Nethserver-portainer needs testers AND ideas :D

Yes, the “label” way works and is really straightforward :smiley: Just add a label from Portainer UI (Docker --label option from CLI) to instruct Traefik properly

The prototype above relies on firewall port forwarding rules for ports 80 and 443 to override the main Apache instance and direct IP packets to Traefik. Surely every application that runs a real backend service, like WebTop, Mattermost or Nextcloud, can push its rules into [file] to bypass Apache and optimize HTTP(S) traffic hops.

My impression is we do not need the “Published Ports” link in real cases (see image below). The link works only for HTTP, if the container exposes a web server. But web traffic is already handled by a reverse proxy (like Traefik). If the container exposes some other service (for instance a database server) the link is useless!


What did we achieve so far and where to go? Just some thoughts…

  1. Docker integration with Shorewall. Defining the aqua network leads to a situation that can be easily handled with existing Firewall interface, from Server Manager. We need a wizard procedure that creates the firewall objects automatically.

  2. Docker dedicated block device storage: requires a UI to select it (wizard procedure)

  3. Portainer is a nice web UI, tailored on the docker CLI. I think most docker options are transposed to the UI, so it is really powerful but quite complex. One must know Docker well to operate Portainer. BUT there’s the “Application templates” feature that is really promising for me!


    It is like our Software Center page: the good news is that we can customize it, designing app templates specific to the NethServer environment. For instance we can define a “Redmine” template that connects to the MariaDB instance on the NethServer host when it is started. Portainer templates can be instructed to ask for additional parameters interactively, for instance the virtual host name (see the MS SQL example). We can instruct Portainer to read the App catalog from the local NethServer instance, so it can be generated by a template with local parameters.

  4. Traefik is a real reverse proxy. It’s flexible, it has a configuration file and also an HTTP API for configuration. It can auto-configure itself by reading the container labels (set by a Portainer app-template) from Docker: it’s perfect for it. However, its web UI is read-only, so we are still lacking a complete UI to configure it as reverse proxy for services running in another (LAN) host.

2 Likes

@stephdl what is the second package?

Is this still the right way to install it?

We would test a new way for docker: do not use a TCP port but the container's internal IP. Still WIP.

I am running portainer on ssl see here https://login.genius.ke:9000

and it all seems to be working fine.
And how come I never knew this was there? It's a very nice effort.

What's the plan with regard to fully integrating it in NethServer? Will it be in the Software Center?

1 Like

This location for the Jenkins password is not there:
/var/jenkins_home/secrets/initialAdminPassword

I just pushed an RPM to nethforge-testing, based on the previous Portainer prototype.

The source code is now an official NethServer repository, please have a look at the README here: https://github.com/NethServer/nethserver-docker/blob/master/README.rst.

  yum --enablerepo=nethforge-testing install nethserver-docker

In short:

  • The aqua Shorewall zone is defined and created automatically
  • Portainer is instantiated and configured automatically
  • A dedicated storage device can be attached and configured before the docker daemon is started for the first time
  • Traefik has been left behind, as we have the “Reverse proxy” page for that. This is the biggest design change since my post here: What about Docker on NethServer 7?

Just for our experiments, I configured MySQL port 3306 to be open from aqua.

Now what I can’t still grasp is the container upgrade and backup/restore lifecycles. I need to do some tests and study the latest Docker features to get an idea for them… :thinking: ideas are welcome!

5 Likes

Ideas will come later, for now: hooray

3 Likes
[root@ns7loc13 ~]# db configuration set docker service status enabled
[root@ns7loc13 ~]# signal-event nethserver-docker-update 

You missed something: docker is down after the installation.

EDIT: too fast, I missed reading the README; it is intended.

1 Like

I tested it on a VM (1 green interface) and on a gateway server (green and red)

On the gateway, app templates are missing: I only got 8 templates (usually there are more categories in the drop-down too):

I tried Caddy and Joomla but I always get to the NethServer default page instead of the Portainer apps when browsing to http://nethserver:portainerport.

Dedicated storage seems to work (docker volumes are created).

The Portainer app button is missing.

After installation it worked, but when I ran signal-event nethserver-docker-update more often, it happened that Portainer was not reachable.

1 Like

OK, I can create a basic container (tried alpine and ubuntu); remember to use the right setting in Portainer -> interactive & tty.

For the network, set an IP in the network range 172.28.0.0/16. I am not sure about the MAC address; it should work with the default one.

At least this is what I missed at first.

It can be a symptom of a lack of connectivity. I ran this experiment:

  • configured nethserver-docker on a green-only host
  • added red interface later
  • tried to ping from an alpine container
    ping 8.8.8.8
    wget -qO- www.google.com

The ping was blocked. I found the aqua0 bridge was DOWN. It wasn’t brought up by the interface-update event, so we need to add some logic to it to bring it up again. This command was enough to work around the issue:

 ip link set aqua0 up

Please check the aqua0 state: if you find it DOWN take note of it!

2 Likes

Just a quick test, and probably I missed something… I tested on a VM with only a green interface.
Dedicated storage seems OK, but I cannot reach the exposed port of the container. Any hints?

1 Like

I forgot: the Docker facilities that automatically expose a TCP port by altering the packet filtering / NAT configuration :blush: are disabled in NethServer!

You have to define a port forward in the NethServer firewall configuration manually.

Edit: If you want to expose a web site, configure the Reverse Proxy

For developers: I think this can be done automatically (and easily) by an RPM too…

3 Likes
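Two checks come out of the last posts: whether the aqua0 bridge is UP (the ping experiment above) and whether Docker has added any automatic DNAT port-publishing rules to the nat table (the post just above says those facilities are disabled, so a NethServer port forward is needed). The following preflight script is an added example for testers; it is not code from the original posts or from the nethserver-docker RPM. The parsing functions take command output as input, so they run against the constructed samples below on any host; the `run` mode, the `--fix` flag and the `aqua0` name are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example for nethserver-docker testers, not code from the original
# posts or from the nethserver-docker RPM. Checks two things discussed in
# the thread: is the aqua0 bridge UP, and has Docker created any automatic
# DNAT (port publishing) rules, which are disabled on NethServer.

# link_state LINE: extract UP/DOWN/UNKNOWN from one line of
# `ip -o link show dev <name>` output. Prints nothing for an empty line
# (interface missing).
link_state() {
    printf '%s\n' "$1" | sed -n 's/.* state \([A-Z]*\) .*/\1/p'
}

# docker_dnat_count: read `iptables -t nat -S` output on stdin and count the
# DNAT rules in Docker's own DOCKER chain. 0 means Docker is not publishing
# ports through the kernel NAT table, so the container port is unreachable
# until a port forward is defined in the NethServer firewall.
docker_dnat_count() {
    grep -c '^-A DOCKER .* -j DNAT' || true
}

# Constructed samples, trimmed from what the commands print on a real host.
SAMPLE_LINK_DOWN='4: aqua0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:42:9a:1c:3e:7f brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_UP='4: aqua0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:9a:1c:3e:7f brd ff:ff:ff:ff:ff:ff'
# Constructed: nat table with no DOCKER chain (Docker NAT disabled).
SAMPLE_NAT_NETHSERVER='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'
# Constructed: nat table on a stock Docker host publishing 9000/tcp.
SAMPLE_NAT_DOCKER_DEFAULT='-P PREROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000'

# Live mode (run as root on the test host): `sh preflight.sh run [--fix]`.
if [ "${1:-}" = "run" ]; then
    state=$(link_state "$(ip -o link show dev aqua0 2>/dev/null)")
    echo "aqua0 state: ${state:-missing}"
    if [ "$state" = "DOWN" ] && [ "${2:-}" = "--fix" ]; then
        ip link set aqua0 up    # the workaround from the ping experiment above
    fi
    echo "Docker DNAT rules in nat table: $(iptables -t nat -S | docker_dnat_count)"
fi
```

On a NethServer host the expected live result is a DNAT count of 0; if aqua0 reports DOWN after an interface-update, that is the state the earlier post asks testers to take note of.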

A post was split to a new topic: Help needed with firewall and nethserver-docker

For anyone who is using Docker Swarm, and I repeat, this is only for Docker Swarm:

To install the Traefik reverse proxy:

docker network create --driver=overlay traefik-net

This creates a new overlay network for Traefik to work on.

Then we need to create the service:

  docker service create \
    --name traefik \
    --constraint=node.role==manager \
    --publish 80:80 \
    --publish 8080:8080 \
    --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
    --network traefik-net \
    traefik:v1.6 \
    --docker \
    --docker.swarmmode \
    --docker.domain=traefik \
    --docker.watch \
    --web

Then you can access it via the local IP on :8080.

Where is the documentation for this?

@stephdl, I tried to install nethserver-docker recently and never succeed to log onto portainer; always got 500 server errors.

Decided it was really too cutting edge technology and preferred to go for a DO droplet and uninstalled the thing.

Now I get plenty of those messages:

Dec 16 20:37:51 mattlabs nmbd[30919]: [2018/12/16 20:37:51.755513,  0] ../source3/libsmb/nmblib.c:873(send_udp)
Dec 16 20:37:51 mattlabs nmbd[30919]:  Packet send failed to 172.28.255.255(138) ERRNO=Operation not permitted
Dec 16 20:37:51 mattlabs nmbd[30919]: [2018/12/16 20:37:51.755637,  0] ../source3/libsmb/nmblib.c:873(send_udp)
Dec 16 20:37:51 mattlabs nmbd[30919]:  Packet send failed to 172.28.255.255(138) ERRNO=Operation not permitted
Dec 16 20:38:10 mattlabs systemd: Starting Time & Date Service...

Maybe there is something not handled when uninstalling.

Txs :slight_smile:

Bump next steps

4 Likes

Wow. That’s really a moving target nowadays…

Could be an idea for GSoC :thinking:

Also this seems like good news: