Docker swarm mode, Portainer, Traefik
Я пытаюсь настроить веб-сервер в режиме Docker Swarm. Любая помощь приветствуется.
Моя идея состоит в том, чтобы настроить одну машину так, чтобы она работала автономно, но была готова к масштабированию для балансировки нагрузки и отказоустойчивости. Я хочу, чтобы traefik работал на всех моих узлах, а не только на master, как я видел в некоторых примерах.
Текущие проблемы:
- Let's Encrypt, похоже, не работает, но я не вижу ошибок в журналах
- Я не могу подключиться к Portainer
Другой вопрос: возможно ли использовать встроенное хранилище ключ/значение Swarm вместо Consul?
Мой файл развертывания ниже:
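version: "3.7"

services:
  # swarm_socket
  # Exposes the manager's Docker socket over TCP on net_mgmt so that traefik
  # can talk to the Docker API without mounting the socket itself.
  # NOTE(review): socat forwards the *full* Docker API with no
  # authentication; any task attached to net_mgmt gets root-equivalent
  # control of the manager node. Keep net_mgmt non-attachable and limited to
  # the services below, and consider a filtering proxy that only permits the
  # read-only endpoints traefik needs.
  swarm_socket:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net_mgmt
    deploy:
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # swarm_kv
  # Key/Value store for the traefik cluster: traefik_init writes the static
  # config here and the ACME account/certificates live under the "traefik"
  # prefix.
  # NOTE(review): "-bootstrap" combined with "mode: global" makes every
  # manager bootstrap its own one-node Consul cluster. That is only correct
  # with a single manager; with more, use "-bootstrap-expect=N" plus
  # "-retry-join". "eth0" is assumed to be the interface on net_mgmt —
  # confirm on the nodes, since swarm tasks get several interfaces.
  swarm_kv:
    image: consul
    command: agent -server -client='{{ GetInterfaceIP "eth0" }}' -bind='{{ GetInterfaceIP "eth0" }}' -bootstrap
    volumes:
      - swarm_kv_data:/consul/data
    networks:
      - net_mgmt
    deploy:
      mode: global
      update_config:
        parallelism: 1
        failure_action: rollback
        delay: 30s
        monitor: 15s
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 10
        window: 60s
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # traefik_init
  # One-shot "storeconfig" run: pushes the static traefik configuration into
  # Consul and exits, so the traefik service below starts from the KV store.
  # NOTE(review): depends_on is ignored by "docker stack deploy"; ordering is
  # only enforced by restart_policy retrying until swarm_kv is reachable.
  traefik_init:
    image: traefik:1.7
    depends_on:
      - swarm_socket
    command:
      - "storeconfig"
      - "--logLevel=DEBUG"
      - "--api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.storage=traefik/acme/account"
      - "--acme.entryPoint=https"
      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.acmeLogging=true"
      - "--acme.email=mail@example.com"  # Set your email
      - "--docker"
      - "--docker.swarmmode=true"
      - "--docker.endpoint=tcp://swarm_socket:2375"
      - "--docker.watch=true"
      - "--docker.exposedbydefault=false"
      - "--docker.domain=example.com"  # Set your domain
      - "--consul"
      - "--consul.endpoint=swarm_kv:8500"
      - "--consul.prefix=traefik"
    networks:
      - net_mgmt
      - net_public
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # traefik
  # Traefik cluster: one instance per node, all sharing state through Consul.
  traefik:
    image: traefik:1.7
    depends_on:
      - swarm_socket
      - traefik_init
    command:
      - "--docker"
      - "--docker.swarmmode=true"
      - "--docker.endpoint=tcp://swarm_socket:2375"
      - "--consul"
      - "--consul.endpoint=swarm_kv:8500"
      - "--consul.prefix=traefik"
    networks:
      - net_mgmt
      - net_public
    ports:
      # Port mappings are quoted: bare "HOST:CONTAINER" pairs are read as
      # sexagesimal integers by YAML 1.1 parsers.
      - "80:80"
      - "443:443"
      # Publishes the API/dashboard on every node directly, bypassing the
      # basic-auth frontend below (that only covers requests routed by
      # traefik itself).
      - "8080:8080"  # Remove after that config works
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.port=8080"
        - "traefik.docker.network=net_public"
        - "traefik.frontend.rule=Host:traefik.example.com"  # Set your domain
        # Compose interpolates "$name" inside the file, so every "$" of the
        # htpasswd hash must be written as "$$" or the hash gets mangled.
        # Docker labels take "user:hash[,user:hash]" (CSV), not the bracketed
        # TOML array form. To keep the hash out of the stack file, use
        # traefik.frontend.auth.basic.usersFile instead.
        - "traefik.frontend.auth.basic.users=sgobbit:$$apr1$$hpnuX1jh$$IXu2P4aae0weviroUxP4S1"
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  # catchall
  # Catch all unmanaged domains and show a dedicated page.
  catchall:
    image: mikesir87/cats  # Replace with real static page
    networks:
      - net_public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.port=5000"
        - "traefik.protocol=http"
        - "traefik.backend=catchall"
        - "traefik.docker.network=net_public"
        - "traefik.frontend.rule=HostRegexp:{catchall:.*}"
        # Traefik 1.x tries frontends in descending priority order, so the
        # catch-all must have the lowest value; the previous "2" shadowed the
        # portainer frontend, which had "1".
        - "traefik.frontend.priority=1"
        - "traefik.frontend.entryPoints=http,https"
        - "traefik.backend.loadbalancer.swarm=true"
        - "traefik.backend.loadbalancer.method=drr"
        - "traefik.backend.loadbalancer.stickiness=true"
      restart_policy:
        condition: on-failure
      update_config:
        parallelism: 1
        delay: 10s
      placement:
        constraints:
          - node.platform.os == linux

  # portainer_agent
  # Agent that runs on all nodes; it needs the local Docker socket and the
  # volumes directory, so it is reachable only on net_mgmt (port 9001).
  portainer_agent:
    image: portainer/agent
    environment:
      AGENT_CLUSTER_ADDR: tasks.portainer_agent
      AGENT_PORT: "9001"  # env values are strings; keep YAML from typing it as int
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - net_mgmt
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  # portainer
  # Web UI to manage the cluster.
  portainer:
    image: portainer/portainer
    depends_on:
      - portainer_agent
    command: -H tcp://tasks.portainer_agent:9001 --tlsskipverify
    volumes:
      - portainer_data:/data
    networks:
      - net_mgmt
      - net_public
    ports:  # Remove after that config works
      # Publishes the UI on every node directly, without traefik in front.
      - "9000:9000"  # Remove after that config works
    deploy:
      # In swarm mode traefik reads *service* labels, i.e. deploy.labels;
      # labels placed at service level (container labels) are never seen.
      labels:
        - "traefik.enable=true"
        - "traefik.port=9000"
        - "traefik.docker.network=net_public"
        - "traefik.backend=portainer"
        - "traefik.frontend.rule=Host:portainer.example.com"  # Set your domain
        # Higher than the catch-all so the Host rule wins.
        - "traefik.frontend.priority=10"
        - "traefik.backend.loadbalancer.swarm=true"
        - "traefik.backend.loadbalancer.method=drr"
        - "traefik.backend.loadbalancer.stickiness=true"
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

volumes:
  swarm_kv_data: {}  # Storage Key/Value
  portainer_data: {}  # Storage portainer

# Both networks must be created beforehand (e.g. "docker network create
# --driver overlay ..."); "driver" is not allowed alongside "external: true",
# the existing network's driver is used as-is.
networks:
  net_mgmt:
    external: true
  net_public:
    external: true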
2 ответа
- Документация Traefik говорит, что для получения информации о Let's Encrypt нужно включить ведение журнала ACME:
acmeLogging = true
- Посмотрите мой пример Swarm Portainer плюс Traefik и многое другое на http://dogvs.cat/
- Использовать raft-журнал Swarm вместо Consul для traefik? Нет, для конечного пользователя это невозможно.
Я ещё не сообщал об этом, но я нашёл причину, по которой Portainer был недоступен: в моём файле развертывания раздел "labels" находился вне раздела "deploy", а его нужно было поместить внутрь.
Но проблема с Let's Encrypt сохраняется, когда я использую Consul.
Я добавил эти строки в служебные команды "traefik_init":
- --traefikLog
- --traefikLog.filePath=/logs/traefik.log
- --traefikLog.format=json
- --accessLog
- --accessLog.filePath=/logs/access.log
- --accessLog.format=json
И этот том в контейнер traefik:
volumes:
- /home/dockers/traefik:/logs
Теперь я могу лучше проверить журнал: я вижу эти ошибки, но не знаю, как их решить:
time="2019-01-06T12:12:19Z" level=debug msg="Building ACME client..."
time="2019-01-06T12:12:19Z" level=error msg="Cannot unmarshall private key []"
time="2019-01-06T12:12:19Z" level=error msg="Error building ACME client &{Email: Registration:<nil> PrivateKey:[] KeyType: DomainsCertificate:{Certs:[] lock:{w:{state:0 sema:0} writerSem:0 readerSem:0 readerCount:0 readerWait:0}} ChallengeCerts:map[] HTTPChallenge:map[]}: private key was nil"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Configuration received from provider consul: {}"
...а также...
time="2019-01-06T12:12:57Z" level=debug msg="Datastore reload"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Transaction committed be38f149-90f9-4e44-bf6c-34a714e243ce"
time="2019-01-06T12:12:57Z" level=debug msg="LoadCertificateForDomains [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=debug msg="Datastore reload"
time="2019-01-06T12:12:57Z" level=debug msg="Looking for provided certificate to validate [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=debug msg="Domains [\"traefik.digilogico.com\"] need ACME certificates generation for domains \"traefik.digilogico.com\"."
time="2019-01-06T12:12:57Z" level=debug msg="Loading ACME certificates [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] acme: Obtaining bundled SAN certificate"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:58Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/dLo1YvzenunzLIIqFAmtuQftWZaRefPmYKfgv4-N0c4"
time="2019-01-06T12:12:58Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] acme: Trying to solve HTTP-01"
time="2019-01-06T12:12:58Z" level=debug msg="Challenge Present traefik.digilogico.com"
time="2019-01-06T12:12:58Z" level=debug msg="Transaction 65fbd48b-b7d8-4f8a-b4e7-c8bff46833a5 begins"
time="2019-01-06T12:12:58Z" level=error msg="Datastore sync error: object lock value: expected 65fbd48b-b7d8-4f8a-b4e7-c8bff46833a5, got be38f149-90f9-4e44-bf6c-34a714e243ce, retrying in 532.564811ms"
time="2019-01-06T12:12:58Z" level=debug msg="Datastore reload"