PhilsWiki

User Tools

Site Tools

Trace:

Sidebar

Public
Internal

edit the sidebar

public:it:containers

This is an old revision of the document!

Table of Contents

Exams

Videos

Nvidia-Docker

Traefik

example config

---
# step 0:
#   docker network create --driver=bridge --attachable  --internal=false gateway

version: "3"

services:
  traefik:
    image: traefik:v2.5.3
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "2222:2222"
    volumes:
      # Here is the mount of the local `ssl` directory
      - ./data/letsencrypt:/letsencrypt
      # The docker socket is mounted for auto-discovery of new services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Globally Available User Creds
      - ./data/users_credentials:/users_credentials:ro
      # Mount config files directly
      - ./data/traefik-tls.toml:/traefik-tls.toml
      # traefik log file
      - /var/log/traefik:/var/log
    networks:
      - gateway
    command:
      - "--log.level=WARN"
      - "--accesslog=true"
      - "--accessLog.filePath=/var/log/access.log"
      #- "--accessLog.filters.statusCodes=400-499"
      #- "--pilot.dashboard=false" # Still being developed 
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.useBindPortIP=true"
      - "--providers.docker.network=gateway"
      - "--providers.docker.watch=true"
      # provide a file where options can be provided
      # Default TLS certificates must be specified in a file :sadface:
      - "--providers.file.filename=/traefik-tls.toml"
      # Entry Points
      - "--entrypoints.web.address=0.0.0.0:80"
      - "--entrypoints.websecure.address=0.0.0.0:443"
      - "--entrypoints.giteassh.address=0.0.0.0:2222"
      # import tls options from file for the websecure entrypoint
      - "--entrypoints.websecure.http.tls.options=default@file"
      # Certificate Resolver
      - "--certificatesresolvers.le.acme.email=user@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      # Staging. You'll want to replace the acme.json file. BACKUP this file!!!
      #- "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
    labels:
      - traefik.enable=true
      # Priority: Highest number == first prio
      #   https://doc.traefik.io/traefik/routing/routers/#priority
      # Route traffic for *.my.lan first
      - traefik.http.routers.mylan.rule=hostregexp(`.*\.my\.lan`)
      - traefik.http.routers.mylan.entrypoints=web
      - traefik.http.routers.mylan.priority=1000
      # global redirect to https
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.routers.http-catchall.priority=1
      # middleware redirect
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

networks:
  gateway:
    external: true

/traefik-tls.toml 

# due to Go limitations, it is highly recommended that you use an ECDSA
# certificate, or you may experience compatibility issues
#[[tls.certificates]]
##certFile = "/path/to/signed_cert_plus_intermediates"
##keyFile = "/path/to/private_key"
#  certFile = "/traefik/certs/default.crt"
#  keyFile = "/traefik/certs/default.crt"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

Min.io

Minimal object store server with S3 compatibility written in GO.

Kubernetes

1. Run this on hypervisor: 

curl -sfL https://get.k3s.io | sh -

2. Verify it worked: 

k3s kubectl get node

Docs: https://rancher.com/docs/k3s/latest/en/cluster-access/

3. Copy /etc/rancher/k3s/k3s.yaml on the hypervisor to your machine at ~/.kube/config. Then replace “localhost” with the IP or name of your K3s server. kubectl can now manage your K3s cluster.

Docker

Contexts

Format commands

source

Paste this into ~/.docker/config.json: 

{
  "psFormat": "table {{.Names}}\\t{{.Image}}\\t{{.RunningFor}} ago\\t{{.Status}}\\t{{.Command}}",
  "imagesFormat": "table {{.Repository}}\\t{{.Tag}}\\t{{.ID}}\\t{{.Size}}"
}

Podman

Seems to not require mapping UID and GIDs.

Ubuntu 20.10 supports podman install.

If on 20.04 you can add the repo: https://podman.io/getting-started/installation

Rootless Podman basics

  1. On ubuntu 20.04 and earlier install the podman repo.
  2. Install
    apt-get install -y slirp4netns podman
  3. Edit max user name spaces 
    $ echo “user.max_user_namespaces=28633” > /etc/sysctl.d/userns.conf 	 
$ sysctl -p /etc/sysctl.d/userns.conf

Podman Config files Podman to Docker

Docker features that are unsupported in Podman

podman-compose

Ubuntu Container with systemd

app container

https://github.com/google/gvisor https://firecracker-microvm.github.io/

DevOps discussion

https://www.reddit.com/r/devops/comments/p11l4k/devops_engineer_is_the_new_sysadmin/ https://medium.com/nerd-for-tech/devops-engineer-is-the-new-sysadmin-5bc46b86d413

public/it/containers.1635730183.txt.gz · Last modified: 2021/10/31 20:29 by phil

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki