Merge pull request #513 from NethServer/master

Update official branch

administrator-manual/en/bandwidth_monitor.rst

@@ -4,26 +4,72 @@
 Bandwidth monitor
 =================
 
-.. note::
-
-  The configuration page of this module is available only in the old Server Manager
-  and will not be ported to the new one.
-
-ntopng
-======
-
-ntopng is a powerful tool that allows you to analyze real-time
-network traffic. It allows you to evaluate the bandwidth used by
-individual hosts and to identify the most commonly used network protocols.
-
-Enable ntopng
-    Enabling ntopng, all traffic passing through the network interfaces
-    will be analyzed. It can cause a slowdown of the network and an
-    increased in system load.
-Port
-    The port where to view the ntopng web interface.
-Password for 'admin' user
-    Admin user password. This password is not related to
-    the |product| admin password.
-Interfaces
-    Interfaces on which ntopng will listens to.
+**Bandwidth monitor** module allows you to analyze real-time network traffic using 
+`ntopng <https://www.ntop.org/products/traffic-analysis/ntop/>`_ under the hood.
+**ntopng** is a powerful tool that evaluates the bandwidth used by
+individual hosts and identifies the most commonly used network protocols.
+
+
+Dashboard
+=========
+
+:guilabel:`Dashboard` page provides an overview on network usage displaying traffic information on some graphical widgets.
+
+
+Status
+------
+
+:guilabel:`Status` section informs you whether bandwidth monitor is currently enabled and provides :guilabel:`Open bandwidth monitor app`
+button to access **ntopng** web interface.
+
+
+Top local hosts
+---------------
+
+This table shows the list of hosts belonging to local networks that are currently generating most throughput,
+either downloading or uploading.
+This widget can help identify any hosts that are using a lot of bandwidth.
+
+
+Top remote hosts
+----------------
+
+This table shows the list of remote hosts that are currently generating most throughput, either downloading
+or uploading.
+
+
+Traffic by interface
+--------------------
+
+This chart plots the throughput generated by monitored interfaces during the last 5 minutes.
+
+
+Traffic by protocol
+-------------------
+
+This chart plots the traffic divided by protocol during the last 5 minutes. **ntopng** tries to recognize
+various layer 7 protocols such as HTTP, TLS, DNS, SIP, Facebook, Spotify, Zoom, etc.
+
+
+Settings
+========
+
+In :guilabel:`Settings` page you can manage **Bandwidth monitor** configuration through the following controls:
+
+* :guilabel:`Enable bandwidth monitor`: if enabled, all traffic passing through selected network interfaces
+  will be analyzed. Depending on the capabilities of your server, it may cause a slowdown of 
+  the network and an increase in system load.
+* :guilabel:`Interfaces`: the network interfaces **ntopng** will listen to.
+* :guilabel:`Web interface port`: the TCP port where **ntopng** web interface should be available.
+  By default TCP port is **3000** and can be accessed from green zone.
+* :guilabel:`Enable authentication`: if enabled, **ntopng** web interface will require login credentials.
+  Username is ``admin`` and default password is ``admin``.
+
+When **Bandwidth monitor** is enabled, **ntopng** web interface is available at: ``http://<SERVER_NAME>:<WEB_INTERFACE_PORT>``.
+A link to **ntopng** web interface is provided in :guilabel:`Dashboard` and :guilabel:`Settings` pages.
+
+
+Logs
+====
+
+In :guilabel:`Logs` page you can examine systemd journal of **ntopng** unit.

administrator-manual/en/docker.rst

@@ -12,8 +12,8 @@ Docker is an open platform for developing, shipping, and running applications. D
 
 .. warning::
 
- Docker is customised to NethServer and the firewall layer. It means that the default bridge ``docker0`` is disabled and we use other bridge called ``aqua`` and ``aeria``.
- If you have still some doubts why you should never use the default bridge ``docker0``, the official docker documentation `stated on it <https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge>`_.
+ Docker is customised to |product| and the firewall layer. The default bridge ``docker0`` is enabled to provide compatibility, however the official docker documentation `stated on why you should not use it <https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge>`_. 
+ Docker with |product| comes with 3 other networks called ``aqua``, ``aeria`` and ``macvlan``.
 
 Official documentation
 ======================
@@ -31,6 +31,37 @@ Install from the Software Center or use the command line: ::
 
   yum install nethserver-docker
 
+Docker repository
+=================
+
+The official repository of docker is bundled but not enabled, the upgrade might break the running containers. It is advised to stop all containers before to upgrade ``docker-ce``. 
+
+To upgrade to the latest stable version of docker: ::
+
+ yum update --enablerepo=docker-ce-stable
+
+to enable it permanently: ::
+
+ config setprop docker enableRepository enabled
+ signal-event nethserver-docker-update
+
+Configuration
+=============
+If you have a free block device (required for production environments) assign it to Docker before starting it for the first time ::
+
+ config setprop docker DirectLvmDevice /dev/sdb
+ signal-event nethserver-docker-update
+
+Review the current settings with ::
+
+ config show docker
+
+Network, is the IP network address of the aqua zone
+IpAddress, is the IP address of the Docker host in the Network above
+
+After each change, you have to restart docker ::
+
+ signal-event nethserver-docker-update
 
 Web user Interface
 ==================
@@ -46,19 +77,28 @@ Portainer is itself a container without important data, except the admin credent
 
 The official documentation of portainer can be found at : https://www.portainer.io/documentation/
 
+Default network
+===============
+
+The default bridge docker0 is allowed in the firewall of |product|, any ports or the containers will be opened through shorewall. Any docker howto is supposed to be compatible.
+
+Example of nginx container on port ``9001``: ::
+
+ docker run  -dit --name nginx-test-01 -p 9001:80 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
+
 Aqua network
 ============
 
 A new firewall zone and docker network, ``aqua``. Basically, containers are attached to aqua and they can talk each other. IP traffic from other zones, like green and red must be configured with the usual Firewall rules and Port forwarding pages.
 
 For an integration with system services, connections from the aqua zone are allowed to the MySQL/MariaDB port ``3306``. it means that a docker running on ``aqua`` can use the mysql database on the server.
-More port rules can be opened to the system services running on the server with a esmith db command ::
+More port rules can be opened to the system services running on the server with a esmith db command (these rules allow **only** the containers to connect to a service running on the server)::
 
  db dockrules set customName aqua TCPPorts 5141,5142 UDPPorts 5143,5144 status enabled
  signal-event firewall-adjust
 
 
-You have to specify to use the network ``aqua`` for your container, the default ``docker0`` doesn't exist. Each container on the network ``aqua`` will have an IP from the network ``172.28.0.0/16``. They can communicate each other and the server can ping each container.
+You have to specify to use the network ``aqua`` for your container, the default ``docker0`` is another network. Each container on the network ``aqua`` will have an IP from the network ``172.28.0.0/16``. They can communicate each other and the server can ping each container.
 
 For example (pihole on aqua with a static IP): :: 
 
@@ -70,20 +110,20 @@ For example (pihole on aqua with a static IP): ::
 Aeria network
 =============
 
-NethServer docker provides a docker network named ``Aeria`` that is bound to a bridge. The container will have an IP attributed by the dhcp server of your local network, all containers will communicate like any servers on your network.
+|product| docker provides a docker network named ``Aeria`` that is bound to a bridge. The container will have an IP attributed by the dhcp server of your local network, all containers will communicate like any servers on your network.
 
 For the bridge creation the server manager could be used, if you have already installed the account provider Samba AD (nethserver-dc), you have already a bridge called ``br0``. 
 
-.. note::
+.. warning::
 
-  A bridge is mandatory to ``aeria``, you must accomplish this step before to go further: ``ip a`` can valid that the bridge is up and workable
+  A bridge is mandatory to ``aeria``, you must accomplish this step before to go further: ``ip a`` can valid that the bridge is up and workable. The same bridge cannot be shared among ``aeria`` and ``macvlan``, it is a docker limitation.
 
 To enable the Aeria network, the ``bridgeAeria`` property has to be set to the name of the bridge ::
 
  config setprop docker bridgeAeria br0
  signal-event nethserver-docker-update
 
-The NethServer DHCP module can be used to set IP addresses for the docker containers. By default docker containers use random MAC addresses so fixed ones need to be set for the containers to make DHCP reservations work.
+The |product| DHCP module can be used to set IP addresses for the docker containers. By default docker containers use random MAC addresses so fixed ones need to be set for the containers to make DHCP reservations work.
 
 Here is an example for starting pihole in the Aeria network and set the MAC address ::
 
@@ -96,29 +136,53 @@ Aeria uses a docker plugin. To update the plugin ::
 
  signal-event nethserver-docker-plugin-update
 
+Macvlan
+=======
 
-Docker repository
-=================
+A container use TCP/UDP ports to communicate  outside of the server, this is the default networking. However your container could need to get a real IP on your network. Like this it will be reachable with ``http://IPofYourContainer`` 
+instead of ``http://IPofYourServer:port``. A specific configuration like a DNS sinkhole (as pihole) must have an IP, because it might break the DNS resolution of your server. Therefore with a different IP, all hosts of your network will use the services of pihole like if it was on another server.
 
-The official repository of docker is enabled to update the latest stable version.
+.. note::
 
-Configuration
-=============
-If you have a free block device (required for production environments) assign it to Docker before starting it for the first time ::
+  The difference between macvlan and aeria is that macvlan is not a plugin, it is an official network driver.
 
- config setprop docker DirectLvmDevice /dev/sdb
- signal-event nethserver-docker-update
- 
-Review the current settings with ::
+|product| docker provides a docker network named ``macvlan`` that must be bound to a bridge. Each container on the network ``macvlan`` must have a relevant IP in the range assigned to macvlan, all containers will communicate like any servers on your network.
 
- config show docker
+For the bridge creation the server manager could be used, if you have already installed the account provider Samba AD (nethserver-dc), you have already a bridge called ``br0``. 
 
-Network, is the IP network address of the aqua zone
-IpAddress, is the IP address of the Docker host in the Network above
+.. warning::
 
-After each change, you have to restart docker ::
+  A bridge is mandatory to ``macvlan``, you must accomplish this step before to go further: ``ip a`` can valid that the bridge is up and workable. The same bridge cannot be shared among ``aeria`` and ``macvlan``, it is a docker limitation.
 
- signal-event nethserver-docker-update
+Macvlan must be created by filling some important parameters, the goal is to create a container with an IP on your network, each parameter depends from your network setting.
+
+- macVlanGateway : It is the gateway of your network, generally speaking it is your router (here **192.168.1.1**)
+
+- macVlanLocalNetwork : It is the full network of your router (here **192.168.1.0/24** from **192.168.1.1** to **192.168.1.255**)
+
+- macVlanNetwork : It is the restricted IP for ``macVlan0`` (here **192.168.1.224/27**, you can use **30 IP** for your containers from **192.168.1.225** to **192.168.1.254**)
+
+- macVlanNic : It is the network interface where to run macvlan (**br0** here)
+
+Create the network ::
+
+  config setprop  docker macVlanGateway 192.168.1.1 macVlanLocalNetwork 192.168.1.0/24 macVlanNetwork 192.168.1.224/27 macVlanNic br0
+
+Then trigger the event  ::
+
+  signal-event nethserver-docker-update
+
+You have to specify to use the network ``macvlan`` for your container, the default ``docker0`` is another network.
+
+Docker creation example on macvlan ::
+
+  docker run --net=macvlan -dit --name nginx-test-02 --ip=192.168.1.225 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
+
+The container can be contacted at the relevant IP ::
+
+  curl http://192.168.1.225
+
+In case of the proposed CIDR doesn't fit your need, you should have a look to an `IP calculator <https://www.calculator.net/ip-subnet-calculator.html>`_
 
 Issues
 ======