[Question] The use in containers #16

Open
gerardo-junior opened this issue Feb 28, 2018 · 15 comments

@gerardo-junior
Contributor

I'm running some tests to eventually create a packaging continuous integration for my distro and would like to take a concept test in isolated environments. Do any of you have an "official" docker image with nipe working properly?

ps. if you feel like answering in Portuguese!

@naltun

naltun commented Oct 25, 2019

@GouveaHeitor would you like nipe containerized? If so, I can get the Dockerfile written.

This could be a cool idea. In theory, the container image can be used to help employ the use of Tor for other containerized applications. Thoughts?

@htrgouvea
Owner

Hi @naltun,

Yes, we would like to see Nipe running in a docker container! I tried to write a Dockerfile a few times but I always got some problems/bugs!

If you write a Dockerfile, it will be of great help!

Thx!

@naltun

naltun commented Oct 25, 2019

@GouveaHeitor Alright, I'll try writing a Dockerfile. I'm new to Docker, but I've written a handful of Dockerfiles.

Mind telling me what issues/complications you found when trying?

@htrgouvea
Owner

The problems were related to iptables... I confess that I did not strive to look for the real reasons for this.

@naltun

naltun commented Oct 25, 2019

@GouveaHeitor that is really helpful info. Thanks!

@naltun

naltun commented Oct 25, 2019

A couple things I've already found:

  1. perl nipe.pl install isn't installing the config files. I'll look into this...
  2. iptables isn't installed by default on the perl images I'm using. I've already fixed this by installing it via the Dockerfile.

About point 1, check this out (me inside of the container):
image

The exit status of perl nipe.pl install is also 0.

About point 2, I believe that all/most perl official container runtimes are using Debian as the system. Currently I am using perl:5.28-stretch, although I tried perl:5.28-slim-stretch (to reduce the image size). I encountered an error here w/ CPAN modules... So for the time being I am going to move forward to the regular stretch image. 👍

Edit for Appending notes:

  • I do not think system() subroutine calls are working across the scripts

@naltun

naltun commented Oct 25, 2019

Currently running into this gem:

iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Edit: Even running sudo perl nipe.pl start throws this error. Also, I noticed that even though I receive this iptables issue, nipe.pl still exits with a status of 0. This may want to be changed?

@naltun

naltun commented Oct 25, 2019

I'm working off of this branch, by the way.

So I've gotten everything set up. I can start/stop the service, but perl nipe.pl status, even when the service is started, gives this:
[!] ERROR: sorry, it was not possible to establish a connection to the server.

@bmeneg
Contributor

bmeneg commented Jan 24, 2020

@GouveaHeitor @naltun ok, I just got the same error while playing around with nipe on my machine (not container). Not even a direct request to https://check.torproject.org/api/ip with curl worked.

What I figured out after some debugging was that I had a conflicting iptables rule with TCP/UDP output packets that Nipe set vs another component had set previously (libvirt to be more precise, related to virtualization).

The solution I found was to basically flush the whole iptables rules I had:

 --flush   -F [chain]          Delete all rules in  chain or all chains

Hence:

$ ./nipe.pl start
...
$ ./nipe.pl status
[!] ERROR: sorry, it was not possible to establish a connection to the server.
$ curl https://check.torproject.org/api/ip                                                                                     
curl: (6) Could not resolve host: check.torproject.org
$ ./nipe.pl stop
# iptables-save > iptable-rules.save
# iptables -F
$ ./nipe.pl start
...
$ curl https://check.torproject.org/api/ip
{"IsTor":true,"IP":"46.165.245.154"}
$ ./nipe.pl status
[+] Status: activated. 
[+] Ip: 87.118.116.103

We could force a flush on iptables rules before nipe sets its own rules, but I don't know how other apps' rules would interact and, possibly, conflict with nipe's.

FWIW, Issue #49 was closed and was related to this specific issue. I'm going to open a new issue to further investigate it.
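Added example, not part of the comment above or of the nipe code base: a way to review the ruleset saved with `iptables-save` and list only the OUTPUT-chain TCP/UDP rules (the kind of rule the comment describes as conflicting) before deciding to flush everything. The sample dump and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in iptables-save format (libvirt-style rules; not taken from the thread).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A OUTPUT -p tcp -m tcp --dport 8443 -j REDIRECT --to-ports 443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT'

# output_l4_rules: read an iptables-save dump on stdin and print, as
# "table<TAB>rule", every OUTPUT-chain rule that matches on TCP or UDP.
output_l4_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter", ...
        $1 == "-A" && $2 == "OUTPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && ($(i + 1) == "tcp" || $(i + 1) == "udp")) {
                    printf "%s\t%s\n", table, $0
                    break
                }
        }'
}

# delete_commands: turn the review list into targeted delete commands.
# The commands are only printed, never executed.
delete_commands() {
    output_l4_rules | awk -F '\t' '{
        sub(/^-A /, "-D ", $2)
        print "iptables -t " $1 " " $2
    }'
}

# Typical use against the backup made in the transcript:
#   output_l4_rules < iptable-rules.save
```

`iptables -F` without `-t` flushes only the `filter` table, so the table column shows which of the listed rules a plain flush would actually remove.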

@htrgouvea
Owner

I started to develop an image for Nipe using the Dockerfile; it is available in the "develop" branch, however it is not ready yet.

I believe that because it is an isolated and restricted container, we will not face problems such as conflict of rules of other applications, only if it is something of the docker image itself.

@bmeneg
Contributor

bmeneg commented Jan 29, 2020

@GouveaHeitor the idea is to keep both nipe and tor running on the same container? If so, yep, it may work without any problems.

I have another idea that we'll need to discuss further in the near future, involving a more robust approach with VMs instead of containers (which could be included, of course :P).

@htrgouvea
Owner

Yes, the idea is to have everything operating in the same container ... I think people want Nipe in this format to be able to use it as a kind of proxy in their networks ... I'm trying to work on that because many people want to use nipe that way.

@MrNonoss

Hi there,
Thanks a lot for this amazing tool.
I had the same idea. I forked the repo to "dockerize" nipe.
I worked on it a bit today and managed to get a proper image, without errors.
However, the container doesn't start, or at least, does not last. For it to work, I have to exec bash and manually issue the commands.
If you'd like to take a look, it's over there: Repo

@htrgouvea
Owner

It's still not 100% but the best image I've managed to get so far is:

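FROM perl:latest

EXPOSE 9050 9061

WORKDIR /nipe
COPY . /nipe

RUN cpan install IO::Socket::SSL Try::Tiny Config::Simple JSON
# -y keeps the upgrade non-interactive during the build
RUN apt update && \
    apt upgrade -y
RUN perl nipe.pl install

# Only the last CMD in a Dockerfile takes effect, so start and status are chained in one
CMD ["sh", "-c", "perl nipe.pl start && perl nipe.pl status"]

# NET_ADMIN lets iptables change rules from inside the container;
# with --net=host those rules are applied in the host's network namespace
# docker run -d --cap-add=NET_ADMIN --net=host nipe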
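Added example, not part of the thread or of the nipe code base: a preflight check for the capability that the `--cap-add=NET_ADMIN` flag above grants. Root inside a container started without it gets the `Permission denied (you must be root)` iptables error reported earlier in the thread, even under `sudo`. The function names are hypothetical.

```sh
#!/bin/sh
CAP_NET_ADMIN_BIT=12   # bit index of CAP_NET_ADMIN in linux/capability.h

# has_net_admin HEXMASK: exit 0 if bit 12 is set in a CapEff-style hex mask,
# 1 if it is clear, 2 if the argument is not a hex mask.
has_net_admin() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capeff: effective capability mask of this process, read from procfs.
current_capeff() {
    awk '$1 == "CapEff:" { print $2 }' /proc/self/status 2>/dev/null
}

# preflight [HEXMASK]: diagnose whether iptables can modify rules here.
# Without an argument the mask of the current process is used.
preflight() {
    capeff=${1:-$(current_capeff)}
    if [ -z "$capeff" ]; then
        echo "could not read CapEff from /proc/self/status" >&2
        return 2
    fi
    if has_net_admin "$capeff"; then
        echo "CAP_NET_ADMIN present (CapEff=$capeff)"
        return 0
    fi
    echo "CAP_NET_ADMIN missing (CapEff=$capeff): iptables will refuse to load its tables" >&2
    echo "start the container with --cap-add=NET_ADMIN" >&2
    return 1
}

# Sample masks for trying the check by hand (constructed values):
#   preflight 00000000a80425fb   # typical default Docker capability set, no NET_ADMIN
#   preflight 00000000a80435fb   # the same set with NET_ADMIN added
# In an entrypoint, call it before nipe touches iptables:
#   preflight || exit 1
```

Because `nipe.pl` was observed to exit with status 0 even when iptables failed, running this check first gives the container a non-zero exit that an orchestrator or CI job can act on.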

@htrgouvea
Owner

Thx @MrNonoss
