Docker swarm mode, Portainer, Traefik

Я пытаюсь настроить веб-сервер в режиме Docker Swarm. Любая помощь приветствуется.

Моя идея состоит в том, чтобы настроить отдельную машину, чтобы она работала автономно, но готова к масштабированию для балансировки нагрузки и отказоустойчивости. Я ожидаю, что traefik работает на всех моих узлах, а не только на master, как я видел в некоторых примерах.

Текущие проблемы:

  • Let's Encrypt, похоже, не работает, но я не вижу ошибок в журналах
  • Я не могу подключиться к Portainer

Другой вопрос: можно ли использовать встроенное хранилище ключ/значение Swarm вместо Consul?

Мой файл развертывания ниже:

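---
version: "3.7"

services:

  # swarm_socket
  #   Exposes the Docker socket over TCP on net_mgmt only (never published).
  #   Anything that can reach 2375 on net_mgmt gets full, unauthenticated
  #   Docker API access, so keep net_mgmt membership to the services below.
  swarm_socket:
    image: alpine/socat
    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - net_mgmt
    deploy:
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # swarm_kv
  #   Key/Value store for the traefik cluster (ACME account and certs are
  #   stored here under the "traefik" prefix).
  #   NOTE(review): `-bootstrap` combined with `mode: global` makes every
  #   manager bootstrap its own single-server cluster. Fine for one node;
  #   before adding managers switch to `-bootstrap-expect=<N>` plus
  #   `-retry-join` so the servers form one quorum.
  swarm_kv:
    image: consul
    command: agent -server -client='{{ GetInterfaceIP "eth0" }}' -bind='{{ GetInterfaceIP "eth0" }}' -bootstrap
    volumes:
      - "swarm_kv_data:/consul/data"
    networks:
      - net_mgmt
    deploy:
      mode: global
      update_config:
        parallelism: 1
        failure_action: rollback
        delay: 30s
        monitor: 15s
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 10
        window: 60s
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # traefik_init
  #   One-shot job: `storeconfig` writes the static config into Consul.
  #   `depends_on` is ignored by `docker stack deploy`; if Consul is not yet
  #   reachable the task presumably exits non-zero and restart_policy retries it.
  traefik_init:
    image: traefik:1.7
    depends_on:
      - swarm_socket
    command:
      - "storeconfig"
      - "--logLevel=DEBUG"
      - "--api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.storage=traefik/acme/account"
      - "--acme.entryPoint=https"
      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.acmeLogging=true"
      - "--acme.email=mail@example.com" # Set your email
      - "--docker"
      - "--docker.swarmmode=true"
      - "--docker.endpoint=tcp://swarm_socket:2375"
      - "--docker.watch=true"
      - "--docker.exposedbydefault=false"
      - "--docker.domain=example.com" # Set your domain
      - "--consul"
      - "--consul.endpoint=swarm_kv:8500"
      - "--consul.prefix=traefik"
    networks:
      - net_mgmt
      - net_public
    deploy:
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

  # traefik
  #   Traefik cluster; reads its configuration from Consul on every node.
  traefik:
    image: traefik:1.7
    depends_on:
      - swarm_socket
      - traefik_init
    command:
      - "--docker"
      - "--docker.swarmmode=true"
      - "--docker.endpoint=tcp://swarm_socket:2375"
      - "--consul"
      - "--consul.endpoint=swarm_kv:8500"
      - "--consul.prefix=traefik"
    networks:
      - net_mgmt
      - net_public
    ports:
      # Quoted: port mappings are strings, not numbers.
      - "80:80"
      - "443:443"
      # Remove after that config works: publishing 8080 exposes the API and
      # dashboard directly, bypassing the basic auth on the traefik frontend.
      - "8080:8080"
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.port=8080"
        - "traefik.docker.network=net_public"
        - "traefik.frontend.rule=Host:traefik.example.com" # Set your domain
        # `$` is doubled so compose variable substitution does not read
        # `$apr1`, `$hpnuX1jh`, ... as variables and blank the hash.
        - "traefik.frontend.auth.basic.users=[sgobbit:$$apr1$$hpnuX1jh$$IXu2P4aae0weviroUxP4S1]"
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  # catchall
  #   Catch all unmanaged domains and show a dedicated page.
  #   NOTE(review): in Traefik 1.x a higher priority value takes precedence;
  #   with this frontend at 2 and portainer at 1 the catch-all may shadow
  #   portainer.example.com — confirm and lower this value if so.
  catchall:
    image: mikesir87/cats # Replace with real static page
    networks:
      - net_public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.port=5000"
        - "traefik.protocol=http"
        - "traefik.backend=catchall"
        - "traefik.docker.network=net_public"
        - "traefik.frontend.rule=HostRegexp:{catchall:.*}"
        - "traefik.frontend.priority=2"
        - "traefik.frontend.entryPoints=http,https"
        - "traefik.backend.loadbalancer.swarm=true"
        - "traefik.backend.loadbalancer.method=drr"
        - "traefik.backend.loadbalancer.stickiness=true"
      restart_policy:
        condition: on-failure
      update_config:
        parallelism: 1
        delay: 10s
      placement:
        constraints:
          - node.platform.os == linux

  # portainer_agent
  #   Agent that runs on all nodes; reachable only on net_mgmt (not published).
  portainer_agent:
    image: portainer/agent
    environment:
      AGENT_CLUSTER_ADDR: tasks.portainer_agent
      AGENT_PORT: "9001" # quoted: environment values are strings
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/var/lib/docker/volumes:/var/lib/docker/volumes"
    networks:
      - net_mgmt
    deploy:
      mode: global
      placement:
        constraints:
          - node.platform.os == linux

  # portainer
  #   Web UI to manage the cluster.
  #   --tlsskipverify: the agent endpoint is only reachable on net_mgmt, and
  #   presumably presents a self-signed cert — confirm before relying on it.
  portainer:
    image: portainer/portainer
    depends_on:
      - portainer_agent
    command: -H tcp://tasks.portainer_agent:9001 --tlsskipverify
    volumes:
      - "portainer_data:/data"
    networks:
      - net_mgmt
      - net_public
    ports: # Remove after that config works
      # Publishing 9000 exposes Portainer directly, bypassing Traefik.
      - "9000:9000" # Remove after that config works
    deploy:
      # In swarm mode Traefik reads labels from deploy.labels; service-level
      # `labels` are not seen by the swarm provider, so they live here.
      labels:
        - "traefik.enable=true"
        - "traefik.port=9000"
        - "traefik.docker.network=net_public"
        - "traefik.backend=portainer"
        - "traefik.frontend.rule=Host:portainer.example.com" # Set your domain
        - "traefik.frontend.priority=1"
        - "traefik.backend.loadbalancer.swarm=true"
        - "traefik.backend.loadbalancer.method=drr"
        - "traefik.backend.loadbalancer.stickiness=true"
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
          - node.platform.os == linux

volumes:
  swarm_kv_data: # Storage Key/Value
  portainer_data: # Storage portainer

networks:
  net_mgmt:
    driver: overlay
    external: true
  net_public:
    driver: overlay
    external: true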

2 ответа

  1. Документация Traefik говорит, что для получения информации о Let's Encrypt нужно включить ведение журнала ACME: acmeLogging = true
  2. Посмотрите мой пример Swarm Portainer плюс Traefik и многое другое на http://dogvs.cat/
  3. Использовать raft-журнал Swarm вместо Consul для Traefik? Нет, для конечного пользователя это невозможно.

Я еще не сообщал об этом, но я нашел причину, по которой Portainer был недоступен: в моем файле развертывания раздел "labels" находился вне раздела "deploy", куда его нужно было поместить.

Но проблема с "Let's Encrypt" сохраняется, когда я работаю с "Consul".

Я добавил эти строки в служебные команды "traefik_init":

  # Traefik log to file (JSON) for easier inspection
  - "--traefikLog"
  - "--traefikLog.filePath=/logs/traefik.log"
  - "--traefikLog.format=json"
  # Access log to file (JSON)
  - "--accessLog"
  - "--accessLog.filePath=/logs/access.log"
  - "--accessLog.format=json"

И этот том в контейнер traefik:

volumes:
  # Host directory that receives traefik.log and access.log
  - "/home/dockers/traefik:/logs"

И я смог проверить журнал лучше, я вижу эти ошибки, но я не знаю, как решить:

time="2019-01-06T12:12:19Z" level=debug msg="Building ACME client..."
time="2019-01-06T12:12:19Z" level=error msg="Cannot unmarshall private key []"
time="2019-01-06T12:12:19Z" level=error msg="Error building ACME client &{Email: Registration:<nil> PrivateKey:[] KeyType: DomainsCertificate:{Certs:[] lock:{w:{state:0 sema:0} writerSem:0 readerSem:0 readerCount:0 readerWait:0}} ChallengeCerts:map[] HTTPChallenge:map[]}: private key was nil"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:19Z" level=debug msg="Configuration received from provider consul: {}"

...а также...

time="2019-01-06T12:12:57Z" level=debug msg="Datastore reload"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Transaction committed be38f149-90f9-4e44-bf6c-34a714e243ce"
time="2019-01-06T12:12:57Z" level=debug msg="LoadCertificateForDomains [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=debug msg="Datastore reload"
time="2019-01-06T12:12:57Z" level=debug msg="Looking for provided certificate to validate [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=debug msg="Domains [\"traefik.digilogico.com\"] need ACME certificates generation for domains \"traefik.digilogico.com\"."
time="2019-01-06T12:12:57Z" level=debug msg="Loading ACME certificates [traefik.digilogico.com]..."
time="2019-01-06T12:12:57Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] acme: Obtaining bundled SAN certificate"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot get key traefik/alias Key not found in store, setting default traefik"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/backends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/frontends/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Cannot list keys under \"traefik/tls/\": Key not found in store"
time="2019-01-06T12:12:57Z" level=debug msg="Configuration received from provider consul: {}"
time="2019-01-06T12:12:57Z" level=info msg="Skipping same configuration for provider consul"
time="2019-01-06T12:12:58Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/dLo1YvzenunzLIIqFAmtuQftWZaRefPmYKfgv4-N0c4"
time="2019-01-06T12:12:58Z" level=info msg="legolog: [INFO] [traefik.digilogico.com] acme: Trying to solve HTTP-01"
time="2019-01-06T12:12:58Z" level=debug msg="Challenge Present traefik.digilogico.com"
time="2019-01-06T12:12:58Z" level=debug msg="Transaction 65fbd48b-b7d8-4f8a-b4e7-c8bff46833a5 begins"
time="2019-01-06T12:12:58Z" level=error msg="Datastore sync error: object lock value: expected 65fbd48b-b7d8-4f8a-b4e7-c8bff46833a5, got be38f149-90f9-4e44-bf6c-34a714e243ce, retrying in 532.564811ms"
time="2019-01-06T12:12:58Z" level=debug msg="Datastore reload"