farfui, Nov 20, 2017, #1
Docker hub image: https://hub.docker.com/r/farfui/3cx/
Running the container
If you run the container on an AppArmor-enabled machine you have to add "--security-opt apparmor=unconfined" to the run command.
- Create a macvlan network. This is an example; you have to adapt this command to your needs.
Code:
docker network create \
  -d macvlan \
  --subnet 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  -o parent=eth0 \
  mv_eth0
- Run the container
Code:
docker run \
  -d \
  --hostname {YOUR HOSTNAME} \
  --memory {MEMORY} \
  --memory-swap {SWAP MEMORY} \
  --ip {IP ADDRESS} \
  --network mv_eth0 \
  --restart unless-stopped \
  -v 3cx_backup:/mnt/backup \
  -v 3cx_recordings:/mnt/recordings \
  -v 3cx_log:/var/log \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --cap-add SYS_ADMIN \
  --name 3cx \
  farfui/3cx:15.5
- Setup the timezone. You can find the full listing under "/usr/share/zoneinfo/".
Code:
docker exec 3cx timedatectl set-timezone {YOUR ZONE INFO}
- Start 3CX Wizard for initial setup
Code:
docker exec -ti 3cx /usr/sbin/3CXWizard --cleanup
build.sh - How this container was built
Code:
#!/bin/bash
docker build --force-rm --no-cache \
  --build-arg BUILD_STRING="$(date -u)" \
  --build-arg BUILD_DATE="$(date +%d-%m-%Y)" \
  --build-arg BUILD_TIME="$(date +%H:%M:%S)" \
  -t 3cx_stage1 .
docker run -d --privileged --name 3cx_stage1_c 3cx_stage1
docker exec 3cx_stage1_c bash -c \
  "systemctl mask systemd-logind console-getty.service [emailprotected] getty-static.service [emailprotected] [emailprotected] getty.target \
   && systemctl enable nginx exim4 postgresql \
   && echo 1 | apt-get -y install 3cxpbx"
docker stop 3cx_stage1_c
docker commit 3cx_stage1_c farfui/3cx:15.5
docker push farfui/3cx:15.5
docker rm 3cx_stage1_c
docker rmi 3cx_stage1
Dockerfile
Code:
FROM debian:stretch
ARG BUILD_STRING
ARG BUILD_DATE
ARG BUILD_TIME
LABEL build.string $BUILD_STRING
LABEL build.date $BUILD_DATE
LABEL build.time $BUILD_TIME
ENV DEBIAN_FRONTEND noninteractive
ENV LANG en_US.UTF-8
ENV LANGUAGE en
ENV container docker
RUN apt-get update \
 && apt-get update -y \
 && apt-get upgrade -y \
 && apt-get install -y --allow-unauthenticated \
      apt-utils \
      wget \
      gnupg2 \
      systemd \
      locales \
 && sed -i 's/\# \(en_US.UTF-8\)/\1/' /etc/locale.gen \
 && locale-gen \
 && wget -O- http://downloads.3cx.com/downloads/3cxpbx/public.key | apt-key add - \
 && echo "deb http://downloads.3cx.com/downloads/debian stretch main" | tee /etc/apt/sources.list.d/3cxpbx.list \
 && apt-get update -y \
 && apt-get install -y --allow-unauthenticated \
      libcurl3=7.38.0-4+deb8u5 \
      $(apt-cache depends 3cxpbx | grep Depends | sed "s/.*ends:\ //" | tr '\n' ' ') \
 && rm -f /lib/systemd/system/multi-user.target.wants/* \
 && rm -f /etc/systemd/system/*.wants/* \
 && rm -f /lib/systemd/system/local-fs.target.wants/* \
 && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
 && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
 && rm -f /lib/systemd/system/basic.target.wants/* \
 && rm -f /lib/systemd/system/anaconda.target.wants/*
EXPOSE 5015/tcp 5001/tcp 5060/tcp 5060/udp 5061/tcp 5090/tcp 5090/udp 9000-9500/udp
CMD ["/lib/systemd/systemd"]
StefanW, Nov 20, 2017, #2
farfui said:
FROM debian:stretch
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
RUN echo 'deb http://ftp.de.debian.org/debian/ jessie main' | tee -a /etc/apt/sources.list \
Nice one, much the same as what I played with; some parts are handled much more nicely with the macvlan.
Just for the repo, use these lines:
wget -O- http://downloads.3cx.com/downloads/3cxpbx/public.key | apt-key add -
echo "deb http://downloads.3cx.com/downloads/debian stretch main" | tee /etc/apt/sources.list.d/3cxpbx.list
apt-get install libcurl3=7.38.0-4+deb8u5
apt-get update
apt-get install 3cxpbx
farfui, Nov 20, 2017, #3
Thank you. I've updated the image in the docker hub and the original post.
According to this post https://www.3cx.com/blog/docs/linux-version-9-stretch/ we have to install
libicu52 and libssl1.0.0. Are they still needed?
It is not possible to run apt-get install 3cxpbx from within the Dockerfile because 3cx requires a running systemd, and you cannot run systemd from the command line because it must be run as PID 1; hence you have to build an intermediate image, run that image, and use "docker exec ..." to install 3cxpbx on it. Is it possible to install 3cxpbx without systemd?
It would be great if we could get rid of the --privileged flag and instead use
Code:
--cap-add=SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro
which is required for systemd. This would dramatically increase the security of the container. The problem is that 3cx crashes when trying to enumerate the interfaces, more specifically when trying to access the file /sys/class/net/lo/operstate. I suppose that is because docker is automatically enforcing the docker-default apparmor profile https://github.com/moby/moby/blob/master/profiles/apparmor/template.go . One solution would be to rewrite that profile and enforce it with --security-opt apparmor=docker-3cx . Is there a more elegant solution to this?
StefanW, Nov 21, 2017, #4
farfui said:
libicu52 and libssl1.0.0
No, only libcurl3=7.38.0-4+deb8u5 is needed for stretch (Debian 9).
StefanW, Nov 21, 2017, #5
farfui said:
3cxpbx without systemd?
No, and this is a bit of a pitfall: Docker is great for a single app running inside of it (Apache+php is still fine). 3CX looks like one but packages 8 different services.
farfui, Nov 24, 2017, #6
Yes, better. I also added
Code:
ENV LANGUAGE en
sed -i 's/\# \(en_US.UTF-8\)/\1/' /etc/locale.gen \
locale-gen \
PS
The original post is also edited.
farfui, Nov 24, 2017, #7
There is a slightly more secure method of running the container without --privileged mode. You can disable the docker-default apparmor profile with
Code:
--security-opt apparmor=unconfined
and you have to add this
Code:
--cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro
for systemd to work correctly.
That way you keep the seccomp kernel facilities enabled and do not enable all the kernel capabilities.
PS
The original post is also edited.
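An added audit script (not part of the thread or the farfui/3cx image) that checks the two container configurations discussed in posts #3 and #7, the --privileged stage-1 build container and the hardened runtime container, from `docker inspect` output. The JSON samples are constructed inline from the flags posted above; `audit_container` and `worst_severity` are names chosen here.

```python
import json
import subprocess
import sys

# Constructed samples of `docker inspect <container>` output, reduced to the
# HostConfig fields the audit reads (field names are Docker's real ones).
STAGE1_PRIVILEGED = json.dumps([{
    "Name": "/3cx_stage1_c",
    "HostConfig": {"Privileged": True, "CapAdd": None,
                   "SecurityOpt": None, "Binds": None},
}])
RUNTIME_HARDENED = json.dumps([{
    "Name": "/3cx",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["apparmor=unconfined"],
        "Binds": ["3cx_backup:/mnt/backup", "3cx_log:/var/log",
                  "/sys/fs/cgroup:/sys/fs/cgroup:ro"],
    },
}])

def audit_container(inspect_json):
    """Return (container name, [(severity, message), ...]) for one container."""
    doc = json.loads(inspect_json)[0]
    hc = doc.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):  # --privileged: every capability, AppArmor and seccomp off
        findings.append(("high", "--privileged: all capabilities, AppArmor and seccomp disabled"))
    for cap in hc.get("CapAdd") or []:
        sev = "medium" if cap == "SYS_ADMIN" else "low"  # SYS_ADMIN is the broad one systemd needs
        findings.append((sev, f"extra capability {cap} added"))
    for opt in hc.get("SecurityOpt") or []:
        if opt == "apparmor=unconfined":  # the docker-default seccomp profile still applies
            findings.append(("medium", "AppArmor profile disabled (seccomp still active)"))
        elif opt == "seccomp=unconfined":
            findings.append(("high", "seccomp profile disabled"))
    for bind in hc.get("Binds") or []:
        src, _, rest = bind.partition(":")
        mode = rest.split(":", 1)[1].split(",") if ":" in rest else []
        if src == "/sys/fs/cgroup" and "ro" not in mode:  # systemd needs it, but read-only suffices
            findings.append(("high", "/sys/fs/cgroup bind-mounted writable"))
    return doc["Name"].lstrip("/"), findings

def worst_severity(findings):
    """Map findings to a score: 0 clean, 1 low, 2 medium, 3 high."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((order[s] for s, _ in findings), default=0)

if __name__ == "__main__":  # live use: python audit.py 3cx
    out = subprocess.run(["docker", "inspect", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    name, found = audit_container(out)
    print(name, found or "no findings")
```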