Linux

Docker - Swarm

Setup

Let’s assume we have 3 Nodes in a Docker Swarm Setup.

  • Tick
  • Trick
  • Track

Track is the Leader/Manager. All Machines runs Debian 12.0 (RC, as it is not yet released)

Show Nodes

docker node ls
root@track:~# docker node ls
ID                            HOSTNAME    STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
b2zvkc374v08q2rpocljhkg5n     tick        Ready     Active                          23.0.2
khom3cx05bxqxktjq1k5j16gk *   track       Ready     Active         Leader           23.0.2
lq53s6mhuzvqrehks0j68sr3e     trick       Ready     Active                          23.0.2

Create Simple Service

Run a simple Docker service that uses an alpine-based filesystem, and isolates a ping to 8.8.8.8

Docker - Keycloak

KeyCloak

Keycloak is an open source identity and access management solution.

Requirements:

  • Linux Host with Docker & Docker Compose

  • Public IP Adress & FQDN Entry

  • Port 80/443 open from any

docker-compose.yml

version: "3.7"

services:    
  sso:
    image: quay.io/keycloak/keycloak:21.0
    container_name: "keycloak"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./keycloak.conf:/opt/keycloak/conf/keycloak.conf
    command:
      - start-dev
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=XxXxXxXxXxXxXx
      - PROXY_ADDRESS_FORWARDING=true
      - VIRTUAL_HOST=keycloak.your.domain.de
      - VIRTUAL_PORT=8080
      - LETSENCRYPT_HOST=keycloak.your.domain.de
    networks:
      - internal

  database:
    image: postgres:13
    container_name: "postgres"
    environment:
      - POSTGRES_USER=keycloak
      - POSTGRES_DATABASE=keycloak
      - POSTGRES_PASSWORD=XxXxXxXxXxXxXx
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - internal

  proxy:
    image: nginxproxy/nginx-proxy
    container_name: "nginx"
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - internal

  acme-companion:
    image: nginxproxy/acme-companion
    container_name: "acme-proxy"
    environment:
      - DEFAULT_EMAIL=<mail@your.domain.de>
    volumes_from:
      - proxy
    volumes:
      - certs:/etc/nginx/certs
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal

networks:
  internal:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1450

volumes:
  postgres_data:
  conf:
  vhost:
  html:
  certs:
  acme:

keycloak.conf

proxy=edge
db=postgres
db-url-host=postgres
db-user=keycloak
db-password=XxXxXxXxXxXxXxXx
db-database=keycloak
db-schema=public
hostname-strict=false
http-enabled=true

Up, Up, Up

docker compose up -d; docker compose logs -f

Any Comments ?

sha256: ae07bb4c0d896a00d456ec5e725109a85a45a165400d0e64a44e9bf46adda5a6

OpenBSD - Minio

Inspired

https://obsd.solutions/en/blog/2023/01/11/minio-on-openbsd-72-install/

Requirements

  • Fresh VM, running OpenBSD 7.2, fully patched

  • Public IP, all Ports allowed

  • FQDN pointing to your IP

run all the commands as root (or with ‘doas’ prepending …)

add Package

as usual with OpenBSD

pkg_add minio

Extend File Limits

we need some more current open files …

cat << EOF >> /etc/login.conf

# Minio, added $(date)
EOF

cat << 'EOF' >> /etc/login.conf
minio:\
  :openfiles-cur=4096:\
  :openfiles-max=8192:\
  :tc=daemon:
EOF

# Rebuild capdb
cap_mkdb /etc/login.conf

don’t forget go restart the box

Docker - Traefik Advanced

Intro

After a Basic Setup with fix Configuration, here an example where we put some Variables in a “.env” File.

Requirements:

Linux Host with Docker see here, Public IP Adress and rechable Port 80 & 443

two FQDN pointing to your IP:

  • traefik.yourdomain.de
  • whoami.yourdomain.de

Env Vars

let’s run the following Commands which generates a “.env” File. It will also create a User “dashboard” and ask you twice for the Password

echo 'domain="your.domain.de"'      > .env
echo 'traefik="traefik.${domain}"'  >> .env
echo 'whoami="whoami.${domain}"'    >> .env
echo 'mail="name@${domain}"'        >> .env
echo -n 'dashboardaccount="' >> .env; echo -n $(htpasswd -nB dashboard) |sed -e s/\\$/\\$\\$/g >> .env; echo '"' >> .env

.env

and here is the Content of my .env File.

Wireguard on Debian

Wireguard with Debian

Grab a Fresh Debian which has Public Internet Access. Target is to build a WG Tunnel and assign a Public IP to the Server.

Debian 11.6

apt-get install -y wireguard wireguard-tools

Gen Key

cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Set Vars

myprivkey=$(cat privatekey)
mypublicaddress="45.xx.xx.xx/28, 2a0e:xxxx:xxx::xxx/64"
yourpubkey="3XK8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
yourpubip="45.xxx.xxx.xxx"
yourpubport="443"

Config

cat << EOF > wg0.conf
[Interface]
PrivateKey = ${myprivkey}
Address    = PUBLIC_IP_V4/xx, PUBLIC_IP_V6/xx
 
[Peer]
PublicKey  = ${yourpubkey}
Endpoint   = ${yourpubip}:${yourpubport}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 60
EOF

Tunnel UP

systemctl enable wg-quick@wg0
systemctl start  wg-quick@wg0
systemctl status wg-quick@wg0

Check IP

i3

Any Comments ?

sha256: c4d87bfca434aca32d6a8869720220b6ea4abe1ff534dd6e715cbb73d4f7025e

Docker - Traefik

Intro

Following a Working Example how to get Traefik and a few Dummy Containers running on Docker. If you wanna have a bit advanced Example and put some Variables in a “.env” File, you may wanna check this Post.

Requirements

Linux Host with Docker see here, Public IP Adress and rechable Port 80 & 443

two FQDN pointing to your IP:

  • traefik.yourdomain.de
  • whoami.yourdomain.de

Docker Traefik Example

cat << EOF > docker-compose.yml
version: "3.3"

services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      # Traefik Log
      - "--log.level=DEBUG"
      - "--log.filePath=/logs/traefik.log"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Access Log
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      # Prometheus metrics
      ## Enable prometheus metrics
      - "--metrics.prometheus=true"
      ## Create a manual router instead of the default one.
      - "--metrics.prometheus.manualrouting=true"
      - "--metrics.prometheus.addrouterslabels=true"
    ports:
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./logs/:/logs/"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.de`)"
      - "traefik.http.routers.dashboard.entrypoints=web"
      - "traefik.http.routers.dashboard.service=api@internal"
      # Auth: dasboard/XXXXXXXX
      - "traefik.http.routers.dashboard.middlewares=dashboard_auth"
      - "traefik.http.middlewares.dashboard_auth.basicauth.users=dashboard:$$XXXXXXXXXXXXXXXXXXXX"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.de`)"
      - "traefik.http.routers.whoami.entrypoints=web"
EOF

Up

docker compose up -d

Redirect HTTP to HTTPS

replace MAIL@YOURDOMAIN.DE, traefik.yourdomain.de and whoami.yourdomain.de with the appropriate Values …

Docker - Container

Stuff for the running Containers

List running Containers

$ docker ps
CONTAINER ID  IMAGE   COMMAND                  CREATED          STATUS          PORTS                    NAMES
f99ad3355bae  blog    "/home/docker/init_a…"   14 minutes ago   Up 14 minutes   0.0.0.0:3031->3031/tcp   quizzical_bardeen

Shell into Containter

docker exec -it f99ad3355bae bash

first build cache

apt-get update

install Tools

  • netstat
  • ps
  • tcpdump
apt-get install -y net-tools procps tcpdump telnet netcat

Any Comments ?

sha256: 27a1368fbcb11db26404131aeb2b0e15d07bc32f61df6389a7c685df61bfc5aa

Alpine - Pandas on Docker Image

How to install Pandas on Alpine Linux

Run Alpine Container

docker run -it alpine

add packages

apk update
apk add python3 py3-pip gcc python3-dev g++

add / build pandas

time pip install pandas
real 26m 13.14s
user 30m 46.40s
sys   3m 27.51s

Happy Pandas !


Any Comments ?

sha256: afb99c7e3ed003bee48b65795a153c4fe7835fe3dae0759b70ab2bfb5adc4fd5

Docker - Traefik - Wildcard Subdomain

Intro

I was wondering if you can have Wildcart Certs for certain Subdomain. Idea is to provide a Service with “myservice.auth.your.domain” which automatically requests Authentication, while the same Service “myservice.whitelist.your.domain” is reachable through some Whitelisted IP only.

As Traefik can Chain Middleware, but not implements some logic (If Whitelist -> ok, else do Basic Auth …), i have to build another solution.

let’s have a look

Prepare Folders

cd /your/traffic/rootfolder
mkdir -p config/dynamic

.env File

we need two variables, so let’s put them in the .env File

Docker - Traefik - Stripprefix

Strip Prefix

Let’s assume you have a URL “https://whoami.your.domain.de/removeme" and you wanna get rid of the “removeme” before passing the Request to the Webserver. Stripprefix is your friend …

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/wegdamit,/removeme"
      - "traefik.http.routers.whoami.middlewares=test-stripprefix@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

Any Comments ?

sha256: 0620c0c2d7ae033f2536f6797a048772e52a09119367f4864f8bb2a754d2ea57