Categories
Snippets Uncategorized

nextcloud and Docker and reverse proxies

I have a nextcloud setup like described here (docker-compose, let’s encrypt proxy companion, postgres and nextcloud). And for a while I couldn’t connect any new nextcloud clients to the installation.

This fixed it:

<?php
$CONFIG = array (
  # manually added because it's not picked up from
  # the env vars once set ... it seems ...

  # the docker IP range
  'trusted_proxies' => ["172.16.0.0/12"],

  # the hostname of the server
  'overwritehost'   => "my.super.secret.server",

  # the ENDUSER->PROXY protocol, NOT the proxy-> nextcloud protocol!
  'overwriteprotocol' => "https",

  #
  # AAAND NOW back to the original config file ...
  # ...
)

Some notes:

Categories
CICD Development Docker Infrastructure Linux

Databases with dokku

This is part 2 of a couple of blog posts about dokku, a amazing little Heroku clone.

In the previous post I showed how to set up Dokku on a DigitalOcean droplet, and deployed a little hello-world container with a single git push. The reason why I wanted dokku thoug was the need of a database. As said – hosting comes cheap, databases usually come either expensive or with limited flexibility, or just too annoying configuration effort.

Dokku is the perferct middle ground. Let’s see why.

For me it was the existing postgres plugin which you can simply install and use. The whole process is incredibly easy, takes wbout two commands, and looks like this (let’s assume our “hello world” container uses a database):

$ sudo dokku plugin:install https://github.com/dokku/dokku-postgres.git postgres

That’s it, again.

$ dokku postgres:create hello-world

dokku postgres:create hello-world
Waiting for container to be ready
Creating container database Securing connection to database
=====> Postgres container created: hello-world
=====> Container Information
       Config dir: /var/lib/dokku/services/postgres/hello-world/config
       Data dir: /var/lib/dokku/services/postgres/hello-world/data
       Dsn: postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world
       Exposed ports: -
       Id: 785ef252c748ed85739d1d6ad375a1e1bd66e925ac79358e9ffaa30ab852d6c0 
       Internal ip: 172.17.0.9
       Links: -
       Service root: /var/lib/dokku/services/postgres/hello-world
       Status: running
       Version: postgres:10.2

$ docker ps

CONTAINER ID   IMAGE                      COMMAND                  CREATED         STATUS         PORTS      NAMES
cc99cccacf2c   dokku/hello-world:latest   "/bin/sh -c 'php-fpm…"   2 minutes ago   Up 2 minutes   80/tcp     hello-world.web.1
785ef252c748   postgres:10.2              "docker-entrypoint.s…"   5 minutes ago   Up 5 minutes   5432/tcp   dokku.postgres.hello-world
[...]

This creates a database container with postgres 10.2, as you can see. You can influence a lot of behavior by using environment variables, see the GitHub page for more info.

Then you link the container to the running app:

$ dokku postgres:link hello-world hello-world
-----> Setting config vars
       DATABASE_URL: postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world
-----> Restarting app hello-world
-----> Releasing hello-world (dokku/hello-world:latest)...
-----> Deploying hello-world (dokku/hello-world:latest)...
-----> Attempting to run scripts.dokku.predeploy from app.json (if defined)
-----> No Procfile found in app image
-----> DOKKU_SCALE file found (/home/dokku/hello-world/DOKKU_SCALE)
=====> web=1
-----> Attempting pre-flight checks 
       For more efficient zero downtime deployments, create a file CHECKS. 
       See http://dokku.viewdocs.io/dokku/deployment/zero-downtime-deploys/ for examples 
       CHECKS file not found in container: Running simple container check...
-----> Waiting for 10 seconds ...
-----> Default container check successful!
-----> Running post-deploy
-----> Configuring hello-world.my-paas.for-myself.com...(using built-in template)
-----> Creating http nginx.conf
-----> Running nginx-pre-reload Reloading nginx
-----> Setting config vars DOKKU_APP_RESTORE: 1
-----> Found previous container(s) (14c349cb496d) named hello-world.web.1
=====> Renaming container (14c349cb496d) hello-world.web.1 to hello-world.web.1.1535285386
=====> Renaming container (cc99cccacf2c) serene_bassi to hello-world.web.1
-----> Attempting to run scripts.dokku.postdeploy from app.json (if defined)
-----> Shutting down old containers in 60 seconds
=====> 14c349cb496d95cc4be1833f2e7f6ef2bef099a37c2a22cd4dcdb542f09bea0f
=====> Application deployed:
       http://hello-world.my-paas.for-myself.com

And done.

What happened? You have now the environment variable $DATABASE_URL set in the hello-world app, that’s why the restart was necessary (which you can postpone, if you want, but you probably need it now, right?).

Let’s check:

$ docker exec -ti hello-world.web.1 /bin/sh 

[now in the container]

# env | grep DATABASE 
DATABASE_URL=postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world 

That’s it. Super easy. Now if you’re using Django, you could use kennethreitz/dj-database-url to automatically parse and use it, and you’re done. (Probably every framework has something similar, so just have a look).

Categories
CICD Development Docker Infrastructure

Build your own PaaS with Dokku

I was looking for some “play” deployment method for a couple of things I want to try out. Most of them require a database. And it should be cheap, cause I don’t have any load on them and don’t earn any money, so I don’t want to spend basically no money if possible. The usual suspects are too expensive – AWS, Heroku, etc.

So I looked around and found Dokku.

Dokku is a set of – hang on – shell scripts – which basically emulate Heroku on a machine of your own. It’s integrated with Digital Ocean droplets out of the box, if you want it. And the whole thing is 5 € / month, which is perfect. It also integrates with a Dockerfile based deployment, so you do git push and everything just works.

It’s amazing.

This is how you get started. But before you can get started, you need a domain you control, either on AWS or any other hoster. This is for routing traffic to your deployments later. You also need a public SSH key, or better a public / private key pair. Once you have both you can …

  1. create a Digital Ocean account, and …
  2. add your SSH public key to your account, and …
  3. in that account, create a new droplet with a “Dokku” image preinstalled.
  4. Wait until the droplet finished provisioning.

While the droplet is being created, you can also create a project locally to test it later:

$ mkdir dokku-test
$ cd dokku-test
$ git init
$ echo "FROM tutum/hello-world" > Dockerfile
$ git add Dockerfile
$ git commit -m "Initial commit"

In this little test project we only create a Dockerfile from an hello-world image which displays “Hello world” in a browser so we can verify it worked.

Once the droplet is done, you can start setting up your personal little PaaS. First, you have to configure your DNS. We will set up a wildcard entry for our deployments, and a non-wildcard entry for git. Let’s assume your domain is for-myself.com, then you would add …

  • my-paas.for-myself.com , type “A” (or “AAAA” if you are IPv6) to your droplet IP
  • *.my-paas.for-myself.com just the same

Then you SSH into your droplet, and create your dokku project. (This is something you have to do for every project). All you have to do for this is:

$ ssh root@DROPLET_IP
~# dokku apps:create hello-world
-----> Creating hello-world... done
~# _

Done.

Now you configure a git remote URL for your project, and push it:

$ git remote add dokku dokku@my-paas.for-myself.com:hello-world

Again – done. If you push your project now (assuming DNS is already set), everything should happen automagically:

$ git push --set-upstream dokku master
X11 forwarding request failed
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Writing objects: 100% (3/3), 241 bytes | 241.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
-----> Cleaning up...
-----> Building hello-world from dockerfile...
remote: build context to Docker daemon  2.048kB
Step 1/1 : FROM tutum/hello-world
latest: Pulling from tutum/hello-world
658bc4dc7069: Pulling fs layer
[... TRUNCATED ...]
983d35417974: Pull complete
Digest: sha256:0d57def8055178aafb4c7669cbc25ec17f0acdab97cc587f30150802da8f8d85
Status: Downloaded newer image for tutum/hello-world:latest
 ---> 31e17b0746e4
Successfully built 31e17b0746e4
Successfully tagged dokku/hello-world:latest
-----> Setting config vars
       DOKKU_DOCKERFILE_PORTS:  80/tcp
-----> Releasing hello-world (dokku/hello-world:latest)...
-----> Deploying hello-world (dokku/hello-world:latest)...
-----> Attempting to run scripts.dokku.predeploy from app.json (if defined)
-----> No Procfile found in app image
-----> DOKKU_SCALE file not found in app image. Generating one based on Procfile...
-----> New DOKKU_SCALE file generated
=====> web=1
-----> Attempting pre-flight checks
       For more efficient zero downtime deployments, create a file CHECKS.
       See http://dokku.viewdocs.io/dokku/deployment/zero-downtime-deploys/ for examples
       CHECKS file not found in container: Running simple container check...
-----> Waiting for 10 seconds ...
-----> Default container check successful!
-----> Running post-deploy
-----> Creating new /home/dokku/hello-world/VHOST...
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP:  http:80:80
-----> Configuring hello-world.my-paas.for-myself.com...(using built-in template)
-----> Creating http nginx.conf
-----> Running nginx-pre-reload
       Reloading nginx
-----> Setting config vars
       DOKKU_APP_RESTORE:  1
=====> Renaming container (14c349cb496d) amazing_snyder to hello-world.web.1
-----> Attempting to run scripts.dokku.postdeploy from app.json (if defined)
=====> Application deployed:
       http://hello-world.my-paas.for-myself.com

To my-paas.for-myself.com:hello-world
 * [new branch]      master -> master
Branch 'master' set up to track remote branch 'master' from 'dokku'.

And if you open your URL now (which is hello-world.my-paas.for-myself.com) you should see this image:

Now, for 5 € / month you get:

  • A heroku-like, no-nonsense, fully automated, git-based deployment platform
  • A server which you control (and have to maintain, okay, but on which you can deploy …)
  • A database (or many of them – dokku provides great integration for databases btw; more on that in another post)
  • Publicly reachable deployments (for customers, testing, whatever)
  • Let’s Encrypt certificates (dokku provides support for these as well, again more in a later post)
  • And for 1 € more (it’s always 20% of the base price) you get backups of your system)

That’s absolutely incredible. Oh, and did I mention that the maintainers are not only friendly, but also super responsive and incredibly helpful on Slack?

Categories
Docker Infrastructure Snippets

Logs with docker and logstash

It would be nice to have all container logs from a docker cluster sent to … let’s say, an ELK stack. Right?

Right.

So we did:

  • on each host in the cluster, we use the GELF log driver to send all logs to a logstash instance
  • the logstash instance clones each request using type “ELK”
  • to the “ELK” clone, it adds the token for the external ELK service
  • the “ELK” clone goes out to the external ELK cluster
  • the original event goes to S3.

Here’s how.

Categories
Infrastructure

Testing logstash configs with Docker

Now this is really not rocket science, but since I might do this more often, I don’t want to google every time.

Prepare your directories

./tmp                   # THIS IS YOUR WORKING DIRECTORY
  |- patterns/          # optional
  |   |- patternfile1   # optional
  |   |- patternfile2   # optional
  |- logs.log
  |- logstash.conf

Prepare your logstash config

# logstash.conf
input {
  file {
    path => '/stash/logs.log'
  }
}

filter {
  # whatever config you want to test
  grok {
    match        => [ "message", "%{WHATEVER}" ]
    patterns_dir => '/stash/patterns'              # optional :)
  }
}

output {
  stdout { codec => rubydebug }
}

Run logstash

docker run --rm -ti -v $(pwd):/stash logstash logstash -f /stash/logstash.conf

Done.

Done. 🙂

Categories
Longer things

My take at a CI infrastructure, Pt.3

All right, back again. Much text here. Let’s talk about …

Containerizing The Binaries

We are done with the build, now we have a binary. I went for something simple: Who knows best how to put this into a container? The dev guy. Cause he knows what he needs, where he needs it, and where it can be found after the build.

But containerizing it should be not hard, given a moderately complex software with a couple of well thought-of build scripts. So I went for this:

/my_code/
   |--- docker/
   |      |--- prepare.sh     # optional
   |      |--- Dockerfile     # required ;)
   |--- main.c
   |--- SELECT_BUILD_CONTAINER
   |--- build/                # created by the build
          |--- ...

Now it get’s straightforward: The build scripts in TeamCity …

  • look for the docker directory, change into it,
  • execute the “prepare.sh” script if found,
  • build a container from the Dockerfile,
  • tag the container and
  • push it into the registry (which is configured centrally in TeamCity)

Tagging the containers

A docker cotainer is referenced like this:

some/thing:and_a_tag

How do we choose how to name the container we just built? Two versions.

For projects which contain nothing but a Dockerfile (which we have, cause our build containers are also versioned, of course), I enforce this combination:

Repository name: docker-one-two
... will yield:  one/two:1234abc9-321 (as container repo/name:tag)

The build script enforces the scheme “docker-one-two”, and takes “one” and “two” automatically as names for the container. Then “1234abc9” is the git commit id (short), and “321” is the build number.

Why not only the git commit ID? Because between builds, the same result is not guaranteed if executing the build again. If you build a container, and the execution contains an “apt-get update”, two builds a week apart will not result in the same contents.

For “simple” or “pure” code builds I use the following scheme:

Repository name: some-thing
... will yield:  some/thing:1234abc9

Same reasoning.

In both cases a container “some/thing:latest” is also tagged and pushed.

Now when we run a software container, we can see

  • with which container it was built (by looking at “SET_BUILD_CONTAINER”),
  • which base container was used to build the software container (by looking at “docker/Dockerfile”)
  • and we can do this cause we know the git commit ID.

For each base container (or “pure” Dockerfile projects), we extend this with a build number.

Done.

So this is my state so far. If anyone reads this, I would be interested in comments or feedback.

 

Categories
Longer things

My take at a CI infrastructure, Pt.2

For CI I want the classics – a check in (push) to the repo should be catched by TeamCity, and trigger …

  • a build of the artifact, once
  • running of unit tests
  • containerizing the artifact
  • uploading it to a private Docker registry

The question was: How?

This post deals with building the code.

Building Code

When I build code I am faced with a simple question: Which library versions do I use?

When I have multiple projects, the question becomes complex. Which version do I install on which build agent? How do I assign build tasks to agents? What if some software cannot be installed? How can I do a rollback? Or try with another lib version quickly?

The solution: Build containers. I am sure I have read about it somewhere, this is in no part an invention of my own, but I just can’t find an article explaining it.

It basically goes like this. We have a docker container, which contains all necessary build libs in their development form and the build tools to build something. We pull the container, mount our checked out code dir in the container, and run the build in the controlled environment of it. We want a different set of libs? We re-build the container with them, and use the other container to build the project. Doesn’t work? Go back to the previous one.

The prerequisite of this is a build process that does not change, or at least does not change for a set of projects. We use CMake, so it’s the same build commands over and over: “cmake .”, “make”, “make test”. That’s it. My first working build container looks like this:

FROM 10.10.10.11:5000/runner/boost:9a443273-2
MAINTAINER Fly Penguin <fly@flypenguin.de>
RUN \
     dnf -y update && dnf -y upgrade \
  && dnf -y install cmake make gcc-c++ boost-test boost-devel \
  && dnf clean all \
  && mkdir /build
WORKDIR /build

Building the code now is super easy:

git clone ssh://... my_code
cd my_code
docker run --rm -v $(pwd):/build builder/boost:1234 cmake .
docker run --rm -v $(pwd):/build builder/boost:1234 make
docker run --rm -v $(pwd):/build builder/boost:1234 make test

Done.

… or? One question remains: How do I select the build container?

There are two possibilities: In the build system configuration (read: TeamCity), or in the code. I went for the code. The reason is pretty simple: I check out a specific revision of the code, I know which container it was built with. From there I can work my way up:

./mycode
   |--- main.c
   |--- SET_BUILD_CONTAINER

Guess what’s in “SET_BUILD_CONTAINER”? Correct. Something like this:

my_registry_url:5000/builder/boost:abcdef98-210

The build configuration in TeamCity reads the file, and acts accordingly. Later I will talk more on those tags, and in the next post I talk about containerizing the binaries.

Categories
Docker

Docker and proxies

… so I don’t forget.

“docker pull” will not use the HTTP_PROXY variable. Why? Because “docker” is just the cli program which tells the daemon what to do. And the daemon probably does not know about the variable if just set in the terminal.

So, what to do to make docker use it described pretty well here: https://docs.docker.com/articles/systemd/#http-proxy

Next thing: Don’t forget to go “systemctl daemon-reload”, because otherwise this will not be effective, even with “systemctl restart docker”.

Done.

Categories
Uncategorized

Fedora, docker and self-signed SSL certs

I am behind a company firewall with a man-in-the-middle SSL certificate for secure connections. Can’t have viruses over SSL, can we?

But apps which actually verify SSL connections (which is all of the apps using standard SSL/TLS/whatnot libs) do not like this. And rightfully so. But then we’re left with the following problem:

$ docker search test
FATA[0000] Error response from daemon: GEt https://index.docker.io/v1/search?q=test: x509: certificate signed by unknown authority
$

Now, to solve this on Fedora we do the following (all as root):

  • get a file with the signing certificate as PEM or DER format
  • place this file under /etc/pki/ca-trust/source/anchors
  • run “update-ca-trust extract”
  • restart docker (“systemctl restart docker.service”)

A “man update-ca-trust” is also helpful to understand what’s happening.

Sources:

  • http://is.gd/rzKxsO
  • http://is.gd/t9to1R