
    Installing cSRX in a Bare-Metal Linux Server

    This section outlines the steps to install the cSRX container on a Linux bare-metal server running Ubuntu, Red Hat Enterprise Linux (RHEL), or CentOS. The cSRX container is packaged as a Docker image and runs in the Docker Engine on the Linux host.

    This section includes the following topics:

    • Before You Deploy

    • Confirming Docker Installation

    • Loading the cSRX Image

    • Creating the Linux Bridge Network for the cSRX

    • Launching the cSRX Container

    Before You Deploy

    Before you deploy the cSRX Container Firewall as an advanced security service in a Linux container environment, ensure that you:

    • Review Requirements for Deploying cSRX on a Bare-Metal Linux Server to verify that the Linux server meets the system and software requirements for running the cSRX container.

    • Install and configure Docker on your Linux host platform to implement the Linux container environment. Docker installation requirements vary based on the platform and the host OS (Ubuntu, Red Hat Enterprise Linux (RHEL), or CentOS). See Install Docker for installation instructions on the different supported Linux host operating systems.

    Confirming Docker Installation

    Before you load the cSRX image, confirm that Docker is properly installed on the Linux host and that the Docker Engine is running.

    To confirm Docker installation:

    1. Confirm that Docker is installed and running on the Linux server by using the service docker status command.

      root@csrx-ubuntu3:~# service docker status

      docker start/running, process 701

      The start/running line shown here is Upstart output. On hosts that use systemd (recent Ubuntu releases, RHEL 7 and CentOS 7 and later), the service command is forwarded to systemctl and a running daemon is reported with an Active: active (running) line instead.

      You should also be able to run docker run hello-world and see a response like the following, which confirms that the daemon can pull and run an image.

      root@csrx-ubuntu3:~# docker run hello-world

       
      Hello from Docker!
      This message shows that your installation appears to be working correctly.
      
    2. Verify the installed Docker Engine version by using the docker version command.

      Note: Ensure that Docker version 1.9.0 or later is installed on the Linux host.

      root@csrx-ubuntu3:~# docker version

      Client:
       Docker version 17.05.0-ce-rc1, build 2878a85
       API Version:  1.30
       Go version:   go1.8.3
       Git commit:   02cid87
       Built:        Fri June 23 21:17:13 2017
       OS/Arch:      linux/amd64

      Server:
       Docker version 17.05.0-ce-rc1, build 2878a85
       API Version:  1.30 (minimum version 1.12)
       Go version:   go1.8.3
       Git commit:   02cid87
       Built:        Fri June 23 21:17:13 2017
       OS/Arch:      linux/amd64
       Experimental: False

    Loading the cSRX Image

    The cSRX image is distributed as a Docker image from the Juniper Internal Docker registry (hub.juniper.net).

    Once the Docker Engine has been installed on the host, perform the following to download and start using the cSRX image:

    1. Log in to the Juniper Internal Docker registry using the login name and password that you received as part of the sales fulfillment process when ordering cSRX.

      root@csrx-ubuntu3:~csrx# docker login hub.juniper.net -u <username> -p <password>

      Note: A password passed with -p is recorded in the shell history and is visible to other users of the host in the process list while the command runs. On Docker 17.07 and later, omit -p and supply the password on standard input with --password-stdin instead. In either case, docker login stores the credential in the Docker client configuration file (~/.docker/config.json by default) unless a credential helper is configured, so protect that file.

    2. Pull the cSRX image from the Juniper Internal Docker registry.

      root@csrx-ubuntu3:~csrx# docker pull hub.juniper.net/security/csrx:<version>

      For example, to pull cSRX image version 18.1R1.0:

      root@csrx-ubuntu3:~csrx# docker pull hub.juniper.net/security/csrx:18.1R1.0

    3. After the cSRX image loads, confirm that it is listed in the repository of Docker images.

      root@csrx-ubuntu3:~/csrx# docker images

      REPOSITORY   TAG        IMAGE ID       CREATED                  SIZE
      csrx         18.1R1.0   6fcdebe006e4   Less than a second ago   585MB

      root@csrx-ubuntu3:~/csrx#

      Note the REPOSITORY and TAG values: the image reference you pass to docker run when launching the container is REPOSITORY:TAG exactly as listed here. An image pulled directly from hub.juniper.net is listed under its full registry path (hub.juniper.net/security/csrx) unless you retag it locally with docker tag. Record the IMAGE ID and the Digest line that docker pull prints so that you can later confirm that the container you launched runs the image you pulled.

    Creating the Linux Bridge Network for the cSRX

    A Linux bridge is a virtual switch implemented in the kernel; it emulates a hardware bridge within the Linux host. Docker can create a bridge network and connect the cSRX container to it for management and data-plane traffic. The container's interfaces are veth pairs created by the Linux VETH driver: one end sits inside the container's network namespace and the other end is attached to the bridge on the host.

    This procedure describes how to create a three-bridge network for the cSRX container that includes: mgt_bridge (eth0), left_bridge (eth1), and right_bridge (eth2). The mgt_bridge is used by the cSRX for out-of-band management to accept management sessions and traffic, and the left_bridge and right_bridge are both used by the cSRX as the revenue ports to process in-band data traffic.

    Note: srxpfe is the data-plane daemon that receives and sends packets on the two revenue ports of a cSRX container. srxpfe requires the untrusted interface (eth1) and the trusted interface (eth2) to be attached to a Linux bridge, and it will not load properly if the two revenue ports are not attached.

    The trusted and untrusted interfaces required by a cSRX container are connected to Linux bridges on eth1 and eth2. In this example, the untrusted interface (eth1) is connected to left_bridge and the trusted interface (eth2) is connected to right_bridge. By default, the cSRX boots in Layer 3 mode, where it performs forwarding between the trusted and untrusted interfaces. Docker inserts iptables rules that block forwarding between different user-defined bridge networks on the host, so traffic between left_bridge and right_bridge can only flow through the cSRX; do not add host routes or firewall rules that bypass this isolation.

    Note: When the container is started with --network=mgt_bridge, Docker attaches the management interface (eth0) to that bridge and assigns it an IP address from the bridge subnet. Interfaces eth1 and eth2 carry the in-band traffic, and you must attach the untrusted and trusted bridges to these two revenue interfaces yourself. The cSRX must be bound to the Linux bridges to pass traffic.

    To create a three-bridge network for a cSRX in the Linux host:

    1. Create the management bridge in the network.

      root@csrx-ubuntu3:~/csrx# docker network create --driver bridge mgt_bridge

      3228844986eae1d1a8d367b34b54b31b130842be072b9dcdf7da3601c95b7130

    2. Create the left bridge in the network (untrusted interface (eth1)).

      root@csrx-ubuntu3:~/csrx# docker network create --driver bridge left_bridge

      f1324b0a9072c55ababbcc51d83c83658084b67513811e13829172cccbc08e5d

    3. Create the right bridge in the network (trusted interface (eth2)).

      root@csrx-ubuntu3:~/csrx# docker network create --driver bridge right_bridge

      196bd039f7c2401df4c117ea684114548a3df0b9d406cf3cf8f17338fab96774

    Launching the cSRX Container

    You are now ready to launch the cSRX container in Docker on the Linux bare-metal server. When you start the cSRX image, you have a running container of the image. You can stop and restart the cSRX container (see Docker Management of a cSRX Container); the container retains its settings and file system changes across a restart unless you explicitly delete them (removing the container with docker rm discards its writable layer). However, the cSRX loses anything held in memory, and all processes are restarted.

    A set of cSRX environment variables lets you modify the operating characteristics of the cSRX container when it is launched. You can modify:

    • Initial root account password to log in to the cSRX container using SSH

    • Traffic forwarding mode (static route or secure-wire)

    • cSRX container size (small, medium, or large)

    • Packet I/O driver (polled or interrupt)

    • CPU affinity for cSRX control and data daemons

    • Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values

    Note: Specification of an environment variable is not mandatory when launching the cSRX container; most environment variables have a default value as shown in cSRX Environment Variables Overview. You can launch the cSRX using the default environment variable settings.

    To launch the cSRX container:

    1. Use the docker run command to launch the cSRX container. Include the mgt_bridge management bridge to connect the cSRX to a network. If you intend to log in to the cSRX container using SSH, you must specify an initial root password when launching the cSRX.

      root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_ROOT_PASSWORD=<password> --name=<csrx-container-name> <csrx-image-name>

      For example, to launch csrx2 using cSRX software image csrx-18.1R1.0 and root password xxxxxxxx, enter:

      root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_ROOT_PASSWORD=xxxxxxxx --name csrx2 csrx-18.1R1.0

      Note: You must include the --privileged flag in the docker run command to enable the cSRX container to run in privileged mode. A privileged container is not confined by Docker's default capability set, seccomp profile, or AppArmor profile and can access every device on the host, so a compromise of the cSRX container is effectively a compromise of the Docker host. Treat the host as part of the firewall's trust boundary: restrict access to the Docker socket (membership in the docker group is equivalent to root), and do not co-locate untrusted workloads on the same host.

      Note: The initial root password is passed as an environment variable, so it is recorded in the shell history and remains readable by anyone who can run docker inspect on the container. Change it from the Junos CLI after the first login, and do not reuse a password that protects anything else.

    2. Connect the container to the left and right bridges (eth1 and eth2). srxpfe does not load until both revenue interfaces are attached.

      root@csrx-ubuntu3:~/csrx# docker network connect left_bridge csrx2

      root@csrx-ubuntu3:~/csrx#

      root@csrx-ubuntu3:~/csrx# docker network connect right_bridge csrx2

      root@csrx-ubuntu3:~/csrx#

    3. Confirm that the three-bridge network has been created for the cSRX container.

      root@csrx-ubuntu3:~/csrx# docker network ls

      NETWORK ID     NAME           DRIVER   SCOPE
      80bea9207560   bridge         bridge   local
      619da6736359   host           host     local
      112ab00aab1a   left_bridge    bridge   local
      1484998f41bb   mgt_bridge     bridge   local
      daf7a5a477bd   none           null     local
      e409a4f54237   right_bridge   bridge   local

    4. Confirm that the cSRX container is listed as a running Docker container.

      root@csrx-ubuntu3:~/csrx# docker ps

      CONTAINER ID   IMAGE   COMMAND               CREATED         STATUS         PORTS             NAMES
      35e33e8aa4af   csrx    "/etc/rc.local init"  7 minutes ago   Up 7 minutes   22/tcp, 830/tcp   csrx2

      The PORTS column lists the ports the image exposes: 22/tcp for SSH and 830/tcp for NETCONF. They are reachable on the container's bridge addresses only; they are not published on a host interface unless you add -p to the docker run command.

    5. Confirm that the cSRX container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd. If srxpfe is absent, check that both left_bridge and right_bridge were connected in step 2.

      root@csrx-ubuntu3:~/csrx# docker top csrx2

       
      UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
      root                318                 305                 0                   09:13               pts/1               00:00:00            bash
      root                27423               27407               0                   Mar30               pts/0               00:00:00            /bin/bash -e /etc/rc.local init
      root                27867               27423               0                   Mar30               ?                   00:08:16            /usr/sbin/rsyslogd -M/usr/lib/rsyslog
      root                27880               27423               0                   Mar30               ?                   00:00:00            /usr/sbin/sshd
      root                27882               27423               0                   Mar30               ?                   00:00:00            /usr/sbin/nstraced
      root                27907               27423               0                   Mar30               ?                   00:00:08            /usr/sbin/mgd
      root                27963               27423               0                   Mar30               pts/0               00:34:50            /usr/bin/monit -I
      root                27979               27423               0                   Mar30               ?                   00:01:10            /usr/sbin/nsd
      root                27989               27423               0                   Mar30               ?                   00:00:02            /usr/sbin/appidd -N
      root                28023               27423               0                   Mar30               ?                   00:00:21            /usr/sbin/idpd -N
      root                28040               27423               0                   Mar30               ?                   00:09:21            /usr/sbin/wmic -N
      root                28048               27423               0                   Mar30               ?                   00:52:50            /usr/sbin/useridd -N
      root                28126               27423               2                   Mar30               ?                   1-05:21:47          /usr/sbin/srxpfe -a -d
      root                28186               27423               0                   Mar30               ?                   00:01:37            /usr/sbin/utmd -N
      root                28348               27423               0                   Mar30               ?                   00:02:44            /usr/sbin/kmd
      
    6. Confirm the IP address of the management interface of the cSRX container.

      root@csrx-ubuntu3:~/csrx# docker inspect csrx2 | grep IPAddress

                  "SecondaryIPAddresses": null,
                  "IPAddress": "",
                          "IPAddress": "172.19.0.2",
                          "IPAddress": "172.18.0.2",
                          "IPAddress": "172.20.0.2",

      The empty top-level IPAddress is expected: it refers to Docker's default bridge, which this container is not attached to. The three addresses that follow belong to the three user-defined networks (mgt_bridge, left_bridge, and right_bridge), one per network. grep does not show which address belongs to which network; read the NetworkSettings.Networks section of the docker inspect output to match each address to its bridge, and use the mgt_bridge address for SSH and NETCONF management sessions.
      

    Note: See Docker Management of a cSRX Container for details on how to stop and restart a cSRX container.
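    The verification in steps 3 through 6 can be automated from the JSON that docker inspect emits. The script below is an added example, not Juniper's code and not part of the cSRX image. It parses one docker inspect record and reports the checks a practitioner wants after launch: the container is running and privileged, attached to exactly the three bridges (srxpfe will not load without both revenue bridges), has an address on each, and whether the root password is still readable through docker inspect or the management ports have been published on all host interfaces. Python is used because the input is JSON. The embedded sample record is constructed to resemble csrx2 above; which of the three addresses lands on which bridge is an assumption, as are the file name check_csrx.py and the function names.

```python
"""Post-launch checks for a cSRX container, run over `docker inspect` output.

Added example (not Juniper's code). On the Docker host:
    docker inspect csrx2 | python3 check_csrx.py -
Run without arguments, it checks the constructed sample record below.
"""
import json
import sys

# Names chosen by the procedure on this page.
EXPECTED_NETWORKS = {"mgt_bridge", "left_bridge", "right_bridge"}
REVENUE_NETWORKS = {"left_bridge", "right_bridge"}   # eth1 (untrust), eth2 (trust)
EXPOSED_PORTS = {"22/tcp", "830/tcp"}                # SSH and NETCONF, as docker ps shows


def check_container(info):
    """Return a list of (severity, message) findings for one container record.

    `info` is one element of the list that `docker inspect <name>` prints.
    """
    findings = []
    if not info.get("State", {}).get("Running"):
        findings.append(("error", "container is not running"))

    host_cfg = info.get("HostConfig", {})
    # cSRX requires --privileged; without it srxpfe cannot come up.
    if not host_cfg.get("Privileged"):
        findings.append(("error", "container is not privileged; cSRX requires --privileged"))

    networks = info.get("NetworkSettings", {}).get("Networks", {})
    missing = EXPECTED_NETWORKS - set(networks)
    if missing & REVENUE_NETWORKS:
        findings.append(("error", "revenue bridge(s) not attached, srxpfe will not load: "
                         + ", ".join(sorted(missing & REVENUE_NETWORKS))))
    if "mgt_bridge" in missing:
        findings.append(("error", "management bridge mgt_bridge not attached"))
    for name in sorted(set(networks) & EXPECTED_NETWORKS):
        if not networks[name].get("IPAddress"):
            findings.append(("warn", f"{name}: no IPv4 address assigned"))
    extra = set(networks) - EXPECTED_NETWORKS
    if extra:
        findings.append(("warn", "attached to unexpected network(s): " + ", ".join(sorted(extra))))

    # The root password is an environment variable: anyone who can run
    # `docker inspect` on the container can read it, so remind the operator to rotate it.
    env = info.get("Config", {}).get("Env") or []
    if any(kv.startswith("CSRX_ROOT_PASSWORD=") for kv in env):
        findings.append(("warn", "CSRX_ROOT_PASSWORD is readable via docker inspect; rotate it after first login"))

    # The image should expose only SSH and NETCONF.
    exposed = set(info.get("Config", {}).get("ExposedPorts") or {})
    if exposed - EXPOSED_PORTS:
        findings.append(("warn", "image exposes ports beyond SSH/NETCONF: " + ", ".join(sorted(exposed - EXPOSED_PORTS))))

    # Management ports live on the bridge address; publishing them with -p on
    # 0.0.0.0 makes SSH/NETCONF reachable from every host interface.
    for port, bindings in (host_cfg.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0"):
                findings.append(("warn", f"{port} is published on all host interfaces"))
    return findings


def network_addresses(info):
    """Map each attached Docker network to the container's IPv4 address on it."""
    networks = info.get("NetworkSettings", {}).get("Networks", {})
    return {name: net.get("IPAddress", "") for name, net in networks.items()}


def management_address(info):
    """Address to use for SSH/NETCONF: the one on mgt_bridge, or None."""
    return network_addresses(info).get("mgt_bridge") or None


# Constructed sample: what `docker inspect csrx2` could return for the container
# launched in this procedure. Which address sits on which bridge is an assumption.
SAMPLE_INSPECT = json.loads("""[{
  "Name": "/csrx2",
  "State": {"Running": true},
  "HostConfig": {"Privileged": true, "PortBindings": {}},
  "Config": {"Env": ["CSRX_ROOT_PASSWORD=xxxxxxxx", "PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
             "ExposedPorts": {"22/tcp": {}, "830/tcp": {}}},
  "NetworkSettings": {
    "IPAddress": "",
    "Networks": {
      "mgt_bridge":   {"IPAddress": "172.18.0.2"},
      "left_bridge":  {"IPAddress": "172.19.0.2"},
      "right_bridge": {"IPAddress": "172.20.0.2"}
    }
  }
}]""")


def main(argv):
    """Print findings per container; exit status 1 if any error-level finding."""
    records = json.load(sys.stdin) if len(argv) > 1 and argv[1] == "-" else SAMPLE_INSPECT
    rc = 0
    for info in records:
        name = info.get("Name", "?").lstrip("/")
        print(f"{name}: management address {management_address(info)}")
        for severity, msg in check_container(info):
            print(f"  [{severity}] {msg}")
            rc |= 1 if severity == "error" else 0
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    On the sample record the only finding is the warning about CSRX_ROOT_PASSWORD; a container started without --privileged or connected to only mgt_bridge produces error-level findings and a non-zero exit status, which makes the script usable as a gate in a deployment pipeline.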

     

    Modified: 2018-06-19