Install ntopng in Docker

1. Install Docker CE on Fedora 27 -64 version

Docker EE is not supported on Fedora. Different Docker editions and corresponding supported operating systems are lists in Docker Guide.

1. Uninstall old versions

Older versions of Docker were called dockeror docker-engine. Uninstall them along with associated dependencies.

$ sudo dnf remove docker \
                  docker-common \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-engine

It is OK if none of these packages are found to be installed. The Docker CE package is now called “docker-ce”. The contents of /var/lib/docker/, including images, containers, volumes, and networks, are preserved

2. Install Docker CE using the repository

Set up the repository

Install dnf-plugins-corepackage

$ sudo dnf -y install dnf-plugins-core

Set up the stable repository

$ sudo dnf config-manager \
    --add-repo \
    https://download.docker.com/linux/fedora/docker-ce.repo

Optional: enable the edge and test repositories, included in docker.repo.

$ sudo dnf config-manager --set-enabled docker-ce-edge

$ sudo dnf config-manager --set-enabled docker-ce-test

The command used to disable the edge or test repositories:

$ sudo dnf config-manager --set-disabled docker-ce-edge

Install Docker CE

Install the latest version of Docker CE

$ sudo dnf install docker-ce

If this is the first time you are installing a package from a recently added repository, you will be prompted to accept the GPG key, and the key’s fingerprint will be shown. Verify that the fingerprint matches 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35and if so, accept the key.

Install a specific version of Docker CE

$ sudo dnf -y install docker-ce-<VERSION>

Start Docker CE

$ sudo systemctl start docker

Verify Docker CE is running

$ sudo docker run hello-world

2. Install Dockerized ntopng

NTOPNG related Docker images needs to be generated in order to run ntopng inside Docker.

1. Download a Collection of Dockerfile from Github

$ mkdir docker-ntopng 
$ cd docker-ntopng
$ git clone https://github.com/ntop/docker-ntop.git

2. Install PF_RING Tools

In order to take advantages of PF_RING tools accelerations when using ntop applications, PF_RING kernel module and drivers need to be loaded. More information are found PF_RING Documentation.

Install and Run PF_RING

$ docker build -t pfring -f Dockerfile.pfring .
$ docker run --net=host pfring pfcount -i ens2f0

Run PF_RING Through ZC interface

If you want to use a ZC interface, you need to get access to the license file from the container.

$ docker run --net=host -v F8F21E028080:/etc/pf_ring/F8F21E028080 pfring pfcount -i zc:ens2f0

3. Install and Run ntopng

$ docker build -t ntopng -f Dockerfile.ntopng .
$ docker run -it --net=host -p 3000:3000 ntopng -i ens2f0

Open website http://localhost-IP-address:3000and start to monitor your network.

4. Install and Run Other ntop Applications

Install and Run nProbe

$ docker build -t nprobe -f Dockerfile.nprobe .
$ docker run -it --net=host nprobe -i ens2f0

Install and Run n2disk

$ docker build -t n2disk -f Dockerfile.n2disk .
$ docker run -it --net=host n2disk -i ens2f0 -o /tmp

Install and Run nscrub

$ docker build -t nscrub -f Dockerfile.nscrub .
$ docker run -it --net=host -p 8880:8880 nscrub -i eth1 -o eth2

You can configure application license sharing the license file with the container.

$ docker run -it --net=host -p 8880:8880 -v $(pwd)/nscrub.license:/etc/nscrub.license nscrub -i eth1 -o eth2

More information of configuring Dockerfile can be found here.

3. Open ports in the firewall using CLI

Note that when starting to run ntopng in Docker, port 3000 is possibly blocked by firewall. If you can not get access to the website, check and open port for a zone to which the monitored interface belongs.

1. List All Zones

List all zones and find the zone including your localhost interface.

$ sudo firewall-cmd --list-all-zones

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: ssh dhcpv6-client
  ports: 
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

2. List All Open Ports for a Zone

Check whether port 3000 is open or not.

$ sudo firewall-cmd --zone=public --list-ports

3. Open a Port to a Zone

If port 300 is not opened, then add a port to the zone, allowing TCP traffic to por 3000 to the “public” zone.

$ sudo firewall-cmd --zone=public --add-port=3000/tcp

Check zone “public” again.

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: ssh dhcpv6-client
  ports: 3000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

4. Restart ntopng

If port is added, try to restart ntopng in docker and logon.

Reference

[1] https://docs.docker.com/v17.09/engine/installation/linux/docker-ce/fedora/
[2] https://github.com/ntop/docker-ntop
[3] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Open_Ports_in_the_firewall-CLI.html