Traefik with Portainer container doable on FWG?

Comments

38 comments

  • David Koppenhofer

    On the Purple, the default location for docker is /var/lib/docker, a 2 Gig partition.

    I created a script that moves the docker root to the SD card, because my images alone were approaching the 2G limit - purely moving the data volumes wouldn't cut it. (Though that would have been easier)

    https://help.firewalla.com/hc/en-us/community/posts/4491452568851-Moving-docker-to-SD-card-on-Firewalla-Purple

    1
  • Lynk

    Awesome thanks. Going to try this out today.

    1
  • Lynk

    So I followed your guide to copy over to /dev/sda1 and then did this last:

    https://help.firewalla.com/hc/en-us/articles/360060535553-Guide-How-to-reset-your-docker-service-Beta-

    I think I screwed up when I followed all the steps here. 'sudo docker ps' shows nothing now.


    pi@firewalla:~/firewalla/etc (Firewalla) $ df
    Filesystem     1K-blocks    Used Available Use% Mounted on
    udev             4011396       0   4011396   0% /dev
    tmpfs             808308   51008    757300   7% /run
    /dev/mmcblk0p3   3546848 2843428    503536  85% /media/root-ro
    tmpfs-root        204800   24396    180404  12% /media/root-rw
    overlayroot       204800   24396    180404  12% /
    tmpfs            4041540       4   4041536   1% /dev/shm
    tmpfs               5120       0      5120   0% /run/lock
    tmpfs            4041540       0   4041540   0% /sys/fs/cgroup
    /dev/mmcblk0p2    487634   78217    379721  18% /boot
    /dev/mmcblk0p9    258095     242    257853   1% /boot/efi
    /dev/mmcblk0p8   4062912  611696   3225120  16% /data
    /dev/mmcblk0p7    999320  220216    710292  24% /log
    /dev/mmcblk0p5   1998672  969612    907820  52% /media/home-ro
    /dev/mmcblk0p6   1998672  808736   1068696  44% /media/home-rw
    overlay          1998672  808736   1068696  44% /home
    /dev/mmcblk0p4   3546848   15132   3331832   1% /var/lib/docker
    /dev/sda1      491207920 2298000 463888208   1% /mnt
    tmpfs              20480     176     20304   1% /alog
    tmpfs              30720     636     30084   3% /bspool
    tmpfs             808308       0    808308   0% /run/user/1000

    0
  • Lynk

    Under /mnt/docker I created the docker-compose.yaml for pihole with the following config:

    services:
      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        environment:
          # set a secure password here or the default will be firewalla
          WEBPASSWORD: 'firewalla'
        # Volumes store your data between container upgrades
        volumes:
          - '/data/pi-hole/etc-pihole/:/etc/pihole/'
          - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
          - '/etc/localtime:/etc/localtime:ro'
        restart: unless-stopped
        cap_add:
          - NET_ADMIN
        networks:
          default:
            # static IP address for pi-hole
            ipv4_address: 172.16.0.2
    networks:
      default:
        driver: bridge
        ipam:
          config:
            # your chosen docker network here
            - subnet: 172.16.0.0/24

    After creating and starting pi-hole, df shows: 


    pi@firewalla:~/.firewalla/config/post_main.d (Firewalla) $ df
    Filesystem     1K-blocks    Used Available Use% Mounted on
    udev             4011396       0   4011396   0% /dev
    tmpfs             808308   69560    738748   9% /run
    /dev/mmcblk0p3   3546848 2843428    503536  85% /media/root-ro
    tmpfs-root        204800   24408    180392  12% /media/root-rw
    overlayroot       204800   24408    180392  12% /
    tmpfs            4041540       4   4041536   1% /dev/shm
    tmpfs               5120       0      5120   0% /run/lock
    tmpfs            4041540       0   4041540   0% /sys/fs/cgroup
    /dev/mmcblk0p2    487634   78217    379721  18% /boot
    /dev/mmcblk0p9    258095     242    257853   1% /boot/efi
    /dev/mmcblk0p8   4062912  611272   3225544  16% /data
    /dev/mmcblk0p7    999320  222032    708476  24% /log
    /dev/mmcblk0p5   1998672  969612    907820  52% /media/home-ro
    /dev/mmcblk0p6   1998672  808728   1068704  44% /media/home-rw
    overlay          1998672  808728   1068704  44% /home
    /dev/mmcblk0p4   3546848  372176   2974788  12% /var/lib/docker
    /dev/sda1      491207920   73764 466112444   1% /mnt
    tmpfs              20480     272     20208   2% /alog
    tmpfs             808308       0    808308   0% /run/user/1000
    tmpfs              30720     288     30432   1% /bspool

    Should I instead edit the compose file and change the volume paths? Is this why I see /dev/mmcblk0p4 at 12% now instead of /dev/sda1 like I was expecting?

    0
  • David Koppenhofer

    Was it working before you followed the optional steps to remove the old docker data?

    A reboot should run the script that sets the docker root to the external card / drive.

    0
  • David Koppenhofer

    The docker-compose.yaml doesn't go in /mnt/docker. It needs to go in a subdir of /home/pi/.firewalla/run/docker/

    0
  • Lynk

    docker ps showed it running before the optional step, yes.

    0
  • Lynk

    When I did the prune, docker ps was empty.


    0
  • Lynk

    Ahh, ok, missed this. Going to rm -rf * in /mnt after stopping docker and try again.

    0
  • Lynk

    "The docker-compose.yaml doesn't go in /mnt/docker. It needs to go in a subdir of /home/pi/.firewalla/run/docker/"

    This subdir should be on the Firewalla side, not the SSD?

    0
  • Lynk

    Ok, so I cleared out /mnt/docker

    sudo rsync -aP /var/lib/docker/ /mnt/docker

    It completed and I see files in /mnt/docker.

    root@firewalla:/home/pi/.firewalla/run/docker/pi-hole# df
    Filesystem     1K-blocks    Used Available Use% Mounted on
    udev             4011396       0   4011396   0% /dev
    tmpfs             808308   77464    730844  10% /run
    /dev/mmcblk0p3   3546848 2843428    503536  85% /media/root-ro
    tmpfs-root        204800   27352    177448  14% /media/root-rw
    overlayroot       204800   27352    177448  14% /
    tmpfs            4041540       4   4041536   1% /dev/shm
    tmpfs               5120       0      5120   0% /run/lock
    tmpfs            4041540       0   4041540   0% /sys/fs/cgroup
    /dev/mmcblk0p2    487634   78217    379721  18% /boot
    /dev/mmcblk0p9    258095     242    257853   1% /boot/efi
    /dev/mmcblk0p8   4062912  611576   3225240  16% /data
    /dev/mmcblk0p7    999320  221572    708936  24% /log
    /dev/mmcblk0p5   1998672  969612    907820  52% /media/home-ro
    /dev/mmcblk0p6   1998672  808728   1068704  44% /media/home-rw
    overlay          1998672  808728   1068704  44% /home
    /dev/mmcblk0p4   3546848  372560   2974404  12% /var/lib/docker
    /dev/sda1      491207920  435796 465750412   1% /mnt
    tmpfs              20480     556     19924   3% /alog
    tmpfs             808308       0    808308   0% /run/user/1000
    tmpfs              30720     432     30288   2% /bspool

    /home/pi/.firewalla/config/post_main.d/sdcard_docker.sh

    root@firewalla:/mnt/docker# docker ps
    CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS                            PORTS                            NAMES
    90bc3b7cd271        pihole/pihole:latest   "/s6-init"          38 minutes ago      Up 3 seconds (health: starting)   53/udp, 53/tcp, 80/tcp, 67/udp   pihole

    0
  • Lynk

    Now I clear out /var/lib/docker following the same steps here?

    https://help.firewalla.com/hc/en-us/articles/360060535553-Guide-How-to-reset-your-docker-service-Beta-

    0
  • David Koppenhofer

    I'd run your current config for a while before clearing out the old docker directory, just to make sure everything's good.

    Especially check that 'sudo docker info' shows 'Docker Root Dir: /mnt/docker', and that it persists through reboots.

    0
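A small check script for the "make sure 'sudo docker info' shows the new Docker Root Dir and that it persists through reboots" advice above. This is an added example, not a script from the thread, from Firewalla, or from David's post; it assumes the `Key: Value` layout of `docker info` shown later in this thread and the /mnt/docker path used here. The function names are ours.

```bash
#!/bin/sh
# Added example (not from the thread): verify after a reboot that dockerd is
# really using the relocated root directory before any old data is cleaned up.
# Assumes `docker info` prints " Docker Root Dir: <path>" as seen in this thread.

EXPECTED_ROOT="/mnt/docker"   # path used in the thread; adjust if yours differs

# Pull the "Docker Root Dir" value out of `docker info` text read on stdin.
docker_root_dir() {
    sed -n 's/^[[:space:]]*Docker Root Dir:[[:space:]]*//p' | head -n 1
}

# Compare the reported root with the expected one. Returns 0 on match and 1
# otherwise, so it can gate a cleanup step (e.g. `... && rm -rf old-dir`).
check_docker_root() {
    expected="$1"
    actual="$2"
    if [ "$actual" = "$expected" ]; then
        echo "OK: Docker Root Dir is ${actual}"
        return 0
    fi
    echo "MISMATCH: Docker Root Dir is '${actual}', expected '${expected}'" >&2
    return 1
}

# Report which block device backs the root directory. A path under /mnt can
# exist on the eMMC even when the SSD/SD card has not been mounted yet, so the
# device (e.g. /dev/sda1 in the thread's df output) is the real confirmation.
root_on_device() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}'
}

main() {
    root="$(sudo docker info 2>/dev/null | docker_root_dir)"
    check_docker_root "$EXPECTED_ROOT" "$root" || exit 1
    dev="$(root_on_device "$root")"
    echo "backing device: ${dev:-unknown}"
}

# Run the live check only when invoked with --check; sourcing just defines functions.
case "$1" in --check) main ;; esac
```

Run it as `sh check-docker-root.sh --check` once after setup and again after a reboot; only when both runs print OK and the backing device is the external disk is it safe to remove the old /var/lib/docker contents.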
  • Lynk

    Ok thanks, I see 'Docker Root Dir: /mnt/docker' as expected.

    When I previously ran that prune command, I got a warning that any stopped docker containers, along with those with no network, would be removed. I hit yes, saw "% space reclaimed" and then no docker ids in 'docker ps' and pi-hole inaccessible.

    0
  • David Koppenhofer

    Oh, I think I understand. That must have been the old containers that you were cleaning up when you saw the reclaimed space and no docker ids.

    Looks like everything's running in the right place for you now, though. Glad it worked out!

    0
  • David Koppenhofer

    I updated the other post to clarify the final steps, including how to check that docker root is set correctly, and more details about cleanup.

    If you have the chance, let me know if the updates would have helped you. 🙂

    0
  • Lynk

    If that cleaned up the old containers, I should have still seen my current running containers afterwards from 'docker ps', right?

    Will look at the edits you made and follow up, thanks. 

    0
  • Lynk

    Hesitant to do the cleanup per the Firewalla instructions linked, as this is what deleted everything.

    0
  • Lynk

    Ok, so I see the edits you made. Will try in this order.

    0
  • Lynk

    After rebooting to test the script, my docker for pihole is up and running, subnet in table, but the pihole URL is timing out. I can ping pihole as well.

    Still see the correct root path under docker info as well.

    0
  • Lynk

    Odd, had to follow the steps here to get the pihole GUI working again:

    cd /home/pi/.firewalla/run/docker/pi-hole
    sudo systemctl start docker
    sudo docker-compose pull
    sudo docker-compose up --no-start
    sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pi-hole_default |jq -r '.[0].Id[0:12]') table lan_routable
    sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pi-hole_default |jq -r '.[0].Id[0:12]') table wan_routable
    sudo docker-compose up --detach
    0
  • Lynk

    root@firewalla:/home/pi/.firewalla/run/docker/pi-hole# sudo docker info
    Client:
     Debug Mode: false

    Server:
     Containers: 2
      Running: 1
      Paused: 0
      Stopped: 1
     Images: 3
     Server Version: 19.03.6
     Storage Driver: overlay2
      Backing Filesystem: extfs
      Supports d_type: true
      Native Overlay Diff: true
     Logging Driver: json-file
     Cgroup Driver: cgroupfs
     Plugins:
      Volume: local
      Network: bridge host ipvlan macvlan null overlay
      Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
     Swarm: inactive
     Runtimes: runc
     Default Runtime: runc
     Init Binary: docker-init
     containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
     runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
     init version: fec3683
     Security Options:
      apparmor
      seccomp
       Profile: default
     Kernel Version: 4.15.0-70-generic
     Operating System: Ubuntu 18.04.3 LTS
     OSType: linux
     Architecture: x86_64
     CPUs: 4
     Total Memory: 7.709GiB
     Name: firewalla
     ID: P2L4:TU7N:JEN4:2ZVC:TLKX:MJDV:72E2:5LMH:24XS:E76J:7VAR:H2V6
     Docker Root Dir: /mnt/docker
     Debug Mode: false
     Registry: https://index.docker.io/v1/
     Labels:
     Experimental: false
     Insecure Registries:
      127.0.0.0/8
     Live Restore Enabled: false

    WARNING: No swap limit support

    0
  • Lynk

    So with pihole running, what would I check if after a reboot I again get into the situation of the container running but the GUI timing out?

    0
  • Lynk

    I'll check the container logs if it happens again.

    0
  • Lynk

    Same deal, after reboot, logs show:

    s6-rc: info: service _startup successfully started
    s6-rc: info: service pihole-FTL: starting
    s6-rc: info: service pihole-FTL successfully started
    s6-rc: info: service lighttpd: starting
    s6-rc: info: service lighttpd successfully started
    s6-rc: info: service _postFTL: starting
    s6-rc: info: service _postFTL successfully started
      Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
    s6-rc: info: service legacy-services: starting
    s6-rc: info: service legacy-services successfully started
      [✗] DNS resolution is currently unavailable
    pi@firewalla:~ (Firewalla) $

    0
  • Lynk

    docker info after reboot; warnings at the bottom:


    pi@firewalla:~ (Firewalla) $ sudo docker info
    Client:
     Debug Mode: false

    Server:
     Containers: 2
      Running: 2
      Paused: 0
      Stopped: 0
     Images: 3
     Server Version: 19.03.6
     Storage Driver: overlay2
      Backing Filesystem: extfs
      Supports d_type: true
      Native Overlay Diff: true
     Logging Driver: json-file
     Cgroup Driver: cgroupfs
     Plugins:
      Volume: local
      Network: bridge host ipvlan macvlan null overlay
      Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
     Swarm: inactive
     Runtimes: runc
     Default Runtime: runc
     Init Binary: docker-init
     containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
     runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
     init version: fec3683
     Security Options:
      apparmor
      seccomp
       Profile: default
     Kernel Version: 4.15.0-70-generic
     Operating System: Ubuntu 18.04.3 LTS
     OSType: linux
     Architecture: x86_64
     CPUs: 4
     Total Memory: 7.709GiB
     Name: firewalla
     ID: YLMP:UMTV:PNXC:DSJI:JM72:NVYK:BHXG:HWRW:IAHA:5N3F:YQZ7:CDHH
     Docker Root Dir: /mnt/docker
     Debug Mode: false
     Registry: https://index.docker.io/v1/
     Labels:
     Experimental: false
     Insecure Registries:
      127.0.0.0/8
     Live Restore Enabled: false

    WARNING: No swap limit support
    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled

    0
  • David Koppenhofer

    I'm sorry, I'm not adept at networking, much less docker networking, and have never installed or used pihole. I'm pretty sure there is a guide or community post that could help out with pihole config. 🤷‍♂️

    0
  • Lynk

    I can't seem to figure out where I'm going wrong with traefik and wildcard certs with Cloudflare.

    Traefik container is running but throwing this error ('****' marks redactions):

    Unable to obtain ACME certificate for domains \"local.****.com,*.local.****.com\"" providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:46406->127.0.0.11:53: i/o timeout" routerName=traefik-secure@docker rule="Host(`traefik-dashboard-internal.local.****.com`)"

    Created dir /mnt/traefik which contains:
    'docker-compose.yml'
    /data


    /mnt/traefik/data which contains: 
    'config.yml'
    'traefik.yml'
    'acme.json' with permission 600

    'docker-compose.yml':

    root@firewalla:/mnt/traefik# cat docker-compose.yml
    version: '3'

    services:
      traefik:
        image: traefik:latest
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - proxy
        ports:
          - 80:80
          - 443:443
        environment:
          - CF_API_EMAIL=****
          - CF_DNS_API_TOKEN=****
          # - CF_API_KEY=YOU_API_KEY
          # be sure to use the correct one depending on if you are using a token or key
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /mnt/traefik/data/traefik.yml:/traefik.yml:ro
          - /mnt/traefik/data/acme.json:/acme.json
          - /mnt/traefik/data/config.yml:/config.yml:ro
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.entrypoints=http"
          - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.local.****.com`)"
          - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:****"
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
          - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
          - "traefik.http.routers.traefik-secure.entrypoints=https"
          - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.local.****.com`)"
          - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
          - "traefik.http.routers.traefik-secure.tls=true"
          - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
          - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.****.com"
          - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.****.com"
          - "traefik.http.routers.traefik-secure.service=api@internal"

    networks:
      proxy:
        external: true


    'traefik.yml':

    api:
      dashboard: true
      debug: true
    entryPoints:
      http:
        address: ":80"
        http:
          redirections:
            entryPoint:
              to: https
              scheme: https
      https:
        address: ":443"
    serversTransport:
      insecureSkipVerify: true
    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
      file:
        filename: /config.yml
    certificatesResolvers:
      cloudflare:
        acme:
          email: ****
          storage: acme.json
          dnsChallenge:
            provider: cloudflare
            #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
            resolvers:
              - "1.1.1.1:53"
              - "1.0.0.1:53"


    From traefik container i can ping:
    'proxy' network GW 172.18.0.1
    'pi-hole' 172.16.0.2
    127.0.0.11
    can't ping anything outside my network nor can i nslookup external

    Cloudflare DNS config just has A record matching my domain and WAN IP with grey cloud (no proxy).

    Pi-hole pointed to cloudflare DNS
    Pi-hole is working fine

    Anything I missed here causing my timeout? I also see this timeout accessing 'https://traefik-dashboard-internal.local.****.com'
    0
  • Kay

    Hi Lynk,

    I have a FWG and I am trying to install Traefik on a docker host outside of the Firewalla. I am having similar issues where I cannot get the certs and it tends to be a config issue with routers. I was wondering if you have made any progress on your side?

    Also I am wondering what you get when you perform

    $ curl -vvv https://acme-v02.api.letsencrypt.org/directory

    Thank you.

    0
  • Lynk

    I found out I needed to manually add the routes:

    sudo ip route add 172.18.0.0/16 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table lan_routable
    sudo ip route add 172.18.0.0/16 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table wan_routable

    You can try to ping from inside the container to verify if this is the same fix for you that worked for me. 

    0
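The two `ip route add ... table lan_routable` / `wan_routable` commands in this post and in the earlier pi-hole post are one-shot fixes that are lost on reboot, which matches the symptom of a container that is up but cannot resolve or reach anything outside the box. The script below is an added example, not code from the thread or from Firewalla: it derives the bridge name the same way the posts do (`br-` plus the first 12 characters of the network ID) without needing jq, adds each route only if it is missing, and is meant to be run at boot. The network names, subnets and routing-table names are taken from the thread; the function names and the `--apply` flag are ours.

```bash
#!/bin/sh
# Added example (not from the thread or Firewalla): make the manual
# "ip route add ... table lan_routable/wan_routable" fix repeatable at boot.
# Assumes the docker networks and subnets used in this thread.

# Docker bridge interface name = "br-" + first 12 chars of the network ID
# (the same value the thread derives with jq '.[0].Id[0:12]').
bridge_name_from_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Extract the 64-hex-char network ID from `docker network inspect` JSON read
# on stdin, so jq is not required on the box.
network_id_from_inspect() {
    sed -n 's/.*"Id": *"\([0-9a-f]\{64\}\)".*/\1/p' | head -n 1
}

# Add a route to a table only if it is not already present, so the script is
# safe to run on every boot and on manual re-runs.
ensure_route() {
    subnet="$1"; dev="$2"; table="$3"
    if ip route show table "$table" 2>/dev/null | grep -qE "^${subnet} dev ${dev}( |$)"; then
        echo "present: ${subnet} dev ${dev} table ${table}"
    else
        ip route add "$subnet" dev "$dev" table "$table"
        echo "added:   ${subnet} dev ${dev} table ${table}"
    fi
}

# Resolve the bridge for a named docker network and install both routes.
route_docker_network() {
    net="$1"; subnet="$2"
    id="$(docker network inspect "$net" 2>/dev/null | network_id_from_inspect)"
    if [ -z "$id" ]; then
        echo "network ${net} not found (is docker up?)" >&2
        return 1
    fi
    dev="$(bridge_name_from_id "$id")"
    ensure_route "$subnet" "$dev" lan_routable
    ensure_route "$subnet" "$dev" wan_routable
}

main() {
    # dockerd may still be starting when boot-time scripts run; wait for it.
    i=0
    while ! docker info >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "docker did not come up" >&2; exit 1; }
        sleep 2
    done
    # Networks and subnets from the thread's two compose setups.
    route_docker_network proxy           172.18.0.0/16
    route_docker_network pi-hole_default 172.16.0.0/24
}

# Run the live part only when invoked as root with --apply (for example from a
# script under /home/pi/.firewalla/config/post_main.d/); sourcing the file just
# defines the functions.
case "$1" in --apply) main ;; esac
```

After running it, `ip route show table lan_routable` should list the docker subnet against the `br-` interface, and a `ping`/`nslookup` from inside the container to an external host is the quick confirmation that the routes are what was missing rather than the container's own DNS config.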
