4 Important Services Everyone Should Deploy In A Docker Swarm

paulknulst

Paul Knulst

Posted on July 29, 2023

4 Important Services Everyone Should Deploy In A Docker Swarm

Enhance your Docker Swarm with four important services that you will love: Traefik, Portainer, Registry, FTP

In a previous article, I showed how a Docker Swarm is set up in ~15 minutes.

Remember: Whenever you read “Docker Swarm” we are talking about “Docker in Docker Swarm mode”

Within this article, I will show and explain four services everyone should use in their Docker Swarm: traefik, Portainer, Docker-Registry, FTP.

Traefik

Makes Networking Boring
Cloud-Native Networking Stack That Just Works.

One important service in any Docker Swarm is traefik. I use this for assigning domains/subdomains to every docker service. A simple docker-compose.yml can be found on my FTP here. To use this file it is necessary to update the labels for your docker swarm by executing:

export NODE_ID=$(docker info -f '{{.Swarm.NodeID}}')
docker node update --label-add traefik-public.traefik-public-certificates=true $NODE_ID
Enter fullscreen mode Exit fullscreen mode

These two commands assume that you want to have traefik on your manager node! To understand what a manager node have a look at the docker documentation.

Another VERY important step is creating a file named acme.json within the folder where the docker-compose will be stored and do:

chmod 600 acme.json
Enter fullscreen mode Exit fullscreen mode

Furthermore, you have to define a TRAEFIK_USERNAME, TRAEFIK_HASHED_PASSWORD, TRAEFIK_DOMAIN and TRAEFIK_SSLEMAIL:

export TRAEFIK_USERNAME=admin
export TRAEFIK_HASHED_PASSWORD=$(openssl passwd -apr1 testpassword)
export TRAEFIK_DOMAIN=dashboard.YOUR_DOMAIN.tld
export TRAEFIK_SSLEMAIL=your_email@address.de
Enter fullscreen mode Exit fullscreen mode

The last command which has to be executed before you can deploy the service is creating the traefik-public network which will be used across all containers:

docker network create --driver=overlay traefik-public
Enter fullscreen mode Exit fullscreen mode

After this is done it is possible to deploy traefik to your docker swarm:

docker stack deploy -c docker-compose.traefik.yml
Enter fullscreen mode Exit fullscreen mode

Just test it by launching https://dashboard.YOUR_DOMAIN.tld. This domain will use an SSL certificate and you can log in with admin/testpassword if you followed the above instructions.

Portainer

Portainer is a powerful, GUI-based Container-as-a-Service solution that helps organizations manage and deploy cloud-native applications easily and securely.

My docker-compose.yml for Portainer is not special. You can find it here if you need it. Normally there are no differences between my and the one you find if you google for Portainer service.

If you use mine you have to *add a label to your manager!* *This is very important* because Portainer needs a connection to your docker socket. You can add the label with these commands:

export NODE_ID=$(docker info -f '{{.Swarm.NodeID}}')
docker node update --label-add portainer.portainer-data=true $NODE_ID
Enter fullscreen mode Exit fullscreen mode

Furthermore declare the PORTAINER_DOMAIN which will be used.

export PORTAINER_DOMAIN=portainer.$PRIMARY_DOMAIN
Enter fullscreen mode Exit fullscreen mode

After you have done this you can deploy Portainer:

docker stack deploy -c docker-compose.portainer.yml portainer
Enter fullscreen mode Exit fullscreen mode

Timing Note: Make sure you log in and create your credentials soon after Portainer is ready, or it will automatically shut down itself for security. If you didn’t create the credentials on time and it shut down itself automatically, you can force it to restart with:

docker service update portainer_portainer --force
Enter fullscreen mode Exit fullscreen mode

Docker Registry

The Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images. The Registry is open-source, under the permissive Apache license.

The docker registry is important to have in a swarm environment if you don't want to upload your code/data to a public registry. If you don't have any private registry for yourself you have to upload the resulting image to docker-hub each time you extend an official image with your application code. While this is great if you only want to extend functionality in a general way it is not advisable if you copy your website with your closed source code into the image.

Imagine you have a modified Nginx image where the HTML folder is copied into the image:

FROM nginx
COPY html /usr/share/nginx/html
Enter fullscreen mode Exit fullscreen mode

In many cases the html folder will contain your website which you don't want someone to use. If you have a private registry you can build the image and upload it but if you don't have one you have to use a public registry.

That's why I think that every swarm needs to have access to a private registry. And that's why I created one. Normally you can set up a registry with a simple docker run command but I wanted to have a registry that can be reached from everywhere. Because of that, I created a registry that could be accessed by username and password.

My personal docker-compose.yml can be downloaded here. It will run within my Traefik environment and create a new registry that I can use from every node in my swarm. To deploy the service you have to declare some environment variables which are used while deploying: REGISTRY_USERNAME, REGISTRY_HASHED_PASSWORD and REGISTRY_HOST:

export REGISTRY_USERNAME=reg_adm
export REGISTRY_HASHED_PASSWORD=$(openssl passwd -apr1 regsupersecret)
export REGISTRY_HOST=reg.YOUR_DOMAIN.tld
Enter fullscreen mode Exit fullscreen mode

With these variables you can deploy the service:

docker stack deploy -c docker-compose.registry.yml registry
Enter fullscreen mode Exit fullscreen mode

To use the registry you have to do two more things. The first thing is a quality of life feature to easily change the domain of the registry without affecting every container which uses an image from the private registry. *Add DOCKER_REGISTRY to .profile for* ****root**** *or whatever user you are using so it is known if docker-compose files should be pushed/downloaded*. The second task is very important. You have to execute docker login on every node of your swarm so that every node is allowed to pull images.

Now you can start using your private registry in docker-compose.yml. If you created a DOCKER_REGISTRY environment variable you can use it like this in your docker-compose.yml:

myapp:
    image: ${DOCKER_REGISTRY}/simple-app
    build:
      context: ./
      dockerfile: Dockerfile
Enter fullscreen mode Exit fullscreen mode

If you want to deploy a service that contains the above part you have to build and push your image to deploy it correctly:

docker-compose build
docker-compose push
docker stack deploy -c docker-compose.yml www
Enter fullscreen mode Exit fullscreen mode

If you only build and deploy it other nodes in your swarm cannot pull the image and so the service cannot be deployed.

FTP

Another important service is an FTP server for saving files you want to use anywhere in any app or service you create while working with the swarm.

I decided to use “pure-ftp” because it was the one I found while googling for a nice FTP server that runs within a docker environment. Because I want to keep it simple I created an FTP server without any traefik configuration. BUT I did a simple trick in putting the FTP server together with a website in a docker-compose.yml. I have done this because I want to have the possibility to download files from the server over https which I uploaded with ftp.

After configuration, I came up with this docker-compose.yml. Within the file, you can see that I use a custom Dockerfile for the web service which contains:

FROM nginx
COPY html /usr/share/nginx/html
Enter fullscreen mode Exit fullscreen mode

The trick I describe is just the defined volume within the docker-compose.yml. As you can see I defined data in both services. Within web-service I just have an extra folder within the Nginx HTML folder so that I can access it from the web. And within the ftp-service I define data as the place where user can upload their data.

Before it is possible to deploy this service you have to declare environment variables: FTP_USERNAME, FTP_PASSWORD, FTP_DOMAIN_FOR_CERT, FTP_ORG_FOR_CERT, FTP_COUNTRYCODE_FOR_CERT and WEBSERVICE_DOMAIN:

export WEBSERVICE_DOMAIN=www.MYDOMAIN.tld
export FTP_USERNAME=SUPERUSER
export FTP_PASSWORD=clearTextPW
export FTP_DOMAIN_FOR_CERT=$WEBSERVICE_DOMAIN
export FTP_ORG_FOR_CERT=mybusiness
export FTP_COUNTRYCODE_FOR_CERT=DE
Enter fullscreen mode Exit fullscreen mode

Furthermore, you have to add a label to any node of your swarm. To achieve this use docker node ls to find out the ID from every node and execute:

docker node update --label-add www.ftp-data=true ID_OF_NODE_TO_USE
Enter fullscreen mode Exit fullscreen mode

After this is done you can safely deploy your website with enabled FTP

docker stack deploy -c docker-compose.web.yml webandftp
Enter fullscreen mode Exit fullscreen mode

Now it is possible to connect with an FTP client to your WEBSERVICE_DOMAIN and upload a file (test.txt) which then can be accessed by this URL: WEBSERVICE_DOMAIN/data/test.txt

The whole FTP docker service can be downloaded from my GitHub:

https://github.com/paulscode-de/ftp-server

It is very important to say that you only can connect with your WEBSERVICE_DOMAIN if this domain also has an A record to your manager node!

5. Closing Notes

I hope you find this article helpful and can use my provided files to set up these services within your own Docker Swarm.

In my humble opinion, these four services should be present in every Docker Swarm environment because they are mandatory (or exchanged with function-like services).

This article was originally published on my blog at https://www.paulsblog.dev/services-you-want-to-have-in-a-swarm-environment/

Feel free to connect with me on my blog, Medium, LinkedIn, Twitter, and GitHub.


🙌 Support this content

If you like this content, please consider supporting me. You can share it on social media or buy me a coffee! Any support helps!

Furthermore, you can sign up for my newsletter to show your contribution to my content. See the contribute page for all (free or paid) ways to say thank you!

Thanks! 🥰


Photo by frank mckenna / Unsplash

💖 💪 🙅 🚩
paulknulst
Paul Knulst

Posted on July 29, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related