Any step by step guides to using Portainer and YNH?

omg I finally got something to work!

I’m not sure what I did right so here’s a list of the final actions I took to get grocy to work. Using portainer I:

  1. copied the volume patterning of portainer—i.e. container /config and host /home/yunohost.docker/portainer/grocy/config. Maybe this could just be in /home/yunohost.docker/grocy/config though? that might be safer.
  2. Network: I changed this to bridge like portainer instead of grocy_default. Are there security issues with this?
  3. I removed the APP_URL env variable.
  4. Redirect app:

     book.domain.com
     /
     http://localhost:9283/
     nginx proxy pass (the one for logged in users)

  5. restarted nginx.
  6. logged in through webadmin.
  7. went to book.domain.com

it works! :open_mouth:

I will have to try for other apps now. Is any of this helpful @tituspijean in realizing what I was doing wrong in the first place? I’d like to make a guide on using portainer in yunohost (because trying to package an app is super confusing to me)

updates: it has to be on a primary domain. book.domain.com/grocy does not work. I don’t know if this is a result of something I did wrong on portainer. It also looks like it has to be nginx proxy pass for allowed users. restarting nginx does not seem necessary.

I also managed to get lazylibrarian set up using this process. it did require restarting nginx though. or maybe it didn’t and it just took longer. not sure yet.

1 Like

In my tests I usually put ./folder:/folder for the volumes. (beware of the dot!) It means that the data for the container will be put in the directory where the docker-compose.yml file lies.


So, I removed everything related to Bookstack too, and tried Lazylibrarian. It worked right away!

LazyLibrarian setup
---
version: "2.1"
services:
  lazylibrarian:
    image: linuxserver/lazylibrarian
    container_name: lazylibrarian
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - DOCKER_MODS=linuxserver/calibre-web:calibre|linuxserver/mods:lazylibrarian-ffmpeg #optional
    volumes:
      - ./config:/config
      - ./downloads:/downloads
      - ./books:/books
    ports:
      - 5299:5299
    restart: unless-stopped
cd $your_path_to_yml_file
docker-compose up -d
# It will take some time to initialize after starting up the container
# Meanwhile
yunohost app install redirect -a "label=LazyLibrarian&domain=book.domain.com&path=/&redirect_path=http://127.0.0.1:5299&redirect_type=private_proxy"

And it worked directly.
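
The compose file above publishes `5299:5299`, which is Docker's shorthand for binding the host side of the port on every interface (the security issue raised later in this thread), even though the redirect app only ever talks to 127.0.0.1:5299. The shell snippet below is an added example, not code from the post or from linuxserver.io: it reports the `ports:` entries of a compose file that lack a bind address and rewrites them to `127.0.0.1:HOST:CONTAINER`, so the service is reachable only through the YunoHost Nginx. It handles the compose short syntax only, which is the one used in the post; the compose content in the usage comments is the one posted above.

```shell
#!/bin/sh
# Pin the host side of docker-compose "ports:" entries to 127.0.0.1.
# Added example, not from the thread or from linuxserver.io. The only
# assumption is the compose short syntax used in the post: "HOST:CONTAINER",
# "IP:HOST:CONTAINER", or a bare "CONTAINER" port, optionally quoted, with an
# optional /tcp or /udp suffix and an optional trailing "# comment".

# Walk every "ports:" list in FILE. mode=list prints the entries that publish
# on all interfaces (no bind address). mode=fix prints the whole file with those
# entries rewritten: "HOST:CONTAINER" becomes "127.0.0.1:HOST:CONTAINER" and a
# bare "CONTAINER" becomes "127.0.0.1::CONTAINER" (random host port, loopback only).
# Entries that already carry an address do not match "digits:digits" and are kept.
_walk_ports() {
    awk -v mode="$1" '
    function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; key_indent = indent($0); if (mode == "fix") print; next }
    # The list ends at the next non-blank line indented no deeper than the ports: key.
    in_ports && $0 !~ /^[ \t]*$/ && indent($0) <= key_indent { in_ports = 0 }
    in_ports && $0 ~ /^[ \t]*-[ \t]*"?[0-9]+(:[0-9]+)?(\/(tcp|udp))?"?([ \t]*#.*)?$/ {
        if (mode == "list") { print; next }
        if ($0 ~ /^[ \t]*-[ \t]*"?[0-9]+:[0-9]+/) sub(/-[ \t]*"?/, "&127.0.0.1:")
        else sub(/-[ \t]*"?/, "&127.0.0.1::")
    }
    mode == "fix" { print }
    ' "$2"
}

unpinned_ports() { _walk_ports list "$1"; }
pin_ports()      { _walk_ports fix  "$1"; }

# Typical use on the docker-compose.yml from the post (not run here):
#   unpinned_ports docker-compose.yml        # prints "      - 5299:5299"
#   pin_ports docker-compose.yml > docker-compose.pinned.yml
# Afterwards only the redirect app (proxying to http://127.0.0.1:5299) reaches the service;
# http://host:5299 from the outside no longer does.
```

The rewrite is deliberately limited to `ports:` lists, so `expose:` entries (which never publish anything) and environment values such as `PUID=1000` are left untouched.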


I cannot quite acknowledge everything you did and tried, but I will try.

  1. I am not sure what you copied and where to. This kind of thing should be managed by Portainer, you should not have to tinker into that. :confused:
  2. Regarding the network : a bridge, as far as my limited knowledge allows me to understand, makes the container available on a subnetwork managed by the host. Some explanations can be found here. But that’s the default Docker behaviour. There should not be issues as long as you do not open ports on the host or create routing rules between your main network interface and the containers subnetwork.
  3. Yeah, that variable is most likely specific to Bookstack, it tells it to expect browsing with URL starting by that.
  4. For your guide: always use the proxy options (either public or private, that’s up to you). It will not work if you choose the 301 or 302 options. These two latter options will basically make Nginx tell your visitors to go to http://127.0.0.1:port or whatever. But that’s on their own computer, not your host. With the proxy options, it tells Nginx to fetch itself the http://127.0.0.1:port pages, which are indeed the container’s, and serve it to the visitors. So to summarize:
    • public_302 and public_301: not OK
    • public_proxy and private_proxy: OK
  5. Regarding the possibility to have a domain.com/path instead of app.domain.com: that’s up to how the app is made. You have to check the apps README to find out. For Bookstack, since it has an APP_URL variable (it can be named differently for other apps, it’s only a variable), I guess it is open to different paths.
  1. I think you misunderstood—but only because I wasn’t clear! What I meant is that I copied the volume variables (and I think the network ones) from the “portainer” container to another container and that is what made things work.
  2. I read that page too! I don’t know if yunohost changes things, but I’ve had best luck with keeping things on bridge network but I’m still experimenting.

Thanks for #4+5, that’s helpful to know. For the most part I’ve just been making new domains but now I’m pushing 30+ domains and holy hell the diagnosis feature really slows down with a lot more.

Here are the apps I have tried and confirmed working:

  • trillium
  • pinry (but I am having a lot of issues trying to get the initial first user registered? i followed the instructions in the docs but it’s not kicking off)
  • Omeka (right now it’s erroring out but that I think is because I need to do initial setup stuff)
  • VSCodeServer
  • Bookstack
  • Grocy
  • vabene1111/recipes
  • iqVoc (semantic thesaurus management)
  • dillinger
2 Likes

Thanks for this interesting thread! I came across it while looking for the same information in this thread, and I’m happy to see a more detailed discussion going on! However, as explained in the other thread, I lack a bit of insight into how to link up everything (specifically the parts on referral links, ports, etc…, I am not really used to working with these)… I saw that you mentioned writing a short guideline… if it can be of help/motivation: I would be glad to use it/test it out! :slight_smile:

:pray:

for anyone in the future: Docker Container, redirect? - #7 by brimwats

1 Like

I would also like to thank you for rolling this thread out. I got useful hints, and stayed for three nights with testing.
It’s actually pretty easy.

But first I must say, that my goal was to get portainer and nginx proxy manager running on my vps. I wanted nginx proxy manager to manage certificates, etc.
That wasn’t working in any way.
The good news is, you can use portainer and install any other docker apps, but you don’t need (cannot use) the nginx proxy manager. Instead, you can (you must) use yunohost.

1
So, at first you have to install docker for debian. Just follow the official guides.
Get the apt-key for the docker repository, add the repository, update apt and then install docker.

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"

apt update

apt install docker-ce docker-ce-cli containerd.io

It seems portainer has docker-compose inside. But it’s no problem, and a good idea anyway to install the newest version on your host, separately.

apt install docker-compose

2
So, you got docker, and now it’s time to install portainer.
At first create a volume for portainer

docker volume create portainer_data

Then run and install the community edition

docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce

Next step is to set up portainer with your credentials. Call your server with the IP address over port 9000.
http://1.2.3.4:9000

3
To reach portainer, or later other docker apps on your server over a FQDN or sub domain, you must add a DNS entry.
Go to your registrar and add an A-Record or CNAME for portainer.example.org that points to the IP of your server.

On yunohost, add this domain or subdomain to the list of managed names.

4
Then install the yunohost app → redirect

You can install the app several times. Any other instance needs this app again!

In this example you will setup the app for
portainer.example.org

Label for Redirect: just give it a name
Redirect-portainer

Choose the (sub-)domain for your app instance
portainer.example.org

Choose the path for this app (leave empty)
/

Redirect destination path
(YOU NEED THE docker portainer → any INSTANCE IP OF THE CONTAINER AND THE PORT to point at), for example:
http://172.18.0.1:9000/

For nginx proxy manager it would have been http://172.19.0.4:81 // just an example // not important anymore.

VERY IMPORTANT IS THE
Redirect type

CHOOSE
Proxy, invisible (nginx proxy_pass). Everybody will be able to access it.

Then click install to get the yunohost redirect app running.

5
Go back to yunohost domains and request a Let’s encrypt certificate for the sub-domain where the docker-app (portainer) runs.

Finally call your project at portainer.example.org

Repeat this for other docker-apps in portainer on your yunohost.

5 Likes
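
The guide above works, but two of its settings are the source of the problems reported in the following posts: `docker run -p 8000:8000 -p 9000:9000` publishes Portainer on every host interface, and the redirect destination uses a Docker network address rather than 127.0.0.1 (later posts report 502 Bad Gateway when such addresses change and recommend 127.0.0.1). The shell function below is an added example, not code from the thread or from YunoHost: it assembles the `-a` argument string for `yunohost app install redirect` in the form used earlier in this thread and refuses the two settings that cannot work, a 301/302 redirect type and a destination that is not on 127.0.0.1. The label and domain in the usage comment are placeholders.

```shell
#!/bin/sh
# Build and sanity-check the arguments for the YunoHost "redirect" app.
# Added example, not from the thread or from the redirect app package.

# Usage: redirect_args LABEL DOMAIN PATH DESTINATION TYPE
# Prints the "-a" argument string on success. Returns 1 with a reason when:
#   - TYPE is public_301 or public_302: those make Nginx tell the visitor's
#     browser to go to DESTINATION, i.e. to 127.0.0.1 on the visitor's own
#     machine. Only the proxy types fetch the container's pages on the host.
#   - DESTINATION is not on 127.0.0.1/localhost: container-network addresses
#     (172.x.y.z) are not stable across Docker restarts, which ends in 502s.
# Keep LABEL free of '&' and '=', since the -a string is parsed as a query string.
redirect_args() {
    label=$1 domain=$2 path=$3 dest=$4 type=$5
    case $type in
        public_proxy|private_proxy) ;;
        public_301|public_302)
            echo "refusing $type: a 30x redirect sends the browser to $dest on its own machine" >&2
            return 1 ;;
        *) echo "unknown redirect type: $type" >&2; return 1 ;;
    esac
    case $dest in
        http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*|http://localhost|http://localhost:*|http://localhost/*) ;;
        http://*)
            echo "refusing $dest: use a 127.0.0.1 address and publish the container port on loopback" >&2
            return 1 ;;
        *) echo "destination must be an http:// URL: $dest" >&2; return 1 ;;
    esac
    printf 'label=%s&domain=%s&path=%s&redirect_path=%s&redirect_type=%s\n' \
        "$label" "$domain" "$path" "$dest" "$type"
}

# Steps 2 and 4 of the guide with the port pinned to loopback (not run here).
# Port 8000 is Portainer's Edge agent port; nothing in this thread uses it, so it is not published.
#   docker volume create portainer_data
#   docker run -d -p 127.0.0.1:9000:9000 --name=portainer --restart=always \
#       -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce
#   yunohost app install redirect \
#       -a "$(redirect_args Redirect-portainer portainer.example.org / http://127.0.0.1:9000 private_proxy)"
```

With the container port bound to 127.0.0.1 the only way in is through the YunoHost Nginx on the certificate-backed domain from step 5, and the SSO decides who gets there; `private_proxy` restricts it to logged-in users, `public_proxy` does not.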

Hey @jensensen2 and @brimwats. It seems I was too confidently cheering on my success in installing portainer/redirect some apps here, as I now get suddenly the error 502 Bad Gateway nginx at all of them.

I don’t know the technical details in depth, but I assume this has to do either with:

  1. Insufficient memory allocation, as indicated in an error log that popped up while trying to create a redirect app. I assume this was temporary, and not the primary reason for the bad gateway (?) Around the time of this error one of the portainer-containers (Metabase) did shut itself down. On other fora I’ve read that this might be due to insufficient RAM (I have 2 GB for ± 8 YunoHost apps + 2 on portainer)
  2. the thing on nginx you mention here: ?

What I did previously: make a redirect to appname.my.yunohost.me:first portnumber indicated in container (portainer), for example: huginn.my.yunohost.me:49156

In your use-case you use two different IP-addresses and ports. To which do they relate?

Hi floriandierickx

it’s the same to me. Anyway, the 5 point guide as mentioned above is okay.
But (still) there are some drawbacks.

When you restart docker the containers may get different IPs. In portainer itself you could/should enter a distinctive static address for each container. Also keep in mind the networks of your apps!

The error 502 Bad Gateway occurs, because the redirect ip changed, and now cannot be reached.
You get rid of it when you give nginx proxy the right IP address.
The ad-hoc workaround would be, changing the proxy settings to the actual, new container IP.

Right now, the greatest disadvantage obviously of the YNH redirect app is, that you cannot edit settings afterwards over GUI.

To do this you can edit the setting files manually:
It’s just the workaround!

nano /etc/nginx/conf.d/SUB.DOMAIN.XY.d/redirect.conf

Change the IP to point to the right container:
proxy_pass http://172.19.0.4:9000;

Then restart the proxy
systemctl restart nginx

And then call the server again
SUB.DOMAIN.XY

It should run. But this kind of frickle-frackle is not, what we want.

On the other hand, as mentioned in the description of the YNH redirect app, we should use a local ip.
Test what you get using curl. For example

curl http://127.0.0.1:9000
curl http://127.0.0.1:81
curl http://172.19.0.4:81

Okay, so now, for portainer I edited

nano /etc/nginx/conf.d/portainer.example.org.d/redirect.conf

change proxy_pass and then restart nginx.

proxy_pass http://127.0.0.1:9000;

With the installation of the YNH redirect app (see step 4 above) it would be the
Redirect destination path:

http://127.0.0.1:9000

Now call the server again over secured https

https://portainer.example.org

and you will get the login screen of portainer.

1 Like
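
The manual fix described above (edit redirect.conf, change proxy_pass, restart Nginx) is easy to get wrong by hand: a typo in that file takes every domain on the host down with the restart, and the container address has to be looked up again after each Docker restart. The shell functions below are an added example, not code from the thread or from the redirect app: they read and rewrite the proxy_pass target of a redirect.conf, look up a container's current address with `docker inspect` for the ad-hoc workaround case, and run `nginx -t` before reloading. The config path follows the post above; the redirect.conf content used in the usage comments is constructed.

```shell
#!/bin/sh
# Repoint a YunoHost redirect app at a new upstream.
# Added example, not from the thread. Config path follows the post above:
#   /etc/nginx/conf.d/DOMAIN.d/redirect.conf

# Print the current proxy_pass target of a redirect.conf (first occurrence).
current_proxy_pass() {
    sed -n -E 's/^[[:space:]]*proxy_pass[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Rewrite the proxy_pass target, keeping the rest of the file intact.
# Only http(s) URLs are accepted; the target must not contain '|' or '&'
# because it is spliced into a sed replacement.
set_proxy_pass() {
    conf=$1 target=$2
    case $target in
        http://*|https://*) ;;
        *) echo "target must be an http(s) URL: $target" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed -E "s|^([[:space:]]*proxy_pass[[:space:]]+)[^;[:space:]]+([[:space:]]*;)|\1${target}\2|" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"          # cat keeps the file's owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Current address of a container on its first Docker network. This is the
# ad-hoc workaround from the post, needed only while proxy_pass points at a
# container address instead of 127.0.0.1.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' "$1" | awk '{ print $1 }'
}

# Validate the whole Nginx configuration before reloading, so a bad edit
# cannot take every domain on the host down.
reload_nginx() {
    nginx -t && systemctl reload nginx
}

# Durable fix for portainer.example.org: point at loopback, then reload (not run here).
#   set_proxy_pass /etc/nginx/conf.d/portainer.example.org.d/redirect.conf http://127.0.0.1:9000 && reload_nginx
# Workaround while the container is still addressed by its Docker IP:
#   set_proxy_pass /etc/nginx/conf.d/portainer.example.org.d/redirect.conf \
#       "http://$(container_ip portainer):9000" && reload_nginx
```

`reload` rather than `restart` is enough for Nginx to pick up the change and keeps existing connections open; `nginx -t` is what turns a typo into an error message instead of an outage.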

why do you need to install nginx on docker? YNH has nginx

No, no, I think there is a misunderstanding.
I didn’t want to install nginx. As I mentioned before, my first idea was, to install portainer, and inside of it, nginx proxy manager.

Anyway, here we are talking about Portainer.

So, by now, portainer (and other container apps) can be reached over secured sub domains. But there’s one problem left.

The server can be reached by HTTPS, but also over its IP. Thus you have to close the exposed public ports.

For this, you need another taskforce.

1 Like

When you deploy a container, or restart docker, your iptables are completely different from your main rules.

Have a look at the rules settings
iptables -nvL
after

  1. deploying a container, or restarting docker and

  2. after restoring your own rules with
    iptables-restore < /etc/iptables/rules.v4

ad 1:
very complex

ad 2:
likely easy structured, just your own rules

Now, when you restore your own rules first and then restart docker, you get a combination of both!!!

Now iptables shows your own rules and the docker rules.
iptables -nvL

It seems this combination of the firewall settings should be the state, your server must use!!!???

Therefore, the tip would be, first restore your own rules and then restart docker! Then the combination of both is active!!!

The question now, what is the role of the YNH firewall with its poor gui?

1 Like

It is a security issue as Docker opens this port to the internet without ssl.

2 Likes
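
The two posts above make the point that Docker opens published ports to the Internet by itself, and that its iptables rules sit next to, and independently of, the YunoHost firewall rules. What a practitioner wants at this stage is a way to see exactly which container ports are reachable from outside. The shell snippet below is an added example, not code from the thread: it parses `iptables-save` output for the DNAT rules Docker installs in its `DOCKER` chain, parses `ss -H -ltn` output for sockets bound to every interface, and cross-checks the two. The sample outputs embedded in it are constructed for illustration (a Portainer with 9000 published everywhere and 8000 on loopback, a LazyLibrarian on 5299, and the YunoHost Nginx on 443).

```shell
#!/bin/sh
# Audit which container ports Docker has published on the host, from two
# independent sources. Added example, not from the thread; both sample inputs
# below are constructed.

SAMPLE_IPTABLES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000
-A DOCKER ! -i br-1a2b3c4d -p tcp -m tcp --dport 5299 -j DNAT --to-destination 172.18.0.3:5299
COMMIT
*filter
:DOCKER - [0:0]
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
COMMIT'

SAMPLE_SS='LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5299 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'

# Read iptables-save on stdin; print "PORT DESTINATION SCOPE" for every DNAT
# rule in the nat DOCKER chain. SCOPE is "loopback" when the rule carries
# "-d 127.x", i.e. the port was published as 127.0.0.1:HOST:CONTAINER, and
# "all-interfaces" otherwise. Docker manages these rules itself; the YunoHost
# firewall GUI does not show them.
docker_dnat_rules() {
    awk '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
        port = ""; dest = ""; scope = "all-interfaces"
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
            else if ($i == "-d" && $(i + 1) ~ /^127\./) scope = "loopback"
        }
        print port, dest, scope
    }'
}

# Read "ss -H -ltn" output on stdin; print the local address of every socket
# bound to all interfaces (0.0.0.0, * or [::]). Loopback-only listeners are skipped.
# With Docker's default userland proxy, docker-proxy shows up here for each
# published port; with the proxy disabled only the DNAT view above applies.
wildcard_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $4 }'
}

# Cross-check: ports that Docker DNATs for all interfaces and that also have a
# wildcard listener. Sorted, one per line. $1 = iptables-save text, $2 = ss text.
publicly_exposed_ports() {
    dnat=$(printf '%s\n' "$1" | docker_dnat_rules | awk '$3 == "all-interfaces" { print $1 }')
    sockets=$(printf '%s\n' "$2" | wildcard_listeners | sed 's/.*://')
    for p in $dnat; do
        for s in $sockets; do [ "$p" = "$s" ] && echo "$p"; done
    done | sort -un
}

# Live use on the host (needs root for iptables-save; not run here):
#   publicly_exposed_ports "$(iptables-save)" "$(ss -H -ltn)"
# Run it once after a reboot and once after restarting the YNH firewall, as the
# post above suggests, and compare the two lists.
```

Running the audit on the constructed samples reports 5299 and 9000 as reachable from outside and leaves out 8000, which is what publishing a port as `127.0.0.1:8000:8000` buys you: the DNAT rule still exists, but only for packets addressed to loopback.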

BTW:
I have tried to fix this with portainer testing package. It's failing on CI, but works for me.
It can be tested by:
$ yunohost app install --debug https://github.com/YunoHost-Apps/portainer_ynh/tree/testing

Will love to have feedback.

2 Likes

Thank you kanhu.
I had to fix some things during last days.
And to be honest, I’m a little bit afraid, to install the --debug for testing.

What I know so far additionally, is that after reboot, YNH exposes all docker ports to the public.

On the other hand, docker adds many rules to the iptables chains.

After restart the iptables contains even your own settings of the
/etc/yunohost/hooks.d/post_iptable_rules/95--my--hooks

Right after rebooting the machine, it seems very important to restart the YNH firewall, also [when you have docker installed].

But before that, it could be a good idea to wait a few seconds, to be sure docker has started.

Now, after restarting the YNH firewall, the iptables differ a lot those after restart.

This seems exactly what you want:
The YNH settings are good.
Docker is working and the exposed ports are closed.
The settings of the
/etc/yunohost/hooks.d/post_iptable_rules/...
are working.

With docker installed you must restart the YNH firewall right after a reboot.

Hey, kanhu, your testing --debug is to prove that?

I would do so, but I have already installed docker and portainer.
I don’t want to spend days repairing again.

What to do // what could we do now?

Uninstall docker and portainer, or
uninstall only portainer…???

Give us some advice!! Thanks.

I’m using the .local domains and I’m running into similar issues, any idea on how to proceed from here? I just can’t seem to reach anything once it’s running in portainer.

Unfortunately, using the package is giving me the same error as manually installing and configuring a Redirect/Reverse Proxy. Some resources are being SSOed despite being logged in, so I can’t even get past Portainer’s admin setup page.

This is on a request to https://portainer.mydomain.tld/api/users/admin/check

Editing /etc/ssowat/conf.json.persistent with the lines below does nothing…

{
    "permissions": {
        "portainerapi": {
            "auth_header": false,
            "label": "Portainer (api)",
            "public": true,
            "show_tile": true,
            "uris": [
                "portainer.mydomain.tld/api/"
            ],
            "users": []
        }
    }
}

Can someone shed a light to a fix?

1 Like

Your screenshot doesn’t mention what’s the HTTP status code … é_è

My bad! It returns 404.

Then 404 probably means that the sso does let the request through, but the requested endpoint really does not exist, and/or there’s whatever issue in the reverse proxy configuration or the app configuration …

The response headers even include a “Content-Type: application/json” … doesn’t that json contain any info …?