Closed DBiernat closed 1 year ago
@tfenster do you know what's going on here?
@DBiernat is the container healthy according to docker ps? And do you see the services, routers and middlewares for that container in the Traefik dashboard?
@tfenster according to the output I would say, the container is healthy.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d582663cd24 traefik:v1.7-windowsservercore-1809 "/traefik --docker.e…" 5 days ago Up 5 days 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8080->8080/tcp magical_sammet
Dashboard:
@DBiernat actually not, which at least explains the behavior. A healthy container should have a status of Up (healthy), e.g. like this:
PS [worker000001]:C:\Users\vm-administrator> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d369e114ae5 bcartifacts/cosmo-bc:onprem-19.1.31886.32186-nl "powershell -Command…" 6 hours ago Up 6 hours (healthy) ef5c753dd577.1.pokupveb224zyjlq2z6bp14u1
Now that I know what to look for, I can see this in your log, where it explicitly states that the health check returns False:
...
Initialization took 48 seconds
Ready for connections!
Reading CustomSettings.config from TEST
Container TEST successfully created
Because of Traefik, the following URLs need to be used when accessing the container from outside your Docker host:
Web Client: https://{host}.{fqdn}/TEST
SOAP WebServices: https://{host}.{fqdn}/TESTsoap
OData WebServices: https://{host}.{fqdn}/TESTrest
Dev Service: https://{host}.{fqdn}/TESTdev
Snapshot Service: https://{host}.{fqdn}/TESTsnap
File downloads: https://{host}.{fqdn}/TESTdl
Health check returns False, restarting container
Removing Session TEST
TEST
Waiting for container TEST to be ready
Initializing...
Setting host.containerhelper.internal to 172.23.80.1 in container hosts file
Restarting Container
...
@freddydk: Have you seen something like this before? And is the health check ignored on the second try?
@tfenster never mind, you're absolutely right! The container isn't healthy. I really didn't notice that.
A quick look into the container log shows the following error (again and again):
2022/09/29 12:18:39 Using high precision timer
time="2022-09-29T12:18:40+02:00" level=error msg="Failed to retrieve information of the docker client and server host: error during connect: Get \"http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/version\": open //./pipe/docker_engine: message readmode pipes not supported In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running."
time="2022-09-29T12:18:40+02:00" level=error msg="Provider connection error error during connect: Get \"http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/version\": open //./pipe/docker_engine: message readmode pipes not supported In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running., retrying in 466.264916ms"
The host is a Windows Server 2022 Standard (Hyper-V host with Hyper-V) and Docker is running under "Local System".
@DBiernat Interesting, have never seen that before. But that is only Traefik indicating a problem, which might or might not be a real issue. It doesn't explain why the BC container isn't healthy. Do you see anything in the logs of the BC container or with Get-BCContainerEventLog?
@tfenster just to be sure talking about the same thing: The Traefik Container is Up and running without status and the BC Container is Up and Healthy, at least at the end.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d582663cd24 traefik:v1.7-windowsservercore-1809 "/traefik --docker.e…" 5 days ago Up 5 days 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8080->8080/tcp magical_sammet
6778712ee1de mcr.microsoft.com/businesscentral:10.0.20348.887 "powershell -Command…" 5 days ago Up 5 days (healthy) 80/tcp, 443/tcp, 1433/tcp, 7045-7049/tcp, 7083/tcp, 8080/tcp TEST
The event log I will check tomorrow.
Ah sorry, I didn't realize that. That actually looks good. The BC container is healthy and the traefik container doesn't have a health check, so that is fine as well. Can you share the output of docker inspect magical_sammet?
{
"Id": "6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1",
"Created": "2022-09-29T10:17:52.6523891Z",
"Path": "/traefik",
"Args": [
"--docker.endpoint=npipe:////./pipe/docker_engine"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 1280,
"ExitCode": 0,
"Error": "",
"StartedAt": "2022-09-29T10:22:13.4153635Z",
"FinishedAt": "2022-09-29T12:21:46.4784299+02:00"
},
"Image": "sha256:0fe8cd7f2792b2846bba0ec097dd8b13686688eaacc32a4e789952137e619ede",
"ResolvConfPath": "",
"HostnamePath": "",
"HostsPath": "",
"LogPath": "C:\\ProgramData\\docker\\containers\\6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1\\6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1-json.log",
"Name": "/magical_sammet",
"RestartCount": 0,
"Driver": "windowsfilter",
"Platform": "windows",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"c:\\programdata\\bccontainerhelper\\traefikforbc\\config:c:/etc/traefik",
"\\\\.\\pipe\\docker_engine:\\\\.\\pipe\\docker_engine"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"443/tcp": [
{
"HostIp": "",
"HostPort": "443"
}
],
"80/tcp": [
{
"HostIp": "",
"HostPort": "80"
}
],
"8080/tcp": [
{
"HostIp": "",
"HostPort": "8080"
}
]
},
"RestartPolicy": {
"Name": "always",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "",
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 0,
"ConsoleSize": [
0,
0
],
"Isolation": "hyperv",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DeviceRequests": null,
"KernelMemory": 0,
"KernelMemoryTCP": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": null,
"ReadonlyPaths": null
},
"GraphDriver": {
"Data": {
"dir": "C:\\ProgramData\\docker\\windowsfilter\\6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1"
},
"Name": "windowsfilter"
},
"Mounts": [
{
"Type": "bind",
"Source": "c:\\programdata\\bccontainerhelper\\traefikforbc\\config",
"Destination": "c:\\etc\\traefik",
"Mode": "",
"RW": true,
"Propagation": ""
},
{
"Type": "npipe",
"Source": "\\\\.\\pipe\\docker_engine",
"Destination": "\\\\.\\pipe\\docker_engine",
"Mode": "",
"RW": true,
"Propagation": ""
}
],
"Config": {
"Hostname": "6d582663cd24",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"443/tcp": {},
"80/tcp": {},
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": null,
"Cmd": [
"--docker.endpoint=npipe:////./pipe/docker_engine"
],
"Image": "traefik:v1.7-windowsservercore-1809",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/traefik"
],
"OnBuild": null,
"Labels": {
"org.opencontainers.image.description": "A modern reverse-proxy",
"org.opencontainers.image.documentation": "https://docs.traefik.io",
"org.opencontainers.image.title": "Traefik",
"org.opencontainers.image.url": "https://traefik.io",
"org.opencontainers.image.vendor": "Traefik Labs",
"org.opencontainers.image.version": "v1.7.34"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"443/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "443"
}
],
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
}
],
"8080/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "8080"
}
]
},
"SandboxKey": "6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"nat": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "c5decb2a4f0a5d20e04cf539cfbacff157ad661fed6d6f81e70cfe3f89757f66",
"EndpointID": "d4342d82a3bb4b161764398ef0c824707038c3abf6acde67e6ba5b3c57fd6bb7",
"Gateway": "172.23.80.1",
"IPAddress": "172.23.91.216",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "00:15:5d:9c:15:56",
"DriverOpts": null
}
}
}
}
@tfenster Do we still need the BcContainer event logs? If that is the case, then I would recreate the container again.
No, I don't think so. I need to figure out what changed, but it looks like the Docker engine is not accessible from within the traefik container, maybe because of the hyperv setup
@DBiernat Could you try to run your Setup-TraefikContainerForBcContainers command again, but with the additional parameters -traefikImage "traefik:v1.7.33-windowsservercore-1809" -recreate? I have to be honest, I am guessing a bit here...
@tfenster That doesn't make a difference. Same error(s) inside the Traefik container. Is there anything else I can do?
@DBiernat No, I'll try to repro on my side. Did you create this VM through aka.ms/getbc?
@tfenster No, it is an OnPrem Hyper-V Server, where Hyper-V is activated on the virtual machine.
ok, I'll try to see whether I can repro on an Azure VM (luckily I don't have OnPrem infra anymore ;) ). Let's see if it behaves the same or differently there. Do you have the exact steps to set up the machine? Install docker, install bcch etc? I would try to stay as close as possible to your environment
It's been a while, since I installed that machine, but basically the following steps have been done (if I remember correctly):
OK, thanks. Just to be sure: With step 3 and installing WAC, you automatically got Docker?
This is at least what I remember. The following article describes this as well, may be on manually installing Containers Extension from the WAC.
OK, understood. I'll try to repro on my side, but it might take a couple of days until I find the time
Couldn't resist 😂 And indeed, I could repro. The problem seems to be hyperv isolation, maybe a security "feature" that changed in the latest releases. So I created a new traefik image for ltsc2022 (see https://github.com/tfenster/traefik-for-windows/actions/runs/3199935607/jobs/5226307992 for the build and https://github.com/tfenster/traefik-for-windows/blob/1.7/Dockerfile for the Dockerfile), which can also be used with process isolation on Windows Server 2022. With that, it works for me. Could you try to run your Setup-TraefikContainerForBcContainers command once more, but this time with the additional parameters -traefikImage "tobiasfenster/traefik-for-windows:v1.7.34" -recreate? For me, that makes it work
Reading this, I actually thought about (in the ARM templates) to build the traefik container on the fly instead of using a pre-built image.
@tfenster Unfortunately, that did not work either.
PS C:\Users\Administrator.GLI-BS> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
635c63804eae mcr.microsoft.com/businesscentral:10.0.20348.1006 "powershell -Command…" 7 minutes ago Up 3 minutes (healthy) 80/tcp, 443/tcp, 1433/tcp, 7045-7049/tcp, 7083/tcp, 8080/tcp TEST
9da3688de27f tobiasfenster/traefik-for-windows:v1.7.34 "/traefik --docker.e…" 11 minutes ago Up 11 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8080->8080/tcp pensive_jennings
PS C:\Users\Administrator.GLI-BS> docker container logs 9da3688de27f
2022/10/07 12:37:21 Using high precision timer
time="2022-10-07T12:37:22+02:00" level=error msg="Failed to retrieve information of the docker client and server host: error during connect: Get \"http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/version\": open //./pipe/docker_engine: message readmode pipes not supported In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running."
time="2022-10-07T12:37:22+02:00" level=error msg="Provider connection error error during connect: Get \"http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/version\": open //./pipe/docker_engine: message readmode pipes not supported In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running., retrying in 628.867277ms"
Sorry, please remove the -isolation hyperv as well
@tfenster That's better, it's working now. Just to be clear, normally it should work with isolation Hyper-V as well, right?
It has worked in the past, but Microsoft might have changed the security policy, so that non-admin users from a container can no longer access the docker engine pipe in hyperv iso. But running traefik in process isolation makes more sense anyway
@freddydk Would you accept a PR to fix this with my image?
@tfenster - sure - and thanks
This PR was merged yesterday and is available in the latest prerelease, Thanks @tfenster
Shipped in 4.0.6
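An added example (not part of the thread and not bccontainerhelper code): a PowerShell check for the condition diagnosed above, a container that mounts the Docker engine named pipe, runs under hyperv isolation and logs pipe connection errors. The function name Test-DockerPipeAccess is hypothetical, and the sample inspect JSON and log lines are constructed and abbreviated from the output quoted in this thread.

```powershell
# Added example. Sample data below is constructed (abbreviated from this thread).
# On a live host: $inspect = docker inspect <name> | ConvertFrom-Json
#                 $logs    = docker container logs <name> 2>&1 | ForEach-Object { "$_" }
$inspect = @'
[{
  "Name": "/magical_sammet",
  "HostConfig": { "Isolation": "hyperv" },
  "Mounts": [
    { "Type": "bind",  "Source": "c:\\programdata\\bccontainerhelper\\traefikforbc\\config", "RW": true },
    { "Type": "npipe", "Source": "\\\\.\\pipe\\docker_engine", "RW": true }
  ]
}]
'@ | ConvertFrom-Json
$logs = @(
    '2022/09/29 12:18:39 Using high precision timer',
    'time="2022-09-29T12:18:40+02:00" level=error msg="Provider connection error error during connect: open //./pipe/docker_engine: message readmode pipes not supported"'
)

function Test-DockerPipeAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Inspect,
        [string[]] $LogLines = @()
    )
    # Log lines where the Docker provider failed to open the engine pipe
    $pipeErrors = @($LogLines | Where-Object { $_ -match 'level=error' -and $_ -match 'pipe/docker_engine' })
    foreach ($c in $Inspect) {
        # Named-pipe mounts that expose the Docker engine to the container
        $pipeMounts = @($c.Mounts | Where-Object { $_.Type -eq 'npipe' -and $_.Source -like '*docker_engine' })
        $isolation  = $c.HostConfig.Isolation
        if ($pipeMounts.Count -eq 0) {
            $finding = 'Docker engine pipe is not mounted'
        } elseif ($pipeErrors.Count -gt 0 -and $isolation -eq 'hyperv') {
            $finding = 'Pipe mounted but unusable under hyperv isolation; the thread resolved this with process isolation'
        } elseif ($pipeErrors.Count -gt 0) {
            $finding = 'Pipe mounted but connection errors logged; check daemon state and permissions'
        } else {
            $finding = 'Pipe mounted and no connection errors logged'
        }
        [pscustomobject]@{
            Container      = $c.Name.TrimStart('/')
            Isolation      = $isolation
            EnginePipe     = ($pipeMounts.Count -gt 0)
            PipeWritable   = [bool]($pipeMounts | Where-Object { $_.RW })
            PipeErrorLines = $pipeErrors.Count
            Finding        = $finding
        }
    }
}

Test-DockerPipeAccess -Inspect $inspect -LogLines $logs | Format-List
```

A container with the engine pipe mounted can control the Docker daemon on the host, so the report lists the mount even when no errors are logged.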
Describe the issue
I'm getting a "page not found" error message by calling the web client (https://{host}.{fqdn}/{containerName}). Calling the web client on the host (https://{containerName}/{containerName}) is working. Traefik Dashboard (host.ipAddress:8080/dashboard/) is reachable.
I don't have a clue where the problem is.
Scripts used to create container and cause the issue
Full output of scripts
Additional context
Traefik setup script
Full output of Traefik script
Mode LastWriteTime Length Name
d----- 29.09.2022 12:17 traefikforbc
Mode LastWriteTime Length Name
-a---- 29.09.2022 12:17 0 traefik.txt
d----- 29.09.2022 12:17 my
d----- 29.09.2022 12:17 config
Mode LastWriteTime Length Name
-a---- 29.09.2022 12:17 0 acme.json
Create traefik config file
Traefik image already up to date
Running traefik
6d582663cd24c7e4d05d884720b753995a476122668c69fcbb9bdfae0dd10af1
True
debug = false
defaultEntryPoints = ["https","http"]
insecureSkipVerify = true
[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security
[docker]
domain = "{host}.{fqdn}"
watch = true
endpoint = "npipe:////./pipe/docker_engine"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
[[entryPoints.https.tls.certificates]]
certFile = "c:/etc/traefik/certificate.crt"
keyFile = "c:/etc/traefik/certificate.key"
[acme]
email = "Development@{fqdn}"
storage = "c:/etc/traefik/acme.json"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "{host}.{fqdn}"