future.

Thank you again for all the help and for all the talking. It's been an awesome learning process here about docker and also about PandoraFMS.
#12
Hi Axel,

It was really some misconfiguration on the Nginx reverse proxy that was affecting my installation. I was making access using SSL on port 443 to the reverse proxy and it was proxy passing the access to the PandoraFMS Console on port 80. Well, Google Chrome intercepts this port and protocol change and flags the access as insecure, giving me the following error message:

Code:
Mixed Content: The page at 'https://servername/pandora_console/index.php' was loaded over HTTPS, but requested an insecure script 'http://servername/pandora_console/include/graphs/flot/pandora.flot.js'. This request has been blocked; the content must be served over HTTPS.

The way out (since I really do wanna use SSL) was to enable mod_ssl.so onto the Apache of the PandoraFMS Console container, but it isn't installed and I'm unable to install it using apt as well.

Why isn't it ready for SSL already? Could you please help me on enabling mod_ssl.so in order to be able to only communicate using SSL between the containers?


Regards,
Thiago Lima
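The Chrome message above is triggered by a script requested through an absolute http:// URL from a page loaded over HTTPS. As an added example (not part of the original post; the function names and every sample path except pandora.flot.js are constructed), this Python script lists the subresources of an HTTPS page that would be fetched over plain HTTP, and shows that relative and protocol-relative URLs are not affected:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCKABLE = {"script", "iframe", "link"}   # active content: blocked outright
PASSIVE = {"img", "audio", "video"}        # images/media: warned or auto-upgraded


class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Only stylesheet links load a subresource; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        kind = "blockable" if tag in BLOCKABLE else "passive" if tag in PASSIVE else None
        url = a.get("href" if tag == "link" else "src")
        if kind is None or not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return the http:// subresources referenced by a page served over https."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    scanner = _Scanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; only the pandora.flot.js URL comes from the thread.
SAMPLE_HTML = """
<link rel="stylesheet" href="include/styles/pandora.css">
<script src="http://servername/pandora_console/include/graphs/flot/pandora.flot.js"></script>
<script src="//servername/pandora_console/include/javascript/app.js"></script>
<img src="http://servername/pandora_console/images/logo.png">
"""

if __name__ == "__main__":
    page = "https://servername/pandora_console/index.php"
    for kind, tag, url in find_mixed_content(page, SAMPLE_HTML):
        print(f"{kind:9} <{tag}> {url}")
```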
#13
Hello Thiago,

I think you should enable the "Enforce https" option under the Setup menu, that will force all the HTTP requests to HTTPS requests.

If you go to the setup (gear icon) -> Setup -> General setup you'll find the check there. Let me know the results!
#14
Hi Axel,

Thank you for that information, I've forgotten this option. But I've done that and yet I'm still unable to bind on the HTTPS port. Inspecting the container, I can see that the 443 port isn't exposed:
Code:
"Ports": {
    "162/udp": null,
    "41121/tcp": null,
    "80/tcp": null,
    "8022/tcp": [
        {
            "HostIp": "0.0.0.0",
            "HostPort": "8022"
        }
    ],
    "8023/tcp": [
        {
            "HostIp": "0.0.0.0",
            "HostPort": "8023"
        }
    ]
}

So I've launched it once again with the --expose argument in order to make the 443 port available for connections.

After that, I've seen that the bind with SSL was still being refused. So I've run netstat -lnp and this is the output:
Code:
$ docker exec -it PandoraFMS-Console netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q    Send-Q    Local Address        Foreign Address        State        PID/Program name
tcp        0        0        127.0.0.11:41124    0.0.0.0:*            LISTEN        -
tcp        0        0        0.0.0.0:8022        0.0.0.0:*            LISTEN        -
tcp        0        0        0.0.0.0:8023        0.0.0.0:*            LISTEN        -
tcp        0        0        :::80            :::*                LISTEN        39/httpd
udp        0        0        127.0.0.11:45726    0.0.0.0:*

Checking the available mods, the mod_ssl wasn't installed either. So I've run the following command:
Code:
docker exec -it PandoraFMS-Console yum -y install mod_ssl

But it fails with the following message:
Code:
error: %posttrans(httpd-2.2.15-54.el6.centos.x86_64) scriptlet failed, signal 15
Error in POSTTRANS scriptlet in rpm package httpd-2.2.15-54.el6.centos.x86_64

Which seems to be some bug regarding the SELINUX. Well, at this point I'd like to ask you for a Console image ready for SSL since it is not just an application issue. Could you please consider that?
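The two outputs in the post above answer different questions: the inspect data shows what Docker has exposed or published, while netstat shows what the service inside the container actually listens on. As an added example (not part of the original post; the function names are hypothetical, and the "443/tcp" entry is an assumed state after relaunching with --expose 443), this Python script combines both for one port:

```python
import json

# Constructed inputs modelled on the output quoted in the post. "443/tcp" is
# an assumption showing the state after relaunching with --expose 443.
PORTS = json.loads("""{
  "162/udp": null, "41121/tcp": null, "80/tcp": null, "443/tcp": null,
  "8022/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8022"}],
  "8023/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8023"}]
}""")
NETSTAT = """\
Proto Recv-Q Send-Q Local Address     Foreign Address State  PID/Program name
tcp   0      0      127.0.0.11:41124  0.0.0.0:*       LISTEN -
tcp   0      0      0.0.0.0:8022      0.0.0.0:*       LISTEN -
tcp   0      0      0.0.0.0:8023      0.0.0.0:*       LISTEN -
tcp   0      0      :::80             :::*            LISTEN 39/httpd
udp   0      0      127.0.0.11:45726  0.0.0.0:*
"""


def listening_sockets(netstat_text):
    """Parse `netstat -lnp` output into a set of (proto, port, address)."""
    socks = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue
        addr, _, port = f[3].rpartition(":")  # ":::80" -> ("::", ":", "80")
        socks.add((f[0][:3], int(port), addr))
    return socks


def diagnose(port, proto, ports, netstat_text):
    """Compare Docker's port metadata with what the container listens on."""
    key = f"{port}/{proto}"
    addrs = sorted(a for p, n, a in listening_sockets(netstat_text)
                   if p == proto and n == port)
    reachable = [a for a in addrs if a != "::1" and not a.startswith("127.")]
    if not reachable:
        verdict = "no listener: configure the service, --expose cannot help"
    elif ports.get(key):
        verdict = "published on the host"
    else:
        verdict = "reachable only from containers on the same network"
    return {"exposed": key in ports, "published": bool(ports.get(key)),
            "listening_on": addrs, "verdict": verdict}
```

For port 443 the result is exposed but without a listener, which matches the refused connection described in the post: httpd only binds port 80 until mod_ssl is loaded and configured.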
#15
Hi Axel,

I've built my own image which is ready for SSL. It is hosted as a public image so anyone can pull from Dockerhub and following you can find the Dockerfile so people can see how it was built.

It was built based on the PHP official docker image and the main difference is that it was based on Debian. I don't think it would be an issue because nowadays I'm running it over Ubuntu (on my legacy environment not Dockerized). It seems to be working, I'll let you know about any issue I could find. Feel free to have a look, use it, and of course to suggest any enhancements.

Here it goes:
Dockerhub: https://hub.docker.com/r/tdsis/pandorafms-console/

Dockerfile:
Code:
FROM php:5.6.25-apache

RUN apt-get update \
    && apt-get install -y -o Dpkg::Options::="--force-confnew" libapache2-mod-php5 \
                            php5 \
                            php5-mysql \
                            php5-gd \
                            php5-curl \
                            php-pear \
                            php5-snmp \
                            php-db \
                            php-gettext \
                            graphviz \
                            php5-xmlrpc \
                            php5-ldap \
                            dbconfig-common \
                            mysql-client \
                            ssl-cert

COPY apache2-foreground /usr/local/bin/
COPY pandorafms.console_6.0SP3.deb /tmp/
COPY pandorafms.conf /etc/apache2/sites-available/

# Install the console package; -y keeps apt-get non-interactive during the build
RUN dpkg -i /tmp/pandorafms.console_6.0SP3.deb \
    && apt-get -f install -y

WORKDIR /etc/apache2/mods-enabled

RUN ln -s ../mods-available/ssl.conf ssl.conf \
    && ln -s ../mods-available/ssl.load ssl.load \
    && ln -s ../mods-available/rewrite.load rewrite.load \
    && ln -s ../mods-available/socache_shmcb.load socache_shmcb.load

WORKDIR /etc/apache2/sites-enabled

RUN rm -f 000-default.conf \
    && rm -f default-ssl.conf \
    && ln -s ../sites-available/pandorafms.conf pandorafms.conf

ENV MAX_INPUT_TIME=-1
ENV MAX_EXECUTION_TIME=0
ENV UPLOAD_MAX_FILESIZE=800M
ENV MEMORY_LIMIT=1024M

RUN sed -i "s/max_input_time = 60/max_input_time = ${MAX_INPUT_TIME}/g" /etc/php5/apache2/php.ini \
    && sed -i "s/max_execution_time = 30/max_execution_time = ${MAX_EXECUTION_TIME}/g" /etc/php5/apache2/php.ini \
    && sed -i "s/upload_max_filesize = 2M/upload_max_filesize = ${UPLOAD_MAX_FILESIZE}/g" /etc/php5/apache2/php.ini \
    && sed -i "s/memory_limit = 128M/memory_limit = ${MEMORY_LIMIT}/g" /etc/php5/apache2/php.ini \
    && sed -i "s/pcntl_exec,//g" /etc/php5/apache2/php.ini

RUN apt-get autoremove -y \
    && apt-get autoclean

EXPOSE 80 443 41121 162/udp

CMD ["apache2-foreground"]

Now I've pulled the pandorafms/pandorafms-server:6 image and the Server is running as well. I'm gonna perform some tests and I'll share here the results. Thank you for all the help so far.


Regards!




(c) 2006-2018 Artica Soluciones Tecnológicas. Contents of this wiki are under Create Common Attribution v3 licence. | pandorafms.com | pandorafms.org
