Reference: https://www.portainer.io/.
Portainer is an open source tool for managing containerized applications. It works with Kubernetes, Docker, Docker Swarm and Azure ACI, both in data centres and at the edge.
Portainer removes the complexity associated with orchestrators so anyone can manage containers. It can be used to deploy and manage applications, observe the behavior of containers and provide the security and governance necessary to deploy containers widely.
Prerequisite
We disable the Portainer instance shipped with NethServer.
# config setprop portainer status disabled
# signal-event nethserver-docker-update
We open port 9000 which will be used by Portainer.
# config set fw_portainer service status enabled TCPPort 9000 access green,red
# signal-event firewall-adjust
We verify.
# cat /etc/shorewall/rules | egrep '9000'
ACCEPT loc $FW tcp 9000
ACCEPT net $FW tcp 9000
Certificate
■ ■ ■ When the script acme.sh is used to obtain the certificate
Certificate path → /root/.acme.sh/toto.org
Public key → toto.org.cer
Private key → toto.org.key
The basic docker run command takes the following form:
docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
docker run → Command name
portainer/portainer-ce → Name of the container image
-d → Detached
-p → 9000:9000
–name → portainer
–restart → unless-stopped
-v → /var/run/docker.sock:/var/run/docker.sock
-v → /root/.acme.sh/toto.org:/certs
-v → portainer_data:/data
–ssl → Tells Docker to use the specified SSL settings
–sslcert → /certs/toto.org.cer
–sslkey → /certs/toto.org.key
docker run → Name of the docker command to use.
portainer/portainer-ce → Name of the container image to use. If the image is not installed, Docker will download and install it.
-d → Execution mode.
When starting a Docker container, you must first decide whether you want to run the container in background mode, i.e. detached, or in the default foreground mode. To start a container in detached mode, you use the -d=true option or simply -d. By design, containers started in detached mode terminate when the root process used to run the container terminates, unless you also specify the --rm… option.
-p → Specifies the port to use. Example: 9000:9000, the first is the port outside the container (on the host) while the second is the one inside the container.
--name → The operator can identify a container in three ways: long UUID, short UUID and its name.
The UUIDs come from the docker daemon. If you do not assign a container name with the --name option, the daemon generates a random string name for you. Setting a name can be a convenient way to add meaning to a container. If you specify a name, you can use it to reference the container in a Docker network. This works for both background and foreground Docker containers.
--restart → By using the --restart parameter with docker run, you can specify a restart policy that defines how a container should or should not be restarted upon exit.
When a restart policy is active on a container, it will be displayed as either Up or Restarting in the docker ps command.
● no
→ Do not automatically restart the container when it exits. This is the default value.
● on-failure[:max-retries]
→ Restart only if the container exits with a non-zero exit status. Optionally, you can limit the number of restart attempts by the docker daemon.
● always → Always restart the container regardless of the exit status. When you specify always, the docker daemon will try to restart the container indefinitely. The container will also always be started when the docker daemon starts, regardless of the current state of the container.
● unless-stopped
→ Always restarts the container regardless of the exit state, including when the docker daemon starts, unless the container was put into a stopped state before the Docker daemon was stopped.
-v → Volumes are the preferred mechanism for persistence of data generated and used by containers. Volumes are fully managed by Docker.
If you start a container with a volume that does not yet exist, Docker creates the volume for you.
If you start a container that creates a new volume and the container has files or directories in the directory to be “mounted” (as below /root/.acme.sh/toto.org), the contents of the directory are copied into the volume. The container then mounts the volume and uses it.
Ex: -v /root/.acme.sh/toto.org:/certs
● -v → To specify a “volume”.
● /root/.acme.sh/toto.org → Full path of the directory outside the container.
● : → Separator (no space before or after).
● /certs → Full path of the directory inside the container (i.e. the mount point).
--ssl → Tells Docker to use the specified SSL settings.
--sslcert → Specifies the full path to the certificate’s public key inside the container.
--sslkey → Specifies the full path of the certificate’s private key inside the container.
Warning
Before installing Portainer CE, it is strongly recommended to restart Docker, otherwise you will get the docker error: Error response from daemon: driver failed programming external connectivity on endpoint portainer.
# systemctl restart docker
We verify.
# systemctl status docker | grep Active
Active: active (running) since ven. 2021-04-30 21:53:26 EDT; 11s ago
Installation
The command must be typed on a single line; if it is split over several lines, each continuation line must start with an alphabetical character or with a “/”, never with a “-”.
# docker run -d -p 9000:9000 --name portainer --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /root/.acme.sh/toto.org:/certs -v portainer_data:/data portainer/portainer-ce --ssl --sslcert /certs/toto.org.cer --sslkey /certs/toto.org.key
Unable to find image 'portainer/portainer-ce:latest' locally
latest: Pulling from portainer/portainer-ce
94cfa856b2b1: Pull complete
49d59ee0881a: Pull complete
527b866940d5: Pull complete
Digest: sha256:5064d8414091c175c55ef6f8744da1210819388c2136273b4607a629b7d93358
Status: Downloaded newer image for portainer/portainer-ce:latest
834d207eff8005f7c6bc5539e464ed5bceaecb5e4264feae22ad7a485a0e4a7b
Docker did not find the portainer/portainer-ce:latest image locally, so it downloads and installs the required image.
portainer/portainer-ce → The name of the Portainer image.
834d207eff80 → The short UUID.
834d207eff8005f7c6bc5539e464ed5bceaecb5e4264feae22ad7a485a0e4a7b → The long UUID.
We display all the containers currently installed.
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
834d207eff80 portainer/portainer-ce "/portainer --ssl --…" 11 seconds ago Up 5 seconds 8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp portainer
1079944c9090 hello-world "/hello" 2 hours ago Exited (0) 2 hours ago zealous_payne
Our new container, which has been given the name portainer, runs correctly (STATUS → Up 5 seconds).
Verification of Portainer’s operation
We go to the URL of our site specifying https and port 9000: https://toto.org:9000
The lock is closed indicating that our certificate is working properly.
● We choose a name for the Portainer administrator and a password that we confirm.
● We uncheck Allow collection of anonymous statistics…
● Create user.
Click on Manage the local Docker environment → Connect.
● The Portainer welcome screen appears.
● The version is 2.1.1 (Latest).
● Click inside the local frame.
● The dashboard appears and gives a summary of the present Docker components.
● In the menu, we click Containers to display all the containers.
Deleting a container
We delete the container zealous_payne (random name generated by Docker), which is the one of the hello-world image.
● Check the container zealous_payne → Remove.
● Activate the button Automatically remove non-persistent volumes → Remove.
● The zealous_payne container has been removed.
App Template
● By clicking App Templates, several templates are displayed.
● By clicking a template, its page is displayed and we can deploy it in our Docker.
■ ■ ■ When the NethServer manager is used to obtain the certificate
If our server is directly connected to the Internet and we used the NethServer manager to obtain a Let’s Encrypt certificate, the same procedure can be used to apply this certificate to Portainer. The only differences are the path of the certificate keys and their names.
Path to the certificate → /etc/letsencrypt
Public key → live/toto.org/cert.pem
Private key → live/toto.org/privkey.pem
It is absolutely necessary to use the path /etc/letsencrypt, because the files cert.pem and privkey.pem are symbolic links that point into the directory ../../archive/toto.org, and Docker must be able to reach that directory inside the portainer container. If we use the path /etc/letsencrypt/live instead, Docker maps only this directory and its subdirectories into the portainer container, and the ../../archive directory is not visible inside the container.
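A pre-flight check for the symlink problem just described, as an added example that is not part of the original post. It works for both certificate layouts on this page (the acme.sh directory and /etc/letsencrypt); it assumes a POSIX shell with readlink and the toto.org paths used above. Each certificate file is followed through its symlinks to the real file, which must lie under the host directory given to -v, and the matching --sslcert/--sslkey values for the mount point are printed.

```shell
# Added example (not from the original post): verify that the host directory
# given to "-v <host_dir>:/certs" really covers the files Let's Encrypt links to.

# Print the canonical path of a file, following symlinks step by step.
# Only plain readlink is used (no -f), so it works with both GNU and BSD tools.
resolve_path() {
    p=$1; n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do
        t=$(readlink "$p") || return 1
        case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
        n=$((n + 1))
    done
    d=$(cd -P "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$p")"
}

# Return 0 when the file (after resolving its symlinks) lives inside the host
# directory that will be bind-mounted, 1 otherwise.  This is exactly the case
# that fails when /etc/letsencrypt/live is mounted instead of /etc/letsencrypt.
mount_covers_file() {
    root=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    target=$(resolve_path "$2") || return 1
    [ -f "$target" ] || return 1
    case $target in "$root"/*) return 0 ;; *) return 1 ;; esac
}

# Map a host path to the path the container sees: host_dir (no trailing slash) mount_point file.
container_path_for() {
    printf '%s%s\n' "$2" "${3#"$1"}"
}

# Check the certificate and private key and print the Portainer arguments.
# Usage: check_portainer_certs <host_dir> <mount_point> <cert> <key>
check_portainer_certs() {
    for f in "$3" "$4"; do
        if ! mount_covers_file "$1" "$f"; then
            echo "ERROR: $f resolves outside $1; mount a higher directory" >&2
            return 1
        fi
    done
    echo "--sslcert $(container_path_for "$1" "$2" "$3") --sslkey $(container_path_for "$1" "$2" "$4")"
}

# Example with the paths used on this page (only runs when the files exist).
if [ -d /etc/letsencrypt/live/toto.org ]; then
    check_portainer_certs /etc/letsencrypt /certs \
        /etc/letsencrypt/live/toto.org/cert.pem /etc/letsencrypt/live/toto.org/privkey.pem
fi
```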
Warning
Before installing Portainer CE, it is strongly recommended to restart Docker, otherwise you will get the docker error: Error response from daemon: driver failed programming external connectivity on endpoint portainer.
# systemctl restart docker
We verify.
# systemctl status docker | grep Active
Active: active (running) since ven. 2021-04-30 21:53:26 EDT; 11s ago
Installation
The command must be typed on a single line; if it is split over several lines, each continuation line must start with an alphabetical character or with a “/”, never with a “-”.
# docker run -d -p 9000:9000 --name portainer --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /etc/letsencrypt:/certs -v portainer_data:/data portainer/portainer-ce --ssl --sslcert /certs/live/toto.org/cert.pem --sslkey /certs/live/toto.org/privkey.pem
Unable to find image 'portainer/portainer-ce:latest' locally
latest: Pulling from portainer/portainer-ce
94cfa856b2b1: Pull complete
49d59ee0881a: Pull complete
527b866940d5: Pull complete
Digest: sha256:5064d8414091c175c55ef6f8744da1210819388c2136273b4607a629b7d93358
Status: Downloaded newer image for portainer/portainer-ce:latest
3043d906e23a3bc6adcdba19024a010acdabe478f63fec5cac6d728cd6b1962d
We verify.
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3043d906e23a portainer/portainer-ce "/portainer --ssl --…" 18 seconds ago Up 10 seconds 8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp portainer
1079944c9090 hello-world "/hello" 30 minutes ago Exited (0) 30 minutes ago tender_haslett
Multi-line command
● Example of the Portainer command spread over several lines.
● Each line must start with an alphabetical character or a “/” and not with a “-”.
# docker run -d -p 9000:9000 --name \
portainer --restart \
unless-stopped -v \
/var/run/docker.sock:/var/run/docker.sock -v \
/etc/letsencrypt:/certs -v \
portainer_data:/data portainer/portainer-ce --ssl --sslcert \
/certs/live/toto.org/cert.pem --sslkey \
/certs/live/toto.org/privkey.pem
All comments and suggestions appreciated,
Michel-André