Document toolboxDocument toolbox

Test New Brand Bare-Metal Docker Deployment

Owned by Shirly Tsang
Apr 11, 2023
4 min read

Important Note

The minimum system requirements specified for hosts must be dedicated to the host you plan to deploy. They cannot be shared with or used for other non-Infoblox applications. Doing so will negatively affect the performance of your BloxOne services. For information about the minimum system requirements and port usage, see the following:

Prerequisites for Bare-Metal Docker Deployment

Before you start the deployment, complete the following:

  • Ensure that your Docker environment meets the minimum deployment requirements.
  • Open all required ports on the hosts, as list in Test New Brand Port Usage for Bare-Metal Hosts, in addition to the ports required for firewalls.
  • Ensure that there are no other processes using port 53 on the host system on which your host will be deployed. For example, some Ubuntu systems running local DNS cache (system-resolved) might occupy port 53, and your host might not function properly in this case.
  • Dind (Docker-in-Docker) configuration is not supported for host deployments.
  • For Ubuntu 18 and Ubuntu 20 in which systemd-resolved is running, perform the following before deploying a host:

Stop systemd-resolved and remove the corresponding resolv.conf, as follows:

systemctl disable systemd-resolved.service

systemctl stop systemd-resolved

rm -f /etc/resolv.conf

Check and verify if the NetworkManager service exists by performing the following on the host:

systemctl status the NetworkManager

If the NetworkManager service exists, whether it is in the running or non-running state, stop the service by performing the following:

sudo systemctl stop NetworkManager.service

sudo systemctl disable NetworkManager.service

sudo systemctl stop NetworkManager-wait-online.service

sudo systemctl disable NetworkManager-wait-online.service

sudo systemctl stop NetworkManager-dispatcher.service

sudo systemctl disable NetworkManager-dispatcher.service

sudo systemctl stop network-manager.service

sudo systemctl disable network-manager.service

Set resolver, as follows:

tee /etc/resolv.conf << END

nameserver 8.8.8.8

END

  • Disable unattended upgrades on Ubuntu. The unattended upgrades feature is enabled by default, and it runs at system boot without user's permission. Unattended upgrades could cause all containers to be terminated and new containers to be created. When this happens, the host will stay in a bad state and cannot be recovered. To disable unattended upgrades on Ubuntu and its derivatives, run the following command:

$ sudo dpkg-reconfigure unattended-upgrades

  • Install net-tools on the host using the following commands:
    • For Ubuntu:
      $ sudo apt-get install -y net-tools
    • For CentOS and Redhat:
      $ sudo yum install net-tools -y

For Ubuntu 22 only:

  • Edit the file –sudo vi /etc/default/grub:
    • Modify the values from GRUB_CMDLINE_LINUX=”” to GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=no"
    • If the above default values are not there, add the line GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=no"
  • Execute the following commands: 
    • sudo update-grub
    • sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
    • sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    • sudo reboot

Deploying Hosts in Docker

To deploy hosts in a Docker environment, complete the following:

  1. In the Cloud Services Portal, go to Administration -> Downloads.

  2. On the Downloads page, click Download Package for Docker, and then save the .tar.gz file on your system.

  3. Set up the Docker environment on your system. Ensure that the Docker version is supported, as described in Test New Brand BloxOne Connectivity and Service Requirements and Test New Brand Port Usage for Bare-Metal HostsFor information about how to install Docker, refer to the Docker Documentation.

  4. Download the Infoblox Docker image tar file to your server, and then execute the following command at root. Note that you must have root privileges to execute Docker commands.

    # docker load -i <BloxOne_OnPrem_Docker_<VERSION>.tar.gz

  5. The system displays the download process. The following is a sample display:

    7cbcbac42c44: Loading layer [====================================>] 5.05 MB/5.05 MB
d6f064e063f6: Loading layer [====================================>] 2.218 MB/2.218 MB
f77e7ee6f8c6: Loading layer [====================================>] 69.11 MB/69.11 MB
fa005789404e: Loading layer [====================================>] 4.096 kB/4.096 kB
4024a9f13d19: Loading layer [====================================>] 12.05 MB/12.05 MB
70fdf570286f: Loading layer [====================================>] 4.608 kB/4.608 kB
e8b22bfeae7a: Loading layer [====================================>] 4.608 kB/4.608 kB
6fabe6521295: Loading layer [====================================>] 4.608 kB/4.608 kB
5f70bf18a086: Loading layer [====================================>] 1.024 kB/1.024 kB
Loaded image: infobloxcto/onprem.agent:x.x.xx

  6. Execute the following command to verify that the Infoblox Docker image has been downloaded properly:

    # docker images
    REPOSITORY                   TAG      IMAGE ID        CREATED         SIZE

infobloxcto/onprem.agent    3.1.xx    68f5ed0a1645    20 hours ago    96.9MB

  7. On the Docker system, execute the following command:

    sudo docker run -d \
  --name blox.noa \
  --network=host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/infoblox/certs:/var/lib/infoblox/certs \
  -v /etc/onprem.d/:/etc/onprem.d/ \
  -v /etc:/mount/etc:ro \
  -v /usr/share/zoneinfo:/usr/share/zoneinfo:ro \
  infobloxcto/onprem.agent:<VERSION> \
  --jointoken $JOIN_TOKEN

    Note:

    You must use “blox.noa” as the container name. DO NOT change this. You can capture the onprem.agent Version in the “Loaded image” field when you download the Infoblox Docker image. Note that only Docker image version 19.03.5 or greater supports the join token option.

    To be fully compatible with the BloxOne services, you must update the Docker daemon settings and set the log driver to "json-file." For more information, refer to the Docker documentation at https://docs.docker.com/config/containers/logging/configure/.

  8. You can verify that the Infoblox Docker container images are properly deployed on the system by using the following command:
    # docker ps
  9. You have now successfully deployed the host. It might take a couple minutes for the proxy and BloxOne Threat Defense Cloud to connect. Once connected, the host starts collecting information from your on-prem devices and transmits the data to BloxOne Threat Defense Cloud.
  10. Configure a non-local DNS resolver on the host if you don't want to use the default DNS resolver and do not want Docker to send DNS queries for *.infoblox.com to Google DNS via  8.8.8.8 or 8.8.4.4. For more information, see What's New in BloxOne Threat Defense.
  11. To check the current status of the proxy, you can go to Manage > Hosts in the Cloud Services Portal. For more information about the host status see /wiki/spaces/InfrastructureDRAFT/pages/84904118.