I have the following docker-compose YAML file:
    ...
      node-exporter:
        image: prom/node-exporter:latest
        container_name: node-exporter
        restart: unless-stopped
        volumes:
          - /proc:/host/proc:ro
          - /sys:/host/sys:ro
          - /:/rootfs:ro
        command:
          - '--path.procfs=/host/proc'
          - '--path.rootfs=/rootfs'
          - '--path.sysfs=/host/sys'
          - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
        expose:
          - 9100
        networks:
          - monitoring
    ...
When I run docker-compose up, I am seeing the following in the logs:
    ts=2022-12-09T03:42:29.448Z caller=tls_config.go:232 level=info msg="Listening on" address=[::]:9100
    ts=2022-12-09T03:42:29.448Z caller=tls_config.go:235 level=info msg="TLS is disabled." http2=false address=[::]:9100
    ts=2022-12-09T03:43:07.813Z caller=collector.go:169 level=error msg="collector failed" name=os duration_seconds=6.5056e-05 err="open /rootfs/etc/os-release: permission denied"
Is there any config change I need to do in order to fix this error?
Related
I am trying to connect the ParseServer, which is a docker container, to Mesh via the .meshrc.yaml file, following this documentation of GraphQL Mesh. But I am not sure how to send the MASTER Key and Application ID in order to make the proper connection.
What I've tried already is:
schemaHeaders
operationHeaders
Neither of them worked. When I am running the graphql_mesh from my docker-compose I am getting the following error:
    Failed to generate the schema Error: Failed to fetch introspection from http://localhost:1337/graphql: Error: connect ECONNREFUSED 127.0.0.1:1337
    2023-02-10T13:38:52.347296144Z at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1494:16)
Below are my docker files and my .meshrc.yaml.
docker-compose.yml file:
    version: '3.9'
    services:
      database:
        image: mongo:6.0.4
        environment:
          MONGO_INITDB_ROOT_USERNAME: admin
          MONGO_INITDB_ROOT_PASSWORD: admin
        volumes:
          - ${HOME}/_DOCKER_DATA_/database:/data/db
        networks:
          - my_network
      server:
        restart: always
        image: parseplatform/parse-server:5.4.1
        ports:
          - 1337:1337
        environment:
          - PARSE_SERVER_APPLICATION_ID=COOK_APP
          - PARSE_SERVER_APPLICATION_NAME=COOK_NAME
          - PARSE_SERVER_MASTER_KEY=MASTER_KEY_1
          - PARSE_SERVER_DATABASE_URI=mongodb://admin:admin@mongo/parse_server?authSource=admin
          - PARSE_SERVER_URL=http://10.0.2.2:1337/parse
          - PARSE_SERVER_MOUNT_GRAPHQL=true
        links:
          - database:mongo
        volumes:
          - ${HOME}/_DOCKER_DATA_/server:/data/server
        networks:
          - my_network
      dashboard:
        image: parseplatform/parse-dashboard:5.0.0
        ports:
          - "4040:4040"
        depends_on:
          - server
        environment:
          - PARSE_DASHBOARD_APP_ID=COOK_APP
          - PARSE_DASHBOARD_MASTER_KEY=MASTER_KEY_1
          - PARSE_DASHBOARD_USER_ID=admin
          - PARSE_DASHBOARD_USER_PASSWORD=admin
          - PARSE_DASHBOARD_ALLOW_INSECURE_HTTP=true
          - PARSE_DASHBOARD_SERVER_URL=http://localhost:1337/parse
          - PARSE_DASHBOARD_GRAPHQL_SERVER_URL=http://localhost:1337/graphql
        volumes:
          - ${HOME}/_DOCKER_DATA_/dashboard:/data/dashboard
        networks:
          - my_network
      graphql_mesh:
        build:
          context: .
          dockerfile: Dockerfile_graphql_mesh
        volumes:
          - ./work/.meshrc.yaml:/work/.meshrc.yaml
        ports:
          - "4000:4000"
        stdin_open: true
        tty: true
        networks:
          - my_network
    networks:
      my_network:
        driver: bridge
The Dockerfile_graphql_mesh:
    FROM node:19.6.0-alpine3.17
    COPY work /work
    WORKDIR /work
    RUN yarn add @graphql-mesh/cli
    RUN yarn add graphql
    RUN yarn add @graphql-mesh/graphql
    RUN yarn add @graphql-mesh/runtime
    RUN yarn add @envelop/auth0
    CMD yarn run mesh dev
.meshrc.yaml:
    sources:
      - name: ParseServer_3
        handler:
          graphql:
            endpoint: http://localhost:1337/graphql
            schemaHeaders:
              X-Parse-Application-Id: 'COOK_APP'
              X-Parse-Master-Key: 'MASTER_KEY_1'
    serve:
      playground: true
I am trying to get the proper connection and generation of schema.graphql via the GraphQL Mesh.
I have a minio docker service running, which is connectable on storage/console.
My traefik also works for this.
But I suspect the connections to use the pattern BUCKET.backup.lo.domain.com which leads to a 404 from traefik.
I clearly see this pattern, for example, when using Cyberduck to connect (in the traefik logs and Cyberduck itself). The connection itself is possible (backup.lo.domain.com). I also get the buckets listed. But as soon as I click on the bucket it shows a modal with the bucket.lo.domain.com pattern and the traefik default certificate.
    version: "3.8"
    volumes:
      minio-data:
    services:
      minio:
        container_name: minio-backup
        image: quay.io/minio/minio:RELEASE.2022-01-08T03-11-54Z
        networks:
          - traefik
        volumes:
          - minio-data:/data
        command:
          - server
          - /data
          - --console-address
          - ":9001"
        environment:
          - TZ=${TIME_ZONE}
          - MINIO_ROOT_USER=root
          - MINIO_ROOT_PASSWORD=password
          - MINIO_BROWSER_REDIRECT_URL=https://backup-console.lo.domain.com
          - MINIO_DOMAIN=https://backup.lo.domain.com
        labels:
          - traefik.enable=true
          - traefik.docker.network=traefik
          - traefik.http.routers.minio.service=minio
          - traefik.http.routers.minio.rule=Host(`backup.lo.domain.com`)
          - traefik.http.routers.minio.tls.certresolver=letsenc
          - traefik.http.routers.minio.entrypoints=websecure
          - traefik.http.services.minio.loadbalancer.server.port=9000
          - "traefik.http.routers.minio-console.service=minio-console"
          - "traefik.http.routers.minio-console.rule=Host(`backup-console.lo.domain.com`)"
          - "traefik.http.routers.minio-console.entrypoints=websecure"
          - "traefik.http.routers.minio-console.tls.certresolver=letsenc"
          - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
        restart: unless-stopped
      traefik:
        image: traefik
        container_name: traefik
        command:
          - --providers.docker=true
          - --entryPoints.web.address=:80
          - --entryPoints.websecure.address=:443
        labels:
          - "traefik.http.routers.traefik.tls=true"
          - "traefik.http.routers.traefik.entrypoints=websecure"
          - "traefik.http.routers.traefik.tls.certresolver=letsenc"
          - "traefik.http.routers.traefik.service=api@internal"
          - "traefik.http.routers.traefik.tls.domains[0].main=lo.domain.com"
          - "traefik.http.routers.traefik.tls.domains[0].sans=*.lo.domain.com"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
        restart: unless-stopped
        networks:
          traefik:
    networks:
      traefik_public:
Any ideas? Could I use something like wildcards for subdomains?
The problem here is that buckets do not have sub-domain DNS entries in your setup. If you disable this and use path-style requests things should work fine: https://docs.cyberduck.io/protocols/s3/#disable-use-of-virtual-host-style-requests
Specifically, you need to set s3.bucket.virtualhost.disable to true in Cyberduck.
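Why the bucket sub-domain request gets a 404 while the path-style request is routed, as an added example that is not part of the original answer: it reads the two Host rules from the question's labels and compares them with the host each S3 addressing style produces. The bucket name photos is constructed, and only single-host Host(`...`) rules are parsed.

```python
import re
from urllib.parse import urlsplit

# Router rules copied from the question's compose labels.
LABELS = [
    "traefik.http.routers.minio.rule=Host(`backup.lo.domain.com`)",
    "traefik.http.routers.minio-console.rule=Host(`backup-console.lo.domain.com`)",
]

# Assumption: one hostname per rule, as in the labels above.
HOST_RULE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.rule=Host\(`([^`]+)`\)$")


def router_hosts(labels):
    """Map each exact hostname found in a Host(`...`) rule to its router name."""
    hosts = {}
    for label in labels:
        match = HOST_RULE.match(label)
        if match:
            hosts[match.group(2).lower()] = match.group(1)
    return hosts


def s3_urls(endpoint, bucket, key=""):
    """URLs an S3 client requests for the same object in each addressing style."""
    p = urlsplit(endpoint)
    return {
        "virtual-host": f"{p.scheme}://{bucket}.{p.netloc}/{key}",
        "path": f"{p.scheme}://{p.netloc}/{bucket}/{key}",
    }


def matched_router(url, hosts):
    """Router whose Host rule equals the request host, or None (Traefik answers 404)."""
    return hosts.get(urlsplit(url).hostname)


def explain(endpoint, bucket, labels=LABELS):
    """Which router, if any, serves each addressing style for this bucket."""
    hosts = router_hosts(labels)
    return {style: matched_router(url, hosts)
            for style, url in s3_urls(endpoint, bucket).items()}


if __name__ == "__main__":
    # "photos" is a constructed bucket name.
    for style, router in explain("https://backup.lo.domain.com", "photos").items():
        print(f"{style:12} -> {router or '404 (no router for this host)'}")
```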
I had the previous version (from last yr) of minio running well behind traefik and on portainer with no issues. I attempted an upgrade 4 days ago to the new version and it's been downhill since then. I get the login page but it won't accept credentials; Error:
    {"code":500,"detailedMessage":"Post \"https://storage.example.com/\": dial tcp <ip>:443: i/o timeout","message":"invalid Login"}
I suspect it has something to do with the TLS certificate.
Below is my compose file, I've generated the certs as required; any assistance is welcomed:
    minio:
      image: minio/minio
      container_name: minio
      restart: unless-stopped
      command: server /data --certs-dir "./minio-data/certs" --address ":9000" --console-address ":9001"
      networks:
        - traefik-proxy2
      expose:
        - "9000"
        - "9001"
      volumes:
        - ./minio-data:/data
      environment:
        - "MINIO_ROOT_USER=love"
        - "MINIO_ROOT_PASSWORD=love1234"
        - "MINIO_BROWSER_REDIRECT_URL=https://stash.example.com"
        - "MINIO_SERVER_URL=https://storage.example.com"
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.minio.loadbalancer.server.port=9000"
        - "traefik.http.routers.minio.rule=Host(`storage.example.com`)"
        - "traefik.http.middlewares.minio-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.minio.middlewares=minio-https-redirect"
        - "traefik.http.routers.minio.entrypoints=https"
        - "traefik.http.routers.minio.service=minio"
        - "traefik.http.routers.minio.tls=true"
        - "traefik.http.routers.minio.tls.certresolver=http"
        - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
        - "traefik.http.routers.minio-console.rule=Host(`stash.example.com`)"
I was getting the same Invalid Login error: Post "http://minio.localhost/": dial tcp: lookup minio.localhost on 127.0.0.11:53: no such host.
The following docker-compose.yml works. The solution is NOT to use MINIO_DOMAIN or MINIO_SERVER_URL. See # comments at environment: variables.
    version: "3.3"
    services:
      minio:
        # Please use fixed versions :D
        image: minio/minio:RELEASE.2021-10-06T23-36-31Z
        networks:
          - traefik-proxy2
        volumes:
          - minio-data:/data
        command:
          - server
          - /data
          - --console-address
          - ":9001"
        environment:
          - MINIO_ROOT_USER=love
          - MINIO_ROOT_PASSWORD=love1234
          # Do NOT use MINIO_DOMAIN or MINIO_SERVER_URL with Traefik.
          # All Routing is done by Traefik, just tell minio where to redirect to.
          - MINIO_BROWSER_REDIRECT_URL=http://stash.localhost
        deploy:
          labels:
            - traefik.enable=true
            - traefik.docker.network=traefik-proxy2
            - traefik.constraint-label=traefik-proxy2
            - traefik.http.routers.minio.service=minio
            - traefik.http.routers.minio.rule=Host(`storage.localhost`)
            - traefik.http.services.minio.loadbalancer.server.port=9000
            - traefik.http.routers.minio-console.service=minio-console
            - traefik.http.routers.minio-console.rule=Host(`stash.localhost`)
            - traefik.http.services.minio-console.loadbalancer.server.port=9001
    volumes:
      minio-data:
    networks:
      traefik-proxy2:
        external: true
I have this composer file. It was working properly, but 2 days ago I added a new domain and it fails to get the Let's Encrypt certificate:
    version: '3.4'
    services:
      traefik:
        image: "traefik:v2.4"
        container_name: "traefik"
        command:
          - "--log.level=DEBUG"
          - "--api.insecure=true"
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.web.address=:80"
          - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
          - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
          - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
          - "--entrypoints.websecure.address=:443"
          - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
          - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudns"
          - "--certificatesresolvers.myresolver.acme.email=myemail@gmail.com"
          - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        labels:
          - "com.centurylinklabs.watchtower.enable=false"
        ports:
          - "80:80"
          - "443:443"
        environment:
          - "CLOUDNS_AUTH_ID=xxxx"
          - "CLOUDNS_AUTH_PASSWORD=xxxx"
        volumes:
          - type: volume
            source: traefik
            target: /letsencrypt
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
        networks:
          - "organic"
      php-apache:
        image: "php7.4"
        restart: "unless-stopped"
        container_name: "php-apache"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.exampledomain.rule=Host(`example.com`)"
          - "traefik.http.routers.exampledomain.entrypoints=websecure"
          - "traefik.http.routers.exampledomain.tls.certresolver=myresolver"
          - "com.centurylinklabs.watchtower.enable=false"
        networks:
          - "organic"
    networks:
      organic:
        driver: bridge
Here are the errors I'm getting
    traefik | time="2021-04-17T03:31:02Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce:
    traefik | time="2021-04-17T03:31:02Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com\": unable to generate a certificate for thedomains [example.com]: error: one or more domains had a problem:\n[example.com] [example.com] acme: error presenting token: time limit exceeded: last error: %!w(<nil>)\n" providerName=myresolver.acme rule="Host(`example.com`)" routerName=exampledomain@docker
The tx is generated successfully in ClouDNS as normal. I have spent two days trying to figure out what might be the problem, with no luck.
I had the same problem recently and after many configuration tries I deleted the traefik container (not recreate) as well as the letsencrypt volume. Then I redeployed with docker-compose up -d. On startup of traefik new certificates were generated immediately and without any complaints. Hope this helps solve your issue as well.
    traefik:
      image: "traefik:v2.4"
      container_name: "traefik"
      restart: always
      command:
        #- "--log.level=DEBUG"
        - "--providers.docker=true"
        - "--providers.docker.exposedbydefault=false"
        - "--providers.docker.network=traefik_proxy"
        - "--providers.docker.endpoint=tcp://docker-socket-proxy:2375"
        - "--ping=true"
        - "--ping.entryPoint=ping"
        - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
        - "--certificatesresolvers.letsencrypt.acme.email=${CERTIFICATE_EMAIL}"
        - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
        - "--certificatesResolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
        - "--entryPoints.ping.address=:8081"
        - "--entrypoints.http.address=:80"
        - "--entrypoints.https.address=:443"
        - "--entrypoints.https.http.tls.certresolver=letsencrypt"
        - "--entrypoints.https.http.tls.domains[0].main=${DOMAINNAME}"
        - "--entrypoints.https.http.tls.domains[0].sans=*.${DOMAINNAME}"
      environment:
        - CF_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
      healthcheck:
        test: ["CMD", "wget", "-c", "http://localhost:8081/ping"]
        retries: 3
        interval: "15s"
        timeout: "3s"
        start_period: "15s"
      networks:
        - traefik_proxy
        - socket-proxy
      security_opt:
        - no-new-privileges:true
      ports:
        - target: 80
          published: 80
          protocol: tcp
          mode: host
        - target: 443
          published: 443
          protocol: tcp
          mode: host
      volumes:
        - "letsencrypt:/letsencrypt"
        #- "/var/run/docker.sock:/var/run/docker.sock:ro"
      labels:
        - "com.centurylinklabs.watchtower.enable=true"
      depends_on:
        - docker-socket-proxy
My config is a simple Docker Swarm (on Docker for Windows) with a Traefik container and a very simple Spring Boot 'echo' container.
I would like to forward a browser request for 'localhost/traefik' to the Traefik dashboard and 'localhost/echo/something' to a simple Spring Boot echo application.
Expected to work:
localhost/treafik => gives a "Gateway timeout"
localhost/echo/something => gives a "Gateway timeout"
Expected not to work, but bypass Traefik (incorrectly):
localhost:8080 => shows the Traefik dashboard
localhost:8082/echo/something => { "status":"something" }
How can I improve the docker-compose.yml file to get the expected result? Can this have to do with 'networking'? Creating any network, even an overlay, gave error messages.
    version: '3.7'
    services:
      traefik:
        image: traefik:latest
        command: --api --docker
        restart: always
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - //k/data/slackbot/traefik.toml:/traefik.toml
        ports:
          - "80:80"
          - "8080:8080"
        labels:
          - "traefik.enable=true"
          - "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/traefik"
          - "traefik.port=8080"
          - "traefik.protocol=http"
          - "traefik.backend=traefik"
      slackbotsimple:
        image: solvedshared/slackbotsimple:latest
        ports:
          - 8082:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        labels:
          - "traefik.enable=true"
          - "traefik.frontend.rule=Host:localhost;PathPrefix:/echo"
          - "traefik.port=8082"
          - "traefik.protocol=http"
          - "traefik.backend=slackbotsimple"
The first issue was a networking issue. Solved, thanks to clever Jim.
The other issue was that I used the wrong port number. To route from the frontend '/echo' to the backend, the 'ports' section is NOT used. I could route directly to the exposed port of the slackbot application!
Take a look at the ports config: only 80 is available.
    version: '3.7'
    services:
      traefik:
        image: traefik:latest
        command: --api --docker
        restart: always
        networks:
          - slackbotnet
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - //k/data/slackbot/traefik.toml:/traefik.toml
        ports:
          - "80:80"
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=slackbotnet"
          - "traefik.frontend.rule=Host:localhost;PathPrefixStrip:/traefik"
          - "traefik.port=8080"
          - "traefik.protocol=http"
          - "traefik.backend=traefik"
      slackbotsimple:
        image: solvedshared/slackbotsimple:latest
        networks:
          - slackbotnet
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=slackbotnet"
          - "traefik.frontend.rule=Host:localhost;PathPrefix:/echo"
          - "traefik.port=8080"
          - "traefik.protocol=http"
          - "traefik.backend=slackbotsimple"
    networks:
      slackbotnet:
        name: slackbotnet
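The port mix-up described in this answer, as an added check that is not the poster's code: it flags a traefik.port label that names the published host port instead of the container port, and any published port that lets a client reach a routed backend without going through Traefik. The dictionaries hold only the ports and Traefik v1 labels from the two compose files above, and the finding names are made up for this example.

```python
# Constructed from the question's and the answer's compose files
# (only the ports and Traefik v1 labels are kept).
QUESTION = {
    "traefik": {"ports": ["80:80", "8080:8080"],
                "labels": ["traefik.enable=true", "traefik.port=8080"]},
    "slackbotsimple": {"ports": ["8082:8080"],
                       "labels": ["traefik.enable=true", "traefik.port=8082"]},
}
ANSWER = {
    "traefik": {"ports": ["80:80"],
                "labels": ["traefik.enable=true", "traefik.port=8080"]},
    "slackbotsimple": {"labels": ["traefik.enable=true", "traefik.port=8080"]},
}


def parse_port(entry):
    """Short-syntax '[IP:]HOST:CONTAINER[/proto]' or 'CONTAINER' -> (host, container)."""
    parts = str(entry).split("/")[0].split(":")
    return (int(parts[-2]) if len(parts) > 1 else None, int(parts[-1]))


def audit(services):
    """Return (service, finding, detail) tuples for services routed by Traefik."""
    findings = []
    for name, svc in services.items():
        labels = dict(label.split("=", 1) for label in svc.get("labels", []))
        if labels.get("traefik.enable") != "true" or "traefik.port" not in labels:
            continue
        target = int(labels["traefik.port"])
        for host, container in map(parse_port, svc.get("ports", [])):
            if host is None:
                continue  # no fixed host port in this entry
            if target == host and host != container:
                # Traefik connects over the Docker network to the container port.
                findings.append((name, "label-uses-host-port",
                                 f"traefik.port={target}; the container listens on {container}"))
            if target in (host, container):
                findings.append((name, "bypasses-proxy",
                                 f"host port {host} reaches the backend without Traefik"))
    return findings


if __name__ == "__main__":
    for finding in audit(QUESTION):
        print(*finding, sep=" | ")
    print("answer:", audit(ANSWER) or "no findings")
```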