Deploying with Docker on Tutum

I’ve been testing Tutum lately, a Docker hosting service, and have successfully deployed an app there. I’ve also deployed a staging version on Tutum; it was refreshingly easy to deploy parallel stacks (i.e. production and staging).

I’m using so-called stacks to deploy my two configurations (production/staging). A Tutum stack is basically a collection of services (corresponding to Docker containers); each of my stacks consists of three services: MongoDB, Meteor and Nginx (as a reverse proxy for HTTPS and www-redirection). I like Tutum’s stack concept, and thought it worked really well for deploying the production and stack configurations, which are identical except for software versions. Tutum has a command-line tool, which is what I use to deploy my stacks. I haven’t completely worked out the kinks when it comes to re-deploying stacks from the CLI, so I still have to use the Web interface to e.g. re-deploy individual services.

For reference, my production stack looks like this:

mongo-production:
  image: mongo:3.0.2
  command: --auth
  volumes:
    - /data/db
  ports:
    - "27017:27017"
  tags:
    - production
  autorestart: always
muzhack-production:
  image: aknudsen/muzhack:latest
  links:
    - mongo-production:db
  environment:
    - ROOT_URL=https://muzhack.com
    - MONGO_URL
    - METEOR_SETTINGS
  tags:
    - production
  autorestart: always
nginx-production:
  image: aknudsen/meteor-frontend-server
  command: /start.sh
  tags:
    - production
  autorestart: always
  ports:
    - "443:443"
    - "80:80"
  volumes:
    - /etc/nginx/ssl/bundle.crt:/bundle.crt
    - /etc/nginx/ssl/private.key:/private.key
  links:
    - muzhack-production:backend

I’m not using a load balancer, as I don’t foresee the need to scale for a while, but Tutum’s load balancer doesn’t currently support sticky sessions AFAIK, so it won’t work with Meteor unfortunately. Hopefully, they will sort this out with time, as I really like this platform so far.

3 Likes

FYI, Tutum’s haproxy image (and haproxy in general) does support sticky sessions.

https://github.com/tutumcloud/haproxy#affinity-and-session-stickiness

1 Like

Thanks for the heads up @jeremy!

That’s all you have to say? Haha, I know you’ve been working on a big project with Tutum, Docker, and Meteor. Would love to see more insight on using Tutum and Docker for Meteor :wink:

Hi @aknudsen,

Can you help me with the configuration settings below?

I have one web site hosted on Docker-engine + tutum-agent + nginx used as a Docker container service, and I want to install an SSL certificate on this site. I am new to administration of docker-engine and tutum-agent. I don't know how it works. I need urgent help to configure SSL on said configuration. Please help me to resolve this issue.

Regards,
Marius

@marius1987 You should simply mount your certificate files into the Nginx container. I do this via my Tutum stack definition, as you can see here. Then you can refer to the certificate files from your Nginx configuration in the normal manner.

Hi @aknudsen,

Thanks for the prompt reply.

Can you please suggest the steps to make the changes? I can't find the .yml file for the site configuration.

I will appreciate your help.

Regards,
Marius

Hi @aknudsen,

Please find my configuration file details as below.

YML file:

hostname-client-blue:
  image: 'tutum.co/foldername/hostname-client:latest'
  deployment_strategy: high_availability
  environment:
    - NOMAD_ENV=prodtest
  restart: always
  expose:
    - '80'
    - '443'
  links:
    - hostname-api-lb.hostname-api:hostname-api-lb
    - auth-lb.foldername-autentisering:auth-lb
  volumes:
    - '/home/foldername:/home/foldername'
  tags:
    - staging

hostname-client-green:
  image: 'tutum.co/foldername/hostname-client:latest'
  deployment_strategy: high_availability
  environment:
    - NOMAD_ENV=prodtest
  restart: always
  expose:
    - '80'
    - '443'
  links:
    - hostname-api-lb.hostname-api:hostname-api-lb
    - auth-lb.foldername-autentisering:auth-lb
  volumes:
    - '/home/foldername:/home/foldername'
  tags:
    - staging

hostname-client-lb:
  image: 'tutum/haproxy:latest'
  expose:
    - '443'
    - '1936'
  ports:
    - '4001:80'
    - '4001:443'
  volumes:
    - /etc/ssl/sslcert/certificate.crt:/certificate.crt
    - /etc/ssl/sslcert/certificate.key:/certificate.key
  links:
    - helsegris-client-blue
  restart: always
  roles:
    - global
  tags:
    - staging

NGINX configuration:

server {
    listen 80;
    server_name hostname.staging.domainname.no;

    # Sets up the client to respond on /
    location / {
        proxy_pass http://staging-hostname-client-lb.staging-hostname-client.domainname.svc.tutum.io:4001;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}

server {
    server_name hostname.staging.domainname.no;
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/sslcert/certificate.crt;
    ssl_certificate_key /etc/ssl/sslcert/certificate.key;

    location / {
        proxy_pass http://staging-hostname-client-lb.staging-hostname-client.domainname.svc.tutum.io:4001;
    }
}

Please suggest.

I think you need to use /certificate.crt and /certificate.key for ssl_certificate and ssl_certificate_key respectively in your nginx configuration.

Hi @aknudsen,

The suggested configuration does not work.

I have added the configuration and restarted the container successfully, but it only opens port 80 and not 443.

daef969a2080 tutum/nginx:latest “/usr/sbin/nginx” 8 days ago Up 24 minutes 0.0.0.0:80->80/tcp nginx-1.be00f9f0

Any suggestions for that?

What do you mean by suggested configuration? I guess the SSL now works? I’m not an Nginx expert.

Hi @aknudsen,

I mean to say I need to give the absolute path of the certificate in the configuration file.

The SSL configuration is done in nginx and I restarted the Docker container, but I did not get SSL port 443 bound to the Docker nginx site. I guess there is something required to bind port 443 to the Docker site.

/certificate.crt and /certificate.key are absolute paths, and they should be correct within the container, so I don’t understand what you mean.

Regarding port 443, it looks as if you’re binding it as port 4001 on the host. I suggest you read Tutum’s Stack YAML reference to figure out what to do.
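The two points raised in the reply above (container-side certificate paths, and which host port 443 is published on) can be checked mechanically before deploying. This is an added example, not code from the thread: the input is constructed from the configuration posted above, the function names are hypothetical, and it assumes the volumes, ports and Nginx server block all belong to the same container and that HTTPS should be reachable on host port 443.

```python
import re

# Constructed input copied from the configuration posted in the thread.
VOLUMES = ["/etc/ssl/sslcert/certificate.crt:/certificate.crt",
           "/etc/ssl/sslcert/certificate.key:/certificate.key"]
PORTS = ["4001:80", "4001:443"]
NGINX_CONF = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/sslcert/certificate.crt;
    ssl_certificate_key /etc/ssl/sslcert/certificate.key;
}
"""

def host_to_container(volumes):
    """Map host path -> container path for 'host:container[:mode]' entries."""
    pairs = (v.split(":") for v in volumes)
    return {p[0]: p[1] for p in pairs if len(p) >= 2}

def published_ports(ports):
    """Map host port -> list of container ports for '[ip:]host:container' entries."""
    result = {}
    for entry in ports:
        parts = entry.split(":")
        if len(parts) >= 2:
            result.setdefault(parts[-2], []).append(parts[-1])
    return result

def check_tls_wiring(volumes, ports, nginx_conf):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    mounts = host_to_container(volumes)
    targets = set(mounts.values())
    directives = re.findall(r"^\s*(ssl_certificate(?:_key)?)\s+(\S+?)\s*;", nginx_conf, re.M)
    for directive, path in directives:
        if path in targets:
            continue  # the path exists inside the container
        if path in mounts:
            findings.append(f"{directive}: {path} is a host path; use {mounts[path]}")
        else:
            findings.append(f"{directive}: {path} is not mounted into the container")
    published = published_ports(ports)
    for host, containers in published.items():
        if len(containers) > 1:
            findings.append(f"host port {host} maps to container ports {', '.join(containers)}")
    if "443" not in published.get("443", []):
        findings.append("container port 443 is not published on host port 443")
    return findings
```

Calling `check_tls_wiring(VOLUMES, PORTS, NGINX_CONF)` on the posted configuration reports both certificate directives as host paths, the doubled use of host port 4001, and the missing 443 publish.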

@aknudsen,

When I try to bind 443 to the Docker container, it gives me an error.

COMMAND:
docker run -d -p 443:443 tutum/nginx:latest daef969a2080

ERROR:
277917eb33f439f6c87ab2175316a9cea6638c2b1642e42660072984a4448f5b
Error response from daemon: Cannot start container 277917eb33f439f6c87ab2175316a9cea6638c2b1642e42660072984a4448f5b: [8] System error: exec: “daef969a2080”: executable file not found in $PATH

@marius1987 Seems as if you should simply read Docker and Tutum’s documentation better, as you would easily find the answer to this particular issue f.ex. You can also visit Tutum’s Slack channel, for support. I will say though, that I cannot see why you would need the final argument on that command line (daef969a2080).

@aknudsen… SSL certificate assigned successfully. I followed the YML configuration which you mentioned here and did the nginx configuration.

After the nginx configuration I tried to bind port 443 to the container, which is not possible in Docker, so I need to create a duplicate container using the docker commit command and need to bind ports 80 and 443 to that duplicate container. This works for me.

Thanks for your help.

@aknudsen I notice you leave out the values of certain environment variables in your Stackfile. Is that simply for anonymization, or are you making use of some Tutum magic? I’m confused about how to scale Mongo and dynamically pass the Mongo URLs (and oplog URL) to Meteor. Tried asking on their Slack a couple times to no avail (maybe timezone incompatibility).

Leaving out the values of environment variables is a Tutum feature. It means to read those values from the invoking OS environment when updating the stack, for security reasons. By doing so, you don’t have to commit sensitive data to your repository.

Ah. And how does the OS environment get defined in Tutum?

No, I mean your OS environment when invoking the command to update the stack (tutum stack update).
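A pre-deploy check for the pass-through variables described above, as an added example that is not part of the original thread: it lists valueless `environment` entries that are not set in the invoking shell, and entries that carry credentials inline instead of being passed through. The Stackfile excerpt is constructed from the one in the first post; the `muzhack-staging` entry, its value and the function names are hypothetical, and the parser only handles the list-style `environment:` form shown on this page.

```python
import os
import re

# Constructed Stackfile excerpt; the second service is a deliberately bad,
# hypothetical entry with credentials written inline.
STACKFILE = """\
muzhack-production:
  image: aknudsen/muzhack:latest
  environment:
    - ROOT_URL=https://muzhack.com
    - MONGO_URL
    - METEOR_SETTINGS
muzhack-staging:
  image: aknudsen/muzhack:latest
  environment:
    - MONGO_URL=mongodb://user:example-password@db/app
"""

# scheme://user:password@host
URL_WITH_CREDENTIALS = re.compile(r"://[^/@\s:]+:[^/@\s]+@")

def environment_entries(stackfile):
    """Yield (service, name, value or None) for each environment list entry."""
    service, in_env = None, False
    for line in stackfile.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                      # top-level key: a service
            service, in_env = line.strip().rstrip(":"), False
        elif re.match(r"\s+environment:\s*$", line):
            in_env = True
        elif in_env and line.lstrip().startswith("- "):
            name, sep, value = line.lstrip()[2:].strip().partition("=")
            yield service, name, (value if sep else None)
        else:
            in_env = False                             # some other key ends the list

def audit(stackfile, env):
    """Return (pass-through vars unset in env, vars with inline credentials)."""
    missing, inline_secrets = [], []
    for service, name, value in environment_entries(stackfile):
        if value is None:
            if not env.get(name):
                missing.append((service, name))
        elif URL_WITH_CREDENTIALS.search(value):
            inline_secrets.append((service, name))
    return missing, inline_secrets

if __name__ == "__main__":
    missing, inline = audit(STACKFILE, os.environ)
    print("unset pass-through variables:", missing)
    print("inline credentials:", inline)
```

Run it in the same shell that will invoke `tutum stack update`, so that it sees the same environment.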