I’m not sure what I did right so here’s a list of the final actions I took to get grocy to work. Using portainer I:
copied the volume patterning of portainer—i.e. container /config and host /home/yunohost.docker/portainer/grocy/config. Maybe this could just be in /home/yunohost.docker/grocy/config though? that might be safer.
Network: I changed this to bridge like portainer instead of grocy_default. Are there security issues with this?
I will have to try for other apps now. Is any of this helpful @tituspijean in realizing what I was doing wrong in the first place? I’d like to make a guide on using portainer in yunohost (because trying to package an app is super confusing to me)
updates: it has to be on a primary domain. book.domain.com/grocy does not work. I don’t know if this is a result of something I did wrong on portainer. It also looks like it has to be nginx proxy pass for allowed users. restarting nginx does not seem necessary.
I also managed to get lazylibrarian set up using this process. it did require restarting nginx though. or maybe it didn’t and it just took longer. not sure yet.
In my tests I usually put ./folder:/folder for the volumes. (beware of the dot!) It means that the data for the container will be put in the directory where the docker-compose.yml file lies.
So, I removed everything related to Bookstack too, and tried Lazylibrarian. It worked right away!

```bash
cd $your_path_to_yml_file
docker-compose up -d
# It will take some time to initialize after starting up the container
# Meanwhile
yunohost app install redirect -a "label=LazyLibrarian&domain=book.domain.com&path=/&redirect_path=http://127.0.0.1:5299&redirect_type=private_proxy"
```

And it worked directly.
I cannot quite acknowledge everything you did and tried, but I will try.
I am not sure what you copied and where to. This kind of thing should be managed by Portainer, you should not have to tinker with that.
Regarding the network: a bridge, as far as my limited knowledge allows me to understand, makes the container available on a subnetwork managed by the host. Some explanations can be found here. But that’s the default Docker behaviour. There should not be issues as long as you do not open ports on the host or create routing rules between your main network interface and the containers subnetwork.
Yeah, that variable is most likely specific to Bookstack, it tells it to expect browsing with URL starting by that.
For your guide: always use the proxy options (either public or private, that’s up to you). It will not work if you choose the 301 or 302 options. These two latter options will basically make Nginx tell your visitors to go to http://127.0.0.1:port or whatever. But that’s on their own computer, not your host. With the proxy options, it tells Nginx to fetch itself the http://127.0.0.1:port pages, which are indeed the container’s, and serve it to the visitors. So to summarize:
public_302 and public_301: not OK
public_proxy and private_proxy: OK
Regarding the possibility to have a domain.com/path instead of app.domain.com: that’s up to how the app is made. You have to check the app’s README to find out. For Bookstack, since it has an APP_URL variable (it can be named differently for other apps, it’s only a variable), I guess it is open to different paths.
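The difference between the 301/302 and proxy options described in the post above can be checked from the response headers. This is an added example, not code from the thread or from YunoHost: it reads headers as printed by `curl -sI` and reports whether the server is sending visitors to a loopback address. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Reads HTTP response headers on stdin, e.g. from:
#   curl -sI https://book.domain.com/
# Prints one verdict:
#   NO_REDIRECT        the server answered itself (what a proxy option gives)
#   LOOPBACK_REDIRECT  301/302 to 127.x / localhost / [::1], which resolves to
#                      the visitor's own machine, not to the container
#   OTHER_REDIRECT     301/302 to some other host (for instance a login page)
redirect_verdict() {
    tr -d '\r' | awk '
    NR == 1 { status = $2 }                       # "HTTP/1.1 302 ..." -> 302
    tolower($1) == "location:" { loc = $2 }
    END {
        if (status != "301" && status != "302") { print "NO_REDIRECT"; exit }
        host = loc
        sub(/^[a-z]+:\/\//, "", host)             # drop the scheme
        sub(/[\/?#].*$/, "", host)                # drop path, query, fragment
        sub(/:[0-9]+$/, "", host)                 # drop the port
        if (host ~ /^127\./ || host == "localhost" || host == "[::1]")
            print "LOOPBACK_REDIRECT"
        else
            print "OTHER_REDIRECT"
    }'
}

# Constructed sample: what a 302-type redirect to the container port looks like.
sample_302() {
    printf 'HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n'
    printf 'Location: http://127.0.0.1:5299/\r\n\r\n'
}

# Constructed sample: the same site behind a proxy-type redirect.
sample_proxy() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}

printf '302 option:   %s\n' "$(sample_302 | redirect_verdict)"
printf 'proxy option: %s\n' "$(sample_proxy | redirect_verdict)"
```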
I think you misunderstood—but only because I wasn’t clear! What I meant is that I copied the volume variables (and I think the network ones) from the “portainer” container to another container and that is what made things work.
I read that page too! I don’t know if yunohost changes things, but I’ve had best luck with keeping things on bridge network but I’m still experimenting.
Thanks for #4+5, that’s helpful to know. For the most part I’ve just been making new domains but now I’m pushing 30+ domains and holy hell the diagnosis feature really slows down with a lot more.
Here are the apps I have tried and confirmed working:
trillium
pinry (but I am having a lot of issues trying to get the initial first user registered? i followed the instructions in the docs but it’s not kicking off)
Omeka (right now it’s erroring out but that I think is because I need to do initial setup stuff)
Thanks for this interesting thread! I came across it while looking for the same information in this thread, and I’m happy to see a more detailed discussion going on! However, as explained in the other thread, I lack a bit of insight in how to link up everything (specifically the parts on referral links, ports, etc…, I am not really used to working with these)… I saw that you mentioned writing a short guideline… if it can be of help/motivation: I would be glad to use it/test it out!
I would also like to thank you for rolling this thread out. I got useful hints, and stayed for three nights with testing.
It’s actually pretty easy.
But first I must say, that my goal was to get portainer and nginx proxy manager running on my vps. I wanted nginx proxy manager to manage certificates, etc.
That wasn’t working in any way.
The good news is, you can use portainer and install any other docker apps, but you don’t need (cannot use) the nginx proxy manager. Instead, you can (you must) use yunohost.
1
So, at first you have to install docker for debian. Just follow the official guides.
Get the apt-key for the docker repository, add the repository, update apt and then install docker.
Next step is to set-up portainer with your credentials. Call your server with the IP address over port 9000. http://1.2.3.4:9000
3
To reach portainer, or later other docker apps on your server over a FQDN or sub domain, you must add a DNS entry.
Go to your registrar and add an A-Record or CNAME for portainer.example.org that hints the IP of your server.
On yunohost, add this domain or subdomain to the list of managed names.
4 Then install the yunohost app → redirect
You can install the app several times. Any other instance needs this app again!
Label for Redirect: just give it a name Redirect-portainer
Choose the (sub-)domain for your app instance portainer.example.org
Choose the path for this app (leave empty) /
Redirect destination path
(YOU NEED THE docker portainer → any INSTANCE IP OF THE CONTAINER AND THE PORT to point at), for example: http://172.18.0.1:9000/
For nginx proxy manager it would have been http://172.19.0.4:81 // just an example // not important anymore.
VERY IMPORTANT IS THE Redirect type
CHOOSE Proxy, invisible (nginx proxy_pass). Everybody will be able to access it.
Then click install to get the yunohost redirect app running.
5
Go back to yunohost domains and request a Let’s encrypt certificate for the sub-domain where the docker-app (portainer) runs.
Hey @jensensen2 and @brimwats. It seems I was too confidently cheering on my success in installing portainer/redirect some apps here, as I now get suddenly the error 502 Bad Gateway nginx at all of them.
I don’t know the technical details in depth, but I assume this has to do either with:
Insufficient memory allocation, as indicated in an error log that popped up while trying to create a redirect-app → I assume this was temporary, and not the primary reason for the bad gateway (?) Around the time of this error one of the portainer-containers (Metabase) did shut itself down. On other fora I’ve read that this might be due to insufficient RAM (I have 2 GB for ± 8 YunoHost apps + 2 on portainer)
the thing on nginx you mention here: ?
What I did previously: make a redirect to appname.my.yunohost.me:first portnumber indicated in container (portainer), for example: huginn.my.yunohost.me:49156
it’s the same to me. Anyway, the 5 point guide as mentioned above is okay.
But (still) there are some drawbacks.
When you restart docker the containers may get different IPs. In portainer itself you could/should enter a distinctive static address for each container. Also keep in mind the networks of your apps!
The error 502 Bad Gateway occurs, because the redirect ip changed, and now cannot be reached.
You get rid of it when you give nginx proxy the right IP address.
The ad-hoc workaround would be, changing the proxy settings to the actual, new container IP.
Right now, the greatest disadvantage obviously of the YNH redirect app is, that you cannot edit settings afterwards over GUI.
To do this you can edit the setting files manually:
It’s just the workaround!
No, no, I think there is a misunderstanding.
I didn’t want to install nginx. As I mentioned before, my first idea was, to install portainer, and inside of it, nginx proxy manager.
Anyway, here we are talking about Portainer.
So, by now, portainer (and other container apps) can be reached over secured sub domains. But there’s one problem left.
The server can be reached by HTTPS, but also over its IP. Thus you have to close the exposed public ports.
BTW:
I have tried to fix this with portainer testing package. Its failing on CI, but works for me.
It can be tested by: $ yunohost app install --debug https://github.com/YunoHost-Apps/portainer_ynh/tree/testing
Thank you kanhu.
I had to fix some things during last days.
And to be honest, I’m a little bit afraid, to install the --debug for testing.
What I know so far additionally, is that after reboot, YNH exposes all docker ports to the public.
On the other hand, docker adds many rules to the iptables chains.
After restart the iptables contains even your own settings of the /etc/yunohost/hooks.d/post_iptable_rules/95--my--hooks
Right after rebooting the machine, it seems very important to restart the YNH firewall, also [when you have docker installed].
But before that, it could be a good idea to wait a few seconds, to be sure docker has started.
Now, after restarting the YNH firewall, the iptables differ a lot from those after restart.
This seems exactly what you want:
The YNH settings are good.
Docker is working and the exposed ports are closed.
The settings of the /etc/yunohost/hooks.d/post_iptable_rules/...
are working.
With docker installed you must restart the YNH firewall right after a reboot.
Hey, kanhu, your testing --debug is to prove that?
I would do so, but I have already installed docker and portainer.
I don’t want to spend days repairing again.
What to do // what could we do now?
Uninstall docker and portainer, or
uninstall only portainer…???
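The two problems raised in the posts above (container IPs that change on restart, and container ports reachable on the server's IP) both come down to how each port is published, which can be checked from the host. This is an added example, not code from the thread or from YunoHost: it classifies the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`, where a port published on 127.0.0.1 is a fixed proxy target bound only to the host's loopback, and one published on 0.0.0.0 or :: is bound to every interface. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: one "name<TAB>ports" line per container, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "name<TAB>verdict<TAB>host-binding" line per published port.
classify_bindings() {
    awk -F '\t' '
    {
        n = split($2, entries, /, */)
        for (i = 1; i <= n; i++) {
            e = entries[i]
            arrow = index(e, "->")
            if (arrow == 0) continue           # "80/tcp": exposed, not published
            host = substr(e, 1, arrow - 1)     # e.g. "0.0.0.0:9000"
            if (host ~ /^127\./ || host ~ /^\[::1\]:/)
                verdict = "LOOPBACK"           # only the host itself can connect
            else
                verdict = "PUBLIC"             # wildcard or routable address
            printf "%s\t%s\t%s\n", $1, verdict, host
        }
    }'
}

# Only the bindings that need attention.
public_bindings() {
    classify_bindings | awk -F '\t' '$2 == "PUBLIC"'
}

# Constructed sample of docker ps output (not taken from a real host).
sample_docker_ps() {
    printf 'portainer\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp\n'
    printf 'lazylibrarian\t127.0.0.1:5299->5299/tcp\n'
    printf 'grocy\t80/tcp\n'
}

# On a real host, replace sample_docker_ps with the docker ps command above.
sample_docker_ps | classify_bindings
```

A container listed as LOOPBACK can be used as the redirect destination in the form `http://127.0.0.1:5299`, as in the LazyLibrarian install command earlier in the thread, and that address does not change when Docker restarts.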
I’m using the .local domains and I’m running into similar issues, any idea on how to proceed from here? I just can’t seem to reach anything once it’s running in portainer.
Unfortunately, using the package is giving me the same error as manually installing and configuring a Redirect/Reverse Proxy. Some resources are being SSOed despite being logged in, so I can’t even get past Portainer’s admin setup page.
Then 404 probably means that the sso does let the request through, but the requested endpoint really does not exist, and/or there’s whatever issue in the reverse proxy configuration or the app configuration …