Setting Up RaspAP with Docker

Overview

This document provides step-by-step instructions for setting up RaspAP on a Raspberry Pi using Docker, suitable for ARM devices.

It covers modifying the Docker Compose configuration, launching the service, and accessing the RaspAP interface.

Requirements

Raspberry Pi with ARM architecture
Docker and Docker Compose installed
Internet connection

Installation Steps

Clone the Repository

Open a terminal and navigate to your home directory.
Clone the RaspAP Docker repository:

git clone https://github.com/RaspAP/raspap-docker.git

Move into directory:

cd raspap-docker

Modify Docker Compose Configuration

Open the docker-compose.yaml file in a text editor or via Visual Studio Code if you have SSH'ed into your Raspberry Pi.

nano docker-compose.yaml

Uncomment the cgroup: host line under the raspap service to enable ARM device support:

version: "3.8"
services:
  raspap:
    container_name: raspap
    image: ghcr.io/raspap/raspap-docker:latest
    ports:
      - "80:80"
    privileged: true
    network_mode: host
    cgroup: host
    environment:
      - RASPAP_SSID=raspap-webgui
      - RASPAP_SSID_PASS=ChangeMe
      - RASPAP_COUNTRY=GB
      - RASPAP_WEBGUI_USER=admin
      - RASPAP_WEBGUI_PASS=secret
      - RASPAP_WEBGUI_PORT=80
    cap_add:
      - SYS_ADMIN
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    restart: unless-stopped

Notes

Removed the commented-out build: . line since you are using the pre-built image.
Updated the port mapping to "80:80" to match the RASPAP_WEBGUI_PORT environment variable.
Added cgroup: host to enable the workaround for ARM devices as mentioned in the README.
Ensured that the /sys/fs/cgroup volume is mounted with :rw to make it writable.
Save the changes and exit the editor (in nano, press Ctrl+O to save and Ctrl+X to exit).

Docker Compose file analysis

The Docker Compose file you provided defines the configuration for running a Docker container that sets up RaspAP, to convert a Raspberry Pi into a WiFi access point or router.

Here's a detailed breakdown of the Docker Compose file's components

Specifies the version of the Docker Compose file syntax. 3.8 is a stable version that supports most Docker features necessary for production environments.

Services:
- The file defines a single service named raspap.
Container Details:
- container_name: Sets the name of the container to raspap.
- image: Points to the Docker image to be used, ghcr.io/raspap/raspap-docker:latest, which is hosted on GitHub Container Registry.
Ports:
- Maps port 8081 of the host to port 8081 of the container, implying that the RaspAP web interface or other services running on this port in the container can be accessed using port 8081 on the host machine.
Privileged Mode:
- privileged: true grants the container full access to the host system. This is often necessary for network manipulation and hardware access, which are typical requirements for networking software like RaspAP.
Network Mode:
- network_mode: host configures the networking of the container to use the host's networking stack. This is crucial for a networking application like RaspAP that needs to manage and configure the host's network interfaces directly.
Environment Variables:
- Sets environment variables within the container to configure RaspAP's initial settings:
  - RASPAP_SSID: The default SSID for the WiFi network.
  - RASPAP_SSID_PASS: The default password for the WiFi network.
  - RASPAP_COUNTRY: Sets the country code for WiFi operation to comply with local regulations.
  - RASPAP_WEBGUI_USER: Default username for the RaspAP web interface.
  - RASPAP_WEBGUI_PASS: Default password for the RaspAP web interface.
  - RASPAP_WEBGUI_PORT: Port on which the web interface is served (interesting as it contrasts with the port mapping mentioned earlier).
Capabilities:
- cap_add: [SYS_ADMIN] adds specific Linux capabilities to the container, allowing it to perform tasks usually reserved for system administrators, such as managing network interfaces and settings.
Volumes:
- Mounts /sys/fs/cgroup:/sys/fs/cgroup:rw which is necessary for proper function of the Linux control groups (cgroups), which is especially relevant for resource management and system-level operations that RaspAP might perform.
Restart Policy:
- unless-stopped specifies that the container should always restart unless explicitly stopped by the user. This ensures that RaspAP will continue running across reboots or unless it is stopped for maintenance or configuration changes.

Key Considerations

Security Implications: Running containers in privileged mode and with host network mode should be handled with care due to elevated access to the host system.
Performance and Resource Access: Given the high level of system access provided to the container, it can efficiently manage hardware and network resources, which is ideal for RaspAP’s intended purpose.

This Docker Compose setup is well-suited for deploying RaspAP in environments where Docker is used, combining ease of deployment with robust access to system resources necessary for network management.

Set up IP Tables (not necessary)

sudo iptables -I DOCKER-USER -i wlan0 -o eth0 -j ACCEPT
sudo iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables-save

An explanation of the IP table Setup

sudo iptables -I DOCKER-USER -i wlan0 -o eth0 -j ACCEPT

This command inserts a rule into the DOCKER-USER chain of the iptables filter table.
The -I option specifies that the rule should be inserted at the beginning of the chain.
The -i wlan0 option specifies the input interface as wlan0 (wireless interface).
The -o eth0 option specifies the output interface as eth0 (wired interface).
The -j ACCEPT option specifies that packets matching this rule should be accepted and allowed to pass through.
This command allows packets to move from the wireless interface (wlan0) to the wired interface (eth0).
It's like opening a door for packets to go from the wireless network to the wired network.

sudo iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE:

This command checks if a specific rule exists in the POSTROUTING chain of the iptables NAT table using the -C option. If the rule doesn't exist, it appends the rule using the -A option.
The -t nat option specifies that we are working with the NAT table.
The -o eth0 option specifies the output interface as eth0.
The -j MASQUERADE option specifies that the source IP address of the packets should be modified (masqueraded) to the IP address of the eth0 interface.
This command enables Network Address Translation (NAT) for packets going out through the wired interface (eth0).
It's like disguising the source address of packets coming from the wireless network to make them appear as if they originated from the wired interface.
This allows wireless clients to access the internet through the wired connection.

sudo iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT:

This command checks if a specific rule exists in the FORWARD chain of the iptables filter table using the -C option. If the rule doesn't exist, it appends the rule using the -A option.
The -i eth0 option specifies the input interface as eth0.
The -o wlan0 option specifies the output interface as wlan0.
The -m state --state RELATED,ESTABLISHED option specifies that the rule should match packets that are part of an existing connection or related to an established connection.
The -j ACCEPT option specifies that packets matching this rule should be accepted and allowed to pass through.
This command allows packets that are part of existing or related connections to move from the wired interface (eth0) to the wireless interface (wlan0).
It's like allowing packets that are part of ongoing conversations to continue moving between the wired and wireless networks.

sudo iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT:

This command checks if a specific rule exists in the FORWARD chain of the iptables filter table using the -C option. If the rule doesn't exist, it appends the rule using the -A option.
The -i wlan0 option specifies the input interface as wlan0.
The -o eth0 option specifies the output interface as eth0.
The -j ACCEPT option specifies that packets matching this rule should be accepted and allowed to pass through.
In summary, this rule allows packets to be forwarded from the wlan0 interface to the eth0 interface.

Overall, these commands set up the necessary iptables rules to enable packet forwarding and NAT between the wireless (wlan0) and wired (eth0) interfaces.

They allow wireless clients connected to the wlan0 interface to access the internet through the eth0 interface, while also allowing the forwarding of related and established connections between the two interfaces.

sudo iptables-save:

This command saves the current iptables configuration to a file, typically located at /etc/iptables/rules.v4 or /etc/sysconfig/iptables, depending on the Linux distribution.

Saving the iptables configuration ensures that the rules persist across system reboots.

Launch RaspAP using Docker Compose

Ensure you use Docker's recommended docker compose command (not docker-compose):

docker compose up -d

The terminal will display the progress as Docker pulls the necessary images and starts the RaspAP container.

Verify Container Launch

Check that the Docker container is running correctly

docker container ls

You should see the raspap container listed as running.

Accessing the RaspAP Interface

Access the RaspAP web interface through the Raspberry Pi URL:

http://192.168.68.67

Username: your username

Password: secret

You will now have access to RaspAP

Advanced Usage

Docker Run Alternative

If you prefer not to use Docker Compose, you can directly run the Docker container:

docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest

This command sets up RaspAP with the necessary privileges and network configuration.

Using Container Registry

Alternatively, use the pre-built Docker image from the GitHub Container registry without cloning the repository:

docker run --name raspap -it -d --privileged --network=host -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest

Troubleshooting

To view logs from the RaspAP container, use:

docker logs raspap

Check Docker daemon logs for more detailed troubleshooting:

journalctl -xu docker.service

This documentation is designed to provide clear, structured guidance for users setting up RaspAP on a Raspberry Pi using Docker, ensuring an accessible and straightforward setup process.

PreviousAP-STA mode NextNode-Red

Last updated 10 months ago

Was this helpful?

version: "3.8" services: raspap: container_name: raspap image: ghcr.io/raspap/raspap-docker:latest ports: - "80:80" privileged: true network_mode: host cgroup: host environment: - RASPAP_SSID=raspap-webgui - RASPAP_SSID_PASS=ChangeMe - RASPAP_COUNTRY=GB - RASPAP_WEBGUI_USER=admin - RASPAP_WEBGUI_PASS=secret - RASPAP_WEBGUI_PORT=80 cap_add: - SYS_ADMIN volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw restart: unless-stopped

sudo iptables -I DOCKER-USER -i wlan0 -o eth0 -j ACCEPT sudo iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT sudo iptables-save