Configure service clusters
Note
This procedure assumes that the following prerequisites have been met:

- You have an operational MKE cluster with at least two worker nodes (mke-node-0 and mke-node-1), to use as dedicated proxy servers for two independent Interlock service clusters.
- You have enabled Interlock with 80 as an HTTP port and 8443 as an HTTPS port.
From a manager node, apply node labels to the MKE workers that you have chosen to use as your proxy servers:

    docker node update --label-add nodetype=loadbalancer --label-add region=east mke-node-0
    docker node update --label-add nodetype=loadbalancer --label-add region=west mke-node-1

In this example, mke-node-0 serves as the proxy for the east region and mke-node-1 serves as the proxy for the west region.

Create a dedicated overlay network for each region proxy to manage traffic:

    docker network create --driver overlay eastnet
    docker network create --driver overlay westnet
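Modify the Interlock configuration to create two service clusters. Start by saving the current configuration to old_config.toml:

    # The Go template is kept on one line: inside single quotes a backslash
    # is passed through literally and is not a line continuation.
    CURRENT_CONFIG_NAME=$(docker service inspect \
      --format '{{ (index .Spec.TaskTemplate.ContainerSpec.Configs 0).ConfigName }}' \
      ucp-interlock)
    docker config inspect --format '{{ printf "%s" .Spec.Data }}' \
      "$CURRENT_CONFIG_NAME" > old_config.toml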
Create the following config.toml file that declares two service clusters, east and west:

    ListenAddr = ":8080"
    DockerURL = "unix:///var/run/docker.sock"
    AllowInsecure = false
    PollInterval = "3s"

    [Extensions]
      [Extensions.east]
        Image = "mirantis/ucp-interlock-extension:3.2.3"
        ServiceName = "ucp-interlock-extension-east"
        Args = []
        Constraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux"]
        ConfigImage = "mirantis/ucp-interlock-config:3.2.3"
        ConfigServiceName = "ucp-interlock-config-east"
        ProxyImage = "mirantis/ucp-interlock-proxy:3.2.3"
        ProxyServiceName = "ucp-interlock-proxy-east"
        ServiceCluster="east"
        Networks=["eastnet"]
        ProxyConfigPath = "/etc/nginx/nginx.conf"
        ProxyReplicas = 1
        ProxyStopSignal = "SIGQUIT"
        ProxyStopGracePeriod = "5s"
        ProxyConstraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux", "node.labels.region==east"]
        PublishMode = "host"
        PublishedPort = 80
        TargetPort = 80
        PublishedSSLPort = 8443
        TargetSSLPort = 443
        [Extensions.east.Labels]
          "ext_region" = "east"
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.east.ContainerLabels]
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.east.ProxyLabels]
          "proxy_region" = "east"
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.east.ProxyContainerLabels]
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.east.Config]
          Version = ""
          HTTPVersion = "1.1"
          User = "nginx"
          PidPath = "/var/run/proxy.pid"
          MaxConnections = 1024
          ConnectTimeout = 5
          SendTimeout = 600
          ReadTimeout = 600
          IPHash = false
          AdminUser = ""
          AdminPass = ""
          SSLOpts = ""
          SSLDefaultDHParam = 1024
          SSLDefaultDHParamPath = ""
          SSLVerify = "required"
          WorkerProcesses = 1
          RLimitNoFile = 65535
          SSLCiphers = "HIGH:!aNULL:!MD5"
          SSLProtocols = "TLSv1.2"
          AccessLogPath = "/dev/stdout"
          ErrorLogPath = "/dev/stdout"
          MainLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" '\n\t\t '$status $body_bytes_sent \"$http_referer\" '\n\t\t '\"$http_user_agent\" \"$http_x_forwarded_for\"';"
          TraceLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" $status '\n\t\t '$body_bytes_sent \"$http_referer\" \"$http_user_agent\" '\n\t\t '\"$http_x_forwarded_for\" $reqid $msec $request_time '\n\t\t '$upstream_connect_time $upstream_header_time $upstream_response_time';"
          KeepaliveTimeout = "75s"
          ClientMaxBodySize = "32m"
          ClientBodyBufferSize = "8k"
          ClientHeaderBufferSize = "1k"
          LargeClientHeaderBuffers = "4 8k"
          ClientBodyTimeout = "60s"
          UnderscoresInHeaders = false
          UpstreamZoneSize = 64
          ServerNamesHashBucketSize = 128
          GlobalOptions = []
          HTTPOptions = []
          TCPOptions = []
          HideInfoHeaders = false

      [Extensions.west]
        Image = "mirantis/ucp-interlock-extension:3.2.3"
        ServiceName = "ucp-interlock-extension-west"
        Args = []
        Constraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux"]
        ConfigImage = "mirantis/ucp-interlock-config:3.2.3"
        ConfigServiceName = "ucp-interlock-config-west"
        ProxyImage = "mirantis/ucp-interlock-proxy:3.2.3"
        ProxyServiceName = "ucp-interlock-proxy-west"
        ServiceCluster="west"
        Networks=["westnet"]
        ProxyConfigPath = "/etc/nginx/nginx.conf"
        ProxyReplicas = 1
        ProxyStopSignal = "SIGQUIT"
        ProxyStopGracePeriod = "5s"
        ProxyConstraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux", "node.labels.region==west"]
        PublishMode = "host"
        PublishedPort = 80
        TargetPort = 80
        PublishedSSLPort = 8443
        TargetSSLPort = 443
        [Extensions.west.Labels]
          "ext_region" = "west"
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.west.ContainerLabels]
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.west.ProxyLabels]
          "proxy_region" = "west"
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.west.ProxyContainerLabels]
          "com.docker.ucp.InstanceID" = "vl5umu06ryluu66uzjcv5h1bo"
        [Extensions.west.Config]
          Version = ""
          HTTPVersion = "1.1"
          User = "nginx"
          PidPath = "/var/run/proxy.pid"
          MaxConnections = 1024
          ConnectTimeout = 5
          SendTimeout = 600
          ReadTimeout = 600
          IPHash = false
          AdminUser = ""
          AdminPass = ""
          SSLOpts = ""
          SSLDefaultDHParam = 1024
          SSLDefaultDHParamPath = ""
          SSLVerify = "required"
          WorkerProcesses = 1
          RLimitNoFile = 65535
          SSLCiphers = "HIGH:!aNULL:!MD5"
          SSLProtocols = "TLSv1.2"
          AccessLogPath = "/dev/stdout"
          ErrorLogPath = "/dev/stdout"
          MainLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" '\n\t\t '$status $body_bytes_sent \"$http_referer\" '\n\t\t '\"$http_user_agent\" \"$http_x_forwarded_for\"';"
          TraceLogFormat = "'$remote_addr - $remote_user [$time_local] \"$request\" $status '\n\t\t '$body_bytes_sent \"$http_referer\" \"$http_user_agent\" '\n\t\t '\"$http_x_forwarded_for\" $reqid $msec $request_time '\n\t\t '$upstream_connect_time $upstream_header_time $upstream_response_time';"
          KeepaliveTimeout = "75s"
          ClientMaxBodySize = "32m"
          ClientBodyBufferSize = "8k"
          ClientHeaderBufferSize = "1k"
          LargeClientHeaderBuffers = "4 8k"
          ClientBodyTimeout = "60s"
          UnderscoresInHeaders = false
          UpstreamZoneSize = 64
          ServerNamesHashBucketSize = 128
          GlobalOptions = []
          HTTPOptions = []
          TCPOptions = []
          HideInfoHeaders = false
Note
Change all instances of the MKE version and *.ucp.InstanceID in the above to match your deployment.

Optional. Modify the configuration file that Interlock creates by default:

- Replace [Extensions.default] with [Extensions.east].
- Change ServiceName to "ucp-interlock-extension-east".
- Change ConfigServiceName to "ucp-interlock-config-east".
- Change ProxyServiceName to "ucp-interlock-proxy-east".
- Add the "node.labels.region==east" constraint to the ProxyConstraints list.
- Add the ServiceCluster="east" key immediately below and inline with ProxyServiceName.
- Add the Networks=["eastnet"] key immediately below and inline with ServiceCluster. This list can contain as many overlay networks as you require. Interlock only connects to the specified networks and connects to them all at startup.
- Change PublishMode="ingress" to PublishMode="host".
- Change the [Extensions.default.Labels] section title to [Extensions.east.Labels].
- Add the "ext_region" = "east" key under the [Extensions.east.Labels] section.
- Change the [Extensions.default.ContainerLabels] section title to [Extensions.east.ContainerLabels].
- Change the [Extensions.default.ProxyLabels] section title to [Extensions.east.ProxyLabels].
- Add the "proxy_region" = "east" key under the [Extensions.east.ProxyLabels] section.
- Change the [Extensions.default.ProxyContainerLabels] section title to [Extensions.east.ProxyContainerLabels].
- Change the [Extensions.default.Config] section title to [Extensions.east.Config].
- Optional. Change ProxyReplicas=2 to ProxyReplicas=1. This is only necessary if there is a single node labeled as a proxy for each service cluster.
- Configure your west service cluster by duplicating the entire [Extensions.east] block and changing all instances of east to west.
Create a new docker config object from the config.toml file:

    NEW_CONFIG_NAME="com.docker.ucp.interlock.conf-$(( \
      $(cut -d '-' -f 2 <<< "$CURRENT_CONFIG_NAME") + 1 ))"
    docker config create $NEW_CONFIG_NAME config.toml

Update the ucp-interlock service to start using the new configuration:

    docker service update \
      --config-rm $CURRENT_CONFIG_NAME \
      --config-add source=$NEW_CONFIG_NAME,target=/config.toml \
      ucp-interlock
View your service clusters:

    docker service ls

The following two proxy services will display: ucp-interlock-proxy-east and ucp-interlock-proxy-west.

Note
If only one proxy service displays, delete it using docker service rm and rerun docker service ls to display the two new proxy services.