Incomplete Docu #1091

Closed
Berndinox opened this issue Feb 1, 2017 · 15 comments

@Berndinox

Berndinox commented Feb 1, 2017

What version of Traefik are you using (traefik version)?

docker - traefik:latest

What is your environment & configuration (arguments, toml...)?

Traefik (proxy.yaml)

version: "3.0"

services:
  traefik:
    image: traefik
    networks:
     - proxy
    command: --web --docker.swarmmode --docker.domain=berndklaus.at --docker.watch --docker.endpoint=unix://var/run/docker.sock
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      #- ./traefik.toml:/etc/traefik/traefik.toml
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager


networks:
  proxy:
    external: true

WhoamI (whoami.yaml)

networks:
  proxy:
    external: true
root@swarm1:~# cat whoami.yaml
version: "3"
services:
  web:
    image: emilevauge/whoami
    networks:
      - proxy
    deploy:
      labels:
        - "traefik.port=80"
        - "traefik.docker.network=proxy"
        - "traefik.frontend.rule=Host:whoami.berndklaus.at"
      replicas: 3

networks:
  proxy:
    external: true

What I wanna do:

Would like to enable SSL (Letsencrypt Support).

I'm new to traefik, and I do miss information:

  • on how to add a custom configuration (.toml) within a docker compose swarm
  • list of commands available. (I'm not able to exec into the container)
  • do I need a custom configuration to enable Letsencrypt?
  • if I do use a custom config, do the config changes generated by the docker backend extend the custom config or overwrite it?

Maybe someone can help me ;)

@raarts

raarts commented Feb 7, 2017

I am having the exact same problem. How to enable letsencrypt with a docker deploy setup?

@raarts

raarts commented Feb 7, 2017

I found an example here, #750 (specifying options on the traefik command line), but it would require traefik to be restarted when adding a letsencrypt domain.

@raarts

raarts commented Feb 7, 2017

Ok, I got it to work with the following config:

version: "3"
services:
  proxy:
    image: traefik
    command: \
  --web --docker --docker.swarmmode --docker.domain=docker.localhost --docker.watch \
  --logLevel=DEBUG \
  --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' \
  --entryPoints='Name:https Address::443 TLS' \
  --acme.entryPoint=https --acme.email=ron.arts@xxxxxx.com \
  --acme.storage=/etc/traefik/acme/acme.json \
  --acme.domains=xxxxxx.com \
  --acme.ondemand=true \
  --acme.onhostrule=true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefikdata:/etc/traefik/acme
    deploy:
      placement:
        constraints:
          - node.labels.env == prod
          - node.role == manager

volumes:
  traefikdata:
    driver: local-persist
    driver_opts:
      mountpoint: /data/traefik

networks:
  proxy:
    driver: overlay

Though, auto-redirect from 80 to 443 doesn't work yet.

@raarts

raarts commented Feb 7, 2017

Alright, auto-redirect works if you specify deploy labels like this:

  viz:
    image: manomarks/visualizer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      proxy:
        aliases:
         - monitor_viz
    deploy:
      labels:
        - traefik.port=8080
        - traefik.backend=monitor_viz
        - traefik.docker.network=proxy
        - traefik.frontend.rule=Host:viz.xxxxx.com
        - traefik.frontend.entryPoints=http,https

networks:
  proxy:
    external:
      name: proxy_proxy

You need to specify both http and https as entrypoints.

@Berndinox
Author

Hi @raarts, thanks for the update. Amazing!

@raarts

raarts commented Feb 8, 2017

Note: for keeping the downloaded certificates I used a host-mount with the local-persist driver. This means you still cannot move the traefik container around easily. Also traefik needs to run on a manager node. I prepared all my manager nodes with a /data/traefik directory.

@Berndinox
Author

Thanks for the hint!!
I'll use this with a portworx shared volume across hosts in the swarm: https://github.com/Berndinox/swarm_portworx

@emilevauge
Member

@Berndinox @raarts if you think the documentation needs some upgrade, your help is welcome :)

@Berndinox
Author

@emilevauge atm I do not feel confident enough to do so, but maybe I will.. ;)

All the docu is around the toml.conf, but I think there should be more about docker-specific things:

  • how to create a traefik service in swarm
  • best practices for configuring traefik inside docker
  • real world examples (?)

BR

@raarts

raarts commented Feb 9, 2017 via email

@Berndinox
Author

@raarts I've got one other question: would it also work if I do not persist the acme folder into a volume?
Because when I scale the traefik service the same volume is mapped multiple times, and so I got doubled entries for my subdomains. Thanks :)

@raarts
Copy link

raarts commented Feb 11, 2017

I don't think that will work. I think there are two approaches, (1) is to make sure only one container runs per host. Docker deploy does not support affinity yet, but you can claim for example cpu1 so docker will have no choice but to find another host*). (2) define two services traefik and traefik-letsencrypt, the first one is for scaling, has letsencrypt disabled, and mounts the volume read-only, and the second one has letsencrypt enabled, maybe even has proxying disabled, mounting read-write and isn't scaled.

*) Of course if you have multiple hosts, you still need one location to keep your data, so if you control the hosts, you can create a shared filesystem, using nfs or smbfs or something, and let the hosts mount those shares, the containers won't know or care. If you don't control the hosts, then I have no solution other than spending money on shared-storage-in-the-cloud somewhere, and using a volume driver.
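
Added example, not part of the thread and not Traefik project code: a small Python check for the two storage constraints raised in the comments above, namely that the `--acme.storage` path must sit on a writable mount and that a service with ACME enabled should not be scaled against the same storage. The service names, finding labels and the sample stack are constructed, and the dict is assumed to have the shape a YAML parser returns for a stack file.

```python
import shlex

def acme_storage(service):
    """Return the --acme.storage path from a service command, or None."""
    cmd = service.get("command", "")
    args = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    for arg in args:
        name, _, value = arg.partition("=")
        if name.lower() == "--acme.storage":
            return value
    return None

def writable_mounts(service):
    """Container paths of short-syntax volume entries not mounted ':ro'."""
    paths = []
    for entry in service.get("volumes", []):
        parts = entry.split(":")
        if len(parts) >= 2 and "ro" not in parts[2:]:
            paths.append(parts[1].rstrip("/"))
    return paths

def check_acme_layout(compose):
    """List (service, finding) pairs for the storage problems raised in the thread."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        storage = acme_storage(svc)
        if storage is None:
            continue  # no ACME storage configured on this service
        # Storage outside a writable mount lives only in the container filesystem.
        if not any(storage.startswith(p + "/") for p in writable_mounts(svc)):
            findings.append((name, "storage-not-persisted"))
        deploy = svc.get("deploy", {})
        if deploy.get("mode") == "global" or deploy.get("replicas", 1) > 1:
            findings.append((name, "acme-on-scaled-service"))
    return findings

# Constructed sample, shaped like the parsed YAML of a stack file (assumption).
STORAGE = "--acme.storage=/etc/traefik/acme/acme.json"
SAMPLE = {"services": {
    "proxy": {"command": "--docker --docker.swarmmode " + STORAGE,
              "volumes": ["traefikdata:/etc/traefik/acme"]},
    "proxy-global": {"command": [STORAGE],
                     "volumes": ["traefikdata:/etc/traefik/acme"],
                     "deploy": {"mode": "global"}},
    "proxy-ephemeral": {"command": STORAGE,
                        "volumes": ["/var/run/docker.sock:/var/run/docker.sock"]},
}}

if __name__ == "__main__":
    print(check_acme_layout(SAMPLE))
```

Only the short `source:target[:mode]` volume syntax is handled; a replica that mounts the ACME volume with `:ro` while still passing `--acme.storage` is reported as `storage-not-persisted`.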

@Berndinox
Author

Berndinox commented Feb 12, 2017

The Read-Only approach seems to be nice! Thanks a lot!

@raarts

raarts commented Feb 12, 2017 via email

@pascalandy
Contributor

Thanks for sharing!

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019