SWY's technical notes

Relevant mostly to OS X admins

Monthly Archives: May 2016

Providing Snipe-IT via Docker

The goal of this post is to walk through all the steps needed to take a stranger to Docker from ground zero to a working install of Snipe-IT asset manager in a Docker container, linked to a mysql Docker container, storing data on the host volume, where the host is a Synology NAS.  We’ll start with a presumption that the reader knows why Docker exists and what containers are, but doesn’t have a familiarity with how to make Docker work for them.

My workplace needed a better (read: any) asset tracking system, and the venerable Snipe-IT came across my radar as a suitable choice to explore for multiple reasons:

  1. It’s FOSS
  2. There’s a Docker instance, and I wish to up my Docker game
  3. I found other macadmins who use it
  4. @snipeyhead and @uberbrady are smart devs
  5. The online demo didn’t invoke rage, it felt like something we could use.

Unfortunately, like many online docs, Snipe-IT’s documentation makes some presumptions that the reader has a working familiarity with making containers, linking them, and knowing why they would want to store data on the host filesystem vs a container.  When you’re taking your first walk down this road, the path is not always obvious: I hope to illustrate it with what I learned.

When we start with Snipe-IT’s Docker docs, it starts with the basic: “pull our container from Docker Hub”.  This is definitely what you want.  But not where you want to start: this is a cart in front of a horse.  Before we’re ready for a Snipe-IT container, we need to prepare a mysql container.  But before that, let’s get our Synology ready to do awesome Docker stuff.

To do that, log into the DSM web interface on your Synology, click the Main Menu, and head to the Package Center.

Installing Docker is a one click event, and is now available from the Main Menu.  Start it up.

Synology’s “Docker Registry” is the desired path to get a pre-built container.  We’ll use the registry search tool to find mysql.  It’s the ribbon-wearing “Official Image” that you wish to download: you can select the version via the “Choose Tag” request that comes after clicking the [download] button.

mysql:5.6.29 should now be an option under the Image tab.  We are selecting 5.6.29 because, per the Snipe-IT documentation guidelines, 5.7 defaults to strict mode; staying on 5.6 skips the requirement to disable strict mode.

Before we get this image running in a container, we’re at a decision point.  Docker images are designed to be non-persistent.  This aspect is great for updating to the latest image, but “non-persistent” is not a good feature in your asset tracking software database.  There are 2 options for getting the needed persistence:

  • Make another “data-only” container.  Pros: containers are easy to relocate. Cons: you need backups. You’re going to need yet another container to perform backups and restores.
  • Map a path from the mysql container out to the local storage. Pros: can use Synology built-in tools to back this data up. Cons: less easy to relocate… but not all that hard.  Still, you’re not fully conforming to the “container all the things!” viewpoint.  Like most decisions in life, neither is purely right or wrong.

I don’t intend to be shipping these containers around at all, and expect that once established, my asset tracking software will stay where it is for the functional life of the NAS.  So for my needs, I’m going with host-based storage.

To start up our Dockerized instance of mysql, launch that image with the Launch button. The naming is arbitrary (snipe-mysql is logical), and no changes are needed to the port settings: the default, with Local Port set to Auto and mapped to 3306, is appropriate.

Step 2 is all optional.  I haven’t found a need to limit CPU use to make sure it’s a well-behaved neighbor to other services: it’s a pretty low-impact service.

On the summary page, click Advanced Settings.  Here’s where we can set more options, such as where to store data.  Under Volume, choose Add Folder; I put mine in the docker directory, and called it snipe-it_mysql.  With this mounted at /var/lib/mysql, mysql data will now be written out to the host storage instead of being put in the container.  Uncheck Read-Only: we’d better be able to write here.

Links will not be needed: the Snipe-IT container will link TO this container.  If we’d chosen to go with a data storage container, we’d link to it here.

Environment is where we put the rest of the settings.  These are taken from the Snipe-IT documentation.  (Substituting your own password values is encouraged.)

Click OK and start up the container.  By clicking Details, you should be able to see the one process running, and consult the log.  If all has worked as intended, your log will end with mysqld: ready for connections, and under File Station/docker/snipe-it_mysql, you’ll see some newly created data: the database that containerized mysql is reading and writing.

So it’s time to connect something to it. Back to the Docker registry to download snipe/snipe-it.

Start it up from the wizard under Image.  Port 80 is already in use on the NAS, so we can direct a different port into 80 in the container.

Again head to Advanced Settings, and link the container to snipe-mysql.  Keep the Alias named mysql.

The environment variables are from the SnipeIT documentation, moved from the .env file to the Environment Variables section.  If you don’t list SERVER_URL with port 8088, then the dashboard link will fail.  There’s no rule that you have to use 8088; it can be any high port that appeals to you, it just has to match the Local Port value back on step 1 of this section.

After starting up the snipeit container, I found that when I pointed the browser at the SnipeIT instance, I got this:

[Screenshot of the browser result]

Turns out, that’s expected.  As we read the fine manual, we see that we’re supposed to execute docker exec -i -t snipeit php artisan app:install in our container to get things started.  At first, I thought I’d get away with that in the “Execution Command” field of the window 2 pics above.  No, it’s interactive: it supplies questions to be answered by a human.  This step requires interacting in the Docker container.  To do that:

  1. SSH into the Synology as a local account with admin abilities. sudo -i to become root, authenticating with the local administrator’s password.
  2. Execute docker exec -i -t snipeit php artisan app:install.  This sends the command “php artisan app:install” to the docker container, and drops the user into the container to interact. This script sets up the first user account: use the username and pass defined in the SQL container’s MYSQL_USER and MYSQL_PASSWORD environment variables. Soon after a number of tables are logged as “migrated”, one can point their browser to the SERVER_URL above to start exploring the new web service on the NAS.
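
The wizard steps above can also be expressed as docker commands in the same root SSH session. This is an added example, not from the original post or the Snipe-IT documentation: the host paths, env-file name, database name and NAS host name are assumptions, and MYSQL_ROOT_PASSWORD and MYSQL_DATABASE are the official mysql image's own variables rather than values shown on this page. Unlike the wizard default it does not publish the mysql port on the NAS, and app:install still has to be run afterwards as described.

```shell
#!/bin/sh
# Added example: docker CLI equivalent of the DSM wizard steps in the post.
# From the post: container names, images, the "mysql" alias, /var/lib/mysql, 8088.
# Assumed here: host paths, env-file name, database name, NAS host name.
DATA_DIR="${DATA_DIR:-/volume1/docker/snipe-it_mysql}"    # assumed host path
ENV_FILE="${ENV_FILE:-/volume1/docker/snipe-it.env}"      # assumed file name
SERVER_URL="${SERVER_URL:-http://nas.example.lan:8088}"   # placeholder host name

# 32 hex characters (128 bits) from the kernel CSPRNG.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create the variable file once, owner-readable only, with generated passwords
# instead of the documentation's sample values. An existing file is kept, so
# re-running never changes the credentials the database was initialised with.
write_env_file() {
    [ -f "$ENV_FILE" ] && return 0
    (
        umask 077
        {
            echo "MYSQL_ROOT_PASSWORD=$(gen_secret)"
            echo "MYSQL_DATABASE=snipeit"
            echo "MYSQL_USER=snipeit"
            echo "MYSQL_PASSWORD=$(gen_secret)"
            echo "SERVER_URL=$SERVER_URL"
        } > "$ENV_FILE"
    )
}

# Database first. No -p option: the link below is enough for Snipe-IT to reach
# port 3306, so the database is not published on the NAS's own address.
start_mysql() {
    docker run -d --name snipe-mysql --env-file "$ENV_FILE" \
        -v "$DATA_DIR":/var/lib/mysql mysql:5.6.29
}

# Web container, linked with the alias "mysql", NAS port 8088 -> container port 80.
start_snipeit() {
    docker run -d --name snipeit --env-file "$ENV_FILE" \
        --link snipe-mysql:mysql -p 8088:80 snipe/snipe-it
}

# Containers are started only on request: sh snipe-setup.sh up
if [ "${1:-}" = "up" ]; then
    write_env_file && start_mysql && start_snipeit
fi
```

Include the env file in whatever backs up the snipe-it_mysql folder, since the generated passwords exist nowhere else.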

With that, you should have a working Snipe-IT install.  Because this project is frequently updated, you’ll periodically want to grab the current release of SnipeIT from Docker hub, to get the latest fixes and enhancements.  To do so:

  1. Head into your Synology’s Docker management interface, and stop the SnipeIT container, then the Snipe-mysql container.
  2. Go to the Registry tab, and search for snipe-it.  Double-click the same official snipe/snipe-it container you used before.  This will update your container to the latest release (equivalent of a ‘docker pull’ command).  Once updated, start the SQL container first, then the SnipeIT, and you’re current.  Unfortunately, via the GUI, this is an obscure process: it lacks feedback if anything is going on.  If you want to see what’s going on, SSH to the Syno and sudo -i as documented above, and run docker pull snipe/snipe-it.
  3. Start up your updated Docker instance just like before.  While things might vary on what the requirements are on future updates, you should expect to need to do some database migrating to match updates.  This is probably easiest if you gain shell access to the Docker instance: docker exec -i -t snipeit /bin/bash 
    1. Execute only the php artisan commands documented in the Snipe-IT upgrade documentation; the Docker container has handled the composer install for you:
      php artisan migrate
      php artisan config:clear
      php artisan config:cache

If you’re going to open this service to the WAN, you’ll naturally want to require SSL on it, which is not covered here. If you’re standing up instances of FOSS software via Docker on a NAS, I’m giving you credit for knowing why that’s important.

In regret of Auto-VoIP

Due to a remodeling project at work, it came to be that I needed to provide temporary Ethernet drops to a lot of areas that weren’t designed to have a human and a VoIP phone sitting there.  To make this happen, we added 8 Netgear GSTP110TP switches to our network- PoE, managed, endorsed by a friend, and not expensive- as these are a temporary fix, not years of infrastructure to rely on.  Configuration was not complicated: each of these had to handle just the main wired client vLAN and the VoIP vLAN, so the task list boiled down to

  • Bring firmware current (who wants to troubleshoot something potentially fixed in last week’s update?)
  • Add the OUI for our Polycom phones, since that was not a vendor it recognized out of the box
  • Enable LLDP on ports 2-8 (1 was declared to be the uplink to the core stack)
  • Add vLANs to the switch, using the Voice VLAN option to match our VoIP vLAN and apply to all ports.

Soon we had streams of Cat5e running in all sorts of ways that would make any self-respecting admin hang his head in shame.

You don't really want to do this.

Or this

During the setup, one other option caught my eye: “auto-VoIP”.  Per the Netgear documentation:

The Auto-VoIP automatically makes sure that time-sensitive voice traffic is given priority over data traffic on ports that have this feature enabled. Auto-VoIP checks for packets carrying the following VoIP protocols:

• Session Initiation Protocol (SIP)

• H.323

• Signalling Connection Control Part (SCCP)

• Media Gateway Control Protocol (MGCP)

Reading this, it sounded like a fine idea to enable this option, and that was done.  With the above configuration set, we started testing switches and plugging phones in, and all worked as expected.  LLDP allowed the switches and phones to establish that there was a device with a qualifying OUI attached to a port, and therefore put its traffic in the voice vLAN, and despite being a cabling mess, all seemed well with the world.

Then the tickets started trickling in- only from staff using phones attached to the Netgears:

  • Lost audio in one direction while on a call (call stays connected, voice transit suddenly became ONE direction only)
  • No dialtone
  • url calling disabled shown on the Polycom screen
  • More one-way audio issues

The events were unlike any other networking oddities I’ve tackled: sometimes they’d be magically fixed before my fellow IT staff or I could get down to witness them. We configured our PRTG monitoring to scan the VoIP subnet and start tracking if phones were pingable or not, and we ended up with 2 day graphs that showed that at approximately 24 hour-ish intervals, we’d lose connectivity with phones, in clusters, all members of the same Netgear.  They didn’t all go offline at the same moment, but a wave of failure would wash over the group: it might lose G2 at 2P, G3 at 2:04, G5 at 2:07, then G3 would work again, G4 would drop pings, G2 would start working… no pattern that we could see, just a wave of “nope, no traffic going to/from that phone” ranging from 2 to 20+ minutes, that would eventually resolve without our input.  Naturally, this never happened in the dark of night: there was the 2P cluster, the 3:45P cluster, and the 6P cluster.

With some guidance from our VoIP provider, we finally determined the culprit: Auto-VoIP.  While this might help improve the experience in high-traffic conditions where the voice device isn’t in a prioritized vLAN of its own (such as a small deployment, where this 8 port switch is the only switch), it’s not a benefit when there’s a dedicated voice vLAN that has its own prioritization rules.  Not only “not a benefit”, but enabling it caused one of the most unique network issues I’ve ever met. Since disabling auto-VoIP on all ports, this issue has not returned.