Lösungen
Märkte
Referenzen
Services
Unternehmen
Traefik support for navcontainerhelper, the NAV ARM templates for Azure VMs and local environments

Traefik support for navcontainerhelper, the NAV ARM templates for Azure VMs and local environments

1. Juni 2019

Traefik support for navcontainerhelper, the NAV ARM templates for Azure VMs and local environments

I had recently written about the usage of traefik as reverse proxy for multiple Business Central containers on an Azure VM. While I tried to make that setup quite easy, as always there was room for improvement. With the help of Freddy Kristiansen I therefore implemented two additions to navcontainerhelper and the NAV ARM templates (the technology driving https://aka.ms/getbc and similar offerings) which Freddy was kind enough to accept.

The TL;DR

When you use one of the ARM templates, you now have a switch „use Traefik“. If you enable that and also provide a Let’s encrypt contact email, the VM will automatically be set up with the necessary config files and also run traefik in a container.

The second part is navcontainerhelper which now also has a switch -useTraefik. When that is used, the labels needed for traefik are automatically added when your container is started. You just do the same as always and add -useTraefik, e.g. New-NavContainer -accept_eula -containerName imau -imageName mcr.microsoft.com/businesscentral/onprem:de -useTraefik. The output will let you know how to reach your traefik endpoints, e.g. as follows:

Host is Microsoft Windows Server 2019 Datacenter - ltsc2019
Docker Client Version is 18.09.4
Docker Server Version is 18.09.4
Using image mcr.microsoft.com/businesscentral/onprem:de-ltsc2019
PublicDnsName is traef-test10.westeurope.cloudapp.azure.com
Creating Nav container imau
...
Nav container imau successfully created
Because of Traefik, the following URLs need to be used when accessing the container from outside your Docker host:
Web Client:        https://traef-test10.westeurope.cloudapp.azure.com/imau/
SOAP WebServices:  https://traef-test10.westeurope.cloudapp.azure.com/imausoap
OData WebServices: https://traef-test10.westeurope.cloudapp.azure.com/imaurest
Dev Service:       https://traef-test10.westeurope.cloudapp.azure.com/imaudev
File downloads:    https://traef-test10.westeurope.cloudapp.azure.com/imaudl

The details for Azure VMs

I have explained the workings of traefik together with Business Central already in the blog post mentioned above and the mechanism used now is exactly the same. Check the New-NavContainer implementation here and here for the main parts of the actual code, but it should work straight forward. Still, there are a couple of things to note:

Don’t try this at home

Just kidding, of course you can also try this at home, i.e. on premise. It works the same with one exception: In the configuration provided through navcontainerhelper, traefik will try to get an SSL certificate from Let’s Encrypt. That means that your Docker host needs to be accessible from the internet with the same public DNS name and traefik needs to own port 80. If that is the case, you can just do the exact same thing on premise: First call Setup-TraefikContainerForNavContainers once and then call New-NavContainer with -useTraefik every time you need a new container.

If your host is not reachable from the internet with the same name or port 80 can’t be used by traefik, you can use your own certificate (publicly valid or self-signed). The first step also is Setup-TraefikContainerForNavContainers. Assuming that my host is called t00-dev-tfe05.axians-infoma.de, the command is something like the following. Note that I am not giving it a valid email address as Let’s Encrypt won’t work anyways.

Setup-TraefikContainerForBCContainers -PublicDnsName t00-dev-tfe05.axians-infoma.de -ContactEMailForLetsEncrypt noneed

If you check the logs of the traefik container afterwards, you will see something like this as is to be expected:

2019/05/31 12:46:29 Using high precision timer
time="2019-05-31T12:46:33+02:00" level=error msg="Unable to obtain ACME certificate for domains \"t00-dev-tfe05.axians-infoma.de\" : cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: not a valid e-mail address, url: "

I assume that you have a valid certificate called traefik.crt and a key file traefik.key for the public DNS name of your Docker host. To use them, you need to do the following:

With that in place, the traefik endpoints should just work as expected


5 Kommentare zu “Traefik support for navcontainerhelper, the NAV ARM templates for Azure VMs and local environments”

  1. Hi Tobias! Great Post!

    I’ve tried the script and I’ve seen that what Freddy has added in Navcontainerhelper is the same.
    I have a question about how to use Traefik if I have two or more instances of NAV running inside the same container. I have seen that Trafik’s rule always directs towards / NAV / and for more tests I do I am not able to adapt this to a generic URL in order to have more services inside. Can you think of anything?

    Thank you!

    1. Hi Robert,

      thanks for your feedback. Starting multiple instances in a container is not supported for the NAV/BC images, so I don’t think there is a good way to do it and I wouldn’t invest in that direction. Why do you want to have multiple instances in the same container?

      Tobias

  2. Basically my problem is that we have a development server with several teams working. We have about 10 BC projects currently under development and we have encountered different problems.
    The first is that if we assemble a container for each project, each container consumes 4GB of memory and for this reason we need the host machine to have more than 64GB of RAM and the more projects more RAM.

    However, of these 10 projects by subtracting all in the same CU, what we have done has been a single container with an instance for each project, in this way the host machine works correctly with 16GB of RAM.

    Now we have the problem of using with Traefik … since we want to deploy our BC extensions from the developer’s laptop and not from a server … and here we are.

    Is this approach correct? Which would be correct? Can you help me?

    Thank you so much for everything.

  3. Hi Tobias,
    Can you help me.
    When I create
    ———————————————————————————————————————————-
    PS C:\Users\vmadmin>
    >> Setup-TraefikContainerForBCContainers -PublicDnsName nameofdomain.westeurope.cloudapp.azure.com -ContactEMailForLetsEncrypt noneed
    Creating folder structure at c:\programdata\navcontainerhelper\traefikforbc

    Directory: C:\programdata\navcontainerhelper

    Mode LastWriteTime Length Name
    —- ————- —— —-
    d—– 12/25/2019 10:03 AM traefikforbc

    Directory: C:\programdata\navcontainerhelper\traefikforbc

    Mode LastWriteTime Length Name
    —- ————- —— —-
    -a—- 12/25/2019 10:03 AM 0 traefik.txt
    d—– 12/25/2019 10:03 AM my
    d—– 12/25/2019 10:03 AM config

    Directory: C:\programdata\navcontainerhelper\traefikforbc\config

    Mode LastWriteTime Length Name
    —- ————- —— —-
    -a—- 12/25/2019 10:03 AM 0 acme.json
    Create traefik config file
    Pulling and running traefik
    v1.7.12: Pulling from stefanscherer/traefik-windows
    f07e9c2b1e53: Pull complete
    854e291a28cb: Pull complete
    140212929c9c: Pull complete
    3e239756fe48: Pull complete
    229331a84b1f: Pull complete
    38bee0d3de9c: Pull complete
    7d1d400b1f6b: Pull complete
    f942c8d53593: Pull complete
    Digest: sha256:235da52aebc77926e2d87e18e39bb760d7ea3a22239f8809c0aae2c4c1054c60
    Status: Downloaded newer image for stefanscherer/traefik-windows:v1.7.12
    docker.io/stefanscherer/traefik-windows:v1.7.12
    dfe39b2187bc0e209afbd0c829fd635cbb5cc43931d00a7012f55be94d3bce0a
    C:\Program Files\Docker\docker.exe: Error response from daemon: failed to create endpoint xenodochial_gagarin on network nat: hnsCall failed in Win32: The process cannot access the file because it is being used by another process. (0x20).
    ———————————————————————————————————————————-
    And after creating container, I cannot access to him.

  4. Hi

    We keep having issues with the certificate. When we check the log we get the following:

    time=“2020-01-17T14:00:24Z“ level=error msg=“failed to load X509 key pair: tls: failed to find any PEM data in certificate input“
    time=“2020-01-17T14:00:26Z“ level=error msg=“failed to load X509 key pair: tls: failed to find any PEM data in certificate input“

    We created the self-signed certificate and eventually worked out how to generate the .key file but now are stuck.

    Can you help or suggest a guide to creating the certificates with the .key please?

    Thanks

    Chris


Schreibe einen Kommentar