Yes, the “label” way works and is really straightforward Just add a label from Portainer UI (Docker --label option from CLI) to instruct Traefik properly
The prototype above relies on firewall port forwarding rules for port 80 and 443 to override the main Apache instance and direct IP packets to Traefik. Surely every application that runs a real backend service, like WebTop, Mattermost, Nextcloud can push their rules into [file] to bypass Apache and optimize HTTP(S) traffic hops.
My impression is we do not need the “Published Ports” link in real cases (see image below). The link works only for HTTP, if the container exposes a web server. But web traffic is already handled by a reverse proxy (like Traefik). If the container exposes some other service (for instance a database server) the link is useless!
What did we achieve so far and where to go? Just some thoughts…
Docker integration with Shorewall. Defining the aqua network leads to a situation that can be easily handled with existing Firewall interface, from Server Manager. We need a wizard procedure that creates the firewall objects automatically.
Docker dedicated block device storage: requires an UI to select it (wizard procedure)
Portainer is a nice web UI, tailored on the docker CLI. I think most docker options are trasposed to the UI, so it is really powerful but quite complex. One must know well Docker to operate Portainer. BUT there’s the “Application templates” feature that is really promising for me!
It is like our Software Center page: the good news are that we can customize it, designing app templates specific to the NethServer environment. For instance we can define a “Redmine” template that connects MariaDB instance on NethServer host when it is started. Portainer templates can be instructed to ask for additional parameters interactively, for instance the virtual host name (see the MS SQL example). We can instruct Portainer to read the App catalog from the local NethServer instance, so it can be generated by a template with local parameters.
Traefik is a real reverse proxy. It’s flexible, it has a configuration file and also an HTTP API for configuration. It can auto-configure itself by reading the container labels (set by a Portainer app-template) from Docker: it’s perfect for it. However, its web UI is read-only, so we are still lacking a complete UI to configure it as reverse proxy for services running in another (LAN) host.
The aqua Shorewall zone is defined and created automatically
Portainer is instantiated and configured automatically
A dedicated storage device can be attached and configured before the docker daemon is started for the first time
traefik has been left behind, as we have the “Reverse proxy” page for that. This is the biggest design change since my post here: What about Docker on NethServer 7?
Just for our experiments, I configured mysql port 3306 open from aqua
Now what I can’t still grasp is the container upgrade and backup/restore lifecycles. I need to do some tests and study the latest Docker features to get an idea for them… ideas are welcome!
I tried caddy and joomla but I always get to the Nethserver default page instead of the portainer apps when browsing to http://nethserver:portainerport.
Dedicated storage seems to work (docker volumes are created).
The portainer app button is missing.
After installation it worked but when I did signal-event nethserver-docker-update more often, it happened that portainer was not reachable.
It can be a symptom of a lack of connectivity. I ran this experiment:
configured nethserver-docker on a green-only host
added red interface later
tried to ping from an alpine container ping 8.8.8.8 wget -qO- www.google.com
The ping was blocked. I found the aqua0 bridge was DOWN. It wasn’t bring up by interface-update event. So we need to add some logic to it, to bring it up again. This command was enough to work around the issue:
ip link set aqua0 up
Please check the aqua0 state: if you find it DOWN take note of it!
just a quick test, and probably i miss something… i tested on a VM with only a green interface.
dedicated storage seems ok, but i cannot reach the exposed port of the container, any hints?
Forgot the Docker facilities that automatically expose a TCP port by altering the packet filtering / nat configuration : they are disabled in NethServer!
You have to define a port forward in the NethServer firewall configuration manually.
Edit: If you want to expose a web site, configure the Reverse Proxy
For developers: I think this can be done automatically (and easily) by an RPM too…