Container Station, Docker and Virtual Switches: help

seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Container Station, Docker and Virtual Switches: help

Post by seaan »

Hello,
I managed to deploy a number of services in containers on my QNAP and implemented split DNS using PiHole, which forwards local DNS requests to a Traefik reverse proxy because my router does not support NAT loopback and will not resolve my own domain correctly for hosts inside the LAN.

Long story short: both PiHole and Traefik are running in containers and are assigned IPs from my LAN; this is done on purpose because both need to be referenced from the other hosts in my LAN.

The former was created using Container Station as per instructions I found in a tutorial provided by a QNAP engineer on YT; it uses bridge networking and a static IP address from my CIDR.
The latter (Traefik) was instead created using a docker run script which assigns the container to the same network as PiHole and also a static IP address, using the --network and --ip options.

For disaster recovery purposes I would like to use docker-run or compose scripts for both containers and I have a question:

how can I replicate via script the current situation where PiHole and Traefik are assigned an IP from my LAN?

I'm struggling to find the correct set of instructions and by fiddling with Virtual Switches I almost messed up my NAS connectivity.

If you feel this is largely off-topic, feel free to send me RTFM, although some hints to tutorial references would be appreciated as I found the official Docker Network documents a bit "rusty".

Thanks
Sergio
seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Re: Container Station, Docker and Virtual Switches: help

Post by seaan »

Answering myself.

Qnet is what can be used to achieve what I need.
Description and examples here: https://qnap-dev.github.io/container-st ... /qnet.html
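A compose file that scripts the setup Sergio describes (both containers on one qnet network with fixed LAN addresses), added here as an example; it is not from the thread or from QNAP's documentation. It assumes the qnet driver and IPAM options (iface, subnet, gateway) take the shape shown in the linked qnet document; the interface name, subnet, PiHole paths and addresses are placeholders for your own LAN.

```yaml
# Added example, not from the thread or from QNAP's docs. Assumes the qnet
# driver/IPAM option names shown in the linked qnet document; interface name,
# subnet, PiHole paths and addresses are placeholders for your own LAN.
version: "3.7"

services:
  pihole:
    image: pihole/pihole
    container_name: pihole
    hostname: pihole
    restart: always
    environment:
      TZ: "Europe/Rome"            # placeholder
      WEBPASSWORD: "change-me"     # placeholder, set a real secret
    volumes:
      - /share/Container/pihole/etc-pihole:/etc/pihole        # placeholder path
      - /share/Container/pihole/etc-dnsmasq.d:/etc/dnsmasq.d  # placeholder path
    networks:
      lan:
        ipv4_address: 192.168.0.60   # placeholder, keep outside the router's DHCP pool

  traefik:
    image: traefik
    container_name: traefik
    hostname: traefik
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /share/Container/traefik/config:/etc/traefik
    networks:
      lan:
        ipv4_address: 192.168.0.70   # the address used in marcel_255's docker run

networks:
  lan:
    # Same name as the network the thread already uses, so existing
    # "docker run --net=..." scripts keep working after a rebuild.
    name: qnet-static-eth2-51934f
    driver: qnet
    ipam:
      driver: qnet
      options:
        iface: "eth2"                # NAS interface the containers attach to
      config:
        - subnet: 192.168.0.0/24     # placeholder LAN subnet
          gateway: 192.168.0.1       # placeholder LAN gateway
```

If Container Station has already created the network, declare it with `external: true` instead of the driver/ipam block so compose does not try to create it a second time.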
marcel_255
New here
Posts: 4
Joined: Mon Feb 27, 2017 6:09 am

Re: Container Station, Docker and Virtual Switches: help

Post by marcel_255 »

Hello,
Can you please post the link to the YouTube video?
I have trouble with qnet and traefik.

Thanks
seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Re: Container Station, Docker and Virtual Switches: help

Post by seaan »

Hi Marcel,
Probably this one, but it's focusing on PiHole only:
https://www.youtube.com/watch?v=ZvaQu5_QrJ4

What troubles are you having?
S.
marcel_255
New here
Posts: 4
Joined: Mon Feb 27, 2017 6:09 am

Re: Container Station, Docker and Virtual Switches: help

Post by marcel_255 »

When I run Traefik with the qnet network, it does not work.

Code:

Unable to obtain ACME certificate for domains \"***.**\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:47916->127.0.0.11:53: i/o timeout" routerName=traefik@docker rule="Host(`***.**`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=default.acme

When I start it with "host" or "nat" network mode it works. I don't know why...

Thanks
seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Re: Container Station, Docker and Virtual Switches: help

Post by seaan »

Traefik is expecting to find SSL certificates but they are not there; you should comment out the corresponding section in traefik.toml.

Do you plan to use Traefik in your LAN only?
marcel_255
New here
Posts: 4
Joined: Mon Feb 27, 2017 6:09 am

Re: Container Station, Docker and Virtual Switches: help

Post by marcel_255 »

Hello,
@seaan I do not quite understand. It can't find an SSL certificate, since it has to create one first. The acme.json is empty.
No, I would use it for LAN and WAN. I have a TLD.

When I run Traefik with the qnet driver (macvlan) for the network, I get this error (see log). When I remove the "--net" setting from the docker run command, it works...
I don't know why there is a timeout.
Do you run your Traefik with qnet only?

Thanks :)


Here are my settings. (The ***** is for privacy :DD)

Docker run command

Code:

docker run -d \
--name=traefik \
-h traefik \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /share/Container/traefik/config:/etc/traefik \
-l "traefik.enable=true" \
-l "traefik.http.routers.traefik.rule=Host(\`traefik.*****.**\`) && (PathPrefix(\`/api\`) || PathPrefix(\`/dashboard\`))" \
-l "traefik.http.routers.traefik.entrypoints=websecure" \
-l "traefik.http.routers.traefik.tls.certresolver=default" \
-l "traefik.http.routers.traefik.service=api@internal" \
-l "traefik.http.routers.traefik.middlewares=auth@docker" \
-l "traefik.http.middlewares.auth.basicauth.users=*****:*****" \
-l "traefik.http.services.traefik.loadbalancer.server.port=8080" \
--net=qnet-static-eth2-51934f \
--ip=192.168.0.70 \
--mac-address=**:**:**:**:**:** \
--restart=always \
traefik
dynamic.yml

Code:

---
tls:
  # options must be nested under tls, otherwise Traefik sees an unknown
  # top-level "options" node and the TLS options are never applied
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      curvePreferences:
        - CurveP521
        - CurveP384
    mintls13:
      minVersion: VersionTLS13

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #  HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customRequestHeaders:
          X-Frame-Options: "SAMEORIGIN"
        customFrameOptionsValue: "SAMEORIGIN"

  routers:
    web-router:
      entryPoints:
        - websecure
      rule: "Host(`*****.**`)"
      service: "web-service"
      tls:
        certresolver: default
  services:
    web-service:
      loadBalancer:
        servers:
          - url: "http://192.168.0.50:81"
traefik.toml

Code:

[log]
  level = "DEBUG"

[providers]
  [providers.docker]
    exposedByDefault = false
    endpoint = "unix:///var/run/docker.sock"
    network = "qnet-static-eth2-51934f"
  [providers.file]
    filename = "/etc/traefik/dynamic.yml"

[api]
  dashboard = true

[entryPoints.web]
  address = ":80"

  [entryPoints.web.http]
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"
        scheme = "https"

[entryPoints.websecure]
  address = ":443"

  # In Traefik v2, respondingTimeouts is set per entry point under transport;
  # a top-level [respondingTimeouts] table is a v1 setting, not a v2 option.
  [entryPoints.websecure.transport.respondingTimeouts]
    idleTimeout = "360s"

[certificatesResolvers]
  [certificatesResolvers.default.acme]
    email = "*****.***"
    storage = "/etc/traefik/ACME/acme.json"
    caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
    [certificatesResolvers.default.acme.tlsChallenge]
Log / Error

Code:

time="2021-07-20T21:19:24+02:00" level=debug msg="Domains [\"*****.***\"] need ACME certificates generation for domains \"*****.***\"." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:24+02:00" level=debug msg="Loading ACME certificates [*****.***]..." routerName=web-router@file rule="Host(`*****.***`)" providerName=default.acme
time="2021-07-20T21:19:24+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-20T21:19:25+02:00" level=debug msg="Adding route for *****.*** with TLS options default" entryPointName=websecure
time="2021-07-20T21:19:25+02:00" level=debug msg="Adding route for traefik.*****.*** with TLS options default" entryPointName=websecure
time="2021-07-20T21:19:25+02:00" level=debug msg="Try to challenge certificate for domain [*****.***] found in HostSNI rule" rule="Host(`*****.***`)" providerName=default.acme routerName=web-router@file
time="2021-07-20T21:19:25+02:00" level=debug msg="Try to challenge certificate for domain [traefik.*****.***] found in HostSNI rule" providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.*****.***\"]..." providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Domains [\"traefik.*****.***\"] need ACME certificates generation for domains \"traefik.*****.***\"." rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=default.acme routerName=traefik@docker
time="2021-07-20T21:19:25+02:00" level=debug msg="Loading ACME certificates [traefik.*****.***]..." providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"*****.***\"]..." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:25+02:00" level=debug msg="No ACME certificate generation required for domains [\"*****.***\"]." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:26+02:00" level=debug msg="Building ACME client..." providerName=default.acme
time="2021-07-20T21:19:26+02:00" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=default.acme
time="2021-07-20T21:19:36+02:00" level=error msg="Unable to obtain ACME certificate for domains \"*****.***\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:52363->127.0.0.11:53: i/o timeout" providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Re: Container Station, Docker and Virtual Switches: help

Post by seaan »

Ok, my setup is different. I generated a wildcard SSL certificate for my domain first with Letsencrypt using the acme script, stored the files in a folder and added the path to the certificate files in Traefik's dynamic configuration.

Something like this:

Code:

[[tls.certificates]]
certFile = "/certs/****.cer"
keyFile =  "/certs/****.key"
Not sure if this helps.
marcel_255
New here
Posts: 4
Joined: Mon Feb 27, 2017 6:09 am

Re: Container Station, Docker and Virtual Switches: help

Post by marcel_255 »

Ah ok, you did that manually. No, I want to do it automatically via Traefik. :)
Otherwise I have to do it myself every 6 months :?
seaan
Starting out
Posts: 14
Joined: Thu Jun 20, 2019 4:14 am

Re: Container Station, Docker and Virtual Switches: help

Post by seaan »

It's actually every three months; you can always automate the renewal, but it's your choice.