I've just used the example from this documentation(https://media.readthedocs.org/pdf/portainer/1.19.1/portainer.pdf)
to configure the portainer's agent but keep receiving the error "Unable to proxy the request via the Docker socket". In this case the stack is displayed as "down".
Portainer works just fine without the agent and mounting docker.sock.
This is the docker-compose fragment
agent:
image: portainer/agent
environment:
AGENT_CLUSTER_ADDR: tasks.agent
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer
command: -H tcp://tasks.agent:9001 --tlsskipverify
ports:
- target: 9000
published: 9000
protocol: tcp
mode: ingress
volumes:
- portainer_data:/data
networks:
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
Related
I have this compose file
version: "3.3"
volumes:
jenkins_home:
external: false
driver: local
driver_opts:
type: none
o: 'bind'
device: '/var/jenkins_home'
certs:
external: false
driver: local
driver_opts:
type: none
o: 'bind'
device: '/etc/certs'
services:
docker:
image: docker:dind
restart: unless-stopped
privileged: true
volumes:
- jenkins_home:/var/jenkins_home
- certs:/certs/client
ports:
- "2376:2376"
environment:
DOCKER_TLS_CERTDIR: /certs
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
jenkins:
image: git.example.com:8444/devops/docker-services/jenkins
build:
context: services/jenkins
args:
ssl_pass: changeit
restart: unless-stopped
depends_on:
- "docker"
volumes:
- jenkins_home:/var/jenkins_home
- certs:/certs/client
ports:
- "8080:8080"
- "8443:8443"
- "3268:3268"
- "50000:50000"
environment:
DOCKER_HOST: tcp://docker:2376
DOCKER_CERT_PATH: /certs/client
DOCKER_TLS_VERIFY: 1
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
icecc-scheduler:
image: git.example.com:8444/devops/docker-services/icecc-scheduler
build: services/icecc-scheduler
restart: unless-stopped
network_mode: host
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
icecc-daemon:
image: git.example.com:8444/devops/docker-services/icecc-daemon
build: services/icecc-daemon
restart: unless-stopped
network_mode: host
deploy:
mode: global
when I run docker stack deploy --compose-file docker-compose.yml build_farm
It claims to start everything successfully. But running docker stack services build_farm I get
ID NAME MODE REPLICAS IMAGE PORTS
tap0zlw086wm build_farm_docker replicated 0/1 docker:dind *:2376->2376/tcp
n13pcmy8zpip build_farm_icecc-daemon global 0/1 git.example.com:8444/devops/docker-services/icecc-daemon:latest
ofpsosrhrzoq build_farm_icecc-scheduler replicated 0/1 git.example.com:8444/devops/docker-services/icecc-scheduler:latest
b9llhoe97vwz build_farm_jenkins replicated 0/1 git.example.com:8444/devops/docker-services/jenkins:latest *:3268->3268/tcp, *:8080->8080/tcp, *:8443->8443/tcp, *:50000->50000/tcp
Which seems to mean none of the services actually started, I can't access any of them which seems to confirm this.
The second issue is that the icecc-daemon container only has one replica despite being started in global mode with 2 nodes on the swarm
docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
rc6aajdnwnis4dvn4um7qcwk9 ex12873 Ready Active 20.10.12
phnvvy2139wft9innou0uermq * ex12874 Ready Active Leader 20.10.12
I have a setup of 1 master and 2 worker nodes running docker swarm. I deployed Traefik + Consul using the setup below:
version: '3.3'
services:
consul-leader:
image: consul:latest
command:
- agent
- -server
- -client=0.0.0.0
- -bootstrap
- -ui
environment:
CONSUL_BIND_INTERFACE: eth0
CONSUL_LOCAL_CONFIG: '{"leave_on_terminate": true}'
volumes:
- consul-data-leader:/consul/data
networks:
- default
- traefik-public
logging:
driver: json-file
deploy:
labels:
traefik.tags: traefik-public
traefik.redirectorservice.frontend.redirect.entryPoint: https
traefik.webservice.frontend.entryPoints: https
traefik.redirectorservice.frontend.entryPoints: http
traefik.docker.network: traefik-public
traefik.enable: 'true'
traefik.frontend.auth.basic.users: admin:$apr1$lKAo73kT$xlahD.KLANH8ZbMaDXDsC.
traefik.port: '8500'
traefik.frontend.rule: Host:consul.live.mydomain.app
consul-replica:
image: consul:latest
command:
- agent
- -server
- -client=0.0.0.0
- -retry-join=consul-leader
environment:
CONSUL_BIND_INTERFACE: eth0
CONSUL_LOCAL_CONFIG: '{"leave_on_terminate": true}'
volumes:
- consul-data-replica:/consul/data
networks:
- default
- traefik-public
logging:
driver: json-file
deploy:
replicas: 3
traefik:
image: traefik:v1.7
command:
- --docker
- --docker.swarmmode
- --docker.watch
- --docker.exposedbydefault=false
- --constraints=tag==traefik-public
- --entrypoints=Name:http Address::80
- --entrypoints=Name:https Address::443 TLS
- --consul
- --consul.endpoint=consul-leader:8500
- --acme
- --acme.email=me.me#me.com
- --acme.storage=traefik/acme/account
- --acme.entryPoint=https
- --acme.httpChallenge.entryPoint=http
- --acme.onhostrule=true
- --acme.acmelogging=true
- --logLevel=INFO
- --accessLog
- --api
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- default
- traefik-public
logging:
driver: json-file
deploy:
replicas: 3
labels:
traefik.tags: traefik-public
traefik.redirectorservice.frontend.redirect.entryPoint: https
traefik.webservice.frontend.entryPoints: https
traefik.redirectorservice.frontend.entryPoints: http
traefik.docker.network: traefik-public
traefik.enable: 'true'
traefik.frontend.auth.basic.users: admin:$apr1$lKAo73kT$xlahD.KLANH8ZbMaDXDsC.
traefik.port: '8080'
traefik.frontend.rule: Host:traefik.live.mydomain.app
placement:
constraints:
- node.role == manager
networks:
default:
driver: overlay
traefik-public:
external: true
volumes:
consul-data-replica:
driver: local
When I deploy a service or stack in GLOBAL mode, everything seems to work fine. However, when I try to deploy stack using replicated mode, SSL certificate is not generated and Traefik is using TRAEFIK DEFAULT CERT instead. Can anyone tell me what I'm doing wrong ?
I'm quite new to Netdata and also Docker Swarm. I ran Netdata for a while on single hosts but now trying to stream Netdata from workers to a manager node in a swarm environment where the manager also should act as a central Netdata instance. I'm aiming to only monitor the data from the manager.
Here's my compose file for the stack:
version: '3.2'
services:
netdata-client:
image: titpetric/netdata
hostname: "{{.Node.Hostname}}"
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
environment:
- NETDATA_STREAM_DESTINATION=control:19999
- NETDATA_STREAM_API_KEY=1x214ch15h3at1289y
- PGID=999
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock
networks:
- netdata
deploy:
mode: global
placement:
constraints: [node.role == worker]
netdata-central:
image: titpetric/netdata
hostname: control
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
environment:
- NETDATA_API_KEY_ENABLE_1x214ch15h3at1289y=1
ports:
- '19999:19999'
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock
networks:
- netdata
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
networks:
netdata:
driver: overlay
attachable: true
Netdata on the manager works fine and the container runs on the one worker node I'm testing on. According to log output it seems to run well and gathers names from the docker containers running as it does in a local environment.
Problem is that it can't connect to the netdata-central service running on the manager.
This is the error message:
2019-01-04 08:35:28: netdata INFO : STREAM_SENDER[7] : STREAM 7 [send to control:19999]: connecting...,
2019-01-04 08:35:28: netdata ERROR : STREAM_SENDER[7] : Cannot resolve host 'control', port '19999': Name or service not known,
not sure why it can't resolve the hostname, thought it should work that way on the overlay network. Maybe there's a better way to connect and not rely on the hostname?
Any help is appreciated.
EDIT: as this question might come up - the firewall (ufw) on the control host is inactive, also I think the error message clearly points to a problem with name resolution.
Your API-Key is in the wrong format..it has to be a GUID. You can generate one with the "uuidgen" command...
https://github.com/netdata/netdata/blob/63c96aa96f96f3aea10bdcd2ecd92c889f26b3af/conf.d/stream.conf#L7
In the latest image the environment variables does not work.
The solution is to create a configuration file for the stream.
My working compose file is:
version: '3.7'
configs:
netdata_stream_master:
file: $PWD/stream-master.conf
netdata_stream_client:
file: $PWD/stream-client.conf
services:
netdata-client:
image: netdata/netdata:v1.21.1
hostname: "{{.Node.Hostname}}"
depends_on:
- netdata-central
configs:
-
mode: 444
source: netdata_stream_client
target: /etc/netdata/stream.conf
security_opt:
- apparmor:unconfined
environment:
- PGID=999
volumes:
- /proc:/host/proc:ro
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock
deploy:
mode: global
netdata-central:
image: netdata/netdata:v1.21.1
hostname: control
configs:
-
mode: 444
source: netdata_stream_master
target: /etc/netdata/stream.conf
security_opt:
- apparmor:unconfined
environment:
- PGID=999
ports:
- '19999:19999'
volumes:
- /etc/passwd:/host/etc/passwd:ro
- /etc/group:/host/etc/group:ro
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
I’m quite new in docker world.
I have a local virtulbox setup:
vm1=swarm manager (mysql,visualizer) IP: 192.168.99.100
vm2= wordpress service IP: 192.168.99.101
I can reach the application on both IP’s 100/101. But I would like to also use the localhost in order to port forward localhost to NET since 192.168.99.0 subnet is HOST only.
In VBOX I have portforwarding set like this for the NAT interface on the machine where apache runs:
HOST PORT 8888 / GUEST PORT 8888
Currently the YAML looks like this:
version: '3.4'
services:
wordpress:
image: wordpress
depends_on:
- mysql
- wordpress
deploy:
placement:
constraints: [node.labels.application==true]
mode: replicated
replicas: 1
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
ports:
- "80:80"
environment:
WORDPRESS_DB_PASSWORD: "12345"
networks:
- wordpress_net
mysql:
image: mysql:latest
volumes:
- "/mnt/sda1/var/lib/docker/volumes/mysql_data/_data:/var/lib/mysql"
deploy:
placement:
constraints: [node.role == manager]
environment:
MYSQL_ROOT_PASSWORD: "12345"
networks:
- wordpress_net
visualizer:
image: dockersamples/visualizer:stable
ports:
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
deploy:
placement:
constraints: [node.role == manager]
networks:
- wordpress_net
networks:
wordpress_net:
How can I attach the eth0 interface to container. So both the swarm network and the NAT-ed network will be reachable ?
I was trying something like this but without success:
services:
wordpress:
image: wordpress
depends_on:
- mysql
- wordpress
deploy:
placement:
constraints: [node.labels.application==true]
mode: replicated
replicas: 1
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
ports:
- target: 80
published: 80
protocol: tcp
mode: ingress
- target: 80
published: 8888
protocol: tcp
mode: host
environment:
WORDPRESS_DB_PASSWORD: "12345"
networks:
- wordpress_net
Thanks !
simplified swarm:
manager1 node
- consul-agent
worker1 node
- consul-client1
- web-app:80
- web-network:9000
database1 node
- consul-client2
- redis:6379
- mongo:27017
The web-app and web-network services can connect to redis and mongo through their service names correctly, e.g redis.createClient('6379', 'redis') and mongoose.connect('mongodb://mongo').
However, container web-app cannot connect to web-network, I'm trying to make a request like so:
request('http://web-network:9000')
But get the error:
errorno: ECONNREFUSED
address: 10.0.1.9
port: 9000
Request to web-network using a private IP does work:
request('http://11.22.33.44:9000')
What am I missing? Why can they connect to redis and mongo but not between each container? When moving redis/mongo to the same node as web-app, it will still work, so I don't think the issue comes because the services cannot talk to a service on the same server node.
Can we make docker network use private IP instead of the pre-configured subnet?
docker stack deploy file
version: '3'
services:
web-app:
image: private-repo/private-image
networks:
- swarm-network
ports:
- "80:8080"
deploy:
placement:
constraints:
- node.role==worker
web-network:
image: private-repo/private-image2
networks:
- swarm-network
ports:
- "9000:8080"
deploy:
placement:
constraints:
- node.role==worker
redis:
image: redis:latest
networks:
- swarm-network
ports:
- "6739:6739"
deploy:
placement:
constraints:
- engine.labels.purpose==database
mongo:
image: mongo:latest
networks:
- swarm-network
ports:
- "27017:27017"
deploy:
placement:
constraints:
- engine.labels.purpose==database
networks:
swarm-network:
driver: overlay
docker stack deploy app -c docker-compose.yml