useBindPortIP

Traefik routes requests to the IP/port of the matching container.

=unix:///var/run/docker.sock

Docker API Access

Docker Swarm Mode follows the same rules as Docker API Access. Since the Swarm API is only exposed on the manager nodes, these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":

Port Detection

Docker Swarm does not provide any port detection information to Traefik. Therefore, you must specify the port to use for communication by using the label .server.port (Check the reference for this label in the routing section for Docker).

While in Swarm Mode, Traefik uses labels found on services, not on individual containers. Therefore, if you use a compose file with Swarm Mode, labels should be defined in the

This behavior is only enabled for docker-compose version 3+ (Compose file reference).

To enable Docker Swarm (instead of standalone Docker) as a configuration provider,

Traefik issue GH-4174 about security with Docker socket.
A thread on Stack Overflow about sharing the /var/run/docker.sock file.
Don't expose the Docker socket (not even to a container).
KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice.
Traefik and Docker: A Discussion with Docker Captain, Bret Fisher.
"Paranoid about mounting /var/run/docker.sock?".
SSH public key authentication (SSH is supported with Docker > 18.09).
Accounting at kernel level, by enforcing kernel calls with mechanisms like SELinux, to only allow an identified set of actions for Traefik's process (or the "socket exposer" process).
With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.