
I am using Rancher 1.6.21 (env: default Cattle) with Docker 18.06.1-ce and my problem is that in the same stack the links are not working so services cannot communicate.

I tried installing a Docker Registry stack from the Rancher Catalog and I am getting errors in the container logs because hosts, like 'db', are not accessible. The links are present in the configuration; in the container's shell, pinging a service by name (link name or container name) results in no host found, but by IP it works. In the container's hosts file there is no entry for the respective links.

I also tried a couple of things, like creating another stack with a simple mysql db container and an openjdk springboot hello-world app container, and I'm having the same issue, and changing the network type from managed to bridged, but this has the same effect. Strangely, the same configuration works on a different server with the same specs (other client).

Any ideas on why this can happen? I am presuming there is something wrong in Rancher's configuration but cannot identify what.

Thanks in advance.

EDIT: After reading some more documentation I found that, because we are using CATTLE orchestration in Rancher, all networking management is done by their services (a few containers: ipsec, cni-driver, metadata and network-manager), so I thought the problem might be there, but after recreating the setup I still have the same issue. Another weird thing is that when creating a simple stack with 2 basic ubuntu containers and "linking" them, they can see each other by their DNS (network, no hosts entry) name.

    db:
      image: mysql:5.7.10
      environment:
        MYSQL_DATABASE: portus
        MYSQL_ROOT_PASSWORD: ${ROOTPASSWORD}
        MYSQL_USER: portus
        MYSQL_PASSWORD: ${DBPASSWORD}
      tty: true
      stdin_open: true
      volumes:
      - ${DIR}/db:/var/lib/mysql
      labels:
        registry.portus.db: 1
    sslproxy:
      image: nginx:1.9.9
      tty: true
      stdin_open: true
      links:
      - portus:portus
      volumes:
      - ${DIR}/certs:/etc/nginx/certs:ro
      - ${DIR}/proxy:/etc/nginx/conf.d:ro
      labels:
        io.rancher.scheduler.affinity:container_label_soft: registry.portus.db=1
    registry:
      image: registry:2.3.1
      environment:
        REGISTRY_LOG_LEVEL: warn
        REGISTRY_STORAGE_DELETE_ENABLED: true
        REGISTRY_AUTH: token
        REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
        REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
        REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
        REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
        REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
        REGISTRY_HTTP_TLS_KEY: /certs/registry.key
        REGISTRY_HTTP_SECRET: httpsecret
        REGISTRY_NOTIFICATIONS_ENDPOINTS: >
          - name: portus
            url: http://portus:3000/v2/webhooks/events
            timeout: 500
            threshold: 5
            backoff: 1
      tty: true
      stdin_open: true
      links:
      - portus:portus
      volumes:
      - ${DIR}/certs:/certs
      - ${DIR}/data:/var/lib/registry
    lb:
      image: rancher/load-balancer-service
      tty: true
      stdin_open: true
      ports:
      - ${RPORT}:5000/tcp
      - ${PPORT}:443/tcp
      labels:
        io.rancher.loadbalancer.target.sslproxy: ${PPORT}=443
        io.rancher.loadbalancer.target.registry: ${RPORT}=5000
        io.rancher.scheduler.global: 'true'
        io.rancher.scheduler.affinity:not_host_label: lb=0
        io.rancher.scheduler.affinity:not_host_label: registry.enabled=false
      links:
      - registry:registry
      - sslproxy:sslproxy
    portus:
      image: sshipway/portus:2.0.5
      environment: 
        PORTUS_MACHINE_FQDN: ${DOMAIN}
        PORTUS_PRODUCTION_HOST: db
        PORTUS_PRODUCTION_DATABASE: portus
        PORTUS_PRODUCTION_USERNAME: portus
        PORTUS_PRODUCTION_PASSWORD: ${DBPASSWORD}
        PORTUS_GRAVATAR_ENABLED: true
        PORTUS_KEY_PATH: /certs/registry.key
        PORTUS_PASSWORD: ${DBPASSWORD}
        PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}
        PORTUS_CHECK_SSL_USAGE_ENABLED: true
        PORTUS_SMTP_ENABLED: false
        PORTUS_LDAP_ENABLED: ${LDAP}
        PORTUS_LDAP_HOSTNAME: ${LDAPHOST}
        PORTUS_LDAP_PORT: ${LDAPPORT}
        PORTUS_LDAP_METHOD: ${LDAPTLS}
        PORTUS_LDAP_BASE: ${LDAPBASE}
        PORTUS_LDAP_UID: cn
        PORTUS_LDAP_AUTHENTICATION_ENABLED: ${LDAPBIND}
        PORTUS_LDAP_AUTHENTICATION_BIND_DN: ${LDAPBINDDN}
        PORTUS_LDAP_AUTHENTICATION_PASSWORD: ${LDAPBINDPASS}
        PORTUS_LDAP_GUESS_EMAIL_ENABLED: true
        PORTUS_LDAP_GUESS_EMAIL_ATTR: mail
        PORTUS_PORT: ${PPORT}
        REGISTRY_SSL_ENABLED: true
        REGISTRY_HOSTNAME: ${DOMAIN}
        REGISTRY_PORT: ${RPORT}
        REGISTRY_NAME: Registry
      tty: true
      stdin_open: true
      volumes:
      - ${DIR}/certs:/certs
      - ${DIR}/proxy:/etc/nginx/conf.d
      links:
      - db:db
      labels:
        io.rancher.container.pull_image: always
        io.rancher.scheduler.affinity:container_label_soft: registry.portus.db=1
        registry.portus.app: 1
hypnus
  • I thought links were obsolete and not to be used? (replaced by networks) – VonC Oct 08 '18 at 12:19
  • Can you add more information, like the Dockerfile, docker run, or docker-compose file? Without seeing how you are running the Docker container, it's difficult to understand and answer the question. – Mani Oct 10 '18 at 14:55
  • Thanks for the support. @VonC: yes, the links are obsolete but still working; for some reason Rancher 1.6 is still using this approach. Rancher 1.6 also has a custom network defined as *managed*, but even with this (using the network approach) I have the same issue. @Mani: Rancher uses docker-compose and services are wrapped in a custom deliverable package in their Catalog system, so I am just clicking install on a Catalog item "Docker Registry" and it deploys the stuff as I did for the other instance of Rancher where it works. – hypnus Oct 12 '18 at 07:27
  • Any link to docker-compose file like their github page/official website/documentation to view docker-compose file? – Mani Oct 12 '18 at 11:06
  • Hey Mani, thank you first. I could not find the Rancher registry repo on GitHub even though they have most of the project on GitHub, but I can paste the docker-compose.yml into the post. – hypnus Oct 17 '18 at 08:20

1 Answer


Links are deprecated in the latest version of Docker, and you can use Docker networks as the successor to links. Information from the official Docker documentation:

 Warning: The --link flag is a legacy feature of Docker. It may eventually be 
 removed. Unless you absolutely need to continue using it, we recommend that you use 
 user-defined networks to facilitate communication between two containers instead of 
 using --link. One feature that user-defined networks do not support that you can do 
 with --link is sharing environmental variables between containers. However, you can 
 use other mechanisms such as volumes to share environment variables between 
 containers in a more controlled way.

Ref: https://docs.docker.com/network/links/

You can use alternatives to --links, like a user-defined bridge network or the default bridge network.

Ref: https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge

I also tried to change the network type from managed to bridged but this has the same effect. Strangely, the same configuration works on a different server (other client).

Answer for the above question:

Because your other client may be using an older version of Docker or docker-compose V2 (or lower), where links are available.

Prem
  • Thank you @Prem for your answer, I know links are deprecated but they still work even in *Docker 18* (the one I am using) as legacy. *Rancher 1.6* still uses the --links approach but also has a custom network defined (**managed**), I tried both strategies and the services cannot see each other by name *only* by IP. And yes, Rancher uses docker-compose V2. – hypnus Oct 12 '18 at 07:34
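
An added example, not part of the original question or answer: it automates the two checks the question performs by hand, namely whether each link alias from the compose file is in the container's hosts file and, if not, which DNS server has to answer for it. The file contents, the nameserver address and the function names are constructed for illustration; inside a container, pass the real contents of /etc/hosts and /etc/resolv.conf.

```python
import socket

# Link aliases each service declares in the compose file from the question.
LINKS = {"sslproxy": ["portus"], "registry": ["portus"],
         "lb": ["registry", "sslproxy"], "portus": ["db"]}

# Constructed container files reproducing the reported symptom: no hosts entry for the links.
HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
RESOLV = "search example.internal  # constructed\nnameserver 192.0.2.53  # constructed\n"


def _fields(text):
    """Yield the whitespace-split fields of each non-empty line, comments stripped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields


def hosts_names(text):
    """All names (not addresses) that /etc/hosts can answer for."""
    return {name for fields in _fields(text) for name in fields[1:]}


def nameservers(text):
    """Nameserver addresses listed in /etc/resolv.conf, in order."""
    return [f[1] for f in _fields(text) if f[0] == "nameserver" and len(f) > 1]


def resolution_path(service, hosts_text, resolv_text, links=LINKS):
    """Map each alias linked by `service` to where its lookup must be answered."""
    known, servers = hosts_names(hosts_text), nameservers(resolv_text)
    report = {}
    for alias in links.get(service, []):
        if alias in known:
            report[alias] = "hosts"            # answered locally, no DNS involved
        elif servers:
            report[alias] = "dns:" + servers[0]  # depends on this resolver
        else:
            report[alias] = "unresolvable"     # neither hosts entry nor resolver
    return report


def probe(alias):
    """Live lookup from inside the container; None when the name does not resolve."""
    try:
        return socket.gethostbyname(alias)
    except OSError:
        return None
```

Where an alias reports `dns:…` and `probe()` returns `None`, the thing to investigate is the resolver at that address rather than the link definition in the compose file.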