Category Archives: Cisco

Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates

23 Monday Nov 2020

Posted by in Cisco

Leave a comment

This process demonstrates how to use a Docker container to update your Cisco ESA and SMA (and WSA) appliances.

This HOWTO assumes you have a functioning Docker environment, the Cisco ESA/SMA (or WSA) Offline Content license, the Cisco Offline Content Public internet facing server and the 20200302-123456789_ipServer-v1.tar file from Cisco.

1) On your Public internet facing Cisco Offline Content server, run the ipClient –apps command to update the Content folders.
> sudo perl ipClient-v9.0.pl –apps
a. The command above creates the /cisco/offline/ipclient/transferPackage/applications.tar file with all of the updates bundled inside.

2) On the Docker server, create the new working directory for your Dockerfile. In this case, the admin user’s home folder is /home/admin and the new folder is ciscooffct.
> sudo mkdir –p ciscooffct
> cd ciscooffct

3) Inside the ciscooffct folder, create a file named Dockerfile and copy/paste the section below into that file and save it. Note, you can edit (or remove) the label section below to whatever you want. It’s just for informational purposes.
> vi Dockerfile (in vi, enter wq! when done pasting in the text below to save)

# Base OS.
FROM ubuntu:18.04

# Update the OS and install perl and apache2 packages.
RUN apt-get update && apt-get install -y \
libconfig-tiny-perl \
libanyevent-dbi-perl \
liblwp-protocol-https-perl \
libxml-opml-simplegen-perl \
libdbd-csv-perl \
libanyevent-dbd-pg-perl \
libwww-perl \
apache2 \
vim-tiny \
vim \
inetutils-ping \
&& rm -rf /var/lib/apt/lists/*

# Create the apache folders and enable it.
RUN mkdir -pv /cisco/offline/ipclient
RUN mkdir -pv /cisco/offline/ipclient/files
RUN mkdir -pv /cisco/offline/ipclient/logs
RUN mkdir -pv /cisco/offline/ipclient/cert
RUN mkdir -pv /cisco/offline/ipclient/httpd
RUN mkdir -pv /cisco/offline/ipclient/httpd/manifests
RUN mkdir -pv /cisco/offline/ipclient/DATABASE
RUN mkdir -pv /cisco/offline/ipclient/transferPackage

RUN mkdir -pv /cisco/offline/
RUN mkdir -pv /cisco/offline/ipclient/updater
RUN mkdir -pv /cisco/offline/ipclient/updater/logs
RUN mkdir -pv /var/www/html/asyncos
RUN mkdir -pv /cisco/offline/ipServer

# Copy the modified processUploads.pl script to the image.
COPY 20200302-123456789_ipServer-v1.tar /cisco/offline/ipServer/
COPY applications.tar /cisco/offline/ipclient/transferPackage/
RUN ls -l /cisco/offline/ipServer/
RUN cd /cisco/offline/ipServer/ && tar -xf 20200302-123456789_ipServer-v1.tar
RUN chmod -R 755 /cisco/offline/ipServer

# Set one or more individual labels
LABEL version=”0.1-beta”
LABEL vendor1=”Cisco”
LABEL created-by=”slice2″
LABEL release-date=”2020-NOV-23″

# Apache ports
EXPOSE 80
EXPOSE 443

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

# Run Apache
CMD [“/usr/sbin/apache2ctl”, “-D”, “FOREGROUND”]

# Get a shell after you run the container.
CMD [“/bin/bash”]

4) When you purchased the Offline Content support contract from Cisco, you received the ipClient, ipServer and Certificate files. Locate the server side file 20200302-123456789_ipServer-v1.tar (or whatever your version string is) as you will need it for this to work.
a. Extract the tar file and edit the processUploads.pl script.
b. The sections below should be modified. For the $LOCAL_UPDATE_SERVER value, enter the IP address of your Docker container. This is usually 172.17.0.2 for the first container and increments by 1 for each container. Run the docker ps –a command to see how many containers are running (see the STATUS header). If it doesn’t say Exited, it’s running.

my $UPLOAD_PATH = “/cisco/offline/ipclient/transferPackage”;
my $HTTPD_PATH = “/var/www/html”;
my $LOCAL_UPDATE_SERVER = “your internal or private server IP or FQDN”;
open(LOG, “/cisco/offline/ipclient/updater/logs/cleanup.log”);

c. After you have edited the file, tar it back up using the same file name.

5) Move your files. Copy both files, 20200302-123456789_ipServer-v1.tar and /cisco/offline/ipclient/transferPackage/applications.tar (from the Public server), to the /home/<your username>/ciscooffct folder on your Docker server. It should look like this.
admin@lab01 ciscooffct]$ pwd

/home/admin/ciscooffct

[admin@lab01 ciscooffct]$ ls -l

-rwxr-xr-x. 1 admin admin 28160 Nov 5 15:06 20200302-123456789_ipServer-v1.tar
-rwxr-x—. 1 admin admin 1123635200 Nov 5 16:45 applications.tar
-rw-rw-r–. 1 admin admin 2362 Nov 5 17:36 Dockerfile

6) On the Docker server, build the image. The image name is ciscooffct and the tag is ESA-SMA.

> docker build -t ciscooffct:ESA-SMA .

7) Run the image now that it has been built.

> docker run -ti -p80:80 –name ciscooffct ciscooffct:ESA-SMA

a. You will notice that you have a new prompt inside the container.

root@d33c4054c299:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 36G 27G 8.9G 75% /
tmpfs 64M 0 64M 0% /dev
tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
/dev/mapper/centos_lab01-root 36G 27G 8.9G 75% /etc/hosts
tmpfs 3.8G 0 3.8G 0% /proc/asound
tmpfs 3.8G 0 3.8G 0% /proc/acpi
tmpfs 3.8G 0 3.8G 0% /proc/scsi
tmpfs 3.8G 0 3.8G 0% /sys/firmware

b. Open a new xterm or new xterm tab to get a prompt on the Docker host, not inside the container. On the Docker terminal, enter the command below to find the IP address of the container and ping it.

> docker exec ciscooffct cat /etc/hosts | grep 172
172.17.0.2 d33c4054c299

> ping 172.17.0.2

c. Next, get the running status of the container.

> docker ps -a | grep ciscooffct
d33c4054c299 ciscooffct:ESA-SMA “/bin/bash” 18 minutes ago Up 18 minutes
0.0.0.0:80->80/tcp, 443/tcp ciscooffct

d. Back in the container terminal (the one with the root@d33c4054c299:/# prompt), run the perl script and start Apache.
> cd /cisco/offline/ipServer/20200302-123456789_ipServer-v1

> perl processUploads.pl

> apachectl start

e. If you have one, launch a browser on your Docker server and test access to the update content. If not, simply launch a browser on another host and point it to the IP address of the Docker server (not the container).

8) Commit your changes and prepare the image for export. Keep the container running during this process.
a. Find the container ID (in Red)

> docker ps -a | grep cisco
42f04b35318a ciscooffct:ESA-SMA “/bin/bash” About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 443/tcp ciscooffct

b. Commit your changes before saving the image. This captures the new content updates. For the “-a” value, just enter the person’s name or initials that committed the changes.

> docker commit -a “Slice2” 42f04b35318a ciscooffct:ESA-SMA
sha256:c2c51d8936a0f0fa3101057101df43e3fb0084ad017669fd20a97666634fa194

c. Save a copy of the image and increment the name by one using the v1 (v2, v3, etc.) method. Check the size of the file when done.

> docker save -o ciscooffctv1.tar ciscooffct:ESA-SMA
> du -h ciscooffctv1.tar
2.4G ciscooffctv1.tar

d. Transfer the file to the production Docker server on your internal (Private) network and place it in /tmp (or the location of your choice) and load it. Make sure the ownership/permissions on the .tar file are correct before you load it. Check with the Docker server admin and adjust accordingly with chown/chmod. By default, the .tar file is created with 0600 (rw——-).

> docker load < /tmp/ciscooffctv1.tar
Loaded image: ciscooffct:ESA-SMA

> docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ciscooffct ESA-SMA c1c51d8936a0 22 minutes ago 2.5GB

> docker image ls | grep cisco (use this if you have a lot of images)
ciscooffct ESA-SMA c1c51d8936a0 23 hours ago 2.5GB

e. Start the Container using the incremented name (v1, etc.) so you know it’s new, start apache in the Container terminal and verify that it’s running.

> docker run -ti -p80:80 –name ciscooffctv1 ciscooffct:ESA-SMA

root@8ef4161ddfc5:/# apachectl start
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ef4161ddfc5 ciscooffct:ESA-SMA “/bin/bash” 4 minutes ago Up 4 minutes 0.0.0.0:80->80/tcp, 443/tcp ciscooffctv1

9) Make sure your Cisco appliances are pointing to this Container (the Docker server IP). When done updating the ESA/SMA appliances (using the updatenow command on each ESA/SMA via ssh or serial terminal), stop the container and remove the image. The image is obsolete after updating because Cisco releases new Content Updates every 4 hours or so. There is no need to keep this image on the Docker server.

> docker stop ciscooffctv1
> docker rm ciscooffctv1

10) Consider a daily or weekly schedule for updates. The next time you need to update content on the appliances, simply move in a new applications.tar file from the Public offline content server and run steps 6, 7, 8 and 9. The distilled steps are.

Start of Public side:
a. Add the new applications.tar file to the working folder.
b. build
c. run
d. perl processUploads.pl and apachectl start
e. commit
f. save (burn ciscooffctv1.tar file to DVD, move to Private network)

Start of Private side:
g. load (check ownership/permissions before load)
h. run
i. apachectl start
j. updatenow (on the ESA/SMA)
k. stop
l. rm