And all this without reconfiguring your Rancher environment every time And we are using a total of 4 Amazon EC2 instances:<\/p>\n * You need to perform these actions on AWS before setting up the CI Be sure to select the appropriate VPC in the Security Group dialog. Create a new instance on EC2 console that uses rancheros-0.2.1 AMI, #!\/bin\/bash This will install and run Rancher Server 0.14.2 when the instance boots. In this section we are creating our Docker hosts. Go to Rancher UI and Now it\u2019s time to deploy our VPN server container that will extend the Now expand Advanced Options<\/em> section and follow these steps:<\/p>\n After a while you will see your rancher-vpn-server container running on To install Tomcat container you have to click Add Container<\/em> button on After a while you will see your Tomcat container running on your second Click Add Container button on your third host and execute the following Now expand Advanced Options<\/em> section and follow these steps:<\/p>\n After a while you will see your Jenkins container running on your third In this final step you are going to install and run the VPN client. sudo docker run -ti -d –privileged –name rancher-vpn-client -e VPN_SERVERS=54.149.62.184:1194 -e VPN_PASSWORD=mmAG840NGfKEXw73PP5m nixel\/rancher-vpn-client:latest<\/p>\n Adapt it to your environment. Then show rancher-vpn-client container sudo docker logs rancher-vpn-client<\/p>\n You will see a message printing the route you need to add in your system sudo route add -net 10.42.0.0\/16 gw 172.17.0.8<\/p>\n At this point you are able to ping all your containers, no matter in sshpass -p mmAG840NGfKEXw73PP5m ssh -p 2222 -o ConnectTimeout=4 -o UserKnownHostsFile=\/dev\/null -o StrictHostKeyChecking=no root@54.149.62.184 “get_vpn_client_conf.sh 54.149.62.184:1194” > RancherVPNClient.ovpn<\/p>\n Now, for example, you can execute OpenVPN executing this command:<\/p>\n \/usr\/sbin\/openvpn –config RancherVPNClient.ovpn<\/p>\n You can also use OpenVPN iOS\/Android application with this clean package tomcat7:redeploy -DTOMCAT_HOST=TOMCAT_CONTAINER_IP -DTOMCAT_PORT=8080 -DTOMCAT_USER=admin -DTOMCAT_PASS=TOMCAT_ADMIN_PASSWORD<\/p>\n I am setting this maven configuration:<\/p>\n clean package tomcat7:redeploy -DTOMCAT_HOST=10.42.236.18 -DTOMCAT_PORT=8080 -DTOMCAT_USER=admin -DTOMCAT_PASS=6xc3gzOi4pMG<\/p>\n In this post we have installed a basic Continuous Integration![\"RancherVPN\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/RancherVPN-300x215.png\")
<\/a>Since
\nI started playing with Docker I have been thinking that its network
\nimplementation is something that will need to be improved before I could
\nreally use it in production. It is based on container links and service
\ndiscovery but it only works for host-local containers. This creates
\nissues for a few use cases, for example when you are setting up services
\nthat need advanced network features like broadcasting\/multicasting for
\nclustering. In this case you must deploy your application stack
\ncontainers in the same Docker host, but it makes no sense to deploy a
\nwhole cluster in the same physical or virtual host. Also I would like
\ncontainers networking to function without performing any action like
\nmanaging port mappings or exposing new ports. This is why networking is
\none of my favorite features of Rancher, because it overcomes Docker
\nnetwork limitations using a software defined network that connects all
\ndocker containers under the same network as if all of them were
\nphysically connected. This feature makes it much easier to interconnect
\nyour deployed services because you don\u2019t have to configure anything. It
\njust works. **** ****However I was still missing the possibility to
\neasily reach my containers and services from my PC as if I also was on
\nthe same network again without configuring new firewall rules or mapping
\nports. That is why I created a Docker image that extends Rancher network
\nusing OpenVPN. This allows any device that may run OpenVPN client
\nincluding PCs, gateways, and even mobile devices or embedded systems to
\naccess your Rancher network in an easy and secure way because all its
\ntraffic is encrypted. There are many use cases and possibilities for
\nusing this, I list some examples:<\/p>\n\n
\nany time<\/li>\n
\nat home to access your containers<\/li>\n<\/ul>\n
\nthat you grant access to someone. In this post we are installing a
\nminimalistic Continuous Integration (CI) environment on AWS using
\nRancher and RancherOS. The main idea is to create a scenario where a
\ndeveloper who teleworks can easily access our CI environment, without
\nadding IPs to a whitelist, exposing services to the Internet nor
\nperforming special configurations. To do so we are installing and
\nconfiguring these docker images:<\/p>\n\n
\ngithub. Jenkins will automatically deploy this application in tomcat
\nafter compiling it.<\/li>\n
\nspecially to extend Rancher network<\/li>\n<\/ul>\n\n
![\"RancherVPN\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/RancherVPN-1024x735.png\")
<\/em>* At the end the
\ndeveloper will be able to browse to Jenkins and Tomcat webapp using his
\nVPN connection. As you will see, this is easy to achieve because you are
\nnot configuring anything for accessing Tomcat or Jenkins from your PC,
\nyou just launch a container and you are able to connect to it.<\/p>\nPreparing AWS cloud<\/h2>\n
\nenvironment. Creating a Key Pair Go to EC2 Console and enter Key
\nPairs<\/em> section. When you create the Key Pair your browser will download
\na private key that you will need later for connecting to your Rancher
\nServer instance using SSH if you want to. Save this file because you
\nwon\u2019t be able to download it from AWS anymore. Creating a Security
\nGroup Before creating a Security Group go to VPC Console and choose
\none VPC and Subnet where you will deploy your EC2 instances. Copy the
\nVPC ID and Subnet ID and CIDR. Go to EC2 Console and create a Security
\nGroup named Rancher which will allow this inbound traffic:<\/p>\n\n
\nfor Docker machine to provision hosts<\/li>\n
\nnetwork<\/li>\n
\nfeatures like graphs, view logs, and execute shell<\/li>\n
\nour VPN server container<\/li>\n<\/ul>\n
\nCreating an Access Key On EC2 Console click your name in the top
\nmenu bar and go to Security Credentials<\/em>. Expand Access Keys (Access
\nKey ID and Secret Access Key)<\/em> option and create a new Access Key.
\nFinally click Download Key File<\/em> because again you won\u2019t be able to do
\nit later. You will need this for Rancher Server to create Docker hosts
\nfor you.<\/p>\nInstalling Rancher Server<\/h2>\n
\nsearch for it in Community AMIS<\/em> section. For this tutorial I am using
\na basic t1.micro instance with 8GB disk, you may change this to better
\nfit your environment needs. Now enter Configure Instance Details<\/em>
\nscreen and select the appropriated Network<\/em> and Subnet<\/em>. Then expand
\nAdvanced Details<\/em> section and enter this user data:<\/p>\n
\ndocker run -d -p 8080:8080 rancher\/server:v0.14.2<\/p>\n
\nBefore launching the new instance be sure to choose the Security Group
\nand Key Pair we just created before. Finally go to Instances menu and
\nget your Rancher Server instance public IP. After some minutes navigate
\nto
\nhttp:\/\/RANCER_SERVER_PUBLIC_IP:8080<\/a>
\nand you will enter Rancher UI.<\/p>\nProvisioning Docker hosts<\/h2>\n
\nclick Add Host<\/em> button, confirm your Rancher Server public IP and then
\nclick Amazon EC2<\/em> provider. In this form you need to enter the
\nfollowing data: host name, Access Key, Secret Key, Region, Zone, VPC
\nID, Subnet ID,<\/em> and Security Group<\/em>. Be sure to enter the appropriated
\nvalues for Region, Zone, VPC ID<\/em> and Subnet ID<\/em> because they must
\nmatch those used by Rancher Server instance. You must specify Security
\nGroup name instead its ID, in our case it is named Rancher.
\n![\"rancher-create-host\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-create-host.png\")
<\/a>
\nRepeat this step three times so Rancher will provision our three Docker
\nhosts. After some minutes you will see your hosts running in Rancher UI.<\/p>\n![\"rancher-hosts-list\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-hosts-list.png\")
<\/a><\/p>\nInstalling VPN container<\/h2>\n
\nRancher network. Go to your first host, click Add Container<\/em> button and
\nfollow these steps:<\/p>\n\n
\n
\nconfiguration: \/etc\/openvpn:\/etc\/openvpn<\/li>\n
\ndocker0<\/em><\/li>\n
\nfull access to the host<\/em> checkbox<\/li>\n<\/ol>\n
\nyour first host.
\n![\"rancher-vpn-server-container\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-vpn-server-container.png\")
<\/a>
\nNow you are about to use another nice Rancher feature. Expand your
\nrancher-vpn-server container menu and click View Logs button as you can
\nsee in the following image:
\n![\"rancher-tomcat-view-container-logs\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-tomcat-view-container-logs.png\")
<\/a>
\nNow scroll to top and you will find the information you need in order to
\nconnect with your VPN client. We are using this data later.
\n**** ![\"rancher-vpn-server-logs\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-vpn-server-logs.png\")
<\/a>****<\/p>\nInstalling Tomcat container<\/h2>\n
\nyour second host and follow these steps:<\/p>\n\n
\nselect Managed Network on docker0<\/em><\/li>\n<\/ol>\n
\nhost.
\n![\"rancher-tomcat-server-container\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-tomcat-server-container.png\")
<\/a>
\nNow open Tomcat container logs in order to get its admin password, you
\nare needing it later when configuring Jenkins.
\n![\"rancher-tomcat-logs\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-tomcat-logs.png\")
<\/a><\/p>\nInstalling Jenkins container<\/h2>\n
\nsteps:<\/p>\n\n
\n
\nconfiguration: \/var\/jenkins_home<\/li>\n
\ndocker0<\/em><\/li>\n<\/ol>\n
\nhost.
\n![\"rancher-jenkins-container\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-jenkins-container.png\")
<\/a><\/p>\nPutting it all together<\/h2>\n
\nThere are two ways to get the client working: using a Docker image I
\nhave prepared that does not require any configuration, or using any
\nOpenVPN client that you will need to configure. Once the VPN client is
\nworking you are browsing to Jenkins in order to create an example CI job
\nthat will deploy the sample WAR application on Tomcat. You will finally
\nbrowse to the sample application so you can see how all this works
\ntogether. Installing Dockerized VPN client In a PC with Docker
\ninstalled you will execute the command that we saw before in
\nrancher-vpn-server container logs. According to my example I will
\nexecute this command:<\/p>\n
\nlogs:<\/p>\n
\nin order to be able to reach Rancher network.
\n![\"rancher-vpn-client-route\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/rancher-vpn-client-route.png\")
<\/a>
\nIn my case I\u2019m executing this command:<\/p>\n
\nwhich host they run. Now your PC is actually connected to Rancher
\nnetwork and you can reach any container and service running on your
\nRancher infrastructure. If you repeat this step in a Linux Gateway at
\nyour office you will, in fact, expose Rancher network to all the
\ncomputers connected in your LAN, which is really interesting.
\nInstalling a custom OpenVPN client If you prefer to use an existing
\nor custom OpenVPN client, you can do it. You will need your OpenVPN
\nconfiguration file that you can get executing the SSH command that we
\ngot before in rancher-vpn-server container log. In my case I can get
\nRancherVPNClient.ovpn file executing this command:<\/p>\n
\nRancherVPNClient.ovpn file and you will also be able to access your
\nRancher network from your mobile or tablet. Again, you can extend your
\nVPN for all users in your LAN if you repeat this step in a Linux Gateway
\nin your office. Configuring Jenkins Now it\u2019s time to configure
\nJenkins to compile and deploy our sample WAR in Tomcat. Browse to
\nhttp:\/\/JENKINS_CONTAINER_IP:8080<\/a>
\n(in my case http:\/\/10.42.13.224:8080<\/a>) and you will see Jenkins
\nDashboard.
\n![\"jenkins-dashboard\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/jenkins-dashboard.png\")
<\/a>
\nBefore starting you must install Github Plugin and Maven following these
\nsteps:<\/p>\n\n
\nPlugin\u201d. Activate its checkbox<\/li>\n
\ninstallation is complete and no jobs are running,<\/em> and then wait for
\nJenkins to be restarted<\/li>\n
\nConfigure System<\/em><\/li>\n
\ninstallation and choose last maven version.<\/li>\n![\"jenkins-install-maven\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/jenkins-install-maven.png\")
<\/a>
\nWhen you are back in Dashboard click create new jobs<\/em> link and follow
\nthese instructions:<\/p>\n\n
\nRepository URL<\/em>: https:\/\/github.com\/nixelsolutions\/sample-war.git<\/a><\/li>\n<\/ul>\n![\"jenkins-git-url\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/jenkins-git-url.png\")
<\/a><\/p>\n\n
\nReplace TOMCAT_CONTAINER_IP with the IP assigned to your
\nTomcat container (10.42.236.18 in my case) and
\nTOMCAT_ADMIN_PASSWORD with the password we saw before for
\nadmin user (6xc3gzOi4pMG in my case).<\/li>\n<\/ul>\n\n
![\"jenkins-maven-goals\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/jenkins-maven-goals.png\")
<\/a>
\nNow you can click Build Now<\/em> button to run your job. Open your
\nexecution (listed in Build History<\/em> table) and then click Console
\nOutput<\/em> option. If you go to the bottom you will see something like
\nthis:
\n![\"jenkins-job-result\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/jenkins-job-result.png\")
<\/a>
\nTesting the sample application Now browse to
\nhttp:\/\/TOMCAT_CONTAINER_IP:8080\/sample\/<\/a>
\nand you will see this page showing information about Tomcat server and
\nyour browser client.
\n![\"sample-application\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/24142158\/sample-application.png\")
<\/a><\/p>\nConclusion<\/h2>\n
\nenvironment as an example to make your Docker containers reachable from
\nyour PC, your LAN, and even a mobile device or any system that can
\nexecute an OpenVPN client. This is possible thanks to Rancher Network, a
\ngreat functionality that improves Docker networking by connecting your
\ncontainers under the same network. What we actually did was to extend
\nRancher network using an OpenVPN link that is really easy to configure
\nwith Docker, and secure to use because all your traffic is being
\nencrypted. This functionality can help many companies to better manage
\nthe way they give access to their containers from any unknown or
\nuncontrolled network. Now you don\u2019t need to think anymore about exposing
\nor mapping ports, changing firewall rules, or taking care about what
\nservices you publish to the Internet. For more information on managing
\ndocker with Rancher, please join our next online meetup, where we\u2019ll be
\ndemonstrating Rancher, Docker Compose, service discovery and many other
\ncapabilities. Manel Martinez is a Linux
\nsystems engineer with experience in the design and management of
\nscalable, distributable and highly available open source web
\ninfrastructures based on products like KVM, Docker, Apache, Nginx,
\nTomcat, Jboss, RabbitMQ, HAProxy, MySQL and XtraDB. He lives in Spain,
\nand you can find him on Twitter
\n@manel_martinezg<\/a>.<\/em><\/p>\n