Docker Community Forums

HRM and interlock


(Cricen42) #1

Hello all,

I’m trying to use the new HRM and something just isn’t right with either what I’m doing or my install. I’m using this as my guide: https://docs.docker.com/ee/ucp/interlock/usage/#deploy-the-service but are there more detailed resources on this?

One of the main issues I’m having is that the interlock-proxy container isn’t in my list of system containers. And I’ve been messing around with the docker stack YAML. At one point I think my problem was that I was hogging the wrong ports, but I’ve stopped that. Anyhow, here is a sample of the stack I’m trying to deploy.

networks:
 t1-internal:
   driver: overlay
services:
 web:
   deploy:
     endpoint_mode: vip
     labels:
       com.docker.lb.hosts: myapp.my.org
       com.docker.lb.network: t1-internal
       com.docker.lb.port: '8080'
     replicas: 1
     resources:
       limits:
         cpus: '.25'
         memory: 2048M
     restart_policy:
       condition: on-failure
       delay: 5s
       max_attempts: 3
       window: 120s
   image: dtr.my.org/apps/myapp:1.00.00
   networks:
     - t1-internal
   ports:
     - target: 8080
version: '3.3'

(Cricen42) #2

Still trying to resolve this. We’re working in AWS, and I tried redeploying the UCP and DTR on a new set. What I’m seeing is that the interlock-service container can’t communicate with the interlock-extension container.

Tried to update the interlock setting to disable SSL verification using: https://docs.docker.com/ee/ucp/interlock/deploy/configure/

interlock config file:

ListenAddr = ":8080"
DockerURL = "unix:///var/run/docker.sock"
AllowInsecure = true
PollInterval = "3s"

[Extensions]
  [Extensions.default]
    Image = "docker/ucp-interlock-extension:3.0.0"
    ServiceName = "ucp-interlock-extension"
    Args = [""]
    Constraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true"]
    ProxyImage = "docker/ucp-interlock-proxy:3.0.0"
    ProxyServiceName = "ucp-interlock-proxy"
    ProxyConfigPath = "/etc/nginx/nginx.conf"
    ProxyReplicas = 4
    ProxyStopSignal = "SIGQUIT"
    ProxyStopGracePeriod = "5s"
    ProxyConstraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true"]
    PublishMode = "ingress"
    PublishedPort = 80
    TargetPort = 80
    PublishedSSLPort = 8443
    TargetSSLPort = 443
    [Extensions.default.Labels]
      "com.docker.ucp.InstanceID" = "a4otxrsfrsigczcbe0gq6fmav"
    [Extensions.default.ContainerLabels]
      "com.docker.ucp.InstanceID" = "a4otxrsfrsigczcbe0gq6fmav"
    [Extensions.default.ProxyLabels]
      "com.docker.ucp.InstanceID" = "a4otxrsfrsigczcbe0gq6fmav"
    [Extensions.default.ProxyContainerLabels]
      "com.docker.ucp.InstanceID" = "a4otxrsfrsigczcbe0gq6fmav"
    [Extensions.default.Config]
      Version = ""
      User = "nginx"
      PidPath = "/var/run/proxy.pid"
      MaxConnections = 1024
      ConnectTimeout = 600
      SendTimeout = 600
      ReadTimeout = 600
      IPHash = false
      AdminUser = ""
      AdminPass = ""
      SSLOpts = ""
      SSLDefaultDHParam = 1024
      SSLDefaultDHParamPath = ""
      SSLVerify = "required"
      WorkerProcesses = 1
      RLimitNoFile = 65535
      SSLCiphers = "HIGH:!aNULL:!MD5"
      SSLProtocols = "TLSv1.2"
      AccessLogPath = "/dev/stdout"
      ErrorLogPath = "/dev/stdout"
      MainLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" '\n\t\t    '$status $body_bytes_sent \"$http_referer\" '\n\t\t    '\"$http_user_agent\" \"$http_x_forwarded_for\"';"
      TraceLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" $status '\n\t\t    '$body_bytes_sent \"$http_referer\" \"$http_user_agent\" '\n\t\t    '\"$http_x_forwarded_for\" $request_id $msec $request_time '\n\t\t    '$upstream_connect_time $upstream_header_time $upstream_response_time';"
      KeepaliveTimeout = "75s"
      ClientMaxBodySize = "32m"
      ClientBodyBufferSize = "8k"
      ClientHeaderBufferSize = "1k"
      LargeClientHeaderBuffers = "4 8k"
      ClientBodyTimeout = "60s"
      UnderscoresInHeaders = false

interlock-service container log:

time="2018-05-11T20:35:17Z" level=info msg="interlock interlock/2.0.0-dev (4fde2235) linux/amd64"
.........
time="2018-05-11T21:09:05Z" level=info msg="update detected" currentVersion=3d11ce updatedVersion=c91604
time="2018-05-11T21:09:11Z" level=info msg="update detected" currentVersion=c91604 updatedVersion=2f738d

interlock-extension

0.0.0.2:8080: i/o timeout"; Reconnecting to {ucp-interlock:8080 <nil>}
time="2018-05-11T21:11:32Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"
time="2018-05-11T21:11:32Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"
INFO: 2018/05/11 21:13:35 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp 10.0.0.2:8080: i/o timeout"; Reconnecting to {ucp-interlock:8080 <nil>}
time="2018-05-11T21:13:35Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"
INFO: 2018/05/11 21:15:42 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp 10.0.0.2:8080: getsockopt: connection timed out"; Reconnecting to {ucp-interlock:8080 <nil>}
time="2018-05-11T21:15:42Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"
time="2018-05-11T21:15:42Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"
time="2018-05-11T21:15:46Z" level=error msg="rpc error: code = Unavailable desc = grpc: the connection is unavailable"

I’ve gone over the config, ports, security groups and route53 but nothing stands out. One issue I had is that I had to use the host name of the UCP manager rather than its DNS name for the client bundle scripts but that’s because we are just testing. Anyone out there have some ideas or have run into something similar?
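
Added example, not part of the original posts: a small Python classifier for the interlock-extension log lines quoted in post #2, separating failures at the TCP connect stage from failures at the TLS handshake stage. The first two sample lines are copied from the post; the third is constructed for contrast, and the category names are this example's own.

```python
import re
from collections import Counter

# Lines 1-2 are copied from post #2; line 3 is CONSTRUCTED for this example
# to show what a certificate failure looks like by contrast.
SAMPLE_LOG = r'''
INFO: 2018/05/11 21:13:35 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp 10.0.0.2:8080: i/o timeout"; Reconnecting to {ucp-interlock:8080 <nil>}
INFO: 2018/05/11 21:15:42 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp 10.0.0.2:8080: getsockopt: connection timed out"; Reconnecting to {ucp-interlock:8080 <nil>}
INFO: 2018/05/11 21:16:00 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"; Reconnecting to {ucp-interlock:8080 <nil>}
'''

# The quoted transport error, and the dial target/reason inside it.
DESC = re.compile(r'desc = "transport: (?P<detail>[^"]*)"')
DIAL = re.compile(r'dial tcp (?P<addr>[\d.]+:\d+): (?P<err>.+)')

def classify(detail):
    """Return (category, address) for one transport error description."""
    m = DIAL.search(detail)
    if m:
        err, addr = m.group("err"), m.group("addr")
        if "timeout" in err or "timed out" in err:
            return ("tcp-timeout", addr)   # no reply to the TCP connect
        if "refused" in err:
            return ("tcp-refused", addr)   # host reachable, port closed
        return ("tcp-other", addr)
    if "x509" in detail or "handshake" in detail:
        return ("tls", None)               # TCP connected, TLS failed
    return ("other", None)

def summarize(log_text):
    """Count transport failures per (category, address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DESC.search(line)
        if m:
            counts[classify(m.group("detail"))] += 1
    return counts

def tls_is_factor(counts):
    """True only if at least one failure happened at the TLS stage."""
    return any(category == "tls" for category, _ in counts)

if __name__ == "__main__":
    page_lines = "\n".join(SAMPLE_LOG.strip().splitlines()[:2])
    counts = summarize(page_lines)
    for (category, addr), n in counts.items():
        print(f"{n} x {category} {addr or ''}")
    print("TLS settings relevant:", tls_is_factor(counts))
```

For the two lines from the post, `tls_is_factor` returns False: the dial to 10.0.0.2:8080 times out before any TLS handshake starts, so `AllowInsecure` and `SSLVerify` do not influence this failure.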