devture / com.devture.ansible.role.traefik
An Ansible role which installs [Traefik](https://traefik.io/) to run as a Docker container wrapped in a systemd service

License: GNU Affero General Public License v3.0


com.devture.ansible.role.traefik's Introduction

Traefik reverse-proxy Ansible role

This is an Ansible role which installs Traefik to run as a Docker container wrapped in a systemd service.

This role implicitly depends on the com.devture.ansible.role.systemd_docker_base role.

Usage

Example playbook:

- hosts: servers
  roles:
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - role: galaxy/com.devture.ansible.role.traefik

    - role: another_role

Example playbook configuration (group_vars/servers or other):

devture_traefik_container_network: "{{ my_container_network }}"

devture_traefik_uid: "{{ my_uid }}"
devture_traefik_gid: "{{ my_gid }}"

Security hardening

To keep the Traefik container from mounting and using the Docker UNIX socket (/var/run/docker.sock) directly, you can instead have it talk to the Docker API over TCP via Tecnativa/docker-socket-proxy. The Traefik container can then run with reduced privileges (a non-root user, dropped capabilities, etc.).

To get this socket proxy installed, you can use the com.devture.ansible.role.container_socket_proxy role.

Here's some example configuration (e.g. group_vars/servers) which optionally wires them together:

#
# Container Socket Proxy role configuration
#
devture_container_socket_proxy_enabled: true

devture_container_socket_proxy_uid: "{{ my_uid }}"
devture_container_socket_proxy_gid: "{{ my_gid }}"

# Traefik requires read access to the containers API to do its job
devture_container_socket_proxy_api_containers_enabled: true

#
# Traefik role configuration
#

# Base Traefik configuration here (see above).

devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"

devture_traefik_container_additional_networks: |
  {{
    ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
  }}

devture_traefik_systemd_required_services_list: |
  {{
    (['docker.service'])
    +
    ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
  }}

com.devture.ansible.role.traefik's People

Contributors

chagai95, iucca, michielappelman, moan0s, nielscil, spantaleev


com.devture.ansible.role.traefik's Issues

Traefik unable to resolve matrix-container-socket-proxy DNS

Describe the bug

After upgrading, Traefik cannot resolve the IP address for the container matrix-container-socket-proxy, as seen in the following error logs.

Dec 25 07:16:40 matrix.example.lan matrix-traefik[2458633]: time="2023-12-25T12:16:40Z" level=error msg="Provider connection error error during connect: Get \"http://matrix-container-socket-proxy:2375/v1.24/version\": dial tcp: lookup matrix-container-socket-proxy on 127.0.0.11:53: server misbehaving, retrying in 26.521230813s" providerName=docker
Dec 25 07:16:43 matrix.example.lan matrix-traefik[2458633]: 10.0.1.84 - - [25/Dec/2023:12:16:43 +0000] "GET /_matrix/client/v3/sync?full_state=false&timeout=30000&since=s40044_1494058_26_17202_36448_16_9656_168_0_1 HTTP/1.1" 404 19 "-" "-" 81 "-" "-" 0ms
Dec 25 07:16:46 matrix.example.lan matrix-traefik[2458633]: 71.27.185.41 - - [25/Dec/2023:12:16:46 +0000] "GET /_matrix/client/versions HTTP/2.0" 404 19 "-" "-" 82 "-" "-" 0ms
Dec 25 07:16:47 matrix.example.lan matrix-traefik[2458633]: 10.0.1.3 - - [25/Dec/2023:12:16:47 +0000] "HEAD / HTTP/2.0" 404 19 "-" "-" 83 "-" "-" 0ms
Dec 25 07:16:49 matrix.example.lan matrix-traefik[2458633]: 10.0.1.84 - - [25/Dec/2023:12:16:49 +0000] "GET /_matrix/client/v3/sync?full_state=false&timeout=30000&since=s40044_1494058_26_17202_36448_16_9656_168_0_1 HTTP/1.1" 404 19 "-" "-" 84 "-" "-" 0ms
Dec 25 07:16:50 matrix.example.lan systemd[1]: run-docker-runtime\x2drunc-moby-1f88275785b3c6aa7bf2396ea8db8a166a651fbfe0afc4007f978ef368f753e1-runc.zb8jxa.mount: Deactivated successfully.
Dec 25 07:16:50 matrix.example.lan systemd[1]: run-docker-runtime\x2drunc-moby-35b2c3ecdb06e5daf7b2ca25b34406bc6cb37eda243597a27e90750750f9958e-runc.rpVMOn.mount: Deactivated successfully.
Dec 25 07:16:53 matrix.example.lan matrix-traefik[2458633]: 71.27.185.41 - - [25/Dec/2023:12:16:53 +0000] "GET /_matrix/client/versions HTTP/2.0" 404 19 "-" "-" 85 "-" "-" 0ms

After troubleshooting, this appears to be because Traefik and matrix-container-socket-proxy were not on the same network. matrix-container-socket-proxy was on its own network by itself and Traefik was on the traefik network.

This occurred for me when upgrading via the Ansible matrix plays from commit 3dc77c4f9a1277f2338f2cd3664186fd94b93292 (Synapse 1.96.1) to commit da27655ef34999fa924bc0a5e641dbd9ba06f133 [December 23, 2023 Merge pull request] (spantaleev/matrix-docker-ansible-deploy#3060 from etkecc/fix-chatgpt-auth)

Workaround
Set the following in my matrix variables:

devture_container_socket_proxy_enabled: false

Matrix Server:

  • OS: Ubuntu 22.04
  • Architecture: amd64

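As an added illustration (not part of the role, its README, or the issue above), the following Python script audits `docker inspect` output for the two things discussed on this page: the hardening section's goal that the Traefik container no longer bind-mounts the Docker socket or runs as root, and the failure mode from the DNS issue, where Traefik and the socket proxy sit on different Docker networks so the proxy's name cannot be resolved. The container names follow the issue's log lines; the network names, the sample JSON records and all function names are constructed for the example.

```python
"""Added example: audit `docker inspect` output for a Traefik + socket-proxy deployment.

Not part of the role. Container names follow the issue log above; the JSON
samples, network names and function names are constructed for illustration.
Usage:  docker inspect matrix-traefik matrix-container-socket-proxy | python3 audit.py
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_traefik(container: dict) -> list:
    """Findings for the Traefik container; an empty list means it is hardened
    the way the README's socket-proxy setup intends (no socket, non-root)."""
    findings = []
    for mount in container.get("Mounts", []):
        if DOCKER_SOCKET in (mount.get("Source"), mount.get("Destination")):
            findings.append("docker socket bind-mounted: %s -> %s"
                            % (mount.get("Source"), mount.get("Destination")))
    user = container.get("Config", {}).get("User") or ""
    # Docker runs the process as uid 0 when User is empty, "0", "root" or "0:...".
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (Config.User=%r)" % user)
    cap_add = container.get("HostConfig", {}).get("CapAdd") or []
    if cap_add:
        findings.append("extra capabilities granted: %s" % ",".join(cap_add))
    return findings


def networks_of(container: dict) -> set:
    return set(container.get("NetworkSettings", {}).get("Networks", {}))


def shared_networks(a: dict, b: dict) -> set:
    """Networks both containers join. Docker's embedded DNS (127.0.0.11) only
    resolves names of containers attached to a shared network, so an empty
    result is exactly the 'lookup ... server misbehaving' state from the issue."""
    return networks_of(a) & networks_of(b)


def run_audit(inspect_json: str, traefik_name: str, proxy_name: str) -> dict:
    """Parse the JSON list that `docker inspect a b` prints and audit both containers."""
    by_name = {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}
    traefik, proxy = by_name[traefik_name], by_name[proxy_name]
    return {
        "traefik_findings": audit_traefik(traefik),
        "shared_networks": sorted(shared_networks(traefik, proxy)),
    }


def _container(name, user, networks, mount_socket=False):
    """Build a minimal `docker inspect` record (constructed sample data)."""
    mounts = [{"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET}] if mount_socket else []
    return {"Name": "/" + name, "Config": {"User": user},
            "HostConfig": {"CapAdd": None, "CapDrop": ["ALL"]},
            "Mounts": mounts, "NetworkSettings": {"Networks": {n: {} for n in networks}}}


# Constructed: the broken state from the issue (proxy alone on its own network)
# combined with an unhardened Traefik (root, socket mounted).
SAMPLE_BROKEN = json.dumps([
    _container("matrix-traefik", "", ["traefik"], mount_socket=True),
    _container("matrix-container-socket-proxy", "1000:1000", ["matrix-container-socket-proxy"]),
])
# Constructed: the intended state once devture_traefik_container_additional_networks
# attaches Traefik to the proxy's network and it runs as a non-root user.
SAMPLE_HARDENED = json.dumps([
    _container("matrix-traefik", "1000:1000", ["traefik", "matrix-container-socket-proxy"]),
    _container("matrix-container-socket-proxy", "1000:1000", ["matrix-container-socket-proxy"]),
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROKEN
    print(json.dumps(run_audit(data, "matrix-traefik", "matrix-container-socket-proxy"), indent=2))
```

Piped real `docker inspect` output, the script reports a non-empty `traefik_findings` list or an empty `shared_networks` list as the two conditions worth fixing; run with no input it audits the constructed broken sample.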

traefik_ssl_email_address is required with web_secure_enabled: false

Describe the bug / feature request
devture_traefik_ssl_email_address is required to be set even with devture_traefik_config_entrypoint_web_secure_enabled: false.

Expected behavior
Leaving devture_traefik_ssl_email_address empty if TLS termination is disabled.

That is even stated here in matrix-docker-ansible-deploy:

https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ecde8a46f88dac66cdd61bb983a3c889f583f955/roles/custom/matrix-base/defaults/main.yml#L286

Additional context
I was opening this bug report in matrix-docker-ansible-deploy but I decided to open it here because it seems that only this repo needs to be changed to fix this.

PS: This (matrix-docker-ansible-deploy) Ansible playbook saves me a ton of work. Thanks for maintaining & open sourcing it.
