You are now ready to launch the cSRX Container Firewall container in Docker on
the Linux bare-metal server. When you start the cSRX Container Firewall image, you have a
running container of the image. You can stop and restart the cSRX Container Firewall
container (see Managing cSRX Container Firewall Containers), and
the container will retain all settings and file system changes unless those changes are
explicitly deleted. However, the cSRX Container Firewall will lose anything in memory and
all processes will be restarted.
You have a series of cSRX Container Firewall environment variables that enable you to modify
operating characteristics of the cSRX Container Firewall container when it is launched. You
can modify:
- Traffic forwarding mode (static route or secure-wire)
- cSRX Container Firewall container size (small, medium, or large)
- Packet I/O driver (polled or interrupt)
- CPU affinity for cSRX Container Firewall control and data daemons
- Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values
- Number of interfaces you need to add to the container. Default is 3 and maximum is 17 (which means 1 management interface and 16 data interfaces).
Note: When you deploy cSRX Container Firewall you must enable the SSH service and the SSH option
for root login. The SSH service is not enabled by default. To enable the SSH service, run the
set system services ssh command; to allow root user login, run the
set system services ssh root-login allow command.
Note: Specification of an environment variable is not mandatory when launching the cSRX Container
Firewall container; most environment variables have a default value as shown in cSRX Container Firewall Environment Variables Overview. You can launch
the cSRX Container Firewall using the default environment variable settings.
To launch the cSRX Container Firewall container:
- Use the docker run command to launch the cSRX Container Firewall container. Include the mgt_bridge management bridge to connect the cSRX Container Firewall to a network. To override an environment variable, add -e <variable>=<value> to the command.
root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=<csrx-container-name> hub.juniper.net/security/<csrx-image-name>
For example, to launch csrx2 using cSRX Container Firewall software image csrx:18.2R1.9, enter:
root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge --name=csrx2 hub.juniper.net/security/csrx:18.2R1.9
Note: You must include the --privileged flag in the docker run command to enable the cSRX Container Firewall container to run in privileged mode.
- Connect the left and right bridges to the Docker network.
root@csrx-ubuntu3:~/csrx# docker network connect left_bridge csrx2
root@csrx-ubuntu3:~/csrx# docker network connect right_bridge csrx2
- Confirm that the three-bridge network has been created for the cSRX Container Firewall container.
root@csrx-ubuntu3:~/csrx# docker network ls
NETWORK ID     NAME           DRIVER   SCOPE
80bea9207560   bridge         bridge   local
619da6736359   host           host     local
112ab00aab1a   left_bridge    bridge   local
1484998f41bb   mgt_bridge     bridge   local
daf7a5a477bd   none           null     local
e409a4f54237   right_bridge   bridge   local
- Confirm that the cSRX Container Firewall container is listed as a running Docker container.
root@csrx-ubuntu3:~/csrx# docker ps
CONTAINER ID   IMAGE   COMMAND                CREATED         STATUS         PORTS             NAMES
35e33e8aa4af   csrx    "/etc/rc.local init"   7 minutes ago   Up 7 minutes   22/tcp, 830/tcp   csrx2
- Confirm that the cSRX Container Firewall container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd.
root@csrx-ubuntu3:~/csrx# docker top csrx2
UID PID PPID C STIME TTY TIME CMD
root 318 305 0 09:13 pts/1 00:00:00 bash
root 27423 27407 0 Mar30 pts/0 00:00:00 /bin/bash -e /etc/rc.local init
root 27867 27423 0 Mar30 ? 00:08:16 /usr/sbin/rsyslogd -M/usr/lib/rsyslog
root 27880 27423 0 Mar30 ? 00:00:00 /usr/sbin/sshd
root 27882 27423 0 Mar30 ? 00:00:00 /usr/sbin/nstraced
root 27907 27423 0 Mar30 ? 00:00:08 /usr/sbin/mgd
root 27963 27423 0 Mar30 pts/0 00:34:50 /usr/bin/monit -I
root 27979 27423 0 Mar30 ? 00:01:10 /usr/sbin/nsd
root 27989 27423 0 Mar30 ? 00:00:02 /usr/sbin/appidd -N
root 28023 27423 0 Mar30 ? 00:00:21 /usr/sbin/idpd -N
root 28040 27423 0 Mar30 ? 00:09:21 /usr/sbin/wmic -N
root 28048 27423 0 Mar30 ? 00:52:50 /usr/sbin/useridd -N
root 28126 27423 2 Mar30 ? 1-05:21:47 /usr/sbin/srxpfe -a -d
root 28186 27423 0 Mar30 ? 00:01:37 /usr/sbin/utmd -N
root 28348 27423 0 Mar30 ? 00:02:44 /usr/sbin/kmd
- Confirm the IP address of the management interface of the cSRX Container Firewall container.
root@csrx-ubuntu3:~/csrx# docker inspect csrx2 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "",
"IPAddress": "172.19.0.2",
"IPAddress": "172.18.0.2",
"IPAddress": "172.20.0.2",
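The grep output in the last step lists addresses without showing which bridge each one belongs to. The following is an added example, not part of the Juniper documentation: shell functions that read docker top and docker inspect output on stdin and report missing Junos daemons, missing bridges, and the address held on a named bridge. The function names and sample input are constructed, and the bridge-to-address pairing in the sample is an assumption.

```shell
#!/bin/sh
# Added example (not Juniper code). Each check reads command output on stdin:
#   docker top csrx2 | missing_daemons
#   docker inspect -f "$NET_FMT" csrx2 | missing_bridges
#   docker inspect -f "$NET_FMT" csrx2 | bridge_ip mgt_bridge

# Go template: one "<network> <address>" line per attached Docker network.
NET_FMT='{{range $n, $c := .NetworkSettings.Networks}}{{println $n $c.IPAddress}}{{end}}'

# Print every name in $1 (space-separated) that stdin's column $2 never shows.
# Path prefixes are stripped, so /usr/sbin/nsd counts as "nsd".
absent() {
    awk -v want="$1" -v col="$2" '
        { n = split($col, p, "/"); seen[p[n]] = 1 }
        END { k = split(want, w, " ")
              for (i = 1; i <= k; i++) if (!(w[i] in seen)) print w[i] }'
}

# Junos processes the page expects; CMD is column 8 of `docker top` output.
missing_daemons() { absent "nsd srxpfe mgd" 8; }

# The three bridges the page attaches to the container.
missing_bridges() { absent "mgt_bridge left_bridge right_bridge" 1; }

# Print the address held on one named bridge, e.g. the management bridge.
bridge_ip() { awk -v net="$1" '$1 == net { print $2 }'; }

# Constructed samples. The bridge-to-address pairing is assumed (the grep
# output on the page does not show it); nsd is left out to show a failure.
sample_nets() { cat <<'EOF'
left_bridge 172.19.0.2
mgt_bridge 172.18.0.2
right_bridge 172.20.0.2
EOF
}
sample_top() { cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
root 27882 27423 0 Mar30 ? 00:00:00 /usr/sbin/nstraced
root 27907 27423 0 Mar30 ? 00:00:08 /usr/sbin/mgd
root 28126 27423 2 Mar30 ? 1-05:21:47 /usr/sbin/srxpfe -a -d
EOF
}

echo "management address: $(sample_nets | bridge_ip mgt_bridge)"
echo "missing bridges:    $(sample_nets | missing_bridges | tr '\n' ' ')"
echo "missing daemons:    $(sample_top | missing_daemons | tr '\n' ' ')"
```

Empty output from missing_daemons or missing_bridges means every expected item was found, which makes the functions usable as a post-launch gate in a deployment script.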