I am trying to connect MinIO with KeyCloak and I follow the instructions provided in this documentation:
https://github.com/minio/minio/blob/master/docs/sts/keycloak.md
What I have done so far is deploy a Docker container for the MinIO server, another one for the MinioClient and a third one used for the KeyCloak server.
As you can see in the following snippet the configuration of the Minio Client container is done correctly, since I can list the buckets available in the Minio Server:
mc ls myminio
[2020-05-14 11:54:59 UTC] 0B bucket1/
[2020-05-06 12:23:01 UTC] 0B bucket2/
I have an issue arising when I try to configure MinIO as depicted in step 3 (Configure MinIO) of the documentation. In more detail, the command that I run is this one:
mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
And the error I get is this one:
mc: <ERROR> Cannot set 'identity_openid config_url=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration client_id=account' to server. Get http://localhost:8080/auth/realms/demo/.well-known/openid-configuration: dial tcp 127.0.0.1:8080: connect: connection refused.
When I curl this address http://localhost:8080/auth/realms/demo/.well-known/openid-configuration from the MinIO Client container though, I retrieve the JSON file.
Turns out, all I had to do is change the localhost in the config_url, from localhost to the IP of the KeyCloak container (172.17.0.3).
This is just a temporary solution that works for now, but I will continue searching for something more concrete than just hardcoding the IP.
When I figure out the solution, this answer will be updated.
Update
I had to create a docker-compose.yml file as the one below in order to overcome the issues without having to manually place the IP of the KeyCloak container.
version: '2'
services:
miniod:
image: minio/minio
restart: always
container_name: miniod
ports:
- 9000:9000
volumes:
- "C:/data:/data"
environment:
- "MINIO_ACCESS_KEY=access_key"
- "MINIO_SECRET_KEY=secret_key"
command: ["server", "/data"]
networks:
- minionw
mcd:
image: minio/mc
container_name: mcd
networks:
- minionw
kcd:
image: quay.io/keycloak/keycloak:10.0.1
container_name: kcd
restart: always
ports:
- 8080:8080
environment:
- "KEYCLOAK_USER=admin"
- "KEYCLOAK_PASSWORD=pass"
networks:
- minionw
networks:
minionw:
driver: "bridge"
Connection refused occurs when a port is not accessible on the hostname or IP we specified.
Please try exposing the port using --expose flag along with the port number which you wish to expose when using the docker CLI. Then being exposed, you can access on it on localhost
Related
I am fairly new to using traefik, so I might be totally missing something simple, but I have the following docker-compose.yaml:
version: '3.8'
services:
reverse-proxy:
container_name: reverse_proxy
restart: unless-stopped
image: traefik:v2.0
command:
- --entrypoints.web.address=:80
- --entrypoints.web-secure.address=:443
- --api.insecure=true
- --providers.file.directory=/conf/
- --providers.file.watch=true
- --providers.docker=true
ports:
- "80:80"
- "8080:8080"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./scripts/certificates/conf/:/conf/
- ./scripts/certificates/ssl/:/certs/
networks:
- bnkrl.io
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`traefik.bnkrl.io`)"
- "traefik.docker.network=bnkrl.io"
bankroll:
container_name: bankroll
build:
context: .
ports:
- "3000"
volumes:
- .:/usr/src/app
command: yarn start
networks:
- bnkrl.io
labels:
- "traefik.http.routers.bankroll.rule=Host(`bankroll.bnkrl.io`)"
- "traefik.docker.network=bnkrl.io"
- "traefik.http.services.bankroll.loadbalancer.server.port=3000"
- "traefik.http.routers.bankroll-https.rule=Host(`bankroll.bnkrl.io`)"
- "traefik.http.routers.bankroll-https.tls=true"
networks:
bnkrl.io:
external: true
But for some reason the following is happening:
Running curl when ssh'd into my bankroll container gives the following:
/usr/src/app# curl bankroll.bnkrl.io
curl: (7) Failed to connect to bankroll.bnkrl.io port 80: Connection refused
Despite having - "traefik.http.services.bankroll.loadbalancer.server.port=3000" label set up.
I am also unable to hit traefik from my application container:
curl traefik.bnkrl.io
curl: (6) Could not resolve host: traefik.bnkrl.io
Despite my expectation to be able to do so since they are both on the same network.
Any help with understanding what I might be doing wrong would be greatly appreciated! My application (bankroll) is a very basic hello-world react app, but I don't think any of the details around that are relevant to the issue I'm facing.
EDIT: I am also not seeing any error logs on traefik side of things.
You are using host names that are not declared and therefore are unreachable.
To reach a container from another container, you need to use the service name, for example, if you connect to bankroll from the reverse-proxy it will hit the other service.
While if you want to access them from the host machine, you will have to publish the ports (which you did, it's all the stuff in ports in your Docker-compose file) and access from localhost or from your machine local IP address instead of traefik.bnkrl.io.
If you want to access from traefik.bnkrl.io, you will have to declare this host name, and point it to the place where the Docker containers are running from.
So either a DNS record in the domain bnkrl.io pointing to your local machine, or a HOSTS file entry in your computer pointing to 127.0.0.1.
Another note: For SSL you are going to need a valid certificate to use for the host name. While in local development, you can use the self-signed certificate provided by Traefik, but you may have to install it in the computer connecting to the service, or allow untrusted certificates from your browser, or wherever you are making the requests from (some browsers no longer support using self-signed certificates). For SSL on the Internet you will need to look at things like Let's Encrypt.
I’m trying to connect to an ssh server from a docker container lifted by docker-compose.
On my localhost, I have enabled the port to use with "ufw allow 4222", I have placed port 4222 in my docker-compose.yml file.
I have also added the public key of my localhost to the container and to the authorized keys of the server, the problem is that it keeps failing me, someone knows that more I can check or take into account? thank you.
docker-compose.yml
version: '3.9'
services:
hermes:
depends_on:
- mongodb
build:
context: ./hermes-app/
container_name: hermes
tty: true
ports:
- "5000:5000"
- "4222"
environment:
- SLACK_CLIENT_ID=${SLACK_CLIENT_ID}
- SLACK_CLIENT_SECRET=${SLACK_CLIENT_SECRET}
- SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET}
- SLACK_VERIFICATION_TOKEN=${SLACK_VERIFICATION_TOKEN}
- SSH_HOST=${SSH_HOST}
- SSH_USER=${SSH_USER}
- SSH_PORT=${SSH_PORT}
networks:
- netrmes
Error:
root#6d55aa960f46:/hermes-app# ssh root#my_server -p 4222
ssh: connect to host my_server port 4222: Connection refused
So you try to ssh from the container to your host system. The container knows nothing about my_server if it is not in netrmes network. You could use host network and then
ssh root#localhost -p 4222
I am new in dockers and I need some help please.
I am trying to install TICK in docker. Influxdb, Kapacitor and Chronograf will be installed in dockers but telegraf will be installed in each machine that will be necessary.
Port 8086 in my host is in use, so I will use 8087 for influxdb. Is it posible to configure influxdb dokcer with -p 8087:8086? If so, which port should I configure in conf files?
Docker compose file will be:
version: '3'
networks:
TICK_network:
services:
influxdb:
image: influxdb
container_name: influxdb
networks:
TICK_network:
ports:
- "8087:8086"
- "8083:8083"
expose:
- "8087"
- "8083"
hostname: influxdb
volumes:
- /var/lib/influxdb:/var/lib/influxdb
- /etc/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
restart: unless-stopped
kapacitor:
image: kapacitor
container_name: kapacitor
networks:
TICK_network:
links:
- influxdb
ports:
- "9092:9092"
expose:
- "9092"
hostname: kapacitor
volumes:
- /var/lib/kapacitor:/var/lib/kapacitor
- /etc/kapacitor/kapacitor.conf:/etc/kapacitor/kapacitor.conf:ro
restart: unless-stopped
chronograf:
image: chronograf
container_name: chronograf
networks:
TICK_network:
links:
- influxdb
- kapacitor
ports:
- "8888:8888"
expose:
- "8888"
hostname: chronograf
volumes:
- /var/lib/chronograf:/var/lib/chronograf
restart: unless-stopped
influxdb.conf is edited to point to port 8087
[http]
enabled = true
bind-address = ":8087"
auth-enabled = true
Kapacitor.conf and telegraf.conf are also pointing to port 8087.
But I am receiving following errors:
Telegraf log:
W! [outputs.influxdb] when writing to [http://localhost:8087]: database "telegraf" creation failed: Post http://localhost:8087/query: EOF
E! [outputs.influxdb] when writing to [http://localhost:8087]: Post http://localhost:8087/write?db=tick: EOF
E! [agent] Error writing to outputs.influxdb: could not write any address
kapacitor log:
vl=error msg="encountered error" service=run err="open server: open service *influxdb.Service: failed to link subscription on startup: authorization failed"
run: open server: open service *influxdb.Service: failed to link subscription on startup: authorization failed
What you did is correct if you want to access those services from outside the Docker network, that is from the host access to localhost:8087 for example.
However, this is not correct in your case. As you are using docker-compose, all the services are in the same network, and therefore, you need to attack the port in which the influx is listening in the Docker network (the right-side port), that is, 8086.
But, even if you do so, it will still not work. Why? Because you are trying to access localhost from the Telegraf container. You need to configure the access to influx as influxdb:8086, not as localhost:8087. influxdb here is the name of the container, if for example you name it ailb90, then it would be ailb90:8086
thanks for your answer. But telegraf is not installed in a container. This is why I access to database using urls = ["http://localhost:8087"].
In the other hand, kapacitor is installed in a docker container. The conexion to influxdb is made using the string urls=["https://influxdb:8087"]. If I cinfigure kapacitor in port 8086 it gives a connexion error (I think it is because influxdb.conf is pointing to port 8087):
lvl=error msg="failed to connect to InfluxDB, retrying..." service=influxdb cluster=default err="Get http://influxdb:8086/ping: dial tcp 172.0.0.2:8086: connect: connection refused"
I have a docker-compose file with two services: app and httpd
app
app:
image: primus852/machinelearning:latest
ports:
- 5001:5000
expose:
- "5001"
restart: always
networks:
- default
volumes:
- ./api:/app
environment:
- FLASK_APP=app/source/__init__.py
- FLASK_ENV=development
httpd
httpd:
image: primus852/mitswiki:latest
ports:
- 80:80
restart: always
networks:
- default
volumes:
- ./project:/var/www/html
Flask app
The app container has an endpoint like this:
#app.route('/predict', methods=['GET'])
def predict():
...DO STH....
I can open http://localhost:5001/predict in my browser, works...
I can curl from my cmd: curl localhost:5001/predict, works...
But when I am inside my httpd container this does not work from the console: curl localhost:5001/predict
curl: (7) Failed to connect to localhost port 5001: Connection refused
So I thought I address the app container as I address my mysql from inside my httpd container: curl app:5001/predict but it has the same result.
Can anyone see what I am doing wrong?
According to your yaml:
ports:
- 5001:5000
Inside container you have to use port 5000
Inside the httpd container localhost refers to just that httpd container. It cannot access other containers by default.
Another thing which might be occuring is that your app is not open for 'remote' access. A connection from one container to another one is a remote connection.
Within your docker-compose files you can link containers to eachother
While the containers are linked you can then use curl to get the /predict page by using curl app:5001/predict
Context
I was planning on simplifying some development setup of multiple docker-compose.yml by introducing virtual hosts locally. I looked around and decided to use nginx-proxy for the reverse-proxy (ability to set VIRTUAL_HOST for each service).
Setup
To expose these on the host machine I went the route of dnsmasq and adding a /etc/resolver/test/ with nameserver 127.0.0.1.
I went and put the above into action using a dev/docker-compose.yml file:
version: '3.5'
services:
nginx-proxy:
image: jwilder/nginx-proxy
restart: 'always'
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/tmp/docker.sock:ro"
dnsmasq:
image: andyshinn/dnsmasq
restart: 'always'
ports:
- "53:53/tcp"
- "53:53/udp"
cap_add:
- NET_ADMIN
command: --log-facility=-
volumes:
- ./data/dnsmasq.conf:/etc/dnsmasq.conf
- ./data/dnsmasq.d:/etc/dnsmasq.d
networks:
default:
external:
name: proxynet
The data/dnsmasq.conf file only contains address=/test/127.0.0.1.
I've also created an external network proxynet and use that as the default network for the docker-compose file(s) (docker network create proxynet). This then allows other docker-compose files and services to be linked to the proxy.
I have the following proj1/docker-compose.yml:
version: "3.5"
services:
proj1-web:
image: jwilder/whoami
environment:
- VIRTUAL_HOST=proj1-web.test
networks:
default:
external:
name: proxynet
Having both these of these docker-compose files running (i.e., docker-compose up) I am able to access proj1-web.test from my local machine. Everything works as expected.
Now I want to be able to reference proj1-web.test in another container and have it resolve to the running container.
I'll create proj2/docker-compose.yml (similar to previous just different name):
version: "3.5"
services:
proj2-web:
image: jwilder/whoami
environment:
- VIRTUAL_HOST=proj2-web.test
networks:
default:
external:
name: proxynet
With everything running I can access both proj1-web.test and proj2-web.test from my local machine. I can successfully curl different services using between proj1 and proj2: docker-compose run proj1-web sh -c "apk update -qq; apk add curl -qq; curl -v proj2-web:8000".
Problem
The problem is that I cannot curl the virtual host's name proj2-web.test from proj1: docker-compose run proj1-web sh -c "apk update -qq; apk add curl -qq; curl -v proj2-web.test":
* Rebuilt URL to: proj2-web.test/
* Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 80 failed: Connection refused
* Failed to connect to proj2-web.test port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to proj2-web.test port 80: Connection refused
Is there something I'm missing here? It appears the individual containers don't have access to the DNS being provided from dnsmasq to my local machine, I cannot figure out how to grant them that access. Maybe I'm going about this the wrong way -- I am open to suggestions.
I ended up creating a solution which addresses my question. You can see the repository here for the tool:
https://github.com/scoremedia/dcdc
I also created a blog post detailing a bit of this: https://kevinjalbert.com/docker-compose-dns-consistency-dcdc/
Hopefully this helps others.