submitted 1 month ago* (last edited 1 month ago) by ohshit604@sh.itjust.works to c/selfhosted@lemmy.world

Evening y’all

I’ll try to keep it brief: I need to move my reverse proxy (traefik) to another machine, and I’m opting to utilize Docker Swarm for the first time. This way I’m not exposing a bunch of ports on my main server over my network, so ideally I’d like to have almost everything listening on localhost while traefik does its thing in the background.

Now I gotta ask: is Docker Swarm the best way to go about this? I know very little about Kubernetes, and from what I’ve read/watched it seems like Swarm was designed for this very purpose; however, I could be entirely wrong here.

What are some key changes that differentiate typical Compose files from Swarm?

Snippet of my current compose file:

services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    container_name: homepage
    networks:
      main:
        ipv4_address: 172.18.0.2
    environment:
      PUID: 0 # optional, your user id (0 = root inside the container)
      PGID: 0 # optional, your group id (0 = root inside the container)
      HOMEPAGE_ALLOWED_HOSTS: MY.DOMAIN,* # the "*" entry allows any Host header, which makes listing MY.DOMAIN redundant
    ports:
      - '127.0.0.1:80:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`MY.DOMAIN`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      main:
        ipv4_address: 172.18.0.26
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      # - ./opt:/opt
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.MY.DOMAIN`)"
      #- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.MY.DOMAIN`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth" # while this stays commented out, api@internal (the dashboard) is served without any credentials
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=MY.DOMAIN"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.MY.DOMAIN"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # This was a second "traefik.http.routers.traefik.middlewares=..." label; duplicate label keys are
      # not merged, so it silently replaced the https redirect above. Attach fail2ban to the https router instead.
      - "traefik.http.routers.traefik-secure.middlewares=fail2ban@file"

networks:
  main:
    external: true
    # The Compose spec treats any attribute other than name as invalid next to external: true,
    # so the subnet/gateway belong where the network is created, e.g.
    #   docker network create --subnet 172.18.0.0/16 --gateway 172.18.0.1 main
    # ipam:
    #   config:
    #     - subnet: 172.18.0.0/16
    #       gateway: 172.18.0.1

I censored out my actual domain with MY.DOMAIN, so if that confuses people, I apologize.

[-] thegreekgeek@midwest.social 3 points 1 month ago

Well, first off, Swarm doesn't work with environment variables, so if you pass any in, you're going to need to pipe the output of docker compose read into docker swarm service create.

Your port settings are gonna give it a problem too: Swarm doesn't support that new syntax, and as a result you can only assign a single network interface to a service.

Regarding networking: since the whole paradigm is that you're not defining a single container but a service that can live/move across multiple nodes, any traffic to any node in your swarm will be routed (round-robin style) across the copies of that service. (This makes logging setup a PITA, ask me how I know!)

Bind mounts aren't recommended; volumes are preferred. Otherwise everything needs to be mirrored across all nodes; it depends on the use case.

That being said I'm not convinced that swarm is the right answer here, I concur with @talentedkiwi@sh.itjust.works. You should just install pangolin on your second machine.
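For anyone who does want to try the Swarm route, here is the poster's snippet rewritten as a stack file for docker stack deploy. This is an added example, not the poster's file and not anything from the Traefik or homepage projects; the stack name "proxy", the overlay network "main", the swarm secret "cf_api_token", the config "traefik_static" and the volumes "homepage_config" and "traefik_acme" are names assumed for the example, and the file-provider middlewares (fail2ban@file, the /custom directory) are left out. The security-relevant differences it shows: Traefik's swarm provider reads labels from deploy.labels, not from the container; a swarm published port carries no bind address, so the way to keep homepage off the host entirely is to publish no port for it and let Traefik reach it over the overlay; container_name, restart and security_opt are ignored by stack deploy; secrets and the static config become swarm secrets/configs rather than bind mounts; and the overlay network can be encrypted between nodes.

```yaml
# Added example (not the original poster's file): deploy with
#   set -a; . ./.env; set +a          # stack deploy reads the shell env, not .env
#   docker stack deploy -c stack.yml proxy
services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    # container_name, restart and security_opt are ignored by stack deploy;
    # the restart policy lives under deploy.restart_policy instead.
    networks:
      - main
    # No ports: at all. Traefik reaches homepage over the overlay network,
    # so nothing is bound on any host for this service.
    environment:
      HOMEPAGE_ALLOWED_HOSTS: MY.DOMAIN   # assumption: drop "*", it disables the host check
    volumes:
      - homepage_config:/app/config       # named volume instead of a bind mount
    deploy:
      replicas: 1
      restart_policy:
        condition: any
      # The swarm provider reads labels from the service (deploy.labels);
      # container-level labels are not seen.
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.homepage.rule=Host(`MY.DOMAIN`)"
        - "traefik.http.routers.homepage.entrypoints=https"
        - "traefik.http.routers.homepage.tls=true"
        # Mandatory here: a swarm service exposes no port Traefik could detect.
        - "traefik.http.services.homepage.loadbalancer.server.port=3000"

  traefik:
    image: traefik:v3.2
    hostname: traefik
    networks:
      - main
    ports:
      # mode: host binds only on the node running the task; the default
      # (mode: ingress) publishes the port on every node via the routing mesh.
      - target: 80
        published: 55262
        mode: host
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token
    secrets:
      - cf_api_token                      # a real swarm secret, declared below
    configs:
      - source: traefik_static
        target: /traefik.yml
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_acme:/acme                # assumes acme storage set to /acme/acme.json
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager          # the swarm provider needs a manager's socket
      restart_policy:
        condition: any
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.entrypoints=http"
        - "traefik.http.routers.traefik.rule=Host(`traefik.MY.DOMAIN`)"
        - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
        - "traefik.http.routers.traefik-secure.entrypoints=https"
        - "traefik.http.routers.traefik-secure.rule=Host(`traefik.MY.DOMAIN`)"
        - "traefik.http.routers.traefik-secure.tls=true"
        - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
        - "traefik.http.routers.traefik-secure.tls.domains[0].main=MY.DOMAIN"
        - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.MY.DOMAIN"
        - "traefik.http.routers.traefik-secure.service=api@internal"
        # Dashboard behind basic auth. If you inline the htpasswd hash instead of
        # using a variable, write every "$" as "$$" so interpolation leaves it alone.
        - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
        - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

networks:
  main:
    driver: overlay
    driver_opts:
      encrypted: "true"                   # IPsec for overlay traffic between nodes

secrets:
  cf_api_token:
    external: true   # created once with: docker secret create cf_api_token ./cf_token.txt

configs:
  traefik_static:
    file: ./config/traefik/traefik.yml    # must configure providers.swarm, not providers.docker

volumes:
  homepage_config:
  traefik_acme:
```

Two things this file assumes that are not in the original snippet: traefik.yml enables the Swarm provider (providers.swarm.endpoint pointing at the mounted socket, ideally with exposedByDefault: false) and points the cloudflare resolver's acme storage at /acme/acme.json, and the .env variables are exported into the shell before deploying, since docker stack deploy does not read .env. Within a stack the network is created as proxy_main; because both services are attached to only that network, Traefik picks it up without a traefik.swarm.network label.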

this post was submitted on 25 Jun 2025