Running in Docker and receiving flows, traps or syslog messages over UDP

We provide ways to run Minion and OpenNMS with Docker, and you can configure them to receive flows, syslog messages or SNMP traps. Here are some important hints you should be aware of. They result from how UDP-based protocols work combined with how Docker networking works, especially in virtualized environments such as running Docker on Mac with xhyve.

If you use a network for your container and you just publish your UDP ports this will have side effects. Here is a very simplified example for explanation:

When you use Docker for Mac and you receive UDP datagrams, they will run through NAT and for your dockerized process it seems like your UDP datagrams came from 172.18.0.1 instead of 192.178.178.1. In the case of flows, the address 172.18.0.1 will be used as the IP address to assign the packets to the flow exporter. In the case of Syslog or SNMP traps over UDP, the source address will be used to assign these events to the node in the OpenNMS database.

If you can’t get around the NAT, for flows you can use additional metadata to assign flow packets differently, e.g.:

  • Netflow v5: engineID
  • Netflow v9: sourceID
  • IPFix: observationDomainId
  • SFlow: sub_agent_id
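To show where these fields sit on the wire, here is an added example (not OpenNMS code) that reads the exporter ID from each protocol's header and compares grouping by source IP with grouping by that ID. The function names and the sample datagrams are constructed for illustration; header layouts follow the NetFlow v5/v9, IPFIX and sFlow v5 formats.

```python
import struct
from collections import Counter

NAT_SOURCE = "172.18.0.1"  # address every datagram appears to come from (per the text)

V5_HDR = struct.Struct("!HHIIIIBBH")   # NetFlow v5 header, 24 bytes
V9_HDR = struct.Struct("!HHIIII")      # NetFlow v9 header, 20 bytes
IPFIX_HDR = struct.Struct("!HHIII")    # IPFIX message header, 16 bytes

def exporter_id(datagram: bytes):
    """Return (protocol, id) read from the export header, or None if unknown/truncated."""
    try:
        (version,) = struct.unpack_from("!H", datagram)
        if version == 5:
            return "netflow5", V5_HDR.unpack_from(datagram)[7]    # engine_id
        if version == 9:
            return "netflow9", V9_HDR.unpack_from(datagram)[5]    # source ID
        if version == 10:
            return "ipfix", IPFIX_HDR.unpack_from(datagram)[4]    # observation domain ID
        sflow_version, addr_type = struct.unpack_from("!II", datagram)
        if sflow_version == 5 and addr_type in (1, 2):            # 1 = IPv4, 2 = IPv6 agent
            offset = 8 + (4 if addr_type == 1 else 16)
            return "sflow5", struct.unpack_from("!I", datagram, offset)[0]  # sub_agent_id
    except struct.error:
        pass  # datagram shorter than the header it claims to carry
    return None

def group_exporters(packets):
    """Count datagrams keyed by source IP only, and by (source IP, protocol, id)."""
    by_ip, by_id = Counter(), Counter()
    for src, data in packets:
        by_ip[src] += 1
        by_id[(src, *(exporter_id(data) or ("unknown", None)))] += 1
    return by_ip, by_id

def sample_packets():
    """Constructed headers only (no flow records), all arriving via the NAT address."""
    return [
        (NAT_SOURCE, V5_HDR.pack(5, 0, 0, 0, 0, 1, 0, 1, 0)),     # engine_id 1
        (NAT_SOURCE, V5_HDR.pack(5, 0, 0, 0, 0, 1, 0, 2, 0)),     # engine_id 2
        (NAT_SOURCE, V9_HDR.pack(9, 0, 0, 0, 1, 100)),            # source ID 100
        (NAT_SOURCE, IPFIX_HDR.pack(10, 16, 0, 1, 200)),          # domain 200
        (NAT_SOURCE, struct.pack("!IIIIIII", 5, 1, 0xC0000201, 3, 1, 0, 0)),  # sub_agent_id 3
    ]

if __name__ == "__main__":
    by_ip, by_id = group_exporters(sample_packets())
    print(len(by_ip), "exporter by source IP;", len(by_id), "by header ID")
```

These IDs are set on the exporting device, so they only separate exporters if each device is configured with a distinct value.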

:biohazard: UDP packets from all your devices will have 172.18.0.1 as the source IP address.

There is no simple solution for SNMP Traps and Syslog.

Solution: Run Docker on Linux and don’t use NAT for VMs

If you run your Minion or OpenNMS Horizon on Linux you won’t have this problem, because the source IP address in the UDP datagrams is preserved.

By default, we run as a non-root user, so you will probably have issues opening network ports, especially administrative ports < 1024. To avoid these issues, the default port for SNMP traps is 1162/udp and the default port for syslog is 1514/udp. Use the ports directive to listen on 162/udp and forward to 1162/udp with 162:1162/udp, so you don’t have to add privileges to the Minion/Horizon container.