perfsonar-user - Re: [perfsonar-user] testpoint docker image firewall rules for
Subject: perfSONAR User Q&A and Other Discussion
- From: Mark Feit <>
- To: Johann Hugo <>, "" <>
- Subject: Re: [perfsonar-user] testpoint docker image firewall rules for
- Date: Fri, 3 Feb 2023 16:58:28 +0000
Johann Hugo writes:
I would like to run this script automatically when starting the container (with docker-compose): /usr/lib/perfsonar/scripts/configure_firewall install
Where is the best place to do it?
As far as I know, Docker Compose doesn’t have hooks to run programs on the host when containers are started. I suspect that has to do with the fact that running on multiple OSes prevents them from guaranteeing consistent behavior across all of them. The only reliable way to achieve that would be to wrap both actions in a script that does both and run that instead of Docker Compose, but that causes logistical problems if you want to keep the host systems free of container-specific code.
One other option is to piggyback the container directly onto an outside interface with Docker’s macvlan network driver. The container includes the perfsonar-toolkit-security package, so it’s already properly-firewalled internally. We’re doing that at Internet2 on our internal 100 Gb/s systems and the drag on performance is essentially zero compared to bare metal on the same hardware.
--Mark
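
The macvlan option described in the reply above, sketched as a Compose file. This is an added example, not part of the original message and not perfSONAR's own configuration. The image name, the parent interface `eth0` and all addresses (taken from the 192.0.2.0/24 documentation range) are assumptions to be replaced with site values.

```yaml
# Added illustration: attach a perfSONAR testpoint container directly to an
# outside interface with Docker's macvlan driver.
# Every value here is a placeholder or assumption, not taken from the thread.
services:
  testpoint:
    image: perfsonar/testpoint        # assumed image name
    restart: unless-stopped
    networks:
      outside:
        ipv4_address: 192.0.2.10      # constructed address (documentation range)

networks:
  outside:
    # macvlan gives the container its own MAC and IP on the parent's L2
    # segment. Its traffic does not pass through the host's firewall chains,
    # so filtering depends on the rules inside the container.
    driver: macvlan
    driver_opts:
      parent: eth0                    # assumed host interface facing the network
    ipam:
      config:
        - subnet: 192.0.2.0/24        # constructed; must match the parent's real subnet
          gateway: 192.0.2.1          # constructed
```

With macvlan the host cannot reach the container through the parent interface by default, so verify the container's exposed ports from another machine on the same network rather than from the Docker host.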