Sidecar Container Pattern With Docker Compose
A few weeks ago I was thinking about how to apply the sidecar container pattern on Docker while keeping it simple, s***** (KISS). The main goal was to tunnel my Raspberry Pi to my VPS (Virtual Private Server).
About a year ago I had already tried VPNs like WireGuard and Tailscale for tunneling my old Raspberry Pi to the VPS. Both ran fine without issues for me (yeah, just personal use :D).
Wireguard sidecar
First, install the WireGuard server on your VPS. I went with the awesome bash script from angristan/wireguard-install, which also handles adding and revoking users and hands you the client .conf files.
Grab the .conf file and place it on your client host (in my case the Rpi). Then spin up a docker-compose.yaml like the example below:
```yaml
version: "3"
services:
  wireguard:
    image: linuxserver/wireguard:latest
    cap_add:
      - net_admin
      - sys_module   # only needed to load the wireguard kernel module; effectively host root
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Jakarta # For better time :)
    healthcheck:
      # 10.123.123.1 is the server's address inside the tunnel
      test: ["CMD", "/bin/ping", "-c", "4", "10.123.123.1"]
      interval: 120s
      timeout: 15s
      retries: 3
      start_period: 40s
    volumes:
      - ./wg0.conf:/config/wg0.conf
      - /lib/modules:/lib/modules:ro   # read-only is enough for loading modules
    ports:
      - 53333:53333/udp # WireGuard listen port; only needed if this side must accept inbound handshakes
      - 32222:32222 # port published for the service sharing this network namespace (web-server)
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
  web-server:
    image: nginx:alpine
    network_mode: service:wireguard   # shares the wireguard container's network namespace
```
Notes
- When a container handles networking (VPN, tunneling, routing between the *nix host and the container) it needs the NET_ADMIN capability. Because WireGuard runs in the kernel, the container also needs SYS_MODULE so it can load the wireguard module. Careful, privilege issue ⚠️: SYS_MODULE lets the container load arbitrary kernel modules, which is effectively root on the host. On kernels that ship WireGuard built in (5.6 and later) you can usually drop both SYS_MODULE and the /lib/modules mount; try it and check that wg0 still comes up.
- PUID and PGID give the container the right ownership to read your .conf file and the /lib/modules mount. Permission things ⚠️
- Set net.ipv4.conf.all.src_valid_mark to 1. wg-quick uses firewall marks for its policy routing and normally sets this sysctl itself, but a non-privileged container cannot change it, so Compose has to set it up front. Without it, reverse-path filtering drops the marked traffic and the sidecar's namespace cannot reach the host network or your other containers. Magic things about the sidecar pattern 🤔
- The last fix is the healthcheck on the sidecar. Why did I add this? Because I faced the issue that sometimes I got HTTP 50x errors caused by timed-out communication between my WireGuard client (the Rpi sidecar container) and the WireGuard server (on the VPS), so the check keeps pinging the server's tunnel address. Two caveats: Docker itself only marks the container unhealthy and does not restart it, so something has to act on that state; and the pings mostly help because they keep the NAT mapping alive, which a PersistentKeepalive setting in wg0.conf does more cheaply.
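The ping healthcheck above only proves that one address answers. A check that asks WireGuard itself whether the peer has handshaked recently catches a stale tunnel without generating traffic. The script below is an added example, not code from the original post or from the linuxserver image; it parses the output of `wg show wg0 dump` (tab-separated: line 1 is the interface, every later line is a peer whose fifth field is the latest-handshake epoch) and assumes wireguard-tools is present in the container, that the interface is wg0, and that either PersistentKeepalive or steady traffic keeps handshakes fresh. The sample dumps are constructed with placeholder keys and an RFC 5737 address.

```shell
#!/bin/sh
# Added example: WireGuard healthcheck based on handshake age rather than ping.
# Assumes wireguard-tools in the container and the interface named wg0.

MAX_AGE="${MAX_AGE:-300}"   # seconds; WireGuard re-handshakes every ~2 min while traffic flows

# newest_handshake DUMP
# Print the most recent latest-handshake epoch over all peers (0 if no peer ever handshook).
newest_handshake() {
    printf '%s\n' "$1" | awk -F'\t' '
        NR > 1 && NF >= 5 && ($5 + 0) > max { max = $5 + 0 }
        END { printf "%d\n", max + 0 }'
}

# tunnel_healthy DUMP NOW MAX_AGE
# Succeed only if some peer handshaked within MAX_AGE seconds before NOW.
tunnel_healthy() {
    hs=$(newest_handshake "$1")
    [ "$hs" -gt 0 ] && [ $(( $2 - hs )) -le "$3" ]
}

# Constructed sample dumps (placeholder keys, RFC 5737 endpoint) so the script runs offline.
HEALTHY_DUMP="$(printf '%s\t%s\t53333\toff\n%s\t(none)\t203.0.113.10:53333\t10.123.123.0/24\t1639238100\t4096\t8192\t25\n' \
    '<client-private-key>' '<client-public-key>' '<server-public-key>')"
NEVER_DUMP="$(printf '%s\t%s\t53333\toff\n%s\t(none)\t203.0.113.10:53333\t10.123.123.0/24\t0\t0\t0\t25\n' \
    '<client-private-key>' '<client-public-key>' '<server-public-key>')"

# Run as the container healthcheck: wg-health.sh --live
if [ "${1:-}" = "--live" ]; then
    if tunnel_healthy "$(wg show wg0 dump)" "$(date +%s)" "$MAX_AGE"; then
        echo "wg0: handshake within ${MAX_AGE}s"
    else
        echo "wg0: no recent handshake" >&2
        exit 1
    fi
fi
```

To use it, mount the script into the container and point the healthcheck at it, for example `test: ["CMD", "/config/wg-health.sh", "--live"]` (the path is an assumption). Remember that a failing healthcheck on its own only flips the container to unhealthy; restarting or re-running `wg-quick` is something you still have to wire up.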
Tailscale
Another solution, which also solves the budget issue, is to use Tailscale as your sidecar. It is free for personal use: just sign up with your email and it works smoothly. Below is an example of how to run it:
```yaml
version: "3"
services:
  tailscale:
    hostname: rpi-container
    image: jauderho/tailscale:v1.14.4
    volumes:
      - "./tailscale_var_lib:/var/lib" # Persistent state, conf, log, etc. (holds the node's private key)
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - net_admin
      - sys_module
    command: tailscaled
  nginx:
    image: nginx:alpine
    network_mode: service:tailscale   # shares the tailscale container's network namespace
```
Notes
- Grab the image from jauderho/tailscale.
- Mount /dev/net/tun so Tailscale can create its tun interface.
- Enable NET_ADMIN and SYS_MODULE, the same as for WireGuard. Careful, privilege issue ⚠️: SYS_MODULE is host-root-equivalent, so if the tunnel comes up without it on your host, drop it.
- command: tailscaled runs Tailscale as a daemon.
- The ./tailscale_var_lib directory holds the node state, including its private key. Keep it out of version control and restrict its permissions.
- Define hostname for a nicer label in the Tailscale dashboard 😃
After running it, check the logs; you will see something like this:
```
tailscale_1 | 2021/12/11 19:57:04 stopEngineAndWait: done.
tailscale_1 | 2021/12/11 19:57:04 authReconfig: blocked, skipping.
tailscale_1 | 2021/12/11 19:57:04 control: authRoutine: state:url-visit-required; wantLoggedIn=true
tailscale_1 | 2021/12/11 19:57:04 control: direct.WaitLoginURL
tailscale_1 |
tailscale_1 | To authenticate, visit:
tailscale_1 |
tailscale_1 | https://login.tailscale.com/a/xaxaxaxaxax
tailscale_1 |
tailscale_1 | 2021/12/11 19:57:04 control: doLogin(regen=false, hasUrl=true)
tailscale_1 | 2021/12/11 19:57:04 control: RegisterReq: onode=[AAAAA] node=[SzMMO] fup=true
```
Open the URL in your browser, log in, and voilà, magic happens. On a headless box you can skip the browser step by generating an auth key in the Tailscale admin console and passing it with tailscale up --authkey.
Summary
- I use this method to host my site at https://riskiwah.xyz/
- For learning purposes, I went with the WireGuard way.
Thanks!