A simple base of docker infrastructure

Revision: August 2022

keywords: software-architecture

contacts: Markus von Steht

Description

The stack contains the following modules:

• Portainer to monitor and administer what is happening with docker
• Traefik to monitor and administer the networking namespace

Running the Docker compose pipeline

1. Copy .env.dist to .env (no adjustments required / for future use with credentials)
2. Prior to first run spawn the dedicated docker network in docker-compose.yaml section network by setting external: false. On shutting down (not destroying) the stack this should be reset to false.
3. Run make run-compose and let the container for the simple stack come online.
4. Use CTRL+C to shut down the stack.
5. Invoke make clean and make clean stack=extended, respectively to remove the stack.

Manual access to container

Using compose:
docker-compose exec <container-name> env SAMPLEPAR="testing" bash

Using docker:
docker exec -it <container-name> bash

Installing self-signed certs and enabling TLS in Traefik

1. sudo apt install libnss3-tools

2. Download executable

   curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
   chmod +x mkcert-v*-linux-amd64
   sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
   rm mkcert-v*-linux-amd64

3. Running mkcert -install, results in "Created a new local CA". The file rootCA.pem will usually be generated in the folder $HOME/.local/share/mkcert which can be confirmed using mkcert -CAROOT.

4. (Optional) Copy rootCA.pem to relevant area of operations and register with trust store or install in browser.

   • For Ubuntu Linux this corresponds to copying the file to /usr/local/share/ca-certificates,
   • running sudo update-ca-certificates,
   • and confirming that the new certificate is added using:
     awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

5. Build certificates for specific endpoints with or without wildcards:

   mkcert -cert-file local-cert.pem -key-file local-key.pem example.com "*.example.com" example.test localhost 127.0.0.1 ::1

   # output
   Created a new certificate valid for the following names
   - "example.com"
   - "*.example.com"
   - "example.test"
   - "localhost"
   - "127.0.0.1"
   - "::1"
   Reminder: X.509 wildcards only go one level deep, so this won\'t match a.b.tufhades-local.net ℹ️
   The certificate is at "./local-cert.pem" and the key at "./local-key.pem"

6. (Optional) Copy local-cert.pem and local-key.pem to reverse proxy config staging location and bind them to the container.

7. Configure Traefik dynamic-conf.yaml to match the domains used in the certificate and ensure that the certs file are properly referenced from the location to which they will be copied in the container.

8. Ensure that TLS/SSL ports are open for receiving traffic and that endpoint labels in container configurations have TLS enabled and proper routing configured, e.g.:

   # docker-compose.yaml
   labels:
     - "traefik.enable=true"
     - "traefik.http.routers.traefik.tls=true"
     - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)"
     - "traefik.http.services.traefik.loadbalancer.server.port=8080"

References:

• Mkcert
• Configuration of TLS