Traefik (Consul)

Overview

This is a flavour containing the traefik reverse proxy and load balancer, preconfigured for use with consul (e.g. the consul pot image on potluck).

Installation

  • Create your local jail from the image or the flavour files.
  • Export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8080:8080 -e 9002:9002
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E CONSULSERVER=<IP or hostname of consulserver>
  • Optional: Mount your traefik log storage directory into the jail:
    sudo pot mount-in -p <jailname> -m /var/log/traefik -d <logdirectory_on_host>
  • Start the jail with pot start

Usage

traefik in the jail listens on port 8080 (HTTP) and port 8443 (HTTPS with a self-signed certificate).

You can connect to the dashboard on port 9002 of your jail IP address.

The services registered on your associated consul instance are available under their service name via the host: header (similar to e.g. Apache Virtual Hosts).
To test this, you can use curl -H 'host: my-consul-servicename' <jailip>:8080.
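
The traefik.toml that this flavour generates serves the dashboard with `insecure = true` on the `traefik` entry point (port 9002) and sets `exposedByDefault = true` for the Consul catalog, so the dashboard asks for no login and every registered service gets a route. The check below is an added example, not part of the flavour, that flags these settings in a config file; both sample files and the Consul address are constructed, and the tighter variant is an assumption to adapt.

```shell
#!/bin/sh
# Added example, not part of the potluck flavour. Both sample files and the
# Consul address in them are constructed.

# Print one finding per line for the traefik TOML file given as $1.
audit_traefik_toml() {
    awk '
        /^[ \t]*#/ { next }                 # ignore comment lines
        /^[ \t]*\[/ {                       # table header such as [api]
            section = $0
            gsub(/[ \t]/, "", section)
            gsub(/\[/, "", section)
            gsub(/\]/, "", section)
            next
        }
        {
            kv = $0
            gsub(/[ \t"]/, "", kv)          # key = "value"  ->  key=value
        }
        section == "api" && kv == "insecure=true" {
            print "api.insecure=true: API and dashboard need no authentication"
        }
        section == "entryPoints.traefik" && kv ~ /^address=(0\.0\.0\.0)?:/ {
            print "entryPoints.traefik " kv ": bound to every address of the jail"
        }
        section == "providers.consulCatalog" && kv == "exposedByDefault=true" {
            print "consulCatalog.exposedByDefault=true: every catalog service gets a route"
        }
    ' "$1"
}

# Excerpt of the file the flavour's cook script writes (constructed copy).
write_flavour_sample() {
    cat > "$1" <<'EOF'
[entryPoints]
  [entryPoints.http]
    address = "0.0.0.0:8080"
  [entryPoints.traefik]
    address = "0.0.0.0:9002"

[api]
  dashboard = true
  insecure = true

[providers.consulCatalog]
  exposedByDefault = true
  [providers.consulCatalog.endpoint]
    address = "10.0.0.5:8500"
EOF
}

# Tighter variant (an assumption to adapt): dashboard entry point on loopback,
# API reachable only through a router you define for api@internal, and Consul
# services routed only when they carry the tag traefik.enable=true.
write_hardened_sample() {
    cat > "$1" <<'EOF'
[entryPoints]
  [entryPoints.http]
    address = "0.0.0.0:8080"
  [entryPoints.traefik]
    address = "127.0.0.1:9002"

[api]
  dashboard = true
  insecure = false

[providers.consulCatalog]
  exposedByDefault = false
  [providers.consulCatalog.endpoint]
    address = "10.0.0.5:8500"
EOF
}

# Number of findings for the sample written by function $1.
count_findings() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/traefik-audit.XXXXXX") || return 1
    "$1" "$tmp"
    audit_traefik_toml "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

sample=$(mktemp "${TMPDIR:-/tmp}/traefik-audit.XXXXXX") || exit 1
write_flavour_sample "$sample"
audit_traefik_toml "$sample"
rm -f "$sample"
```

Inside a running jail, point `audit_traefik_toml` at /usr/local/etc/traefik.toml.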

Getting Started

How To Use The Ready-Made Image

FreeBSD 12.1:
pot import -p traefik-consul-amd64-12_1 -t 1.2 -U https://potluck.honeyguide.net/traefik-consul

FreeBSD 11.4:
pot import -p traefik-consul-amd64-11_4 -t 1.2 -U https://potluck.honeyguide.net/traefik-consul

If you don’t want to use the default pot bridged network configuration but need an individual network setup instead (e.g. to assign a host IP address), you can simply clone the jail after importing it, like this (em0 is the host network adapter in this example):
pot clone -P traefik-consul-amd64-12_1 -p my-cloned-jail -N alias -i "em0|10.10.10.10"

Note: Some images might require specific network configuration; double-check the Overview chapter at the top.

Alternatively: Create a Jail With This Flavour Yourself

1. Create Flavour Files

Create the file
/usr/local/etc/pot/flavours/traefik-consul.sh
with the content shown below and make it executable:
chmod ugo+x /usr/local/etc/pot/flavours/traefik-consul.sh

#!/bin/sh

# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - yes or no
# 2. Adjust package installation between BEGIN & END PACKAGE SETUP
# 3. Adjust jail configuration script generation between BEGIN & END COOK

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script 
RUNS_IN_NOMAD=false

# -------------- BEGIN PACKAGE SETUP -------------
[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NO"
sysrc traefik_enable="YES"

# Install packages
pkg install -y openssl traefik2
pkg clean -y

# To allow mount in of this directory, create mountpoint
mkdir -p /var/log/traefik
# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s) 
# On subsequent runs, it only sleeps (if nomad-jail) or simply exits
#

# ----------------- BEGIN COOK ------------------ 
echo "#!/bin/sh
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
    # If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
    # created by pot and we block indefinitely
    if [ ! -e /tmp/environment.sh ]
    then
        tail -f /dev/null 
    fi
    exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
/usr/local/etc/rc.d/traefik stop  || true
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
    . /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
# Check config variables are set
#
if [ -z \${CONSULSERVER+x} ];
then
    echo 'CONSULSERVER is unset - see documentation how to configure this flavour'
    exit 1
fi

# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# Create traefik server config file 
echo \"
[entryPoints]
  [entryPoints.http]
    address = \\\"0.0.0.0:8080\\\"
  [entryPoints.traefik]
    address = \\\"0.0.0.0:9002\\\"
  [entryPoints.httpSSL]
    address = \\\"0.0.0.0:8443\\\"

[http.routers.my-api]
  entryPoints = [\\\"traefik\\\"]
  # Catch every request (only available rule for non-tls routers. See below.)
  rule = \\\"HostSNI(\\\`*\\\`)\\\"
  service = \\\"api@internal\\\"

[[tls.certificates]]
  certFile = \\\"/usr/local/etc/ssl/cert.crt\\\"
  keyFile = \\\"/usr/local/etc/ssl/cert.key\\\"

[tls.options]
  [tls.options.myTLSOptions]
    minVersion = \\\"VersionTLS12\\\"
    cipherSuites = [
      \\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
      \\\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",
      \\\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\\\",
      \\\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\\\",
      \\\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",
      \\\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",
    ]

[api]
  dashboard = true
  insecure = true

[log]
  filePath = \\\"/var/log/traefik/traefik.log\\\"
[accessLog]
  filePath = \\\"/var/log/traefik/traefik-access.log\\\"

[providers.consulCatalog]
  stale = false
  exposedByDefault = true
  [providers.consulCatalog.endpoint]
    address = \\\"\$CONSULSERVER:8500\\\"\" > /usr/local/etc/traefik.toml

echo \"traefik_conf=\\\"/usr/local/etc/traefik.toml\\\"\" >> /etc/rc.conf

touch /var/log/traefik/traefik.log
touch /var/log/traefik/traefik-access.log
chown traefik:traefik /var/log/traefik/traefik.log
chown traefik:traefik /var/log/traefik/traefik-access.log

mkdir -p /usr/local/etc/ssl/
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/ssl/cert.key -out /usr/local/etc/ssl/cert.crt -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\"
chmod 644 /usr/local/etc/ssl/cert.crt
chmod 600 /usr/local/etc/ssl/cert.key

# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
/usr/local/etc/rc.d/traefik start
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ ! -e /tmp/environment.sh ]
then
    tail -f /dev/null
fi
" > /usr/local/bin/cook

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

chmod u+x /usr/local/bin/cook

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
# 

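# Create rc.d script for "normal" mode
# (dollar signs are escaped so they are expanded when the rc.d script runs,
# not while this flavour script writes it):
echo "#!/bin/sh
#
# PROVIDE: cook 
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=cook
rcvar=cook_enable
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}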
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook

chmod u+x /usr/local/etc/rc.d/cook

if [ $RUNS_IN_NOMAD = false ]
then
    # This is a non-nomad (non-blocking) jail, so we need to make sure the script
    # gets started when the jail is started:
    # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
    echo "cook_enable=\"YES\"" >> /etc/rc.conf
fi
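
Backticks inside the nested `echo` fall under the same escaping rule as quotes and dollar signs: left bare, the generating shell runs them as a command substitution, which is the kind of error the `COPYRIGHT: not found` line in the build log further down records. The script below is an added example, not part of the flavour, comparing that pattern with an escaped version and with a quoted here-document; the file names, the scratch directory and the CONSULSERVER value are constructed.

```shell
#!/bin/sh
# Added example, not part of the potluck flavour. File names, the scratch
# directory and the CONSULSERVER value are constructed for the demonstration.

# Variant A: nested double-quoted echo with bare backticks. The shell running
# this function executes the text between the backticks as a command while it
# builds the string, so the backticks never reach the generated script.
gen_with_echo() {
    echo "#!/bin/sh
echo \"rule = \\\"HostSNI(`*`)\\\"
address = \\\"\$CONSULSERVER:8500\\\"\" > \"\$1\"" > "$1"
}

# Variant B: same pattern, backticks escaped once for each of the two levels.
gen_with_escaped_echo() {
    echo "#!/bin/sh
echo \"rule = \\\"HostSNI(\\\`*\\\`)\\\"
address = \\\"\$CONSULSERVER:8500\\\"\" > \"\$1\"" > "$1"
}

# Variant C: quoted here-document. Nothing is expanded while generating, so the
# inner script is written as it should read; the backticks keep one backslash
# because the inner here-document is unquoted (it must expand $CONSULSERVER).
gen_with_heredoc() {
    cat > "$1" <<'OUTER'
#!/bin/sh
cat > "$1" <<INNER
rule = "HostSNI(\`*\`)"
address = "$CONSULSERVER:8500"
INNER
OUTER
}

# Run "$@" inside a fresh scratch directory holding one constructed file,
# COPYRIGHT, for the stray glob in variant A to match.
in_scratch() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/cookdemo.XXXXXX") || return 1
    : > "$work/COPYRIGHT"
    rc=0
    ( cd "$work" && "$@" ) || rc=$?
    rm -rf "$work"
    return $rc
}

# Generate with function $1, run the result, print the rule line it wrote.
build_and_run() {
    "$1" cook.sh 2>/dev/null
    CONSULSERVER=10.0.0.5 sh cook.sh traefik.toml
    grep '^rule' traefik.toml
}
rule_line() { in_scratch build_and_run "$1"; }

# Print only what the generating shell writes to stderr for function $1.
build_only() { "$1" cook.sh 2>&1 >/dev/null; }
generator_stderr() { in_scratch build_only "$1"; }

for g in gen_with_echo gen_with_escaped_echo gen_with_heredoc; do
    printf '%-22s %s\n' "$g" "$(rule_line "$g")"
done
```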

2. Create Jail From Flavour

Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update -f traefik-consul

with your FreeBSD version (e.g. 12.1) and the name your jail should get.

Note: Some images might require specific network configuration; double-check the Overview chapter at the top.

Version History

1.2

  • Moved from traefik to traefik2 port
  • Support mounting of traefik log directory to persist access logs

1.1

  • Added HTTPS with self signed certificate (port 8443)

1.0

  • Initial commit

These images were built on Wed Aug 19 10:33:25 UTC 2020

Manual Image Download Links

traefik-consul-amd64-12_1_1.2.xz ( 221.62 MB )
traefik-consul-amd64-12_1_1.2.xz.skein ( 0.250977 KB )

traefik-consul-amd64-11_4_1.2.xz ( 185.965 MB )
traefik-consul-amd64-11_4_1.2.xz.skein ( 0.250977 KB )

Jenkins Pot Creation Logs

traefik-consul-amd64-12_1_1.2:


traefik-consul/traefik-consul:
traefik-consul/traefik-consul.sh:

traefik-consul/traefik-consul+1:
traefik-consul/traefik-consul+1.sh:

traefik-consul/traefik-consul+2:
traefik-consul/traefik-consul+2.sh:

traefik-consul/traefik-consul+3:
traefik-consul/traefik-consul+3.sh:

traefik-consul/traefik-consul+4:
traefik-consul/traefik-consul+4.sh:
Password:=====>  -i auto: assigned 10.192.0.3
===>  Creating a new pot
===>  pot name : traefik-consul-amd64-12_1
===>  type : single
===>  base : 12.1
===>  pot_base :
===>  level : 0
===>  network-type: public-bridge
===>  ip : 10.192.0.3
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===>  Fetching FreeBSD 12.1
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting traefik-consul-amd64-12_1 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot traefik-consul-amd64-12_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:db:c1:e9:71:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug 19 10:28:01 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on traefik-consul-amd64-12_1
src component not installed, skipped
freebsd-update fetch should not be run non-interactively.
Run freebsd-update cron instead.
src component not installed, skipped
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
=====>  Stop the pot traefik-consul-amd64-12_1
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/dev
=====>  Flavour: traefik-consul
=====>  Executing traefik-consul pot commands on traefik-consul-amd64-12_1
=====>  Starting traefik-consul-amd64-12_1 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot traefik-consul-amd64-12_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:63:83:bd:29:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug 19 10:28:07 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp/traefik-consul.sh
=====>  Executing traefik-consul script on traefik-consul-amd64-12_1
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.14.6...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.14.6: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable:  -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 31916 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1g,1
	traefik2: 2.2.0

Number of packages to be installed: 2

The process will require 79 MiB more space.
18 MiB to be downloaded.
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1g,1.txz: .......... done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1g,1...
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1g,1: .......... done
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-12_1.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:

--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.

If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
  packet filter configuration to redirect requests to the
  desired privileged port to the unprivileged port in
  traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
  to bind to privileged ports.

Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
Nothing to do.
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====>  Stop the pot traefik-consul-amd64-12_1
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/tmp
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-12_1/m/dev
=====>  Flavour: traefik-consul+1
=====>  Executing traefik-consul+1 pot commands on traefik-consul-amd64-12_1
=====>  No shell script available for the flavour traefik-consul+1
=====>  Flavour: traefik-consul+2
=====>  Executing traefik-consul+2 pot commands on traefik-consul-amd64-12_1
=====>  No shell script available for the flavour traefik-consul+2
=====>  Flavour: traefik-consul+3
=====>  Executing traefik-consul+3 pot commands on traefik-consul-amd64-12_1
=====>  No shell script available for the flavour traefik-consul+3
=====>  Flavour: traefik-consul+4
=====>  Executing traefik-consul+4 pot commands on traefik-consul-amd64-12_1
=====>  No shell script available for the flavour traefik-consul+4

traefik-consul-amd64-11_4_1.2:


traefik-consul/traefik-consul:
traefik-consul/traefik-consul.sh:

traefik-consul/traefik-consul+1:
traefik-consul/traefik-consul+1.sh:

traefik-consul/traefik-consul+2:
traefik-consul/traefik-consul+2.sh:

traefik-consul/traefik-consul+3:
traefik-consul/traefik-consul+3.sh:

traefik-consul/traefik-consul+4:
traefik-consul/traefik-consul+4.sh:
Password:=====>  -i auto: assigned 10.192.0.4
===>  Creating a new pot
===>  pot name : traefik-consul-amd64-11_4
===>  type : single
===>  base : 11.4
===>  pot_base :
===>  level : 0
===>  network-type: public-bridge
===>  ip : 10.192.0.4
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update traefik-consul traefik-consul+1 traefik-consul+2 traefik-consul+3 traefik-consul+4
===>  Fetching FreeBSD 11.4
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:a9:98:c9:bf:0b
	hwaddr 02:a9:98:c9:bf:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug 19 10:30:59 UTC 2020
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on traefik-consul-amd64-11_4
src component not installed, skipped
freebsd-update fetch should not be run non-interactively.
Run freebsd-update cron instead.
src component not installed, skipped
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
=====>  Stop the pot traefik-consul-amd64-11_4
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====>  Flavour: traefik-consul
=====>  Executing traefik-consul pot commands on traefik-consul-amd64-11_4
=====>  Starting traefik-consul-amd64-11_4 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot traefik-consul-amd64-11_4
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:a3:4f:7d:fc:0b
	hwaddr 02:a3:4f:7d:fc:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug 19 10:31:04 UTC 2020
/usr/local/etc/pot/flavours/traefik-consul.sh -> /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp/traefik-consul.sh
=====>  Executing traefik-consul script on traefik-consul-amd64-11_4
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.14.6...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.14.6: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
sendmail_enable: NO -> NO
traefik_enable:  -> YES
Updating FreeBSD repository catalogue...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30704 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1g,1
	traefik2: 2.2.0

Number of packages to be installed: 2

The process will require 79 MiB more space.
18 MiB to be downloaded.
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching openssl-1.1.1g,1.txz: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching traefik2-2.2.0.txz: .......... done
Checking integrity... done (0 conflicting)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Installing openssl-1.1.1g,1...
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting openssl-1.1.1g,1: .......... done
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Installing traefik2-2.2.0...
===> Creating groups.
Creating group 'traefik' with gid '475'.
===> Creating users
Creating user 'traefik' with uid '475'.
===> Creating homedir(s)
[traefik-consul-amd64-11_4.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting traefik2-2.2.0: ...... done
=====
Message from traefik2-2.2.0:

--
Note that traefik starts as unprivileged user. Thus, it cannot
bind to privileged ports (by default, ports below 1024) and
will exit when configured to do so.

If traefik should serve ports in the privileged range, there
are options to achieve this:
- Have traffic bind to an unprivileged port and use the
  packet filter configuration to redirect requests to the
  desired privileged port to the unprivileged port in
  traefik's configuration file e.g. the rdr rules in pf(4).
- The mac_portacl kernel module allows unprivileged processes
  to bind to privileged ports.

Note: If you are upgrading from traefik 1.x keep in mind that
the configuration is not compatible.
Nothing to do.
/tmp/traefik-consul.sh: COPYRIGHT: not found
=====>  Stop the pot traefik-consul-amd64-11_4
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/tmp
=====>  unmount /mnt/data/pot/jails/traefik-consul-amd64-11_4/m/dev
=====>  Flavour: traefik-consul+1
=====>  Executing traefik-consul+1 pot commands on traefik-consul-amd64-11_4
=====>  No shell script available for the flavour traefik-consul+1
=====>  Flavour: traefik-consul+2
=====>  Executing traefik-consul+2 pot commands on traefik-consul-amd64-11_4
=====>  No shell script available for the flavour traefik-consul+2
=====>  Flavour: traefik-consul+3
=====>  Executing traefik-consul+3 pot commands on traefik-consul-amd64-11_4
=====>  No shell script available for the flavour traefik-consul+3
=====>  Flavour: traefik-consul+4
=====>  Executing traefik-consul+4 pot commands on traefik-consul-amd64-11_4
=====>  No shell script available for the flavour traefik-consul+4

This site © Honeyguide Group (Pty) Ltd, all the hosted software their respective license owners 2020