Docker Swarm Portainer Notes

Posted by Matt Wakeling in Sunday, 17 March 2024

# Download Portainer Agent Stack (Version 2.19.4)

curl -L https://downloads.portainer.io/ce2-19/portainer-agent-stack.yml -o portainer-agent-stack.yml

# Bugfix Docker Socket access

Update portainer-agent-stack.yml to add readonly access to docker socket by adding volume to portainer section this will automatically configure the 'local' environment.
vi portainer-agent-stack.yml

    volumes:
      - portainer_data:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro

# Configure Docker Swarm environment, by agent

Update portainer-agent-stack.yml to add readonly access to docker socket by adding volume to portainer section

Give your environment configuration a unique name. ie docker_lab01
For the environment address (i ran this from the same node running portainer-portainer:

docker network inspect portainer_agent_network

Under "containers" section, get the IPv4Address, i.e. 10.10.5.5/24

The default environment address will be 10.10.5.5:9001

Click connect

# Example Screenshot


# [WARN] memberlist: Was able to connect to XXX but other probes failed, network may be misconfigured

Portainer agent logs contain "network may be misconfigured" and "agent container running in more than a single Docker network. This might cause communication issues | network_count=2 ". This looks like it can be ignored and is due the networks being in "ingress" and "portainer_agent_network".

0 comments
under:

Docker certificate signed by unknown authority

Posted by Matt Wakeling in Saturday, 16 March 2024


While attempting to build a clone of a Harbor Registry Installation for testing an upgrade/migration, my new Debian 12 Docker installation was reporting Error response from daemon: Get "https://registry.local/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority which was stopping me from logging in and performing any push/pull of images.

The following steps worked for me, the issue will be the CA crt, but have included the other harbor lines...

CA & Harbor Certificates

  • mkdir /opt/harbor/certs
  • cd /opt/harbor/certs
  • openssl genrsa -out ca.key 4096
  • openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local"  -key ca.key  -out ca.crt
  • openssl genrsa -out registry.local.key 4096
  • openssl req -sha512 -new -subj  "/C=CN/ST=London/L=London/O=myCompany/OU=Registry/CN=registry.local" -key registry.local.key -out registry.local.csr
  • cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=registry.local
EOF
  • openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.local.csr -out registry.local.crt
  • openssl x509 -inform PEM -in registry.local.crt -out registry.local.cert
  • cd /etc/docker/certs.d/registry.local\:443/
  • Remove any existing certificate / keys from the folder.
  • cd /opt/harbor/certs
  • cp registry.local.cert /etc/docker/certs.d/registry.local\:443/
  • cp registry.local.key /etc/docker/certs.d/registry.local\:443/
  • cp ca.crt /etc/docker/certs.d/registry.local\:443/

Update CA Certificates

  • Save the cert to the file , like the command above (the port is crucial, no need for the protocol)Copy from above which will be in /etc/docker/certs.d/<registry>:<port>/ca.crt
  • copy it to /usr/local/share/ca-certificates/: sudo cp ca.crt /usr/local/share/ca-certificates/
  • run update-ca-certificates: sudo update-ca-certificates

Apply new certs:

  • cd /opt/registry/harbor/
  • ./prepare --with-trivy --with-clair

Update Docker Daemon to add an insecure registry (i.e. self signed).

  •  vi /etc/docker/daemon.json
{
  "insecure-registries" : ["registry.local:443"]
}

Restart Docker

  • systemctl restart docker
Check CERT Valid dates update in browser and check PEM matches...
  • openssl s_client -showcerts -connect registry.local:443 < /dev/null   | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
  • cat /opt/registry/certs/registry.local.cert
  • Certificates should match.

Docker Login

  • docker login registry.local

0 comments
under:

Debian GNU/Linux 12 (bookworm)

Posted by Matt Wakeling in Thursday, 14 March 2024

Trying to build a Node/Lab for Docker Orchestration learning, I've built a ZP-0088 Rack Tower containing 4 x PI4's and applied the latest Raspbian (DEBIAN 12) O/S Lite and firmware rpi-6.6.y at the time of writing.

Getting Staic IP for both WLAN0 and ETH0 was a little tasking, due to the changes in network services, this is configured to use NetworkManager.

The example is using 192.168.1.1 as my router address, but change if yours differs.

Network Configuration

Reset back to blank state:

  • Connect directly to the Raspberry PI
  • Remove existing network configuration from /etc/wpa_supplicant/wpa_supplicant.conf
  • Remove existing network configuration from /etc/network/interfaces
  • Remove existing network connection files from /etc/NetworkManager/system-connections/
  • Update manged=true in /etc/NetworkManager/NetworkManager.conf.
  • Reboot 

Apply Network Configurations:

EASY WIFI Method:

  • Run raspi-confi, system options, Wireless LAN and configure SSID and Password and no configuration error reported (as any conflicting configurations were removed above).
  • Reboot
  • Automatic IP Address (DHCP) over wifi should now be configured 

Manually Configure WIFI

  • Show connection status, run: nmcli dev status
  • If your unsure your wifi is enabled, your can run : nmcli radio wifi
  • If disabled run: nmcli radio wifi on
  • Scan available wifi networks, run: nmcli dev wifi list
  • Connect to the wifi: nmcli dev wifi connect <network-ssid> password <network-password>
  • Connection will be made and IP automatically assigned by DHCP.
  • Test connection using ping: ping google.co.uk
  • Check connection using: ip r
  • New configuration file added to /etc/NetworkManager/system-connections/ 

Update WIFI for Static IP

  • Edit your WIFI configuration file: vi /etc/NetworkManager/system-connections/<SSID>.nmconnection
  • Update the [ipv4] section from DHCP
[ipv4]
method=auto
  • to a STATIC IP Address.
[ipv4]
address1=192.168.1.2/24,192.168.1.1
dns=192.168.1.1
method=manual

  • Reboot or Restart Network Manager: systemctl restart NetworkManager
  • View Service Log if any issues:  journalctl -u NetworkManager.service. 

Add Wired STATIC IP Wired Connection

  • Show connection status to find Wired Connection name: nmcli conn show
  • Modify connection for a static IP address, change connection name if differs: nmcli con mod "Wired connection 1" ipv4.addresses "192.168.1.3/24" ipv4.gateway "192.168.1.1" ipv4.dns "192.168.1.1" ipv4.method "manual"
  • List /etc/NetworkManager/system-connections/ files shows new configuration file.
  • Reboot or Restart Network Manager: systemctl restart NetworkManager
  • List configured IP Addresses using: 
    • ip r
    • ifconfig





0 comments
under:
Newer Entries »
« Older Entries