The flower and worker are not accessible in EC2 - amazon-ec2

I have a docker-compose.yml to create my Airflow environment. I tested it on my local machine and everything is OK, but when I put it on EC2, the flower and worker logs are not accessible.
I already enabled the ports 5555 and 8793 in the security groups, but it isn't working.

Related

AWS EC2 instance in public subnet cannot talk to outside world

I have a fairly simple architecture with only two subnets: Public and private. In the same Public Subnet with Internet Gateway configured, I have two EC2 instances:
Linux EC2 instance (Where I run a REST API)
OpenVPN Access Server
https://i.stack.imgur.com/2MHco.png
The problem is, from the Linux EC2 instance, I cannot
ping, for example, cnn.com
aws ecr docker login (to pull Docker images)
Python scripts sitting on the Linux EC2 instance also need to call REST APIs from the outside world
Through trial and error, I found out that if I add an Inbound Rule to allow all traffic from 0.0.0.0/0, then I can ping and run those aws/docker commands. This approach is of course a security hole and less than ideal. Any suggestions please?
Thanks in advance.
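The symptom in this post (outbound connections only work once an allow-all inbound rule exists) is what a stateless network ACL produces when it lacks an inbound rule for the ephemeral ports that replies come back on; security groups are stateful and need no inbound rule at all for traffic the instance initiates. The example below is added by the editor, not code from the post or from AWS; it models the two evaluation rules (security group: any matching rule allows; network ACL: lowest rule number that matches wins, implicit deny at the end) over constructed rule sets and peer addresses (203.0.113.0/24 as an office range, 198.51.100.7 as a stand-in ECR endpoint, 192.0.2.9 as a stranger) so that the narrow fix can be compared with the allow-all one.

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # return-traffic port range AWS documents for NACL rules


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (security group rules only ever allow)
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    number: int = 0    # NACL rule number; unused for security groups


def _matches(rule, protocol, port, ip):
    """True if a single rule covers this protocol, port and peer address."""
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def sg_allows(rules, protocol, port, ip):
    """Security group: unordered allow-list; anything unmatched is dropped."""
    return any(_matches(r, protocol, port, ip) for r in rules)


def nacl_allows(rules, protocol, port, ip):
    """Network ACL: evaluated by ascending rule number, first match decides,
    and the trailing '*' rule denies whatever nothing matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, port, ip):
            return r.action == "allow"
    return False


def instance_initiated_ok(sg_out, nacl_out, nacl_in, dst_ip, dst_port,
                          src_port=40000, protocol="tcp"):
    """Can a connection the instance opens (e.g. HTTPS to ECR) complete?
    The security group is stateful, so only its outbound side matters; the
    reply must pass the NACL inbound side on its own, on the ephemeral port."""
    return (sg_allows(sg_out, protocol, dst_port, dst_ip)
            and nacl_allows(nacl_out, protocol, dst_port, dst_ip)
            and nacl_allows(nacl_in, protocol, src_port, dst_ip))


def unsolicited_inbound_ok(sg_in, nacl_in, src_ip, dst_port, protocol="tcp"):
    """Can a stranger's SYN reach a service on the instance? Both layers must
    admit it (the NACL outbound side for the reply is assumed open here)."""
    return (sg_allows(sg_in, protocol, dst_port, src_ip)
            and nacl_allows(nacl_in, protocol, dst_port, src_ip))


# Constructed rule sets (not from the post).
SG_OUT = [Rule("allow", "all", 0, 65535, "0.0.0.0/0")]        # default SG egress
SG_IN_TIGHT = [Rule("allow", "tcp", 22, 22, "203.0.113.0/24")]
SG_IN_OPEN = [Rule("allow", "all", 0, 65535, "0.0.0.0/0")]     # the post's "allow all"
NACL_OUT = [Rule("allow", "all", 0, 65535, "0.0.0.0/0", number=100)]
NACL_IN_BROKEN = [                                            # only the listening ports
    Rule("allow", "tcp", 22, 22, "203.0.113.0/24", number=100),
    Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=110),
]
NACL_IN_FIXED = NACL_IN_BROKEN + [                            # admit replies only
    Rule("allow", "tcp", *EPHEMERAL, "0.0.0.0/0", number=120)]
NACL_IN_OPEN = [Rule("allow", "all", 0, 65535, "0.0.0.0/0", number=100)]

ECR_IP = "198.51.100.7"   # constructed stand-in for an ECR endpoint address
STRANGER = "192.0.2.9"    # constructed Internet host probing the instance

SCENARIOS = {
    "broken": (SG_IN_TIGHT, NACL_IN_BROKEN),
    "fixed": (SG_IN_TIGHT, NACL_IN_FIXED),
    "open": (SG_IN_OPEN, NACL_IN_OPEN),
}


def compare():
    """{scenario: (outbound HTTPS works, stranger reaches tcp/5432)}"""
    return {name: (instance_initiated_ok(SG_OUT, NACL_OUT, nacl_in, ECR_IP, 443),
                   unsolicited_inbound_ok(sg_in, nacl_in, STRANGER, 5432))
            for name, (sg_in, nacl_in) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (outbound, exposed) in compare().items():
        print("%-6s outbound=%s db-exposed=%s" % (name, outbound, exposed))
```

The "fixed" row keeps the instance's own inbound exposure unchanged because the security group, not the NACL, is the stateful gate for unsolicited traffic: the ephemeral-range NACL rule does let a SYN to 5432 past the ACL, and it is the security group with no such rule that drops it. If the allow-all rule in the post was added to the security group rather than the NACL, removing it again and checking the subnet's network ACL inbound side is the first thing to try.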

Nomad and consul setup

Should I run consul slaves alongside nomad slaves or inside them?
The latter might not make sense at all, but I'm asking it just in case.
I brought my own nomad cluster up with consul slaves running alongside nomad slaves (inside worker nodes), my deployable artifacts are docker containers (java spring applications).
The issue with my current setup is that my applications can't access consul slaves (to read configurations) (none of 0.0.0.0, localhost, worker node ip worked)
Let's say my service exposes 8080. I configured the docker part (in the hcl file) to use bridge as the network mode. Nomad maps 8080 to 43210.
Everything is fine until my service tries to reach the consul slave to read configuration. Ideally giving nomad worker node IP as consul host to Spring should suffice. But for some reason it's not.
I'm using latest version of nomad.
I configured my nomad slaves like https://github.com/bmd007/statefull-geofencing-faas/blob/master/infrastructure/nomad/client1.hcl
And the link below shows how I configured/ran my consul slave:
https://github.com/bmd007/statefull-geofencing-faas/blob/master/infrastructure/server2.yml
Note: if I use static port mapping and host as the network mode for docker (in nomad) I'll be fine, but then I can't deploy more than one instance of each application on each worker node (due to port conflicts).
Nomad jobs listen on a specific host/port pair.
You might want to ssh into the server and run docker ps to see what host/port pair the job is listening on.
a93c5cb46a3e image-name bash 2 hours ago Up 2 hours 10.0.47.2:21435->8000/tcp, 10.0.47.2:21435->8000/udp foo-bar
Additionally, you will need to ensure that the consul nomad job is listening on port 0.0.0.0, or the specific ip of the machine. I believe that is this config value: https://www.consul.io/docs/agent/options.html#_bind
All those will need to match up in order for consul to be reachable.
More generally, I might recommend: if you're going to run consul with nomad, you might want to switch to host networking, so that you don't have to deal with the specifics of the networking within a container. Additionally, you could schedule consul as a system job so that it is automatically present on every host.
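One detail the docker ps line in this answer cannot show is which address the Consul agent's HTTP API is bound to. The example below is added by the editor, not code from the answer or from HashiCorp. It assumes the host LAN address 10.0.47.2 (taken from the docker ps line above), the default docker0 gateway 172.17.0.1, and Consul's documented defaults: the HTTP/DNS API listens on client_addr, which defaults to 127.0.0.1, while bind_addr (default 0.0.0.0) covers only the gossip and RPC ports, so changing bind_addr alone does not open the API. It parses the PORTS column and works out which addresses a task in bridge or host networking can actually use to reach the agent, which is why host networking plus localhost works while bridge mode plus the node IP does not.

```python
# Consul agent defaults (agent configuration reference). Only client_addr
# governs the HTTP/DNS API that a Spring app talks to.
CONSUL_DEFAULTS = {"client_addr": "127.0.0.1", "bind_addr": "0.0.0.0"}

# Assumed host layout for this example.
HOST_IP = "10.0.47.2"        # node address seen in the docker ps output above
BRIDGE_GATEWAY = "172.17.0.1"  # default docker0 gateway; how bridge tasks see the host


def parse_docker_ports(ports_column):
    """Parse the PORTS column of `docker ps`, e.g.
    '10.0.47.2:21435->8000/tcp, 10.0.47.2:21435->8000/udp'
    into (host_ip, host_port, container_port, proto) tuples."""
    out = []
    for mapping in ports_column.split(","):
        mapping = mapping.strip()
        if "->" not in mapping:          # exposed-but-unpublished entries like '8000/tcp'
            continue
        host, cont = mapping.split("->")
        host_ip, host_port = host.rsplit(":", 1)
        cont_port, proto = cont.split("/")
        out.append((host_ip, int(host_port), int(cont_port), proto))
    return out


def listener_accepts(listen_addrs, dest_ip):
    """A socket bound to 0.0.0.0 accepts on every local address; any other bind
    address only accepts connections sent to exactly that address. Consul takes
    a space-separated list for client_addr, hence the split."""
    return any(a == "0.0.0.0" or a == dest_ip for a in listen_addrs.split())


def addresses_tried(network_mode):
    """Host addresses a task on the same node can plausibly dial."""
    if network_mode == "host":
        return ["127.0.0.1", HOST_IP]
    # bridge: 127.0.0.1 is the container's own loopback, so only the host's
    # real addresses can reach an agent running on the host
    return [BRIDGE_GATEWAY, HOST_IP]


def reachable_consul_addresses(consul_cfg, network_mode):
    """Addresses at which a task in the given Docker network mode can reach the
    Consul HTTP API, given the agent's client_addr (defaults applied)."""
    cfg = {**CONSUL_DEFAULTS, **consul_cfg}
    return [ip for ip in addresses_tried(network_mode)
            if listener_accepts(cfg["client_addr"], ip)]


def diagnose(consul_cfg, network_mode):
    ok = reachable_consul_addresses(consul_cfg, network_mode)
    if ok:
        return "reachable via " + ", ".join(ok)
    bound = consul_cfg.get("client_addr", CONSUL_DEFAULTS["client_addr"])
    return ("Consul HTTP API is bound to %s; a %s-mode task cannot reach it. Either run "
            "the task with host networking, or set client_addr to include the address the "
            "task dials (e.g. '127.0.0.1 %s') and put ACLs/firewalling in front of the API, "
            "since it is then no longer loopback-only." % (bound, network_mode, BRIDGE_GATEWAY))


if __name__ == "__main__":
    print(parse_docker_ports("10.0.47.2:21435->8000/tcp, 10.0.47.2:21435->8000/udp"))
    print(diagnose({}, "bridge"))                                   # the question's setup
    print(diagnose({}, "host"))                                     # the accepted workaround
    print(diagnose({"client_addr": "127.0.0.1 172.17.0.1"}, "bridge"))  # narrow bridge fix
```

Widening client_addr to 0.0.0.0 makes the KV store and service registration endpoints reachable from anything that can route to the node, so the docker0 gateway is the narrowest address that serves bridge-mode tasks, and Consul ACLs should be enabled before the API leaves loopback.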
So I managed to solve the issue like this:
nomad.job.group.network.mode = host
nomad.job.group.network.port: port "http" {}
nomad.job.group.task.driver = docker
nomad.job.group.task.config.network_mode = host
nomad.job.group.task.config.ports = ["http"]
nomad.job.group.task.service.connect: connect { native = true }
nomad.job.group.task.env: SERVER_PORT= "${NOMAD_PORT_http}"
nomad.job.group.task.env: SPRING_CLOUD_CONSUL_HOST = "localhost"
nomad.job.group.task.env: SPRING_CLOUD_SERVICE_REGISTRY_AUTO_REGISTRATION_ENABLED = "false"
Running consul agent (slaves) using docker-compose alongside nomad agent (slave) with host as network mode + exposing all required ports.
Example of nomad job: https://github.com/bmd007/statefull-geofencing-faas/blob/master/infrastructure/nomad/location-update-publisher.hcl
Example of consul agent config (docker-compose file): https://github.com/bmd007/statefull-geofencing-faas/blob/master/infrastructure/server2.yml
Disclaimer: the LAB is part of a Cluster Visualization Framework called LiteArch Trafik, which I created as an interesting exercise to understand Nomad and Consul.
It took me a long time to shift my mind from K8S to Nomad and Consul;
integrating them was one of the efforts I spent time on in the last year.
When service resolution doesn't work, I found out it's more or less the DNS configuration on the servers.
There is a section for it in the HashiCorp documentation called DNS Forwarding:
Hashicorp DNS Forwarding
I have created a LAB which explains how to set up Nomad and Consul.
But you can use the LAB separately.
I created the LAB after learning the hard way how to install the cluster and how to integrate Nomad and Consul.
For the LAB you need Ubuntu Multipass installed.
You execute one script and you get a fully functional cluster locally with three servers and three nodes.
It also shows you how to install Docker and integrate the services with Consul and DNS on Ubuntu.
After running the LAB you will get the links to Nomad, Fabio, Consul.
Hopefully it will guide you through the learning process of Nomad and Consul
LAB: LAB
Trafik: Trafik Visualizer

How to use Rundeck service from local browser using IP address?

I have installed Rundeck in Docker on an EC2 instance.
When I run the image and start Rundeck, it's fine.
lynx http://localhost:4440
is able to show the Rundeck dashboard.
But how can I access this Rundeck from a Windows browser?
I tried using the address but got connection refused.
In order to access this from outside for your setup, you might have to ensure the following things:
Ensure that host server (ec2) is forwarding ports to the docker container. You should have used -p or -ports when launching the container for this.
Test: From your EC2 instance, you should be able to access: http://localhost:4440
Ensure you have a public IP assigned to your EC2. You should be able to see that from your aws ec2 console: http://console.aws.amazon.com/ec2
Ensure that your security group(s) for that instance has InBound connections to accept 4440 from your IP or rest of the world.
After this, your http://<public-ip>:4440 should work.
I hope I got your question correct.
Let me know how it goes,
Thanks,
Anoop

Proxying Docker Containers as Subdomains

I'm looking to proxy docker containers as subdomains of the docker host as below. I've seen several solutions that can accomplish something similar, but none really fit our need.
Host Machine: Corporate VPS running RHEL 7.2
Host Domain: host.net (fakename - but it's behind a corporate intranet, not reachable from public)
DNS Server: DNS for host.net is delegated to the host machine, so I need to run a dns server on :53 (this is new, which is why one isn't already setup)
Host IP: 172.16.10.12
Docker: v1.10
Subnet: dockernet 192.168.222.1/24
Subnet dns (docker created): dnsmasq on 192.168.122.1:53
Goal:
dnsmasq on host machine to serve host.net from 172.16.10.12
proxy all subdomains (*.host.net) to subnet dockernet so that any container joined to dockernet would be reachable by containername.host.net, containerhostname.host.net, alias1.host.net, etc.
have this happen automatically for any container that connects to dockernet
to have containers treated as hosts so we don't have to manually open up ports through docker: ex: rediscontainer.host.net:6379
Questions / Issues:
can't start dnsmasq on host machine because docker has already bound 192.168.122.1:53 - I believe I can configure dnsmasq to not listen on a specific IP, but I'm new to this
what's a relatively easy way to configure this? I was hoping I could configure dnsmasq and iptables to do this, but I'm not sure how to go about it, or if these two could accomplish my goal.
I assume that docker's built in dns for user defined networks is the easiest way to automate container name resolution, but is there an easier way?
My apologies for any ambiguity as I'm new to dns, subnets, etc. Any help is greatly appreciated!
Eric
I implemented such dynamic subdomains per container using nginx-proxy.
This article also explains how to achieve the same from the nginx base image and docker-gen to generate the nginx conf from docker events.

Provision Amazon EC2 instance with salt-cloud from a machine w/o public IP

OK, I am quite a newbie in the SaltStack world, but after 2 days of being stuck with this issue I'm starting to feel a bit stupid too.
I would like to have a simple 1:1 configuration:
[Master] Vagrant/VirtualBox/Ubuntu with salt & salt-cloud installed
[Minion] Amazon EC2 machine, conveniently provisioned with state files I have in [Master].
I have reached the step where I am able to create the Minion instance thanks to salt-cloud, but I am stuck at the next step: I don't know how I can
Transfer .sls files to the Minion
Run the top.sls at Minion side to perform the provision
The fact is that every salt-cloud command seems to work (I am able to create, list and delete the Amazon EC2 instance from the command line), but I cannot connect to the Minion with any salt command; I just get a timeout ("Minion did not return").
Moreover, I am not comfortable with this architecture because the Minion could receive the Master's requests, but on the other end it doesn't have visibility of the Master, since the Master is not publicly reachable (and I don't want it to be).
What am I missing to be able to have an architecture as simple as this?
The problem you're running into is that the Salt Minion probably can't find a route back to your laptop. Your laptop is most likely behind a NAT firewall.
Your Salt Minion must be able to reach your Salt Master on ports 4505 and 4506. Once you've got that working, you should be fine. You're probably going to want to have your Salt Master on EC2 or somewhere that can be reached easily by your minion on EC2.
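Both this thread and the Rundeck one above come down to the same question: does a TCP connection to the expected address and port succeed, get refused, or time out? The three outcomes point at different layers on EC2, and "connection refused" in particular rules out the security group, which drops rather than rejects. The probe below is added by the editor, not code from either answer or from Salt or Rundeck; the EC2 hints are the editor's reading of each outcome, the hostnames in the commented usage are placeholders, and demo() exercises the classifier on a loopback listener so it runs without network access.

```python
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:   # host answered with RST: nothing listening there
        return "refused"
    except socket.timeout:           # SYNs silently dropped somewhere on the path
        return "timeout"
    except OSError:                  # no route, DNS failure, network down
        return "unreachable"
    finally:
        s.close()


# What each outcome usually means on EC2 (editor's reading, written for the
# Rundeck 4440 case and the Salt 4505/4506 case).
HINTS = {
    "open": "listener reached; if the app still misbehaves, look above the network",
    "refused": "packets arrive and the host replies RST: nothing is bound to that "
               "address/port (container port not published with -p, published on "
               "127.0.0.1 only, or the Salt master not running); security groups "
               "and network ACLs never produce this, they drop silently",
    "timeout": "SYNs are dropped: security group, network ACL, on-host firewall, "
               "or the target sits behind NAT with no port forward (a laptop Salt master)",
    "unreachable": "no route or no DNS answer: wrong address, or no IGW/NAT path "
                   "out of this subnet",
}


def diagnose(host, port, timeout=3.0):
    state = probe(host, port, timeout)
    return state, HINTS[state]


def check_many(targets, timeout=3.0):
    """targets: iterable of (label, host, port). Returns {label: state}.
    A Salt minion needs both 4505 (publish) and 4506 (return) to the master."""
    return {label: probe(host, port, timeout) for label, host, port in targets}


def demo():
    """Loopback demonstration: 'open' while a listener exists on an ephemeral
    port, then 'refused' once it is closed. No external network involved."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())
    # On the EC2 host (Rundeck) or the minion (Salt) a practitioner would run e.g.:
    # print(check_many([("rundeck-local", "127.0.0.1", 4440),
    #                   ("salt-publish", "salt-master.example", 4505),
    #                   ("salt-return", "salt-master.example", 4506)]))
```

Run it first from inside the instance against 127.0.0.1 and then from outside against the public IP: "open" locally but "refused" remotely means the container port is published on loopback only (check the PORTS column of docker ps for 0.0.0.0:4440 rather than 127.0.0.1:4440), while "open" locally and "timeout" remotely means the security group or network ACL is the layer to fix.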
