Container Station, Docker and Virtual Switches: help
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Container Station, Docker and Virtual Switches: help
Hello,
I managed to deploy a number of services in containers on my QNAP and implemented split DNS using PiHole which is forwarding local DNS requests to a Traefik reverse proxy because my router does not support NAT loopback and will not resolve my own domain correctly for hosts inside the LAN.
Long story short: both PiHole and Traefik are running in containers and are assigned IPs from my LAN; this is done on purpose because both need to be referenced from the other hosts in my LAN.
The former was created using Container Station as per instructions I found in a tutorial provided by a QNAP engineer on YT, it's using bridge-networking and a static IP address from my CIDR.
The latter (Traefik) was instead created using a docker run script which assigns the container to the same network as PiHole and also a static IP address using --network and --ip options.
For disaster recovery purposes I would like to use docker-run or compose scripts for both containers and I have a question:
how can I replicate via script the current situation where PiHole and Traefik are assigned an IP from my LAN?
I'm struggling to find the correct set of instructions and by fiddling with Virtual Switches I almost messed up my NAS connectivity.
If you feel this is largely off-topic, feel free to send me RTFM, although some hints to tutorial references would be appreciated as I found the official Docker Network documents a bit "rusty".
Thanks
Sergio
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Re: Container Station, Docker and Virtual Switches: help
Answering myself.
Qnet is what can be used to achieve what I need.
Description and examples here: https://qnap-dev.github.io/container-st ... /qnet.html
-
- New here
- Posts: 4
- Joined: Mon Feb 27, 2017 6:09 am
Re: Container Station, Docker and Virtual Switches: help
Hello,
can you please post the link to the YouTube video?
I have trouble with qnet and traefik.
Thanks
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Re: Container Station, Docker and Virtual Switches: help
Hi Marcel,
Probably this one but it's focusing on PiHole only:
https://www.youtube.com/watch?v=ZvaQu5_QrJ4
What troubles are you having?
S.
-
- New here
- Posts: 4
- Joined: Mon Feb 27, 2017 6:09 am
Re: Container Station, Docker and Virtual Switches: help
When I run Traefik with the qnet network, it does not work.
When I start it with the "host" or "nat" network mode, it works. I don't know why...
Thanks
Code:
Unable to obtain ACME certificate for domains \"***.**\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:47916->127.0.0.11:53: i/o timeout" routerName=traefik@docker rule="Host(`***.**`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=default.acme
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Re: Container Station, Docker and Virtual Switches: help
Traefik is expecting to find SSL certificates but they are not there, you should comment out the corresponding section in traefik.toml.
Do you plan to use Traefik in your LAN only?
-
- New here
- Posts: 4
- Joined: Mon Feb 27, 2017 6:09 am
Re: Container Station, Docker and Virtual Switches: help
Hello,
@seaan I do not quite understand. It can't find an SSL certificate, since it has to create one first. The acme.json is empty.
No, I would use it for LAN and WAN. I have a TLD.
When I run Traefik with the qnet driver (macvlan) for the network, then I get this error, see the log. When I remove the "--net" setting in the docker run command, then it works...
I don't know why there is a timeout?
Do you run your Traefik with qnet only?
Thanks
Here are my settings. (The ***** is for privacy.)
Docker run Command
Code:
docker run -d \
--name=traefik \
-h traefik \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /share/Container/traefik/config:/etc/traefik \
-l "traefik.enable=true" \
-l "traefik.http.routers.traefik.rule=Host(\`traefik.*****.**\`) && (PathPrefix(\`/api\`) || PathPrefix(\`/dashboard\`))" \
-l "traefik.http.routers.traefik.entrypoints=websecure" \
-l "traefik.http.routers.traefik.tls.certresolver=default" \
-l "traefik.http.routers.traefik.service=api@internal" \
-l "traefik.http.routers.traefik.middlewares=auth@docker" \
-l "traefik.http.middlewares.auth.basicauth.users=*****:*****" \
-l "traefik.http.services.traefik.loadbalancer.server.port=8080" \
--net=qnet-static-eth2-51934f \
--ip=192.168.0.70 \
--mac-address=**:**:**:**:**:** \
--restart=always \
traefik
dynamic.yml
Code:
---
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      curvePreferences:
        - CurveP521
        - CurveP384
    mintls13:
      minVersion: VersionTLS13
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        # HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customRequestHeaders:
          X-Frame-Options: "SAMEORIGIN"
        customFrameOptionsValue: "SAMEORIGIN"
  routers:
    web-router:
      entryPoints:
        - websecure
      rule: "Host(`*****.**`)"
      service: "web-service"
      tls:
        certresolver: default
  services:
    web-service:
      loadBalancer:
        servers:
          - url: "http://192.168.0.50:81"
traefik.toml
Code:
[log]
level = "DEBUG"
[providers]
[providers.docker]
exposedByDefault = false
endpoint = "unix:///var/run/docker.sock"
network = "qnet-static-eth2-51934f"
[providers.file]
filename = "/etc/traefik/dynamic.yml"
[api]
dashboard = true
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers]
[certificatesResolvers.default.acme]
email = "*****.***]"
storage = "/etc/traefik/ACME/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[certificatesResolvers.default.acme.tlsChallenge]
[respondingTimeouts]
idleTimeout = "360s"
Log / Error
Code:
time="2021-07-20T21:19:24+02:00" level=debug msg="Domains [\"*****.***\"] need ACME certificates generation for domains \"*****.***\"." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:24+02:00" level=debug msg="Loading ACME certificates [*****.***]..." routerName=web-router@file rule="Host(`*****.***`)" providerName=default.acme
time="2021-07-20T21:19:24+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-20T21:19:25+02:00" level=debug msg="Adding route for *****.*** with TLS options default" entryPointName=websecure
time="2021-07-20T21:19:25+02:00" level=debug msg="Adding route for traefik.*****.*** with TLS options default" entryPointName=websecure
time="2021-07-20T21:19:25+02:00" level=debug msg="Try to challenge certificate for domain [*****.***] found in HostSNI rule" rule="Host(`*****.***`)" providerName=default.acme routerName=web-router@file
time="2021-07-20T21:19:25+02:00" level=debug msg="Try to challenge certificate for domain [traefik.*****.***] found in HostSNI rule" providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.*****.***\"]..." providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Domains [\"traefik.*****.***\"] need ACME certificates generation for domains \"traefik.*****.***\"." rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=default.acme routerName=traefik@docker
time="2021-07-20T21:19:25+02:00" level=debug msg="Loading ACME certificates [traefik.*****.***]..." providerName=default.acme routerName=traefik@docker rule="Host(`traefik.*****.***`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-07-20T21:19:25+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"*****.***\"]..." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:25+02:00" level=debug msg="No ACME certificate generation required for domains [\"*****.***\"]." providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
time="2021-07-20T21:19:26+02:00" level=debug msg="Building ACME client..." providerName=default.acme
time="2021-07-20T21:19:26+02:00" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=default.acme
time="2021-07-20T21:19:36+02:00" level=error msg="Unable to obtain ACME certificate for domains \"*****.***\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:52363->127.0.0.11:53: i/o timeout" providerName=default.acme routerName=web-router@file rule="Host(`*****.***`)"
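The docker run command from this post written as a compose file, added here as an example (it is not from the thread), to show the script-based recreation the first post asked about. It assumes the qnet network qnet-static-eth2-51934f already exists (created by Container Station) and uses placeholders for the domain, MAC address and basic-auth credentials.

```yaml
# Added example, not from the thread: compose equivalent of the docker run
# command above. Assumes the qnet (macvlan) network already exists on the NAS;
# domain, MAC address and credentials are placeholders to fill in.
services:
  traefik:
    image: traefik
    container_name: traefik
    hostname: traefik
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      # keep the Docker socket read-only: Traefik only needs to read labels
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /share/Container/traefik/config:/etc/traefik
    labels:
      traefik.enable: "true"
      # placeholder domain; replace with your own host name
      traefik.http.routers.traefik.rule: "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls.certresolver: default
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.middlewares: auth@docker
      # htpasswd-style "user:hash" line (e.g. from `htpasswd -nB user`);
      # escape every `$` in the hash as `$$` so compose does not interpolate it
      traefik.http.middlewares.auth.basicauth.users: "REPLACE_WITH_HTPASSWD_LINE"
      traefik.http.services.traefik.loadbalancer.server.port: "8080"
    # same static LAN address as --ip / --mac-address in the docker run command
    mac_address: "REPLACE_WITH_MAC"
    networks:
      lan:
        ipv4_address: 192.168.0.70

networks:
  lan:
    # the qnet network is created by Container Station, so it is declared
    # external rather than managed by compose
    external: true
    name: qnet-static-eth2-51934f
```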
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Re: Container Station, Docker and Virtual Switches: help
Ok, my setup is different. I generated a wildcard SSL certificate for my domain first with Let's Encrypt using the acme script, stored the files in a folder and added the path to the certificate files in Traefik's dynamic configuration.
Something like this:
Code:
[[tls.certificates]]
certFile = "/certs/****.cer"
keyFile = "/certs/****.key"
Not sure if this helps.
-
- New here
- Posts: 4
- Joined: Mon Feb 27, 2017 6:09 am
Re: Container Station, Docker and Virtual Switches: help
Ah ok you did that manually. No, I want to do it automatically via traefik.
Otherwise I have to do it myself every 6 months.
-
- Starting out
- Posts: 14
- Joined: Thu Jun 20, 2019 4:14 am
Re: Container Station, Docker and Virtual Switches: help
It's actually every three months; you can always automate the renewal, but it's your choice.