Sidebar
public:it:containers
This is an old revision of the document!
Table of Contents
Exams
Videos
Nvidia-Docker
Traefik
example config
---
# step 0:
# docker network create --driver=bridge --attachable --internal=false gateway
version: "3"
services:
traefik:
image: traefik:v2.5.3
container_name: traefik
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "8080:8080"
- "2222:2222"
volumes:
# Here is the mount of the local `ssl` directory
- ./data/letsencrypt:/letsencrypt
# The docker socket is mounted for auto-discovery of new services
- /var/run/docker.sock:/var/run/docker.sock:ro
# Globally Available User Creds
- ./data/users_credentials:/users_credentials:ro
# Mount config files directly
- ./data/traefik-tls.toml:/traefik-tls.toml
# traefik log file
- /var/log/traefik:/var/log
networks:
- gateway
command:
- "--log.level=WARN"
- "--accesslog=true"
- "--accessLog.filePath=/var/log/access.log"
#- "--accessLog.filters.statusCodes=400-499"
#- "--pilot.dashboard=false" # Still being developed
- "--api.dashboard=true"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.useBindPortIP=true"
- "--providers.docker.network=gateway"
- "--providers.docker.watch=true"
# provide a file where options can be provided
# Default TLS certificates must be specified in a file :sadface:
- "--providers.file.filename=/traefik-tls.toml"
# Entry Points
- "--entrypoints.web.address=0.0.0.0:80"
- "--entrypoints.websecure.address=0.0.0.0:443"
- "--entrypoints.giteassh.address=0.0.0.0:2222"
# import tls options from file for the websecure entrypoint
- "--entrypoints.websecure.http.tls.options=default@file"
# Certificate Resolver
- "--certificatesresolvers.le.acme.email=user@example.com"
- "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
# Staging. You'll want to replace the acme.json file. BACKUP this file!!!
#- "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.le.acme.httpchallenge=true"
- "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
labels:
- traefik.enable=true
# Priority: Highest number == first prio
# https://doc.traefik.io/traefik/routing/routers/#priority
# Route traffic for *.my.lan first
- traefik.http.routers.mylan.rule=hostregexp(`.*\.my\.lan`)
- traefik.http.routers.mylan.entrypoints=web
- traefik.http.routers.mylan.priority=1000
# global redirect to https
- traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
- traefik.http.routers.http-catchall.entrypoints=web
- traefik.http.routers.http-catchall.middlewares=redirect-to-https
- traefik.http.routers.http-catchall.priority=1
# middleware redirect
- traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
networks:
gateway:
external: true
/traefik-tls.toml
# due to Go limitations, it is highly recommended that you use an ECDSA
# certificate, or you may experience compatibility issues
#[[tls.certificates]]
##certFile = "/path/to/signed_cert_plus_intermediates"
##keyFile = "/path/to/private_key"
# certFile = "/traefik/certs/default.crt"
# keyFile = "/traefik/certs/default.crt"
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
Min.io
Minimal object store server with S3 compatibility written in GO.
Garage
S3 compatible object store. Similar to min.io.
Kubernetes
1. Run this on hypervisor:
curl -sfL https://get.k3s.io | sh -
2. Verify it worked:
k3s kubectl get node
Docs: https://rancher.com/docs/k3s/latest/en/cluster-access/
3. Copy /etc/rancher/k3s/k3s.yaml on the hypervisor to your machine at ~/.kube/config. Then replace “localhost” with the IP or name of your K3s server. kubectl can now manage your K3s cluster.
Docker
Deploy docker containers on remote hosts with docker-compose
Environment variable
DOCKER_HOST=“ssh://user@remotehost” docker-compose up -d
Context
$ docker context ls NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR … remote ssh://user@remotemachine $ cd hello-docker $ docker-compose ‐‐context remote up -d
$ docker context create remote ‐‐docker “host=ssh://user@remotemachine” remote Successfully created context “remote” $ docker context ls NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR default * Current DOCKER_HOST… unix:///var/run/docker.sock swarm remote ssh://user@remotemachine
Format commands
Paste this into ~/.docker/config.json:
{
"psFormat": "table {{.Names}}\\t{{.Image}}\\t{{.RunningFor}} ago\\t{{.Status}}\\t{{.Command}}",
"imagesFormat": "table {{.Repository}}\\t{{.Tag}}\\t{{.ID}}\\t{{.Size}}"
}
Podman
Seems to not require mapping UID and GIDs.
Ubuntu 20.10 supports podman install.
If on 20.04 you can add the repo: https://podman.io/getting-started/installation
- On ubuntu 20.04 and earlier install the podman repo.
- Install
apt-get install -y slirp4netns podman
- Edit max user name spaces
$ echo “user.max_user_namespaces=28633” > /etc/sysctl.d/userns.conf $ sysctl -p /etc/sysctl.d/userns.conf
subuid and subgid
Pre-generating all possible values for /etc/subuid and /etc/subgid, based on uid and gid, rather than the user and group names, is also possible. This can simplify shared management of shared computing environments using LDAP/AD, while there is no standardized way to store or retrieve subuid and subgid values from those directories.
An example python program to generate the files:
f = open("/etc/subuid", "w")
for uid in range(1000, 65536):
f.write("%d:%d:65536\n" %(uid,uid*65536))
f.close()
f = open("/etc/subgid", "w")
for uid in range(1000, 65536):
f.write("%d:%d:65536\n" %(uid,uid*65536))
f.close()
Map local uid/gid into container
#!/bin/bash
# https://github.com/containers/podman/blob/main/troubleshooting.md#33-container-creates-a-file-that-is-not-owned-by-the-users-regular-uid
subuidSize=$(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 ))
subgidSize=$(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 ))
uid=$(id -u)
gid=$(id -g)
podman run --rm -it \
-v ./dir1:/dir1 \
--user $uid:$gid \
--uidmap $uid:0:1 \
--uidmap 0:1:$uid \
--uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
--gidmap $gid:0:1 \
--gidmap 0:1:$gid \
--gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
docker.io/library/ubuntu /bin/bash
# "touch /dir1/a; chmod 600 /dir1/a"
Docker features that are unsupported in Podman
app container
DevOps discussion
public/it/containers.1648831941.txt.gz · Last modified: 2022/04/01 11:52 by phil
