wekan

Docker Compose: A better way to deploy Rocketchat, Wekan, and MongoDB

dave — Mon, 22 May 2017 23:03:29 +0000

Docker Compose: A better way to deploy Rocketchat, Wekan, and MongoDB

Blog tags

docker-compose

rocket.chat

wekan

ubuntu linux

16.04

docker

mongodb

nginx

dave Tue 23/05/2017 - 11:03

A few months back, I posted instructions on deploying Rocket.Chat and Wekan instances (and their mutual dependency, MongoDB) individually. Since then, I've spent some time with Docker Compose, a set of scripts which help you to define, build, and manage a set of Docker containers. Docker Compose is a thing of beauty. This is the way I now deploy Rocket.Chat, Wekan, and MongoDB together.

Install Docker and Docker Compose

Install Docker (including the "post-installation" steps to allow non-root users to run Docker) and Docker Compose on your server (we recommend Ubuntu 16.04 or the older 14.04). We recommend using the "pip" (Python package manager) to do the install.

Create your Docker Compose recipe

We recommend creating a directory with an obvious name - in my case, it's /home/www/docker-rocketchat-wekan-mongo

In that directory, I create a file called docker-compose.yml containing (I've removed implementation specific details and replaced them with [placeholders]):

version: '2' services: mongo: restart: unless-stopped image: mongo volumes: - [data directory path]:/data/db - [backup directory path]:/backups command: --smallfiles rocketchat-oeru: restart: unless-stopped image: rocketchat/rocket.chat ports: - "127.0.0.1:[port number]:3000" # should be a free port above 1024 depends_on: - mongo environment: - MONGO_URL=mongodb://mongo/rocket - ROOT_URL=[domain name (including schema, e.g. http://)] volumes: - [upload directory path]:/var/www/rocket.chat/uploads wekan: restart: unless-stopped image: mquandalle/wekan ports: - "127.0.0.1:[port number]:80" # should be a free port above 1024 depends_on: - mongo environment: - VIRTUAL_HOST=[domain name (don't include schema, e.g. https://)] - MONGO_URL=mongodb://mongo/plan - ROOT_URL=[domain name (include schema, e.g. https://)] - MAIL_URL=smtp://[smtp username]:[smtp password]@[server name or IP]:[port: 25, 465, or 587]/ volumes: - [path to public content]:/built_app/programs/web.browser/app

Note, you can include multiple instances of either Rocket.Chat or Wekan simply by providing a new name (e.g. rocketchat2 or wekan2 or similar) and a new set of properties - just make sure you're using a unique (and otherwise unused) port number! You can check what's on your server's ports using netstat -punta | less to make sure you're not doubling up.

In case it's not obvious, you can leave out either the rocketchat or wekan definitions if you don't want to run those services!

Creating and Running the Docker Containers

It's easy to create the containers: simply run

docker pull mongo docker pull rocket.chat docker pull mquandalle/wekan

and when it's finished, run

docker-compose up

which should start all your containers, but leave you with a running log - this is great for testing, but when you're happy it's all running you hit CTRL-C (to shut down the current set of containers) and then run

docker-compose up -d

which runs the containers in daemon mode, without the running log. You can then log out of your server, and your containers will continue running!

Based on the configuration above (the "unless-stopped" directive), your containers will restart automatically if your server is rebooted. If you do want to stop them for some reason, you can via

docker-compose stop

Easy.

Serving them to the Web

Once you've got your containers running, you need to make sure you've got a web server running on your host to act as the reverse proxy so that external requests get sent to them reliably! We use Nginx.

RocketChat Nginx

Here's our configuration (with appropriate [substitutions]) - you can create it as /etc/nginx/sites-available/[domain name]:

server { listen 80; server_name [domain name];

## Access and error logs. access_log /var/log/nginx/[domain name]_access.log; error_log /var/log/nginx/[domain name]_error.log;

# see https://tech.oeru.org/protecting-your-users-lets-encrypt-ssl-certs include /etc/nginx/includes/letsencrypt.conf

# we use a 302 temporary redirect rather than a 301 permanent redir
location / { return 302 https://[domain name]$request_uri; } } server { listen 443 ssl; ssl on;
# see https://tech.oeru.org/protecting-your-users-lets-encrypt-ssl-certs ssl_certificate /etc/letsencrypt/live/[domain name]/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[domain name]/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_dhparam /etc/ssl/certs/dhparam.pem;

keepalive_timeout 20s;

root /var/www/html; index index.html index.htm;

server_name [domain name];

## Access and error logs. access_log /var/log/nginx/[domain name]_access.log; error_log /var/log/nginx/[domain name]_error.log;

location / { proxy_pass http://127.0.0.1:[your rocketchat port]; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } }

Wekan Nginx

Here's our configuration (with appropriate [substitutions]) - you can create it as /etc/nginx/sites-available/[domain name]:

# from https://github.com/wekan/wekan/wiki/Install-Wekan-Docker-in-production upstream websocket { server 127.0.0.1:[wekan port]; }

map $http_upgrade $connection_upgrade { default upgrade; '' close; }

server { listen 80; root /var/www/html; index index.html index.htm;

# Make site accessible from http://localhost/ server_name [domain name];

access_log /var/log/nginx/[domain name]_access.log; error_log /var/log/nginx/[domain name]_error.log;

# see https://tech.oeru.org/protecting-your-users-lets-encrypt-ssl-certs include /etc/nginx/includes/letsencrypt.conf

location / { return 302 https://[domain name]$request_uri; } }

server { listen 443 ssl; ssl on;
# see https://tech.oeru.org/protecting-your-users-lets-encrypt-ssl-certs ssl_certificate /etc/letsencrypt/live/[domain name]/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[domain name]/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_dhparam /etc/ssl/certs/dhparam.pem;

keepalive_timeout 20s;

access_log /var/log/nginx/[domain name]_access.log; error_log /var/log/nginx/[domain name]_error.log;

root /var/www/html; index index.html index.htm;

server_name [domain name];

location / { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto scheme; proxy_pass http://127.0.0.1:[your wekan port]; proxy_set_header Host $host; }

location ~ websocket$ { proxy_pass http://websocket; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; }
}

Enable Nginx Configuration

To make your configurations active, do the following for each of your Nginx configurations:

cd /etc/nginx/sites-enabled

Do this for each file:
ln -sf ../sites-available/[filename] .

To check if there are any errors in the files, run

nginx -t

If not, you can restart Nginx to incorporate the new configuration files:

sudo service nginx reload

You can check for errors in the relevant log files specified in your nginx configurations above in /var/log/nginx/*_error.log or /var/log/nginx/*_access.log.

Protecting your users and reputation with encryption

We encourage you to ensure that these services are made available with full encryption to protect your users' privacy. It's easy (and no cost) to set up! The "include" directive in the Nginx configuration files above are examples of this approach.

Upgrades and Backups

We also encourage you to keep your services upgraded. It's easy to do and you'll experience little if any perceptible down time!

Simply re-pull the containers and restart them - the updated containers will be launched without loss of data!

docker pull mongo docker pull rocket.chat docker pull mquandalle/wekan

docker-compose up -d

If you want to back up your data - you need to do normal file backups of the directories on your local server that you've configured in the docker-compose.yml file, and you can do MongoDB backups based on our previous article on the topic!

Add new comment

Upgrading your Docker Apps: MongoDB, Wekan, and Rocket.Chat

dave — Wed, 23 Nov 2016 21:56:41 +0000

Upgrading your Docker Apps: MongoDB, Wekan, and Rocket.Chat

Blog tags

wekan

rocket.chat

mongodb

dave Thu 24/11/2016 - 10:56

(Update 2017-05-24: see an easier way to run Wekan, Rocketchat, and MongoDB) You may not have all of these installed, but if you're running Wekan or Rocket.Chat based on our instructions, you'll also have MongoDB, and the need to keep them all up-to-date to benefit from their rapid development processes (quick bug fixes and new and improved features every few days!).

I'd recommend doing an upgrade monthly or more rapidly if you hear about security issues, or fixes to any bugs which might be affecting you.

Upgrading Step By Step

1. find the 3 IDs of the mquandalle/wekan, rocketchat/rocket.chat, and mongo containers you're running via

docker ps

The output might look something like this:

5c35737f4de2 mongo "/entrypoint.sh mongo" 45 hours ago Up 45 hours 27017/tcp oeru-mongo 7e8ef524ba0a mquandalle/wekan "/bin/sh -c 'bash $ME" 45 hours ago Up 45 hours 127.0.0.1:5555->80/tcp plan b370ad72f358 rocketchat/rocket.chat "node main.js" 45 hours ago Up 45 hours 127.0.0.1:7996->3000/tcp chat

in this case, the relevant IDs are 5c35737f4de2, 7e8ef524ba0a, and b370ad72f358

2. Stop the containers:

docker stop 5c35737f4de2 7e8ef524ba0a b370ad72f358

3. Remove the old containers (not the images):

docker rm 5c35737f4de2 7e8ef524ba0a b370ad72f358

4. Update the images to the latest versions for each.

docker pull mongo docker pull mquandalle/wekan docker pull rocketchat/rocket.chat

5. restart updated MongoDB (create new container) using the same "docker run" command you used initially.

6. similarly restart your updated Rocket.Chat and Wekan containers, using exactly the same "docker run" command you used initially.

Add new comment

Installing Wekan with Docker on Ubuntu Linux 14.04

dave — Thu, 27 Oct 2016 01:12:48 +0000

Installing Wekan with Docker on Ubuntu Linux 14.04

Blog tags

install

ubuntu linux

14.04

mongodb

wekan

docker

let's encrypt

dave Thu 27/10/2016 - 14:12

Wekan is an excellent, easy-to-use "kanban board" project management support tool, suitable for all manner of projects. For those who have used the highly marketed Trello kanban service, Wekan is functionally similar open source alternative that organisations can host and control for themselves. They can also enhance it in whatever ways they are moved to do so. We encourage our partner institutions to consider this path as a way of reducing costs as well as increasing freedom and privacy. To make migrating a win-win, we have also found that Wekan is able to import entire Trello boards, preserving your data. (Update: 2017-05-24 we've just published an easier way to run Wekan and MongoDB)

The OERu provides a Wekan instance that has proven very popular with our Open Education Resource designers and collaborators.

Wekan instances store their data in another open source tool, a key-value storage engine called MongoDB - these instructions assume that you have already got a running MongoDB installed, and to facilitate that, we've provided this handy MongoDB install guide as a companion.

This guide will cover both configuring and launching a Docker container with a working instance of Wekan. It will, in turn, be linked to another Docker container running MongoDB, and both will be capable of sending email via external authenticating email server. External user access to Wekan is provided by the Nginx web server (as a forward proxy). User interaction with Wekan is (and should always be) encrypted via recognised SSL certificates using the brilliant (and gratis) Let's Encrypt service.

This instruction set assumes that you have command-line access (via SSH, in most cases) to your server, running Ubuntu Linux 14.04, probably a Virtual Machine hosted in a data centre somewhere - a very inexpensive way to do this is, for example, via DigitalOcean (for the record, we have no relationship with DigitalOcean, I simply have substantial experience with their services), but there are many many options worldwide. These instructions will need to be modified slightly for other versions of Linux (e.g. Debian 8 or Ubuntu 16.04 or CentOS or others), but should be mostly valid. We'd be grateful to hear about anyone else's experiences in the comments below!

Installing Docker

See our instructions in the MongoDB blog post.

Installing Wekan

First, we would normally create a wekan user:

sudo adduser wekan

and then create a directory in that user's space to store Wekan-related data (so it survives updates to the Docker image):

sudo -u wekan mkdir /home/wekan/public

Assuming you've got Docker installed properly, to install the official Wekan Docker image, you can just run:

docker pull mquandalle/wekan

Then you can launch it by running this by first launching your MongoDB container, and then running this (assumes you've named your MongoDB instance "mongodb" as per our instructions):

docker run -d --name wekan -p 127.0.0.1:5555:80 \ -h [your_Wekan_domain] -e "VIRTUAL_HOST=[your_Wekan_domain]" \ -v /home/wekan/public:/built_app/programs/web.browser/app \ -e "MAIL_URL=[outgoing_mail_server]" \ --link mongodb:mongo -e "MONGO_URL=mongodb://mongo/plan" \ -e "ROOT_URL=http://[your_Wekan_domain]" \ --restart unless-stopped mquandalle/wekan

Note: Please copy and paste the exact text of your "docker run" command into a reference file (I usually have a "README.oeru" reference file in the home directory of each Docker-based app I run) as you will want to refer to it when doing upgrades!

You'll need to make sure you set appropriate values for [your_Wekan_domain] and details for an SMTP (outgoing mail) server, because Wekan needs to send emails. You can use either a local mail server on the Docker host, in which case you'd put the local IP address of your server, as it would be seen by the Docker container, so 172.17.42.1 is the default IP of a Docker host. You could also use an authenticating SMTP server, and specify the details like this: smtp://[username]:[password]@[IP-or-domainname]:[port, usually 25, 465, or 587]. Here's a what a made-up example might look like:

-e "MAIL_URL=smtp://smtpmail:blahdiblah88@mail.oeru.org:25"

Note, the --restart unless-stopped will ensure that this container is restarted on a reboot unless it's explicitly stopped, like via a docker stop wekan, like you might to update the Docker container.

Setting up Nginx as a proxy server

Having set up the Docker container, which is listening on port 5555 on the Docker container's host, you'll need to set up a reverse proxy on that host to make the site visible to the broader internet on your public IP address (you'll want to make sure the domain you specified above points to that IP address or is a CNAME to a domain that does).

Once you've got that, you can proceed. In /etc/nginx/sites-available, I create a file called plan (as we use plan.oeru.org as our domain). Note, I use "vim" as my text editor. If you don't know it, perhaps use "nano" instead. It's much less powerful, but easier to use...

sudo vim /etc/nginx/sites-available/plan

Here're the contents - you'll want to change the domain name to suit your own choices. Similarly the names of SSL files and logs. The following file has a chunk in the middle commented out with "#s". More on that below:

# from https://github.com/wekan/wekan/wiki/Install-Wekan-Docker-in-production upstream websocket { server 127.0.0.1:5555; }

map $http_upgrade $connection_upgrade { default upgrade; '' close; }

server {         listen 80; # this is one of our external IPs on the server.         #listen   [::]:80 default ipv6only=on; ## listen for ipv6         root /usr/share/nginx/www;         index index.html index.htm;         server_name plan.oeru.org;         access_log /var/log/nginx/plan.oeru.org_access.log;         error_log /var/log/nginx/plan.oeru.org_error.log;         location /.well-known {                 root /var/www/html;                 default_type text/plain;         } #        location / { #                return 301 https://plan.oeru.org$request_uri; #        }      #} # #server { #        listen 443 ssl; #        ssl on; #        ssl_certificate /etc/letsencrypt/live/plan.oeru.org/fullchain.pem; #        ssl_certificate_key /etc/letsencrypt/live/plan.oeru.org/privkey.pem;
#        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #        ssl_dhparam /etc/ssl/certs/dhparam.pem; #        keepalive_timeout 20s; # #        access_log /var/log/nginx/plan.oeru.org_access.log; #        error_log /var/log/nginx/plan.oeru.org_error.log;
#        root /var/www/html; #        index index.html index.htm;
#        server_name plan.oeru.org; # #        location /.well-known { #                root /var/www/html; #                default_type text/plain; #        }

location / { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:5555; proxy_set_header Host $host; }

location ~ websocket$ { proxy_pass http://websocket; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }

When you've set up the file, you can enable it:

sudo ln -sf /etc/nginx/sites-available/plan /etc/nginx/sites-enabled

Test the file to ensure there aren't any syntax errors before reloading nginx:

sudo nginx -t

If this shows an error, you'll need to fix the file. If all's well, reload nginx to include the new configuration:

sudo service nginx reload

You should now be able to point your browser at your domain name, and you should get your Wekan site via the HTTP (not encrypted) protocol.

A word to the wise - if it doesn't work, check your firewall settings!

In the next step, we'll sort out your SSL certificate from Let's Encrypt.

Protecting your users

Have a look at our Let's Encrypt howto.

Upgrading Wekan

You should periodically upgrade Wekan, say every couple months, to benefit from improved features... The upgrade process usually means a few minutes of down time for the site, so pick a time when it isn't likely to be heavily used... You'll normally want to upgrade any dependent Docker containers at the same time (like your MongoDB and Rocket.Chat) so we have a dedicated Upgrade article for that.