How to test your network services with Docker

Posted on by zed

This container has been tested with IOS / NXOS and ACI.

Test syslog

You can verify if you receive logs with syslog-ng. This service runs on the default port udp/514.

The configuration on the file /etc/syslog-ng/syslog-ng.conf redirects the external logs to the following file: /var/log/remote-syslog.log

# Extract of syslog-ng.conf

source s_net {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};

log { source(s_net); destination(d_net); };
destination d_net { file(“/var/log/remote-syslog.log”); };

Logs could be see with the following command:

root@89944db0da60:~# tailf /var/log/remote-syslog.log 
Apr 15 06:50:51 10.0.100.46 2019 Apr 15 06:50:48 UTC: %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet1/1 is down(Config change)
 Apr 15 06:50:52 10.0.100.46 2019 Apr 15 06:50:49 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/1 is down (Administratively down)
 Apr 15 06:50:55 10.0.100.46 2019 Apr 15 06:50:52 UTC: last message repeated 1 time
Apr 15 11:57:59 10.255.0.2 %LOG_LOCAL7-4-SYSTEM_MSG [F1186][raised][config-failure][warning][sys/phys-[eth1/35]/fault-F1186] Port configuration failure.                                   Reason: 2                                   Failed Config: l1:PhysIfspeed_failed_flag

Test snmptrap

snmptrapd is used to receive snmptrap. The logs are redirect to the file : /var/log/snmptrapd.log.

The configuration files are the following : /etc/snmp/snmptrapd.conf and /etc/default/snmptrapd.

The community configured is “public”. You can change in the /etc/snmp/snmptrad file or disabled the authentification with ” disableAuthorization yes”

Example:

Agent Address: 0.0.0.0
Agent Hostname: nxos – UDP: [10.0.100.46]:59353->[172.21.0.2]:162
Date: 6:50:57 15-4
Enterprise OID: .
EngineID:
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso.3.6.1.2.1.1.3.0 = Timeticks: (16384794) 1 day, 21:30:47.94
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.2.1.17.0.2
iso.3.6.1.4.1.9.9.46.1.3.1.1.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.31.1.1.1.1.436207616 = STRING: “Ethernet1/1”

Agent Address: 0.0.0.0
Agent Hostname: nxos – UDP: [10.0.100.46]:59353->[172.21.0.2]:162
Date: 6:51:6 15-4
Enterprise OID: .
EngineID:
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso.3.6.1.2.1.1.3.0 = Timeticks: (16385696) 1 day, 21:30:56.96
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.43.2.0.2
iso.3.6.1.4.1.9.9.43.1.1.1.0 = Timeticks: (16384764) 1 day, 21:30:47.64
iso.3.6.1.4.1.9.9.43.1.1.6.1.6.7117 = INTEGER: 3

Test tacacs+

tacacs+ is used to verify the Authentication, Authorization and Accounting. The configuration is in the file /etc/tacacs/tac_plus.conf.

We use the following package : http://www.shrubbery.net/tac_plus/

The current configuration is the following:

  • Tacacs Key : cisco1234
  • user : user1 / cisco1234
  • Right: admin

The log files are the following :

  • For accounting : /var/log/tacacs/tac_plus.acct
  • For authentication : /var/log/tac_plus.log

Test radius

We use freeradius with the following files:

  • radiusd.conf
  • clients.conf
  • users

The logs are in the following directory /var/log/freeradius/.

Example for IOS/NXOS and ACI :

user1 Cleartext-Password := “cisco1234”
Service-Type = NAS-Prompt-User,
Cisco-AVPair = “shell:priv-lvl=15”,
Cisco-AVPair += “shell:domains=all/admin/”

Synchronize ntp

This container can be use to verify if your device can synchronize with a ntp server. This container runs a ntp server as stratum 5.

server 127.127.1.0

fudge 127.127.1.0 stratum 5

SSH / scp server

You can use this container to upload some file via scp if needed. The daemon is stopped and you need to create you own user.

root@9371dba394dc:~# adduser cisco
 Adding user cisco' ... Adding new groupcisco' (1001) …
 Adding new user cisco' (1001) with groupcisco' …
 Creating home directory /home/cisco' ... Copying files from/etc/skel' …
 New password:
 Retype new password:
 passwd: password updated successfully
 Changing the user information for cisco
 Enter the new value, or press ENTER for the default
         Full Name []:
         Room Number []:
         Work Phone []:
         Home Phone []:
         Other []:
 Is the information correct? [Y/n] y

root@9371dba394dc:~# /etc/init.d/ssh start
 [ ok ] Starting OpenBSD Secure Shell server: sshd.

The port exposed for ssh is 30022 on the docker-compose.yml file. You can change this port.

Docker-compose file

docker-compose.yml

version: "3"
 services:
   network-test:
     build: .
     image: zednetwork/network-test
     ports:
      - "30022:22/tcp"
      - "123:123/udp"
      - "49:49/tcp"
      - "162:162/udp"
      - "514:514/udp"
      - "1812:1812/udp"
      - "1813:1813/udp"
     tty: true
     stdin_open: true

To download the container :
docker pull zednetwork/network-test:latest

To enter in the container :

docker exec -it <container_ID> /bin/bash