Launching the cSRX Container Firewall Container

You are now ready to launch the cSRX Container Firewall container in Docker on the Linux bare-metal server. Starting the cSRX Container Firewall image gives you a running container of that image. You can stop and restart the cSRX Container Firewall container (see Managing cSRX Container Firewall Containers), and the container retains all settings and file system changes unless those changes are explicitly deleted. However, the cSRX Container Firewall loses anything held in memory, and all processes are restarted.

You have a series of cSRX Container Firewall environment variables that enable you to modify operating characteristics of the cSRX Container Firewall container when it is launched. You can modify:

  • When you deploy cSRX Container Firewall, you must enable the SSH service and the SSH root-login option. The SSH service is not enabled by default.

    To enable the SSH service, run the set system services ssh command; to allow root user login, run the set system services ssh root-login allow command.

  • Traffic forwarding mode (static route or secure-wire)

  • cSRX Container Firewall container size (small, medium, or large)

  • Packet I/O driver (polled or interrupt)

  • CPU affinity for cSRX Container Firewall control and data daemons

  • Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values

  • Number of interfaces to add to the container. The default is 3 and the maximum is 17 (that is, 1 management interface and 16 data interfaces).

Note:

Specification of an environment variable is not mandatory when launching the cSRX Container Firewall container; most environment variables have a default value as shown in cSRX Container Firewall Environment Variables Overview. You can launch the cSRX Container Firewall using the default environment variable settings.

To launch the cSRX Container Firewall container:

  1. Use the docker run command to launch the cSRX Container Firewall container. Include the mgt_bridge management bridge to connect the cSRX Container Firewall to a network. To set an environment variable, add one -e option per variable; none is required.

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=<csrx-container-name> hub.juniper.net/security/<csrx-image-name>

    For example, to launch csrx2 using cSRX Container Firewall software image csrx:18.2R1.9, enter:

    root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=csrx2 hub.juniper.net/security/csrx:18.2R1.9

    Note:

    You must include the --privileged flag in the docker run command to enable the cSRX Container Firewall container to run in privileged mode.

  2. Connect the left and right bridges to the Docker network.

    root@csrx-ubuntu3:~/csrx# docker network connect left_bridge csrx2

    root@csrx-ubuntu3:~/csrx#

    root@csrx-ubuntu3:~/csrx# docker network connect right_bridge csrx2

    root@csrx-ubuntu3:~/csrx#

  3. Confirm that the three-bridge network has been created for the cSRX Container Firewall container.

    root@csrx-ubuntu3:~/csrx# docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    80bea9207560        bridge              bridge              local
    619da6736359        host                host                local
    112ab00aab1a        left_bridge         bridge              local
    1484998f41bb        mgt_bridge          bridge              local
    daf7a5a477bd        none                null                local
    e409a4f54237        right_bridge        bridge              local

  4. Confirm that the cSRX Container Firewall container is listed as a running Docker container.

    root@csrx-ubuntu3:~/csrx# docker ps
    CONTAINER ID   IMAGE   COMMAND                CREATED         STATUS         PORTS             NAMES
    35e33e8aa4af   csrx    "/etc/rc.local init"   7 minutes ago   Up 7 minutes   22/tcp, 830/tcp   csrx2

  5. Confirm that the cSRX Container Firewall container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd.

    root@csrx-ubuntu3:~/csrx# docker top csrx2

  6. Confirm the IP address of the management interface of the cSRX Container Firewall container.

    root@csrx-ubuntu3:~/csrx# docker inspect csrx2 | grep IPAddress
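
The checks in steps 3, 4, and 6 can also be made in one pass over the docker inspect output. The following is an added example, not Juniper code: it confirms that the container is running, privileged, and attached to all three bridges, and it reads the management address from the mgt_bridge entry only, because a plain grep for IPAddress prints one line per attached network. The function name check_csrx and the sample addresses are assumptions made for illustration.

```python
import json
import subprocess
import sys

# Bridge names from this page; mgt_bridge carries the management interface.
EXPECTED_NETWORKS = ("mgt_bridge", "left_bridge", "right_bridge")

def check_csrx(inspect_output, mgmt="mgt_bridge"):
    """Check `docker inspect <name>` JSON text; return (management_ip, problems)."""
    info = json.loads(inspect_output)[0]
    problems = []
    if not info["State"]["Running"]:
        problems.append("container is not running")
    if not info["HostConfig"]["Privileged"]:
        problems.append("container was not started with --privileged")
    networks = info["NetworkSettings"]["Networks"]
    for net in EXPECTED_NETWORKS:
        if net not in networks:
            problems.append(f"not attached to {net}")
    # Take the address from the management network entry only.
    mgmt_ip = networks.get(mgmt, {}).get("IPAddress") or None
    return mgmt_ip, problems

# Constructed sample: trimmed `docker inspect csrx2` output, addresses invented.
SAMPLE = json.dumps([{
    "State": {"Running": True},
    "HostConfig": {"Privileged": True},
    "NetworkSettings": {"Networks": {
        "mgt_bridge": {"IPAddress": "172.18.0.2"},
        "left_bridge": {"IPAddress": "172.19.0.2"},
        "right_bridge": {"IPAddress": "172.20.0.2"},
    }},
}])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real container name given: ask Docker
        text = subprocess.run(["docker", "inspect", sys.argv[1]], check=True,
                              capture_output=True, text=True).stdout
    else:                  # no argument: run against the constructed sample
        text = SAMPLE
    ip, problems = check_csrx(text)
    print("management IP:", ip)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it with the container name (for example, csrx2) as the only argument to check a live container; the exit status is nonzero when any check fails.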