Overview
This is a flavour containing the traefik reverse proxy and load balancer preconfigured for usage with consul (e.g. consul pot image on potluck.
Installation
- Create your local jail from the image or the flavour files.
- Export the ports after creating the jail:
pot export-ports -p <jailname> -e 8080:8080 -e 9002:9002 - Adjust to your environment:
sudo pot set-env -p <jailname> -E CONSULSERVER=<IP or hostname of consulserver> - Optional: Mount your traefik log storage directory into the jail:
sudo pot mount-in -p <jailname> -m /var/log/traefik -d <logdirectory_on_host> - Start jail with
pot start
Usage
traefik in the jail is listening on port 8080 (HTTP) and 8443 (HTTPS with self signed certificate).
You can connect to the dashboard on port 9002 of your jail IP address.
The services registered on your associated consul instance are available under their service name via the host: header (similar to e.g. Apache Virtual Hosts).
To test this, you can use curl -H 'host: my-consul-servicename' <jailip>:8080.
Getting Started
- Image Readme
- How To Use The Ready-Made Image
- Alternatively: Create a Jail With This Flavour Yourself
- Version History
- Manual Image Download Links
- Jenkins Pot Creation Logs
How To Use The Ready-Made Image
FreeBSD 12.1:
pot import -p traefik-consul-amd64-12_1 -t 1.2 -U https://potluck.honeyguide.net/traefik-consul
FreeBSD 11.4:
pot import -p traefik-consul-amd64-11_4 -t 1.2 -U https://potluck.honeyguide.net/traefik-consul
If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), after importing it you can simply clone the jail like that (em0 is the host network adapter in this example):
pot clone -P traefik-consul-amd64-12_1 -p my-cloned-jail -N alias -i "em0|10.10.10.10"
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Alternatively: Create a Jail With This Flavour Yourself
1. Create Flavour Files
Create the following
/usr/local/etc/pot/flavours/traefik-consul.sh
and
chmod ugo+x /usr/local/etc/pot/flavours/traefik-consul.sh
#!/bin/sh
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - yes or no
# 2. Adjust package installation between BEGIN & END PACKAGE SETUP
# 3. Adjust jail configuration script generation between BEGIN & END COOK
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# -------------- BEGIN PACKAGE SETUP -------------
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NO"
sysrc traefik_enable="YES"
# Install packages
pkg install -y openssl traefik2
pkg clean -y
# To allow mount in of this directory, create mountpoint
mkdir -p /var/log/traefik
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# ----------------- BEGIN COOK ------------------
echo "#!/bin/sh
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
/usr/local/etc/rc.d/traefik stop || true
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
# Check config variables are set
#
if [ -z \${CONSULSERVER+x} ];
then
echo 'CONSULSERVER is unset - see documentation how to configure this flavour'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# Create traefik server config file
echo \"
[entryPoints]
[entryPoints.http]
address = \\\"0.0.0.0:8080\\\"
[entryPoints.traefik]
address = \\\"0.0.0.0:9002\\\"
[entryPoints.httpSSL]
address = \\\"0.0.0.0:8443\\\"
[http.routers.my-api]
entryPoints = [\\\"traefik\\\"]
# Catch every request (only available rule for non-tls routers. See below.)
rule = \\\"HostSNI(`*`)\\\"
service = \\\"api@internal\\\"
[[tls.certificates]]
certFile = \\\"/usr/local/etc/ssl/cert.crt\\\"
keyFile = \\\"/usr/local/etc/ssl/cert.key\\\"
[tls.options]
[tls.options.myTLSOptions]
minVersion = \\\"VersionTLS12\\\"
cipherSuites = [
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",
\\\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
]
[api]
dashboard = true
insecure = true
[log]
filePath = \\\"/var/log/traefik/traefik.log\\\"
[accessLog]
filePath = \\\"/var/log/traefik/traefik-access.log\\\"
[providers.consulCatalog]
stale = false
exposedByDefault = true
[providers.consulCatalog.endpoint]
address = \\\"\$CONSULSERVER:8500\\\"\" > /usr/local/etc/traefik.toml
echo \"traefik_conf=\\\"/usr/local/etc/traefik.toml\\\"\" >> /etc/rc.conf
touch /var/log/traefik/traefik.log
touch /var/log/traefik/traefik-access.log
chown traefik:traefik /var/log/traefik/traefik.log
chown traefik:traefik /var/log/traefik/traefik-access.log
mkdir -p /usr/local/etc/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/ssl/cert.key -out /usr/local/etc/ssl/cert.crt -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\"
chmod 644 /usr/local/etc/ssl/cert.crt
chmod 600 /usr/local/etc/ssl/cert.key
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
/usr/local/etc/rc.d/traefik start
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
chmod u+x /usr/local/bin/cook
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=cook
rcvar=cook_enable
load_rc_config $name
: ${cook_enable:=\"NO\"}
: ${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook
chmod u+x /usr/local/etc/rc.d/cook
if [ $RUNS_IN_NOMAD = false ]
then
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "cook_enable=\"YES\"" >> /etc/rc.conf
fi
2. Create Jail From Flavour
Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update -f traefik-consul
with your FreeBSD version (e.g. 12.1) and the name your jail should get.
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Version History
1.2
- Moved from traefik to traefik2 port
- Support mounting of traefik log directory to persist access logs
1.1
- Added HTTPS with self signed certificate (port 8443)
1.0
- Initial commit
These images were built on Wed Aug 19 10:33:25 UTC 2020
Manual Image Download Links
traefik-consul-amd64-12_1_1.2.xz (
221.62 MB
)
traefik-consul-amd64-12_1_1.2.xz.skein (
0.250977 KB
)
traefik-consul-amd64-11_4_1.2.xz (
185.965 MB
)
traefik-consul-amd64-11_4_1.2.xz.skein (
0.250977 KB
)
Jenkins Pot Creation Logs
traefik-consul-amd64-12_1_1.2:
traefik-consul/traefik-consul:
traefik-consul/traefik-consul.sh:
#!/bin/sh
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - yes or no
# 2. Adjust package installation between BEGIN & END PACKAGE SETUP
# 3. Adjust jail configuration script generation between BEGIN & END COOK
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# -------------- BEGIN PACKAGE SETUP -------------
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NO"
sysrc traefik_enable="YES"
# Install packages
pkg install -y openssl traefik2
pkg clean -y
# To allow mount in of this directory, create mountpoint
mkdir -p /var/log/traefik
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# ----------------- BEGIN COOK ------------------
echo "#!/bin/sh
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
/usr/local/etc/rc.d/traefik stop || true
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
# Check config variables are set
#
if [ -z \${CONSULSERVER+x} ];
then
echo 'CONSULSERVER is unset - see documentation how to configure this flavour'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# Create traefik server config file
echo \"
[entryPoints]
[entryPoints.http]
address = \\\"0.0.0.0:8080\\\"
[entryPoints.traefik]
address = \\\"0.0.0.0:9002\\\"
[entryPoints.httpSSL]
address = \\\"0.0.0.0:8443\\\"
[http.routers.my-api]
entryPoints = [\\\"traefik\\\"]
# Catch every request (only available rule for non-tls routers. See below.)
rule = \\\"HostSNI(`*`)\\\"
service = \\\"api@internal\\\"
[[tls.certificates]]
certFile = \\\"/usr/local/etc/ssl/cert.crt\\\"
keyFile = \\\"/usr/local/etc/ssl/cert.key\\\"
[tls.options]
[tls.options.myTLSOptions]
minVersion = \\\"VersionTLS12\\\"
cipherSuites = [
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",
\\\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
]
[api]
dashboard = true
insecure = true
[log]
filePath = \\\"/var/log/traefik/traefik.log\\\"
[accessLog]
filePath = \\\"/var/log/traefik/traefik-access.log\\\"
[providers.consulCatalog]
stale = false
exposedByDefault = true
[providers.consulCatalog.endpoint]
address = \\\"\$CONSULSERVER:8500\\\"\" > /usr/local/etc/traefik.toml
echo \"traefik_conf=\\\"/usr/local/etc/traefik.toml\\\"\" >> /etc/rc.conf
touch /var/log/traefik/traefik.log
touch /var/log/traefik/traefik-access.log
chown traefik:traefik /var/log/traefik/traefik.log
chown traefik:traefik /var/log/traefik/traefik-access.log
mkdir -p /usr/local/etc/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/ssl/cert.key -out /usr/local/etc/ssl/cert.crt -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\"
chmod 644 /usr/local/etc/ssl/cert.crt
chmod 600 /usr/local/etc/ssl/cert.key
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
/usr/local/etc/rc.d/traefik start
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
chmod u+x /usr/local/bin/cook
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=cook
rcvar=cook_enable
load_rc_config $name
: ${cook_enable:=\"NO\"}
: ${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook
chmod u+x /usr/local/etc/rc.d/cook
if [ $RUNS_IN_NOMAD = false ]
then
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "cook_enable=\"YES\"" >> /etc/rc.conf
fi
traefik-consul/traefik-consul+1:
traefik-consul/traefik-consul+1.sh:
traefik-consul/traefik-consul+2:
traefik-consul/traefik-consul+2.sh:
traefik-consul/traefik-consul+3:
traefik-consul/traefik-consul+3.sh:
traefik-consul/traefik-consul+4:
traefik-consul/traefik-consul+4.sh:
Password:=====> -i auto: assigned 10.192.0.3
===> Creating a new pot
===> pot name : traefik-consul-amd64-12_1
===> type : single
===> base : 12.1
===> pot_base :
===> level : 0
===> network-type: public-bridge
===> ip : 10.192.0.3
===> bridge :
===> dns : inherit
===> flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===> Fetching FreeBSD 12.1
===> Extract the tarball
=====> Flavour: fbsd-update
=====> Starting traefik-consul-amd64-12_1 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
defaultrouter: NO -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-12_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:db:c1:e9:71:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Wed Aug 19 10:28:01 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on traefik-consul-amd64-12_1
src component not installed, skipped
freebsd-update fetch should not be run non-interactively.
Run freebsd-update cron instead.
src component not installed, skipped
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
=====> Stop the pot traefik-consul-amd64-12_1
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/dev
=====> Flavour: traefik-consul
=====> Executing traefik-consul pot commands on traefik-consul-amd64-12_1
=====> Starting traefik-consul-amd64-12_1 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-12_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:63:83:bd:29:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Wed Aug 19 10:28:07 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp/traefik-consul.sh
=====> Executing traefik-consul script on traefik-consul-amd64-12_1
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.14.6...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.14.6: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable: -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 31916 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.1.1g,1
traefik2: 2.2.0
Number of packages to be installed: 2
The process will require 79 MiB more space.
18 MiB to be downloaded.
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1g,1.txz: .......... done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1g,1...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1g,1: .......... done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:
--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.
If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
packet filter configuration to redirect requests to the
desired privileged port to the unprivileged port in
traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
to bind to privileged ports.
Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
Nothing to do.
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====> Stop the pot traefik-consul-amd64-12_1
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/dev
=====> Flavour: traefik-consul+1
=====> Executing traefik-consul+1 pot commands on traefik-consul-amd64-12_1
=====> No shell script available for the flavour traefik-consul+1
=====> Flavour: traefik-consul+2
=====> Executing traefik-consul+2 pot commands on traefik-consul-amd64-12_1
=====> No shell script available for the flavour traefik-consul+2
=====> Flavour: traefik-consul+3
=====> Executing traefik-consul+3 pot commands on traefik-consul-amd64-12_1
=====> No shell script available for the flavour traefik-consul+3
=====> Flavour: traefik-consul+4
=====> Executing traefik-consul+4 pot commands on traefik-consul-amd64-12_1
=====> No shell script available for the flavour traefik-consul+4
traefik-consul-amd64-11_4_1.2:
traefik-consul/traefik-consul:
traefik-consul/traefik-consul.sh:
#!/bin/sh
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - yes or no
# 2. Adjust package installation between BEGIN & END PACKAGE SETUP
# 3. Adjust jail configuration script generation between BEGIN & END COOK
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# -------------- BEGIN PACKAGE SETUP -------------
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NO"
sysrc traefik_enable="YES"
# Install packages
pkg install -y openssl traefik2
pkg clean -y
# To allow mount in of this directory, create mountpoint
mkdir -p /var/log/traefik
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# ----------------- BEGIN COOK ------------------
echo "#!/bin/sh
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
/usr/local/etc/rc.d/traefik stop || true
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
# Check config variables are set
#
if [ -z \${CONSULSERVER+x} ];
then
echo 'CONSULSERVER is unset - see documentation how to configure this flavour'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# Create traefik server config file
echo \"
[entryPoints]
[entryPoints.http]
address = \\\"0.0.0.0:8080\\\"
[entryPoints.traefik]
address = \\\"0.0.0.0:9002\\\"
[entryPoints.httpSSL]
address = \\\"0.0.0.0:8443\\\"
[http.routers.my-api]
entryPoints = [\\\"traefik\\\"]
# Catch every request (only available rule for non-tls routers. See below.)
rule = \\\"HostSNI(`*`)\\\"
service = \\\"api@internal\\\"
[[tls.certificates]]
certFile = \\\"/usr/local/etc/ssl/cert.crt\\\"
keyFile = \\\"/usr/local/etc/ssl/cert.key\\\"
[tls.options]
[tls.options.myTLSOptions]
minVersion = \\\"VersionTLS12\\\"
cipherSuites = [
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",
\\\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
]
[api]
dashboard = true
insecure = true
[log]
filePath = \\\"/var/log/traefik/traefik.log\\\"
[accessLog]
filePath = \\\"/var/log/traefik/traefik-access.log\\\"
[providers.consulCatalog]
stale = false
exposedByDefault = true
[providers.consulCatalog.endpoint]
address = \\\"\$CONSULSERVER:8500\\\"\" > /usr/local/etc/traefik.toml
echo \"traefik_conf=\\\"/usr/local/etc/traefik.toml\\\"\" >> /etc/rc.conf
touch /var/log/traefik/traefik.log
touch /var/log/traefik/traefik-access.log
chown traefik:traefik /var/log/traefik/traefik.log
chown traefik:traefik /var/log/traefik/traefik-access.log
mkdir -p /usr/local/etc/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/ssl/cert.key -out /usr/local/etc/ssl/cert.crt -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\"
chmod 644 /usr/local/etc/ssl/cert.crt
chmod 600 /usr/local/etc/ssl/cert.key
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
/usr/local/etc/rc.d/traefik start
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
chmod u+x /usr/local/bin/cook
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=cook
rcvar=cook_enable
load_rc_config $name
: ${cook_enable:=\"NO\"}
: ${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook
chmod u+x /usr/local/etc/rc.d/cook
if [ $RUNS_IN_NOMAD = false ]
then
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "cook_enable=\"YES\"" >> /etc/rc.conf
fi
traefik-consul/traefik-consul+1:
traefik-consul/traefik-consul+1.sh:
traefik-consul/traefik-consul+2:
traefik-consul/traefik-consul+2.sh:
traefik-consul/traefik-consul+3:
traefik-consul/traefik-consul+3.sh:
traefik-consul/traefik-consul+4:
traefik-consul/traefik-consul+4.sh:
Password:=====> -i auto: assigned 10.192.0.4
===> Creating a new pot
===> pot name : traefik-consul-amd64-11_4
===> type : single
===> base : 11.4
===> pot_base :
===> level : 0
===> network-type: public-bridge
===> ip : 10.192.0.4
===> bridge :
===> dns : inherit
===> flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===> Fetching FreeBSD 11.4
===> Extract the tarball
=====> Flavour: fbsd-update
=====> Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: NO -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:a9:98:c9:bf:0b
hwaddr 02:a9:98:c9:bf:0b
inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Wed Aug 19 10:30:59 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on traefik-consul-amd64-11_4
src component not installed, skipped
freebsd-update fetch should not be run non-interactively.
Run freebsd-update cron instead.
src component not installed, skipped
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
=====> Stop the pot traefik-consul-amd64-11_4
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====> Flavour: traefik-consul
=====> Executing traefik-consul pot commands on traefik-consul-amd64-11_4
=====> Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:a3:4f:7d:fc:0b
hwaddr 02:a3:4f:7d:fc:0b
inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Wed Aug 19 10:31:04 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/traefik-consul.sh
=====> Executing traefik-consul script on traefik-consul-amd64-11_4
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.14.6...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.14.6: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable: -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30704 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.1.1g,1
traefik2: 2.2.0
Number of packages to be installed: 2
The process will require 79 MiB more space.
18 MiB to be downloaded.
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1g,1.txz: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1g,1...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1g,1: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:
--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.
If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
packet filter configuration to redirect requests to the
desired privileged port to the unprivileged port in
traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
to bind to privileged ports.
Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
Nothing to do.
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====> Stop the pot traefik-consul-amd64-11_4
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====> Flavour: traefik-consul+1
=====> Executing traefik-consul+1 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+1
=====> Flavour: traefik-consul+2
=====> Executing traefik-consul+2 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+2
=====> Flavour: traefik-consul+3
=====> Executing traefik-consul+3 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+3
=====> Flavour: traefik-consul+4
=====> Executing traefik-consul+4 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+4