serf and 0.6.0 #19

Closed
opyate opened this issue Jan 28, 2016 · 16 comments

@opyate

opyate commented Jan 28, 2016

I'm running the 0.6.0 docker container, and getting this output:

...
kong_1       | [INFO] Migrating response-ratelimiting on keyspace "kong" (cassandra)
kong_1       | [INFO] response-ratelimiting migrated up to: 2015-08-21_init_response-rate-limiting
kong_1       | [INFO] Migrating hmac-auth on keyspace "kong" (cassandra)
kong_1       | [INFO] hmac-auth migrated up to: 2015-09-16-132400_init_hmacauth
kong_1       | [INFO] dnsmasq............address=127.0.0.1:8053 dnsmasq=true port=8053
kong_1       | [INFO] Auto-generating the default SSL certificate and key...
kong_1       | [INFO] nginx .............admin_api_listen=0.0.0.0:8101 proxy_listen=0.0.0.0:8101 proxy_listen_ssl=0.0.0.0:8543
kong_1       | [INFO] serf ..............-profile=wan -rpc-addr=127.0.0.1:7373 -event-handler=member-join,member-leave,member-failed,member-update,member-reap,user:kong=/usr/local/kong/serf_event.sh -bind=0.0.0.0:7946 -node=1e2396c98d96_0.0.0.0:7946 -log-level=err
kong_1       | [INFO] Trying to auto-join Kong nodes, please wait..
kong_1       | [WARN] Cannot auto-join the cluster because no nodes were found
kong_1       | [OK] Started
devenv_kong_1 exited with code 0

I'm aware the 0.6.0 kong forces us to now use serf, but how does it relate to docker? Do I need a serf daemon on the kong container? Or a separate container with serf? Or how do I disable serf for development/testing purposes?

@opyate
Author

opyate commented Jan 28, 2016

Just checking if something like the following needs to be added to the Dockerfile:

RUN yum install -y wget unzip
ENV SERF_VERSION 0.7.0
RUN cd /tmp \
 && wget https://releases.hashicorp.com/serf/${SERF_VERSION}/serf_${SERF_VERSION}_linux_amd64.zip \
 && unzip serf_${SERF_VERSION}_linux_amd64.zip \
 && rm -rf serf_${SERF_VERSION}_linux_amd64.zip \
 && mv serf /bin

(the yum bit before the existing clean all bit)

@ricardoccpaiva

Exact same issue here... did you manage to solve it?

@subnetmarco
Member

This output is correct, I am not seeing anything wrong with it. The warning is just to tell the user that no nodes were found.

@ricardoccpaiva

But when I try to do an HTTP GET to the Kong API it never responds. If I try a curl http://127.0.0.1:8001/apis within the container bash it never returns anything; it looks like the HTTP request gets hung somewhere... and I can't see anything wrong in the log files.
I can only get this working if I downgrade to Kong v0.5, which doesn't support clusters... Any idea of what could be missing?

@gottfrois

I'm seeing the same behavior with frozen curl requests. Also, not being able to connect to serf caused disk space issues #23

@ambrons

ambrons commented Feb 23, 2016

Yeah I'm getting the exact same issue here with 0.6.1. Just upgraded from 0.5.4.

@ricardoccpaiva

Just downgraded to docker toolbox v1.8.3 and apparently it's working...
https://github.com/docker/toolbox/releases/tag/v1.8.3

Can you give it a try?

@ricardoccpaiva

I've tested both on my personal / work OS X and the problem is solved.
Make sure you delete the virtual machine and turn off the internet connection when installing docker toolbox 1.8.3 to disable the boot2docker.iso update.

@gottfrois

That's interesting to know but I would appreciate to use latest docker version, not 1.8.3. I do think that this issue is strongly related to #23 which has something to do with being unable to connect to default serf host (due to ipv6 errors)

@ambrons

ambrons commented Feb 24, 2016

I agree that's interesting. Does anyone know the big changes between those 2 versions? I don't believe this is a valid solution for me as I'm packaging this all in a docker-compose as a closed box solution for developers to use while developing other microservices and I'd rather not have a dependency on an old version of docker toolbox.

@gottfrois Thanks for the link to the other issue. This does look like it could all be related.

@gottfrois

Running kong like this seems to solve serf connection issues and therefore, curl command freezing:

docker run -d --name kong \
            --link cassandra:cassandra \
            -p 8000:8000 \
            -p 8443:8443 \
            -p 8001:8001 \
            -p 7946:7946 \
            -p 7946:7946/udp \
            --security-opt seccomp:unconfined \
            mashape/kong

See #21

@gottfrois

@ambrons I want to use docker-compose too, just tried and you can throw the following to make it work:

  security_opt: ["seccomp:unconfined"]

Full example:

kong:
  image: mashape/kong
  links:
    - "cassandra:cassandra"
  ports:
    - "8000:8000"
    - "8443:8443"
    - "8001:8001"
    - "7946:7946"
    - "7946:7946/udp"
  security_opt: ["seccomp:unconfined"]

$ docker --version
Docker version 1.10.1, build 9e83765
$ docker-compose --version
docker-compose version 1.6.0, build unknown
$ docker-machine --version
docker-machine version 0.6.0, build e27fb87

@ambrons

ambrons commented Feb 24, 2016

@gottfrois you're the man!

Did you override the command so that you can ensure that Cassandra has started first?

Here's my whole docker-compose.yml with your addition:

version: '2'
services:
  kong:
    image: mashape/kong:0.6.1
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "7946:7946"
      - "7946:7946/udp"
    links:
      - cassandra
    depends_on:
      - cassandra
    security_opt: ["seccomp:unconfined"]
    command: sh -c 'until nc --recv-only -i 0.1 cassandra 9042 2>&1 >/dev/null|grep timeout >/dev/null; do :; done; kong start && tail -f /usr/local/kong/logs/error.log'

  cassandra:
    image: cassandra:2.2.4
    ports:
      - "9042:9042"

@gottfrois

@ambrons ah cool! I was missing this part, it was next on my todo ;) thx man

@subnetmarco
Member

Yep, you guys figured this out properly. From the Docker documentation at http://docs.docker.com.s3-website-us-east-1.amazonaws.com/engine/security/seccomp/

Docker’s default seccomp profile is a whitelist which specifies the calls that are allowed.

seccomp:unconfined will just allow every system call. I will update the instructions on the website.
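
A check for where this workaround is in effect, as an added example that is not part of the original thread: it reads `docker inspect` JSON and reports each container's seccomp state from `HostConfig.Privileged` and `HostConfig.SecurityOpt`. The sample input and its container names are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of `docker inspect $(docker ps -q)` output.
# Container names and option values are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kong",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["seccomp:unconfined"]}},
    {"Name": "/cassandra",
     "HostConfig": {"Privileged": False, "SecurityOpt": None}},
    {"Name": "/builder",
     "HostConfig": {"Privileged": True, "SecurityOpt": []}},
    {"Name": "/api",
     "HostConfig": {"Privileged": False,
                    "SecurityOpt": ["no-new-privileges",
                                    'seccomp={"defaultAction":"SCMP_ACT_ERRNO"}']}},
])

# Docker accepts both "seccomp:VALUE" (older form, used in this thread)
# and "seccomp=VALUE".
_SECCOMP_OPT = re.compile(r"^seccomp[=:](.*)$", re.S)


def seccomp_mode(host_config):
    """Classify one container's seccomp state from its HostConfig dict."""
    if host_config.get("Privileged"):
        # Privileged containers run with no seccomp filter at all.
        return "unconfined (privileged)"
    for opt in host_config.get("SecurityOpt") or []:
        match = _SECCOMP_OPT.match(opt)
        if match:
            value = match.group(1).strip()
            return "unconfined" if value == "unconfined" else "custom"
    # No seccomp option set: the engine applies its default profile.
    return "default"


def audit(inspect_json):
    """Map container name -> seccomp mode for every inspected container."""
    return {c["Name"].lstrip("/"): seccomp_mode(c.get("HostConfig") or {})
            for c in json.loads(inspect_json)}


def unconfined(inspect_json):
    """Names of containers running without any seccomp filtering."""
    return sorted(name for name, mode in audit(inspect_json).items()
                  if mode.startswith("unconfined"))


if __name__ == "__main__":
    for name, mode in sorted(audit(SAMPLE_INSPECT).items()):
        print(f"{name:12} {mode}")
```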

@subnetmarco
Member

The documentation on the website has been updated. Thanks everybody.
