Docker Swarm: Difference between revisions

From Wildsong
Jump to navigationJump to search
Brian Wilson (talk | contribs)
mNo edit summary
Brian Wilson (talk | contribs)
mNo edit summary
Line 6: Line 6:
Some day I will spin up some IoT and Edge nodes for buzzword compliance but for now it's just one node. [[Bellman]]
Some day I will spin up some IoT and Edge nodes for buzzword compliance but for now it's just one node. [[Bellman]]


Note, it made me pick an ethernet address.
Note, it made me pick an ethernet address, this is Bellman's primary internet interface.


  bellman> '''docker swarm init --advertise-addr 192.168.123.2'''
  bellman> '''docker swarm init --advertise-addr 192.168.123.2'''
Line 30: Line 30:
  shaboxhgakqer14j1ve7zyysj
  shaboxhgakqer14j1ve7zyysj


The "attachable" option is for containers not yet running in swarm. I will need that soon,
The "attachable" option is for containers not yet running in swarm. I will need that soon, when I run bash in Debian for tests.
when I run bash in Debian for tests.


Now ordinarily I'd use Docker Compose to start a reverse proxy (my favorite today is Varnish).
Now ordinarily I'd use Docker Compose to start a reverse proxy (my favorite today is Varnish).
Line 40: Line 39:
  docker service create --name web --replicas 4 -p 80:80 --network testing --detach nginx:latest
  docker service create --name web --replicas 4 -p 80:80 --network testing --detach nginx:latest


Now I have 4 copies of nginx running. I can see that they were published on port 80 but that's inside the funny swarm network,
Now I have 4 copies of nginx running. I can see that they were published on port 80 but that's inside the funny swarm network, how to see them? They are on localhost, I can do this "curl http://localhost". I can get the id (or just use the name "web")  
how to see them? They are on localhost, I can do this "curl http://localhost". I can get the id (or just use the name "web")  
and then kill them off,
and then kill them off,


Line 48: Line 46:
  curl http://localhost
  curl http://localhost


When I do the "curl" with the nginx replicas shut down, I see the page served by Varnish (still running in Compose), it's the Home Assistant instance.
When I do the "curl" with the nginx replicas shut down, I can see the page served by Varnish (still running in Compose), it's the Home Assistant instance.
So I guess the swarm takes precedence over whatever is running in Compose.  
So I guess '''the swarm takes precedence over whatever is running in Compose'''.  


I skipped the "--network testing" parameter and everything still worked. I think maybe that's just so I can attach more services later?? Like this.
'''This bit me when I accidentally masked Psono by putting the test for nginx on port 81. That's where I run Psono.'''
This looks the way I expected.
 
I skipped the "--network testing" parameter and everything still worked. I think maybe that's just so I can attach more services later?? Here's a test. This looks the way I expected.


  docker run -it --rm --network testing debian:bullseye bash
  docker run -it --rm --network testing debian:bullseye bash
Line 78: Line 77:
With nginx I can create my own Docker image and build the healthcheck right into the image.
With nginx I can create my own Docker image and build the healthcheck right into the image.


Yes I know "curl" is not the answer. https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/
Yes, I know "curl" is not the answer. https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/ but for now it's what I am using!  
but for now it's what I am using! In my Dockerfile,  
 
In my Dockerfile, I have this


  FROM nginx:latest
  FROM nginx:latest
Line 88: Line 88:
  $ docker service create --name web --replicas 1 -p 80:80 --network testing --detach wildsong/nginx
  $ docker service create --name web --replicas 1 -p 80:80 --network testing --detach wildsong/nginx
  $ docker ps | grep web
  $ docker ps | grep web
  01a3f36f7580  wildsong/nginx:latest                                     "/docker-entrypoint.…"  About a minute ago  Up About a minute (healthy)  80/tcp  web.1.ssssfmwmwp8je7g1dnsabevew
  01a3f36f7580  wildsong/nginx:latest     "/docker-entrypoint.…"  About a minute ago  Up About a minute (healthy)  80/tcp  web.1.ssssfmwmwp8je7g1dnsabevew
 
When I create the service, I will get a warning because I have not pushed that image (wildsong/nginx) to a registry, but it still works because I am running only one node for now. When I do "docker ps" I can see that the container is marked as "healthy".
 


When I create the service, I will get a warning because I have not pushed that image (wildsong/nginx) to a registry, but it still works
The service is bound to the IP address I created with the "docker swarm init" command. So I can hit it with the localhost address or the one I specified, with nginx, pointing a browser at http://192.168.123.2/ works.
because I am running only one node for now. When I do the "docker ps" I can see that the container is marked as "healthy".


LUNCH BREAK NOW.
I suspect this means Varnish will redirect traffic to it??? https://bellman.wildsong.biz/ should work if that's true. It does not, for some reason it's going to Home Assistant.


=== How do volumes work in a swarm? ===
=== How do volumes work in a swarm? ===

Revision as of 21:23, 21 April 2023

Docker Swarm is an orchestrator and so is Kubernetes.

Kubernetes is breathing down my neck too and today I am thinking, "What the hell, go for it! Why NOT run a single node with Kubernetes?" I spent an hour looking at it and it just adds more complexity.

Some day I will spin up some IoT and Edge nodes for buzzword compliance but for now it's just one node. Bellman

Note, it made me pick an ethernet address, this is Bellman's primary internet interface.

bellman> docker swarm init --advertise-addr 192.168.123.2
Swarm initialized: current node (isk0jocx0rb37yonoafstyvoj) is now a manager.

To add a worker to this swarm, run the following command:

   docker swarm join --token SWMTKN-1-5b81dywl9xkis6769fxnsvjahfy361w2kxkz69nc35bz3nxt6s-43jxeopl6inw8xur1vpcl23w7 192.168.123.2:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

I can add a node on another machine using that token. I won't be doing this today. It would look like this.

tern> docker swarm join --token SWMTKN-1-5b81dywl9xkis6769fxnsvjahfy361w2kxkz69nc35bz3nxt6s-43jxeopl6inw8xur1vpcl23w7 192.168.123.2:2377
This node joined a swarm as a worker.
bellman> docker node ls
ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE  VERSION
isk0jocx0rb37yonoafstyvoj *   bellman             Ready               Active              Leader              19.03.5
vjbx2h8n8280ecib2btzkwcxw     tern                Ready               Active                                  18.09.1
bellman> docker network create -d overlay --attachable testing
shaboxhgakqer14j1ve7zyysj

The "attachable" option is for containers not yet running in swarm. I will need that soon, when I run bash in Debian for tests.

Now ordinarily I'd use Docker Compose to start a reverse proxy (my favorite today is Varnish).

Before worrying about Varnish though I will spin up simple web server on just the one existing node. If I add tern it will spread them over the two nodes. I want it to use that "testing" network.

docker service create --name web --replicas 4 -p 80:80 --network testing --detach nginx:latest

Now I have 4 copies of nginx running. I can see that they were published on port 80 but that's inside the funny swarm network, how to see them? They are on localhost, I can do this "curl http://localhost". I can get the id (or just use the name "web") and then kill them off,

docker service ls
docker service rm pmbrvm6wow7q
curl http://localhost

When I do the "curl" with the nginx replicas shut down, I can see the page served by Varnish (still running in Compose), it's the Home Assistant instance. So I guess the swarm takes precedence over whatever is running in Compose.

This bit me when I accidentally masked Psono by putting the test for nginx on port 81. That's where I run Psono.

I skipped the "--network testing" parameter and everything still worked. I think maybe that's just so I can attach more services later?? Here's a test. This looks the way I expected.

docker run -it --rm --network testing debian:bullseye bash
# apt update
# apt install -y bind9-dnsutils
# nslookup web
Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
Name:   web
Address: 10.0.1.27
# apt install -y curl
# curl http://10.0.1.27
# curl http://web/

The standard nginx page is returned from curl both times, so I know it's hitting a replica and running under the name "web", which is what I assigned. Inside the container I can see my local LAN too, for example from the Debian instance I can "curl http://bellman.wildsong.biz:8123/" and get the Home Assistant page. So far, easy easy.

That healthcheck thing

It's not too soon to think about it. ;-)

With nginx I can create my own Docker image and build the healthcheck right into the image.

Yes, I know "curl" is not the answer. https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/ but for now it's what I am using!

In my Dockerfile, I have this

FROM nginx:latest
HEALTHCHECK CMD curl --fail http://localhost || exit 1
$ docker build -t wildsong/nginx .
$ docker service rm web
$ docker service create --name web --replicas 1 -p 80:80 --network testing --detach wildsong/nginx
$ docker ps | grep web
01a3f36f7580   wildsong/nginx:latest      "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp   web.1.ssssfmwmwp8je7g1dnsabevew

When I create the service, I will get a warning because I have not pushed that image (wildsong/nginx) to a registry, but it still works because I am running only one node for now. When I do "docker ps" I can see that the container is marked as "healthy".


The service is bound to the IP address I created with the "docker swarm init" command. So I can hit it with the localhost address or the one I specified, with nginx, pointing a browser at http://192.168.123.2/ works.

I suspect this means Varnish will redirect traffic to it??? https://bellman.wildsong.biz/ should work if that's true. It does not, for some reason it's going to Home Assistant.

How do volumes work in a swarm?

docker service create --name proxy \
 -p 80:80 -p 443:443 \
 -e DHPARAM_GENERATION="false" \
 -v /var/run/docker.sock:/tmp/docker.sock:ro \
 -v ./network_internal.conf:/etc/nginx/network_internal.conf \
 -v ./vhost.d:/etc/nginx/vhost.d \
 -v proxy_html:/usr/share/nginx/html \
 -v proxy_dhparam:/etc/nginx/dhparam \
 -v proxy_certs:/etc/nginx/certs:ro \
 jwilder/nginx-proxy:alpine

Bring in Compose

By that I mean I want to deploy a stack of containers using a docker-compose.yml file as the configuration. So far I have not needed it, if I start just one container per project then "docker service" commands are fine.