Strategy to use Docker network aliases during build

Hello,
I’m trying to set up a small server using Gitea and Drone in Docker, with a Traefik proxy to handle external connections.

Here is my docker-compose.yml file

version: '2.1'
services:
  traefik:
    image: traefik
    container_name: traefik
    networks:
      traefik:
        aliases:
          - traefik.${MY_DOMAIN}
    ports:
      - "80:80"
      - "443:443"
    expose:
      - "8080"
    volumes:
      - "/srv/traefik/traefik.toml:/etc/traefik/traefik.toml"
      - "/srv/traefik/acme:/etc/traefik/acme"
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    labels:
      - "traefik.frontend.rule=Host:traefik.${MY_DOMAIN}"
      - "traefik.backend=traefik"
      - "traefik.enable=true"
      - "traefik.port=8080"
      - "traefik.frontend.entryPoints=https"

  gitea:
    image: gitea/gitea:1
    container_name: gitea
    networks:
      traefik:
        aliases:
          - git.${MY_DOMAIN}
    ports:
      - "10022:22"
    expose:
      - "3000"
    environment:
      - SERVICE_NAME=gitea
      - USER_UID=1000
      - USER_GID=1000
      - RUN_MODE=prod
    restart: always
    volumes:
      - /srv/gitea:/data
    labels:
      - "traefik.frontend.rule=Host:git.${MY_DOMAIN}"
      - "traefik.backend=gitea"
      - "traefik.port=3000"
      - "traefik.enable=true"
      - "traefik.frontend.entryPoints=https"
      - "traefik.docker.network=traefik"

  drone:
    image: drone/drone:1.0.0-rc.5
    container_name: drone
    networks:
      traefik:
        aliases:
          - drone.${MY_DOMAIN}
    expose:
      - "443"
      - "80"
    environment:
      - DRONE_TLS_AUTOCERT=false
      - DRONE_GIT_ALWAYS_AUTH=false
      - DRONE_RUNNER_CAPACITY=2
      - DRONE_SERVER_HOST=drone.${MY_DOMAIN}
      - DRONE_SERVER_PROTO=http
      - DRONE_GITEA_SERVER=http://gitea:3000
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/drone:/data
    labels:
      - "traefik.frontend.rule=Host:drone.${MY_DOMAIN}"
      - "traefik.port=80"
      - "traefik.backend=drone"
      - "traefik.enable=true"
      - "traefik.frontend.entryPoints=https"
      - "traefik.docker.network=traefik"

networks:
  traefik:
    external:
      name: traefik

Drone is able to reach the Gitea server for authentication and repository discovery.

The issue comes from the clone stage because webhooks contain the clone_url value in an “external” form:

Request URL: http://drone.my-domain/hook?secret=1234

{
  "repository": {
    "clone_url": "https://git.my-domain/someuser/somerepo.git"
  }
}

In this configuration, Drone is unable to access the repository: Could not resolve host: git.my-domain

My domain is only used in my local network, and I thought it would be fine with only Docker network aliases to redirect to the service. Is there a way to achieve the redirection without running a complete DNS server in my local network? (I use the web app on a single computer right now, so editing /etc/hosts is not a problem.)

I think you might be looking for DRONE_RUNNER_NETWORKS. You can search this forum and find people with a similar setup (Drone+Gitea on a single machine) that are using this setting to solve the same issue.

Thank you, but I can’t see this variable in the current documentation:
https://docs.drone.io/reference

Wasn’t it an old variable for 0.8.x? I am currently using 1.0.0-rc5.

EDIT 1: It seems to work with DRONE_RUNNER_NETWORKS. It has resolved name resolution.

EDIT 2: I think there’s another issue; now I have this error:

Failed to connect to git.my-domain port 80: Connection refused

The error is visible on the agent side (I think, since it’s during the git clone command, and I am able to log in with my Gitea credentials).

As an aside, if you are running everything on the same machine, why use an agent? Drone supports a single-machine install that runs a combined server+agent. https://docs.drone.io/installation/gitea/single-machine/

Failed to connect to git.my-domain port 80: Connection refused

Drone is executing a standard git clone from inside an alpine container [1]. It uses a netrc file for authentication, so make sure Gitea has git+http(s) cloning enabled. If a standard git clone fails, unfortunately, I am not sure there is much assistance I can offer you since this is happening outside the scope of the Drone codebase.

I would also recommend searching this forum for Connection refused clone errors. In my quick search it seems in all cases the reverse proxy is causing networking traffic to fail, or the source code management system disabled http cloning. I also recommend researching other Gitea posts with clone issues such as this.

[1] GitHub - drone/drone-git: Drone plugin for cloning Git repositories

I am actually using the single-machine setup. When I talk about “agent-side”, I mean the requests which fail are from the runner, not the server.

If I try a simple git clone using my-domain on a machine in my local network:

git clone http://git.my-domain/someuser/somerepo.git
Cloning into 'somerepo'...
remote: Enumerating objects: 23, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 23 (delta 5), reused 0 (delta 0)
Unpacking objects: 100% (23/23), done.

Everything works fine; I can also push my commits without problems.

I have finally set up a DNS server in my local network and added it to the docker-compose file on all my services instead of using network aliases. So all requests with “my-domain” are handled by the reverse proxy, even requests made inside containers.

Even with the DNS server, the git command from the runner fails.

fatal: unable to access 'http://git.my-domain/someuser/somerepo.git/': Could not resolve host: git.my-domain

You can clearly see the unresolved name issue is back, so my guess is that the runner doesn’t use the same DNS properties as the server (which can be normal for certain setups, but at least we need to have the option to use custom DNS servers).

the runner doesn’t use the same dns properties as the server

I think perhaps we are getting confused on terminology because the runner and server are the same thing. The server creates a user-defined network for every pipeline using docker network create and attaches this network to every container that it launches, including the clone container. It also attaches networks that you provide via DRONE_RUNNER_NETWORKS.

I will admit that Drone was not created with this particular setup in mind, where it is co-located on the same machine as the version control system with custom networking and local DNS. It was built under the assumption that you are connecting to a central version control system (e.g. GitHub or GitHub enterprise) which is running on a separate server and accessible using a more traditional DNS configuration. People certainly find a way to hack everything to run on a single machine, however, this is not a configuration that I can personally support and help you triage because I lack the expertise. You may want to connect with other Gitea users in this forum that are running everything on the same machine and perhaps share notes.

I understood the server will attach “containers created by itself” (this is what I called “runner”) to the DRONE_RUNNER_NETWORKS value. This is not enough to pass DNS properties, unfortunately (you only get the DNS made by Docker, which resolves a Docker service name to the right container).

I will try to find what’s going on in Drone source code and maybe make a PR.

Thank you for your support :wink:

EDIT: I have finally created a file at /etc/docker/daemon.json and placed my DNS server into it

{
  "dns": ["1.1.1.1", "1.0.0.1", "192.168.XXX.XXX"]
}

Then I restarted the Docker service

sudo systemctl restart docker

Everything is working fine now: the Docker daemon automatically gives these DNS servers to any created containers, so now “runners” are able to reach other containers by passing through Traefik.

Thanks again.
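
The daemon.json change from the last post, as an added example (not code from the thread, Drone or Docker): dockerd refuses to start on a malformed /etc/docker/daemon.json, and overwriting the file drops any settings already in it, so this helper merges the DNS servers into the existing content, validates each address and replaces the file atomically. The function names and the 192.168.1.53 resolver are assumptions; the thread masks the real address.

```python
import ipaddress
import json
import os
import tempfile


def merge_dns(existing_text, servers):
    """Return daemon.json text with `servers` merged into the "dns" list."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    current = config.get("dns", [])
    if not isinstance(current, list):
        raise ValueError('"dns" must be a list of IP addresses')
    merged = []
    for addr in [*current, *servers]:
        if not isinstance(addr, str):
            raise ValueError(f"DNS server must be a string: {addr!r}")
        # ip_address() raises ValueError on hostnames, masks or typos.
        addr = str(ipaddress.ip_address(addr))
        if addr not in merged:  # keep order, drop duplicates
            merged.append(addr)
    config["dns"] = merged
    return json.dumps(config, indent=2) + "\n"


def write_daemon_json(path, servers):
    """Merge `servers` into the file at `path`, replacing it atomically."""
    try:
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new_text = merge_dns(existing, servers)  # fails before anything is written
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # readers see the old or the new file, never half
    except BaseException:
        os.unlink(tmp)
        raise
    return new_text


if __name__ == "__main__":
    # Constructed sample: an existing config with an unrelated key already set.
    sample = '{"log-driver": "json-file", "dns": ["1.1.1.1"]}'
    print(merge_dns(sample, ["1.1.1.1", "1.0.0.1", "192.168.1.53"]))
```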