You are now ready to launch the cSRX Container Firewall container that is running in Docker on
the Linux bare-metal server. When you start the cSRX image, you have a running container of
the image. You can stop and restart the cSRX container (see Manage cSRX in Bare-Metal Linux Server), and the container
retains all the settings and file system changes unless those changes are explicitly
deleted. However, the cSRX loses anything in memory and all processes are restarted.
You have a series of cSRX environment variables that enable you to modify operating
characteristics of the cSRX container when it is launched. You can modify:
- Traffic forwarding mode (static route or secure-wire)
- cSRX container size (small, medium, or large)
- Packet I/O driver (polled or interrupt)
- CPU affinity for cSRX control and data daemons
- Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values
- Number of interfaces you need to add to the container. The default is 3 and the maximum is 17 (which means 1 management interface and 16 data interfaces).
When you deploy cSRX you must enable the SSH service and the SSH option for root login. The SSH
service is not enabled by default. To enable the SSH service, run the set system services ssh
command; to allow root user login, run the set system services ssh root-login allow command.
Note: Specification of an environment variable is not mandatory when launching the cSRX container; most
environment variables have a default value as shown in cSRX Environment Variables Overview. You can launch
the cSRX using the default environment variable settings.
To launch the cSRX container:
- Use the docker run command to launch the cSRX container. You include the mgt_bridge management bridge to connect the cSRX to a network. To set an environment variable, add a -e option followed by the variable and its value.
root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=<csrx-container-name> hub.juniper.net/security/<csrx-image-name>
For example, to launch csrx2 using cSRX software image csrx:18.2R1.9, enter:
root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=csrx2 hub.juniper.net/security/csrx:18.2R1.9
Note: You must include the --privileged flag in the docker run command to enable the cSRX container to run in privileged mode.
- Connect the left and right bridges to the Docker network.
root@csrx-ubuntu3:~/csrx# docker network connect left_bridge csrx2
root@csrx-ubuntu3:~/csrx# docker network connect right_bridge csrx2
- Confirm that the three-bridge network has been created for the cSRX container.
root@csrx-ubuntu3:~/csrx# docker network ls
NETWORK ID     NAME           DRIVER   SCOPE
80bea9207560   bridge         bridge   local
619da6736359   host           host     local
112ab00aab1a   left_bridge    bridge   local
1484998f41bb   mgt_bridge     bridge   local
daf7a5a477bd   none           null     local
e409a4f54237   right_bridge   bridge   local
- Confirm that the cSRX container is listed as a running Docker container.
root@csrx-ubuntu3:~/csrx# docker ps
CONTAINER ID   IMAGE   COMMAND                CREATED         STATUS         PORTS             NAMES
35e33e8aa4af   csrx    "/etc/rc.local init"   7 minutes ago   Up 7 minutes   22/tcp, 830/tcp   csrx2
- Confirm that the cSRX container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd.
root@csrx-ubuntu3:~/csrx# docker top csrx2
UID PID PPID C STIME TTY TIME CMD
root 318 305 0 09:13 pts/1 00:00:00 bash
root 27423 27407 0 Mar30 pts/0 00:00:00 /bin/bash -e /etc/rc.local init
root 27867 27423 0 Mar30 ? 00:08:16 /usr/sbin/rsyslogd -M/usr/lib/rsyslog
root 27880 27423 0 Mar30 ? 00:00:00 /usr/sbin/sshd
root 27882 27423 0 Mar30 ? 00:00:00 /usr/sbin/nstraced
root 27907 27423 0 Mar30 ? 00:00:08 /usr/sbin/mgd
root 27963 27423 0 Mar30 pts/0 00:34:50 /usr/bin/monit -I
root 27979 27423 0 Mar30 ? 00:01:10 /usr/sbin/nsd
root 27989 27423 0 Mar30 ? 00:00:02 /usr/sbin/appidd -N
root 28023 27423 0 Mar30 ? 00:00:21 /usr/sbin/idpd -N
root 28040 27423 0 Mar30 ? 00:09:21 /usr/sbin/wmic -N
root 28048 27423 0 Mar30 ? 00:52:50 /usr/sbin/useridd -N
root 28126 27423 2 Mar30 ? 1-05:21:47 /usr/sbin/srxpfe -a -d
root 28186 27423 0 Mar30 ? 00:01:37 /usr/sbin/utmd -N
root 28348 27423 0 Mar30 ? 00:02:44 /usr/sbin/kmd
- Confirm the IP address of the management interface of the cSRX container.
root@csrx-ubuntu3:~/csrx# docker inspect csrx2 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "",
"IPAddress": "172.19.0.2",
"IPAddress": "172.18.0.2",
"IPAddress": "172.20.0.2",
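The confirmation steps above can be combined into one post-launch check that names which expected daemon or bridge is missing. This is an added example, not Juniper's code: the function names are hypothetical, the daemon and bridge names are taken from this page, and the `docker top` column layout is assumed to match the output shown above.

```bash
#!/usr/bin/env bash
# Added example: post-launch checks for the cSRX container (function names are hypothetical).

EXPECTED_PROCS="nsd srxpfe mgd"                       # daemons named on this page
EXPECTED_NETS="mgt_bridge left_bridge right_bridge"   # bridges from the launch steps

# Read `docker top <name>` output on stdin; print the expected daemons that are absent.
# Assumes the column layout shown on this page, where CMD starts at field 8.
missing_procs() {
    local top_out proc missing=""
    top_out=$(cat)
    for proc in $EXPECTED_PROCS; do
        # Compare the executable's basename exactly, skipping the header row.
        if ! printf '%s\n' "$top_out" | awk -v p="$proc" \
            'NR > 1 { n = split($8, a, "/"); if (a[n] == p) found = 1 } END { exit !found }'
        then
            missing="$missing $proc"
        fi
    done
    printf '%s' "${missing# }"
}

# Read "network ip" lines on stdin; print expected bridges that are missing or unaddressed.
missing_nets() {
    local nets_out net missing=""
    nets_out=$(cat)
    for net in $EXPECTED_NETS; do
        if ! printf '%s\n' "$nets_out" | awk -v n="$net" \
            '$1 == n && $2 != "" { found = 1 } END { exit !found }'
        then
            missing="$missing $net"
        fi
    done
    printf '%s' "${missing# }"
}

# Run both checks against a live container. Usage: check_csrx csrx2
check_csrx() {
    local name=$1 m
    m=$(docker top "$name" | missing_procs)
    [ -z "$m" ] || { echo "missing daemons: $m"; return 1; }
    m=$(docker inspect -f \
        '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{$v.IPAddress}}{{"\n"}}{{end}}' \
        "$name" | missing_nets)
    [ -z "$m" ] || { echo "missing networks: $m"; return 1; }
    echo "ok: expected daemons running, three bridges attached"
}
```

The `docker inspect -f` template prints each attached network next to its address, which removes the ambiguity of the unlabeled `grep IPAddress` lines.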