Installing Traefik Enterprise Edition On-Premise

This installation guide is for users who want to install a cluster on-premise.

Requirements

In order to start a TraefikEE cluster with 1 controller and 2 proxies, ensure that:

  • There are at least 3 Hosts/Virtual Machines
  • Network stack allows communication on required ports
  • Controller Host/VM can reach https://v3.license.containous.cloud
  • The teectl binary is installed, for cluster management

Networking

Only the hosts which run proxies have to be reachable from the internet. On Linux, root access is needed to bind to ports below 1024.

Default TraefikEE paths

The default configration paths for traefikee includes: - /var/run/traefikee - /var/lib/traefikee - /var/run/secrets Read and write access are required on then. See the teectl referece for customization options.

Please refer to the documentation for more information

Multiple instances on the same Host/VM

Running multiple controllers or proxies on the same host is not recommended, and should be used only when upgrading a cluster for which there are no spare hosts.

Installation behind a proxy

In order to be able to install TraefikEE behind a proxy, you must make sure that each TraefikEE instance has the proper HTTP_PROXY and HTTPS_PROXY environment variables defined.

State Directory Management

By default, the statedir path is /var/lib/traefikee.

  • The state directory's contents are used to recover a cluster's state in the event of a controller restart. It has to persist between two executions.
  • In order to re-initialize a cluster, you have to delete the state directory before re-installing it. If this is not done, it will recover its previous state.

Install traefikee

First, download traefikee on each virtual machine, by using one of the following links:

Check the integrity of the downloaded file

Use the sha256 checksums of the binaries:

# Compare this value to the one found in traefikee_checksums.txt
sha256sum ./traefikee_v2.1.7_linux_amd64.tar.gz
# Compare this value to the one found in traefikee_checksums.txt
shasum -a256 ./traefikee_v2.1.7_darwin_amd64.tar.gz
# Compare this value to the one found in traefikee_checksums.txt
Get-FileHash traefikee_v2.1.7_windows_amd64.zip -Algorithm SHA256
Extract the downloaded archive

Use the following commands to extract the archive:

# Compare this value to the one found in traefikee_checksums.txt
tar -zxvf traefikee_v2.1.7_linux_amd64.tar.gz
# Compare this value to the one found in traefikee_checksums.txt
tar -zxvf -a256 ./traefikee_v2.1.7_darwin_amd64.tar.gz
# Compare this value to the one found in traefikee_checksums.txt
Expand-Archive traefikee_v2.1.7_windows_amd64.zip

Copy the traefikee binary to your PATH or add its location to your environment ($PATH or %PATH% depending on your OS) and make sure it's executable:

# Example with /usr/local/bin
# These command may need sudo rights
cp traefikee /usr/local/bin/traefikee
chmod a+x /usr/local/bin/traefikee

# Should print "/usr/local/bin/traefikee"
command -v traefikee
# Example with C:\Program Files
Copy-Item "traefikee.exe" -Destination "C:\Program Files\traefikee.exe"

# Should print "C:\Program Files\traefikee.exe"
where traefikee

You can now test your installation by executing traefikee:

traefikee --help
traefikee    TraefikEE (Enterprise Edition) is a Cloud Native Edge Routing Platform based on Traefik,
a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Complete documentation is available at https://docs.containo.us.

Usage: traefikee [command] [resource] [flags]

Use "traefikee [command] --help" for help on any command.

Commands:
    controller    Start a new controller
    proxy         Start a new proxy
    tokens        Get tokens from the cluster
    version       Print version

Install teectl (optional)

Install the teectl management tool on a machine that has access to a controller node by following the instructions on this guide.

Once teectl is installed, it is possible to generate a set of cluster credentials that enables remote access to the API:

teectl setup --onpremise.hosts="10.0.0.1" --cluster="mycluster"

Using the resulting bundle.zip on the controller startup arguments, as traefikee controller --api.bundle="bundle.zip", will enable remote access to the cluster when using teectl.

Start the Controller(s)

Start a new controller by specifying the advertise address and TraefikEE license:

traefikee controller --advertise="10.0.0.1:4242" --license="<your-license-key>"
traefikee controller --advertise="10.0.0.1:4242" --license="<your-license-key>" --discovery.static.peers="10.0.0.1:4242,10.0.0.2:4242,10.0.0.3:4242"
traefikee controller --advertise="10.0.0.1:4242" --license="<your-license-key>" --discovery.dns.domain="traefikee.mydomain" --discovery.dns.port="4242" --discovery.dns.bootstrapexpected=2
INFO[2020-01-20T15:00:35-03:00] Using static discovery to discover other controllers  node=controller-0 role=controller
INFO[2020-01-20T15:00:35-03:00] Initializing a new node                       role=controller node=controller-0
INFO[2020-01-20T15:00:35-03:00] Discovering cluster                           node=controller-0 role=controller
INFO[2020-01-20T15:00:35-03:00] Found peers [10.0.0.1:4242]                    node=controller-0 role=controller
INFO[2020-01-20T15:00:35-03:00] Initial leader runs at 10.0.0.1:4242           node=controller-0 role=controller
INFO[2020-01-20T15:00:35-03:00] Initializing a new TraefikEE cluster          node=controller-0 role=controller
INFO[2020-01-20T15:00:35-03:00] API started                                   role=controller node=controller-0
INFO[2020-01-20T15:00:35-03:00] Node started                                  role=controller node=controller-0
INFO[2020-01-20T15:00:36-03:00] Node is ready                                 node=controller-0 role=controller
INFO[2020-01-20T15:00:36-03:00] Running the cluster info controller           service=provider node=controller-0 role=controller
INFO[2020-01-20T15:00:36-03:00] Running the cluster license controller with frequency "24h0m0s"  node=controller-0 role=controller service=cleanup
INFO[2020-01-20T15:00:36-03:00] Running the cluster cleanup controller        role=controller node=controller-0 service=cleanup

Node Name

By default TraefikEE will use the hostname as the node. This behavior can be overridden by specifying the --name flag on the controller command.

Multi Controller with DNS

When using DNS as the discovery method it is a good practice to set the flag discovery.dns.bootstrapexpected, as this will make the controllers wait until the specified number of nodes are reachable before bootstraping the cluster.

Get the Proxy Token

Get the proxy node token generated by the controller:

traefikee tokens | grep 'TRAEFIKEE_PROXY_TOKEN' | cut -d '=' -f2
How to use the token?

All proxies require a token to start. The token can be stored in an environment variable on each host machine, by setting it over SSH for example. In the following commands, the proxy token has been stored in an environment variable named ${PROXY_NODE_TOKEN}.

Start Proxies

Start a proxy by specifying the controller discovery method, static in this example, and the join token:

traefikee proxy --jointoken.value="$PROXY_NODE_TOKEN" --discovery.static.peers="10.0.0.1:4242"
traefikee proxy --jointoken.value="$PROXY_NODE_TOKEN" --discovery.dns.domain="traefikee.mydomain"
INFO[2020-01-20T15:09:47-03:00] Applying a new static configuration           node=proxy-0 role=proxy module=server
INFO[2020-01-20T15:09:47-03:00] Using static discovery                        node=proxy-0 role=proxy peers="10.0.0.1:4242"
INFO[2020-01-20T15:09:47-03:00] Discovering controllers                       node=proxy-0 role=proxy
INFO[2020-01-20T15:09:47-03:00] Found controllers [10.0.0.1:4242]             node=proxy-0 role=proxy
INFO[2020-01-20T15:09:47-03:00] Waiting for the join tokens to be available   node=proxy-0 role=proxy
INFO[2020-01-20T15:09:47-03:00] Looking for a reachable peer                  role=proxy node=proxy-0
INFO[2020-01-20T15:09:47-03:00] Joining cluster                               role=proxy joined-peer="10.0.0.1:4242" node=proxy-0
INFO[2020-01-20T15:09:47-03:00] Node started                                  node=proxy-0 role=proxy
INFO[2020-01-20T15:09:47-03:00] Node is ready                                 node=proxy-0 role=proxy

Repeat the steps above for each proxy, then verify that the TraefikEE installation was successful:

teectl get nodes
ID                         NAME           STATUS  ROLE
mmc2qofw8hkudf8vcrs1k8cnw  controller-0   Ready   Controller (Leader)
oncgmk54uuipcj7jnt0lhwwqy  proxy-0        Ready   Proxy
u122z00fgr2cqrp78jc5em0fi  proxy-1        Ready   Proxy

Apply a Static Configuration

A TraefikEE cluster is created without any default configuration. To allow the controller to listen to a provider and proxies to manage incoming traffic, it is necessary to apply a static configuration.

Below is an example of a static configuration:

File provider

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  file:
    filename: dynamic_conf.yml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[providers]
  [providers.file]
    filename = "/etc/traefikee/dynamic_conf.toml"

Important

When running multiple controllers, make sure to replicate the configuration file on all nodes at the same path.

Apply the configuration using the following command:

teectl apply --file=config.yaml --socket=/var/run/traefikee/teectl.sock
teectl apply --file=config.toml --socket=/var/run/traefikee/teectl.sock

Systemd (Linux only)

When installing under Linux, you can leverage systemd to improve the management of a TraefikEE deployment while also allowing it to run as a daemon.

Another benefit is the ability to load a file of environment variables, which may contain your license key, node join token, and other sensitive information. This avoids setting variables on the host terminal or exposing the keys directly in the unit file.

VM/host preparation

It is always recommended to run system processes unprivileged. For that, a specific user and group must be created on each host/VM (shown here with example user and group IDs of 1500):

groupadd -g 1500 traefikee
useradd -g traefikee --no-user-group --home-dir="/opt/traefikee" --shell="/usr/sbin/nologin" --system --uid="1500" traefikee

OS Compatibility

This guide, including any example config files, was created using Debian Linux. There may be slight differences on other distributions.

Unit File Placement

Usually, systemd files can be placed under /etc/systemd/system, but this may not be the case on all distributions.

Unit Install Target

The examples use network-online as the target group dependency, but this may not be the same on distributions other than Debian. To find out what targets are actually available, run: systemctl list-units --type target

Controllers

Env File (optional)

Store the license key and the bind address for the controller into a new environment file.

Sensitive Information

Make sure this file has restricted permissions.

File permissions

We recommend giving this file restricted access as it contains sensitive information.

# Saved as /opt/traefikee/controller.env, update the bind address on each host according to your needs.
CONTROLLER_BIND_ADDRESS="10.0.0.10:4242"
TEE_LICENSE_KEY="<my-license>"

Unit File

[Unit]
Description=TraefikEE Controller
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
EnvironmentFile=-/opt/traefikee/controller.env
Restart=on-abnormal
User=traefikee
Group=traefikee
ExecStart=/opt/traefikee/bin/traefikee controller --advertise=${CONTROLLER_BIND_ADDRESS} --license=${TEE_LICENSE_KEY} --api.socket=/opt/traefikee/run/teectl.sock --socket=/opt/traefikee/run/cluster.sock --statedir=/opt/traefikee/data --jointoken.file.path=/opt/traefikee/tokens
PrivateTmp=true
PrivateDevices=false
ProtectHome=true
ProtectSystem=full
ReadWritePaths=/opt/traefikee
PermissionsStartOnly=true
ExecStartPre=mkdir -p /opt/traefikee/run /opt/traefikee/data /opt/traefikee/tokens
ExecStartPre=-chown -R traefikee.traefikee /opt/traefikee
ExecStartPre=-chmod -R 700 /opt/traefikee

NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

For this guide, the systemd unit below was saved as /etc/systemd/system/traefikee-controller.service.

Proxies

Env File (optional)

Store the list of controller peers to connect to and the node join token into a new environment file.

File permissions

We recommend giving this file restricted access as it contains sensitive information.

# Saved as /opt/traefikee/proxies.env
CONTROLLER_PEERS="10.0.0.10:4242"
PROXY_NODE_TOKEN="<my-token>"

Unit File

[Unit]
Description=TraefikEE proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
EnvironmentFile=-/opt/traefikee/traefikee.env
Restart=on-abnormal
User=traefikee
Group=traefikee
ExecStart=/opt/traefikee/bin/traefikee proxy --jointoken.value=${PROXY_NODE_TOKEN} --discovery.static.peers=${CONTROLLER_PEERS} --statedir=/opt/traefikee/data
PrivateTmp=true
PrivateDevices=false
ProtectHome=true
ProtectSystem=full
ReadWritePaths=/opt/traefikee
ExecStartPre=mkdir -p /opt/traefikee/data

; The following additional security directives only work with systemd v229 or later.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

For this guide, the systemd unit below was saved as /etc/systemd/system/traefikee-proxy.service.

Tip

For the first boot, the node join token must be retrieved from a controller and updated on each proxy node before starting them. This can be automated or handled manually as a one-time operation.

With everything in place, proceed to enable the units files on systemd with:

systemctl enable traefikee-controller
systemctl enable traefikee-proxy
Created symlink /etc/systemd/system/multi-user.target.wants/traefikee-controller.service → /etc/systemd/system/traefikee-controller.service.
Created symlink /etc/systemd/system/multi-user.target.wants/traefikee-proxy.service → /etc/systemd/system/traefikee-proxy.service.

Now both the controller and proxies should be manageable by systemd as usual:

systemctl start traefikee-controller
systemctl start traefikee-proxy

What's Next?

Now that the cluster is ready, we recommend reading the various operating guides to dive into all features that TraefikEE provides.