Overview
This is a flavour containing the traefik reverse proxy and load balancer, preconfigured for use with consul (e.g. the consul pot image on potluck).
Installation
- Create your local jail from the image or the flavour files.
- Export the ports after creating the jail:
pot export-ports -p <jailname> -e 8080:8080 -e 9002:9002
- Adjust to your environment:
sudo pot set-env -p <jailname> -E CONSULSERVER=<IP or hostname of consulserver>
- Optional: Mount your traefik log storage directory into the jail:
sudo pot mount-in -p <jailname> -m /var/log/traefik -d <logdirectory_on_host>
- Start jail with
pot start
Usage
traefik in the jail is listening on port 8080 (HTTP) and 8443 (HTTPS with a self-signed certificate).
You can connect to the dashboard on port 9002 of your jail IP address.
The services registered on your associated consul instance are available under their service name via the host: header (similar to e.g. Apache Virtual Hosts).
To test this, you can use: curl -H 'host: my-consul-servicename' <jailip>:8080
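The following added example (not part of the flavour or the potluck project) audits a traefik v2 TOML configuration for three settings found in the configuration that this flavour's cook script writes: api.insecure = true with the traefik entry point on 0.0.0.0:9002, exposedByDefault = true for the consul catalog, and a named TLS option set (myTLSOptions) that no router references. The function names and both sample configurations are constructed for illustration; the first sample copies its values from the cook script shown in the creation logs on this page.

```shell
#!/bin/sh
# Added example, not part of the flavour. Reads a traefik v2 TOML config on
# stdin and prints one finding per line, each prefixed with an ID.
audit_traefik_toml() {
    awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || substr(line, 1, 1) == "#") next
        if (substr(line, 1, 1) == "[") {
            # Table header such as [api] or [[tls.certificates]]
            gsub(/\[/, "", line); gsub(/\]/, "", line)
            table = trim(line)
            # Traefik applies only the TLS option set named default unless a
            # router references another set by name, so remember the others.
            if (table ~ /^tls\.options\../ && table != "tls.options.default")
                tlsopt[substr(table, 13)] = 1
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        gsub(/"/, "", val)
        if (table == "api" && key == "insecure" && val == "true") insecure = 1
        if (table == "entryPoints.traefik" && key == "address") api_addr = val
        if (table == "providers.consulCatalog" && key == "exposedByDefault" && val == "true")
            exposed = 1
        if (table ~ /^(http|tcp)\.routers\..*\.tls$/ && key == "options") used[val] = 1
    }
    END {
        if (insecure) {
            # api.insecure serves the dashboard and API on the entry point named traefik
            if (api_addr == "") api_addr = "address not set"
            msg = "API_INSECURE unauthenticated dashboard/API on entry point traefik (" api_addr ")"
            if (api_addr ~ /^(0\.0\.0\.0)?:/) msg = msg ", bound to all interfaces"
            print msg
        }
        if (exposed)
            print "EXPOSED_BY_DEFAULT every Consul service is routed unless it opts out"
        for (n in tlsopt)
            if (!(n in used))
                print "TLS_OPTIONS_UNUSED " n " is not referenced by any router"
    }'
}

# Constructed sample: settings the cook script on this page writes to
# traefik.toml (values copied from the page, cipher list and logs left out).
flavour_config() {
    cat <<'EOF'
[entryPoints]
  [entryPoints.http]
  address = "0.0.0.0:8080"
  [entryPoints.traefik]
  address = "0.0.0.0:9002"
  [entryPoints.httpSSL]
  address = "0.0.0.0:8443"
[tls.options]
  [tls.options.myTLSOptions]
  minVersion = "VersionTLS12"
[api]
  dashboard = true
  insecure = true
[providers.consulCatalog]
  stale = false
  exposedByDefault = true
EOF
}

# Constructed variant (an assumption, not the project's config) with the three
# settings tightened. With insecure = false the dashboard additionally needs a
# router to api@internal, ideally behind an authentication middleware.
tightened_config() {
    cat <<'EOF'
[entryPoints.traefik]
  address = "127.0.0.1:9002"
[tls.options.default]
  minVersion = "VersionTLS12"
[api]
  dashboard = true
  insecure = false
[providers.consulCatalog]
  exposedByDefault = false
EOF
}

# Number of findings for the config printed by the function named in $1
count_findings() { "$1" | audit_traefik_toml | wc -l | tr -d ' '; }

echo "flavour config:";   flavour_config   | audit_traefik_toml
echo "tightened config:"; tightened_config | audit_traefik_toml
```

Inside the jail, the same check runs against the generated file with audit_traefik_toml < /usr/local/etc/traefik.toml.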
Getting Started
- Image Readme
- How To Use The Ready-Made Image
- Alternatively: Create a Jail With This Flavour Yourself
- Version History
- Manual Image Download Links
- Jenkins Pot Creation Logs
How To Use The Ready-Made Image
FreeBSD 12.2:
pot import -p traefik-consul-amd64-12_2 -t 1.2.1 -U https://potluck.honeyguide.net/traefik-consul
FreeBSD 11.4:
pot import -p traefik-consul-amd64-11_4 -t 1.2.1 -U https://potluck.honeyguide.net/traefik-consul
If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. to assign a host IP address), you can simply clone the jail after importing it (em0 is the host network adapter in this example):
pot clone -P traefik-consul-amd64-12_2 -p my-cloned-jail -N alias -i "em0|10.10.10.10"
Note: Some images might require a specific network configuration; double-check the Overview chapter at the top.
Alternatively: Create a Jail With This Flavour Yourself
1. Create Flavour Files
Save all files and directories from https://github.com/hny-gd/potluck/tree/master/traefik-consul to /usr/local/etc/pot/flavours/
2. Create Jail From Flavour
Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update
with your FreeBSD version (e.g. 12.1) and the name your jail should get.
Note: Some images might require a specific network configuration; double-check the Overview chapter at the top.
Version History
1.2.1
- Trigger build of FreeBSD 12.2 image & rebuild FreeBSD 11.4 image to update packages
1.2
- Moved from traefik to traefik2 port
- Support mounting of traefik log directory to persist access logs
1.1
- Added HTTPS with self signed certificate (port 8443)
1.0
- Initial commit
These images were built on Sun Nov 1 08:09:11 UTC 2020
Manual Image Download Links
traefik-consul-amd64-12_2_1.2.1.xz (225.034 MB)
traefik-consul-amd64-12_2_1.2.1.xz.skein (0.250977 KB)
traefik-consul-amd64-11_4_1.2.1.xz (297.29 MB)
traefik-consul-amd64-11_4_1.2.1.xz.skein (0.250977 KB)
Jenkins Pot Creation Logs
traefik-consul-amd64-12_2_1.2.1:
traefik-consul/traefik-consul:
traefik-consul/traefik-consul.sh:
#!/bin/sh
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - yes or no
# 2. Adjust package installation between BEGIN & END PACKAGE SETUP
# 3. Adjust jail configuration script generation between BEGIN & END COOK
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# -------------- BEGIN PACKAGE SETUP -------------
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NO"
sysrc traefik_enable="YES"
# Install packages
pkg install -y openssl traefik2
pkg clean -y
# To allow mount in of this directory, create mountpoint
mkdir -p /var/log/traefik
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# ----------------- BEGIN COOK ------------------
echo "#!/bin/sh
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
/usr/local/etc/rc.d/traefik stop || true
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
# Check config variables are set
#
if [ -z \${CONSULSERVER+x} ];
then
echo 'CONSULSERVER is unset - see documentation how to configure this flavour'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# Create traefik server config file
echo \"
[entryPoints]
[entryPoints.http]
address = \\\"0.0.0.0:8080\\\"
[entryPoints.traefik]
address = \\\"0.0.0.0:9002\\\"
[entryPoints.httpSSL]
address = \\\"0.0.0.0:8443\\\"
[http.routers.my-api]
entryPoints = [\\\"traefik\\\"]
# Catch every request (only available rule for non-tls routers. See below.)
# The backticks are escaped twice so that neither echo runs them as a command substitution
rule = \\\"HostSNI(\\\`*\\\`)\\\"
service = \\\"api@internal\\\"
[[tls.certificates]]
certFile = \\\"/usr/local/etc/ssl/cert.crt\\\"
keyFile = \\\"/usr/local/etc/ssl/cert.key\\\"
[tls.options]
[tls.options.myTLSOptions]
minVersion = \\\"VersionTLS12\\\"
cipherSuites = [
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",
\\\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\\\",
\\\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",
\\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
]
[api]
dashboard = true
insecure = true
[log]
filePath = \\\"/var/log/traefik/traefik.log\\\"
[accessLog]
filePath = \\\"/var/log/traefik/traefik-access.log\\\"
[providers.consulCatalog]
stale = false
exposedByDefault = true
[providers.consulCatalog.endpoint]
address = \\\"\$CONSULSERVER:8500\\\"\" > /usr/local/etc/traefik.toml
echo \"traefik_conf=\\\"/usr/local/etc/traefik.toml\\\"\" >> /etc/rc.conf
touch /var/log/traefik/traefik.log
touch /var/log/traefik/traefik-access.log
chown traefik:traefik /var/log/traefik/traefik.log
chown traefik:traefik /var/log/traefik/traefik-access.log
mkdir -p /usr/local/etc/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/ssl/cert.key -out /usr/local/etc/ssl/cert.crt -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\"
chmod 644 /usr/local/etc/ssl/cert.crt
chmod 600 /usr/local/etc/ssl/cert.key
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
/usr/local/etc/rc.d/traefik start
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ ! -e /tmp/environment.sh ]
then
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
chmod u+x /usr/local/bin/cook
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=cook
rcvar=cook_enable
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook
chmod u+x /usr/local/etc/rc.d/cook
if [ $RUNS_IN_NOMAD = false ]
then
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "cook_enable=\"YES\"" >> /etc/rc.conf
fi
traefik-consul/traefik-consul+1:
traefik-consul/traefik-consul+1.sh:
traefik-consul/traefik-consul+2:
traefik-consul/traefik-consul+2.sh:
traefik-consul/traefik-consul+3:
traefik-consul/traefik-consul+3.sh:
traefik-consul/traefik-consul+4:
traefik-consul/traefik-consul+4.sh:
Password:===> Creating a new pot
===> pot name : traefik-consul-amd64-12_2
===> type : single
===> base : 12.2
===> pot_base :
===> level : 0
===> network-type : public-bridge
===> network-stack: ipv4
===> ip : 10.192.0.3
===> bridge :
===> dns : inherit
===> flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===> Fetching FreeBSD 12.2
/tmp/12.2-RELEASE_base.txz 174 MB 4309 kBps 41s
===> Extract the tarball
=====> Flavour: fbsd-update
=====> Starting traefik-consul-amd64-12_2 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp
===> Internal network not found! Calling vnet-start to fix the issue
net.inet.ip.forwarding: 0 -> 1
=====> Bridge created bridge0
=====> Bridge bridge0 configured with IP 10.192.0.1 netmask 255.192.0.0
=====> Pot anchors are missing - load /etc/pf.conf
nat on em0 inet from 10.192.0.0/10 to any -> (em0) round-robin
pf enabled
defaultrouter: NO -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:fe:6c:93:79:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Sun Nov 1 08:02:11 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on traefik-consul-amd64-12_2
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update2.freebsd.org... done.
Fetching metadata signature for 12.2-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 12.2-RELEASE-p0.
No updates are available to install.
=====> Stop the pot traefik-consul-amd64-12_2
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/dev
=====> Flavour: traefik-consul
=====> Executing traefik-consul pot commands on traefik-consul-amd64-12_2
=====> Starting traefik-consul-amd64-12_2 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:11:32:bf:8d:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Sun Nov 1 08:02:23 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp/traefik-consul.sh
=====> Executing traefik-consul script on traefik-consul-amd64-12_2
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.15.10...
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.15.10: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable: -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 32306 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.1.1h_1,1
traefik2: 2.2.0
Number of packages to be installed: 2
The process will require 75 MiB more space.
17 MiB to be downloaded.
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1h_1,1.txz: .......... done
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1h_1,1...
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1h_1,1: .......... done
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:
--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.
If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
packet filter configuration to redirect requests to the
desired privileged port to the unprivileged port in
traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
to bind to privileged ports.
Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
The following package files will be deleted:
/var/cache/pkg/traefik2-2.2.0~c305a681e8.txz
/var/cache/pkg/openssl-1.1.1h_1,1~6642e9b6b6.txz
/var/cache/pkg/traefik2-2.2.0.txz
/var/cache/pkg/openssl-1.1.1h_1,1.txz
The cleanup will free 17 MiB
Deleting files: .... done
All done
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====> Stop the pot traefik-consul-amd64-12_2
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-12_2/m/dev
=====> Flavour: traefik-consul+1
=====> Executing traefik-consul+1 pot commands on traefik-consul-amd64-12_2
=====> No shell script available for the flavour traefik-consul+1
=====> Flavour: traefik-consul+2
=====> Executing traefik-consul+2 pot commands on traefik-consul-amd64-12_2
=====> No shell script available for the flavour traefik-consul+2
=====> Flavour: traefik-consul+3
=====> Executing traefik-consul+3 pot commands on traefik-consul-amd64-12_2
=====> No shell script available for the flavour traefik-consul+3
=====> Flavour: traefik-consul+4
=====> Executing traefik-consul+4 pot commands on traefik-consul-amd64-12_2
=====> No shell script available for the flavour traefik-consul+4
traefik-consul-amd64-11_4_1.2.1:
Password:===> Creating a new pot
===> pot name : traefik-consul-amd64-11_4
===> type : single
===> base : 11.4
===> pot_base :
===> level : 0
===> network-type : public-bridge
===> network-stack: ipv4
===> ip : 10.192.0.4
===> bridge :
===> dns : inherit
===> flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===> Fetching FreeBSD 11.4
/tmp/11.4-RELEASE_base.txz 125 MB 7822 kBps 16s
===> Extract the tarball
=====> Flavour: fbsd-update
=====> Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: NO -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:2d:bf:50:da:0b
hwaddr 02:2d:bf:50:da:0b
inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Sun Nov 1 08:05:22 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on traefik-consul-amd64-11_4
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update2.freebsd.org... done.
Fetching metadata signature for 11.4-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 42 patches.....10....20....30....40. done.
Applying patches... done.
The following files will be updated as part of updating to
11.4-RELEASE-p4:
/bin/freebsd-version
/lib/libc.so.7
/libexec/ld-elf.so.1
/rescue/[
/rescue/atmconfig
/rescue/badsect
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
/rescue/clri
/rescue/cp
/rescue/csh
/rescue/date
/rescue/dd
/rescue/devfs
/rescue/df
/rescue/dhclient
/rescue/disklabel
/rescue/dmesg
/rescue/dump
/rescue/dumpfs
/rescue/dumpon
/rescue/echo
/rescue/ed
/rescue/ex
/rescue/expr
/rescue/fastboot
/rescue/fasthalt
/rescue/fdisk
/rescue/fsck
/rescue/fsck_4.2bsd
/rescue/fsck_ffs
/rescue/fsck_msdosfs
/rescue/fsck_ufs
/rescue/fsdb
/rescue/fsirand
/rescue/gbde
/rescue/geom
/rescue/getfacl
/rescue/glabel
/rescue/gpart
/rescue/groups
/rescue/gunzip
/rescue/gzcat
/rescue/gzip
/rescue/halt
/rescue/head
/rescue/hostname
/rescue/id
/rescue/ifconfig
/rescue/init
/rescue/ipf
/rescue/iscsictl
/rescue/iscsid
/rescue/kenv
/rescue/kill
/rescue/kldconfig
/rescue/kldload
/rescue/kldstat
/rescue/kldunload
/rescue/ldconfig
/rescue/less
/rescue/link
/rescue/ln
/rescue/ls
/rescue/lzcat
/rescue/lzma
/rescue/md5
/rescue/mdconfig
/rescue/mdmfs
/rescue/mkdir
/rescue/mknod
/rescue/more
/rescue/mount
/rescue/mount_cd9660
/rescue/mount_msdosfs
/rescue/mount_nfs
/rescue/mount_nullfs
/rescue/mount_udf
/rescue/mount_unionfs
/rescue/mt
/rescue/mv
/rescue/nc
/rescue/newfs
/rescue/newfs_msdos
/rescue/nos-tun
/rescue/pgrep
/rescue/ping
/rescue/ping6
/rescue/pkill
/rescue/poweroff
/rescue/ps
/rescue/pwd
/rescue/rcorder
/rescue/rcp
/rescue/rdump
/rescue/realpath
/rescue/reboot
/rescue/red
/rescue/rescue
/rescue/restore
/rescue/rm
/rescue/rmdir
/rescue/route
/rescue/routed
/rescue/rrestore
/rescue/rtquery
/rescue/rtsol
/rescue/savecore
/rescue/sed
/rescue/setfacl
/rescue/sh
/rescue/shutdown
/rescue/sleep
/rescue/spppcontrol
/rescue/stty
/rescue/swapon
/rescue/sync
/rescue/sysctl
/rescue/tail
/rescue/tar
/rescue/tcsh
/rescue/tee
/rescue/test
/rescue/tunefs
/rescue/umount
/rescue/unlink
/rescue/unlzma
/rescue/unxz
/rescue/vi
/rescue/whoami
/rescue/xz
/rescue/xzcat
/rescue/zcat
/rescue/zdb
/rescue/zfs
/rescue/zpool
/sbin/devd
/sbin/dhclient
/sbin/init
/usr/bin/ar
/usr/bin/as
/usr/bin/c++
/usr/bin/cc
/usr/bin/clang
/usr/bin/clang++
/usr/bin/clang-cpp
/usr/bin/cpp
/usr/bin/ld
/usr/bin/ld.bfd
/usr/bin/ld.lld
/usr/bin/make
/usr/bin/ranlib
/usr/bin/svnlite
/usr/bin/svnliteadmin
/usr/bin/svnlitebench
/usr/bin/svnlitedumpfilter
/usr/bin/svnlitefsfs
/usr/bin/svnlitelook
/usr/bin/svnlitemucc
/usr/bin/svnliterdump
/usr/bin/svnliteserve
/usr/bin/svnlitesync
/usr/bin/svnliteversion
/usr/include/netinet/sctp_structs.h
/usr/include/netinet/sctputil.h
/usr/lib/libc.a
/usr/lib/libc_p.a
/usr/lib/libc_pic.a
/usr/lib/libhdb.so.11
/usr/lib/libprivatesqlite3.a
/usr/lib/libprivatesqlite3.so.0
/usr/lib/libprivatesqlite3_p.a
/usr/lib/libprivateunbound.a
/usr/lib/libprivateunbound.so.5
/usr/lib/libprivateunbound_p.a
/usr/libexec/ftpd
/usr/sbin/local-unbound
/usr/sbin/local-unbound-anchor
/usr/sbin/local-unbound-checkconf
/usr/sbin/local-unbound-control
/usr/sbin/nologin
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
done.
=====> Stop the pot traefik-consul-amd64-11_4
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====> Flavour: traefik-consul
=====> Executing traefik-consul pot commands on traefik-consul-amd64-11_4
=====> Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====> mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:6d:8f:21:9b:0b
hwaddr 02:6d:8f:21:9b:0b
inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.
Sun Nov 1 08:06:10 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/traefik-consul.sh
=====> Executing traefik-consul script on traefik-consul-amd64-11_4
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.15.10...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.15.10: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable: -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30939 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.1.1h_1,1
traefik2: 2.2.0
Number of packages to be installed: 2
The process will require 75 MiB more space.
17 MiB to be downloaded.
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1h_1,1.txz: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1h_1,1...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1h_1,1: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:
--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.
If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
packet filter configuration to redirect requests to the
desired privileged port to the unprivileged port in
traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
to bind to privileged ports.
Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
The following package files will be deleted:
/var/cache/pkg/traefik2-2.2.0~1ff6129dea.txz
/var/cache/pkg/traefik2-2.2.0.txz
/var/cache/pkg/openssl-1.1.1h_1,1.txz
/var/cache/pkg/openssl-1.1.1h_1,1~e0fb346881.txz
The cleanup will free 17 MiB
Deleting files: .... done
All done
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====> Stop the pot traefik-consul-amd64-11_4
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====> unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====> Flavour: traefik-consul+1
=====> Executing traefik-consul+1 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+1
=====> Flavour: traefik-consul+2
=====> Executing traefik-consul+2 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+2
=====> Flavour: traefik-consul+3
=====> Executing traefik-consul+3 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+3
=====> Flavour: traefik-consul+4
=====> Executing traefik-consul+4 pot commands on traefik-consul-amd64-11_4
=====> No shell script available for the flavour traefik-consul+4