dev-resources.site

for different kinds of informations.

Traefik v2 with Docker Swarm

Published at

12/6/2019

Traefik v2 with Docker Swarm

I've been a happy user of Traefik all through the v1.x series but with v2.1 coming out I began to have a proper look at upgrading. The docs are very thorough, but as with a lot of thorough docs also not very enlightening about 'how do I do the thing?'.

So after a bit of faffing about, watching yotube videos (the files here are modified versions of the compose-style ones attached to the video) etc I've got something running. This is a very basic 'just get it up and running' example - mostly as an aide-memoire for myself and hopefully to give some pointers to other people migrating from v1 to v2. I'm assuming familiarity with Traefik v1 so I'm not documenting everything line by line.

The stack files

Our setup is a traefik instance running listening on an overlay network called 'proxy'. Any web apps that need to talk to the outside world also sit on that network and have the magic traefik labels set so they get picked up. So the v2 traefik file I have so far is :

version: "3.3"

services:
  traefik:
    image: traefik:v2.0
    restart: always
    container_name: traefik
    ports:
      - "80:80"
      - "8080:8080" # traefik dashboard
      - "443:443"
    command:
      - --api.insecure=true # set to 'false' on production
      - --api.dashboard=true # see https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode for how to secure the dashboard
      - --api.debug=true # enable additional endpoints for debugging and profiling
      - --log.level=DEBUG # debug while we get it working, for more levels/info see https://docs.traefik.io/observability/logs/
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.web-secured.address=:443
      - --certificatesresolvers.mytlschallenge.acme.httpChallenge.entrypoint=web
      - --certificatesresolvers.mytlschallenge.acme.email=you@whatever.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    volumes:
      - letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.api.rule=Host(`traefik.yourdomain.com`)"
        - "traefik.http.routers.api.service=api@internal" # Let the dashboard access the traefik api

networks:
  proxy:
    external: true

volumes:
  letsencrypt:

And a basic example wordpress stack file :

version: "3.3"

services:

  wordpress:
    image: wordpress
    restart: always
    container_name: wp
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - wordpress:/var/www/html
    networks:
      - proxy
      - backend
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.wordpress.rule=Host(`wordpress.yourdomain.com`)"
        - "traefik.http.routers.wordpress.entrypoints=web"
        - "traefik.http.services.wordpress.loadbalancer.server.port=80" # it seems you always need to give traefik a port so it 'notices' the service
        - "traefik.http.routers.wordpress-secured.rule=Host(`wordpress.yourdomain.com`)"
        - "traefik.http.routers.wordpress-secured.entrypoints=web-secured"
        - "traefik.http.routers.wordpress-secured.tls.certresolver=mytlschallenge"

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql
    networks:
      - backend

networks:
  backend:
  proxy:
    external: true

volumes:
  db:
  wordpress:

Using it

# assuming you are on a swarm master node
docker network create --driver=overlay proxy
docker stack deploy -c traefik.yml traefik
docker stack deploy -c wordpress.yml wordpress

After a short delay you should be able to visit the urls defined in the stack files on both http and https.

CI/CD

As each traefik-enabled service now has labels that have names to make them unique (eg, traefik.http.routers.wordpress.entrypoints=web) having a stack file with something like traefik.http.routers.${STACK_NAME}.entrypoints=web, traefik.http.routers.${STACK_NAME}-secured.entrypoints=web-secured is probably worth thinking about so you can do :

export STACK_NAME=wordpress
docker stack deploy -c wordpress.yml ${STACK_NAME}

and tie things together.

Further

Obviously this is a very basic setup. To take this into production you'd be looking at consul for the letsencrypt store, sensible deploy: flags, not giving traefik access
to the docker socket directly etc. But as a 'how on earth do I use v2' I hope it helps someone and saves them having to dig through things for
as long as I did.

swarm Article's

30 articles in total