portainer: Can't deploy a Compose stack via Portainer Agent without Swarm

Looks like #2001 is still there in some form.

Bug Description

Can’t deploy a Compose stack on a node managed via Portainer Agent without Swarm.

Actual behavior

  1. Run Portainer Server on a non-Swarm node
  2. Run Portainer Agent on a non-Swarm node in non-edge mode (the same host in my case)
  3. Add the agent to the server
  4. Try deploying a v2 stack
  5. Could not load X509 key pair: open /.docker/cert.pem: no such file

Technical details:

  • Portainer version: 1.22.2
  • Docker version: 19.03.4
  • Platform: linux
  • Command used to start Portainer: docker run -d --name portainer --network main -p 8000:8000 --restart=always -v portainer_data:/data portainer/portainer
  • Command used to start Portainer Agent: docker run -d --name portainer_agent --network main --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes portainer/agent

Additional context

There are three ways to work around this problem and I don’t like them all:

  1. Use direct Docker connection from server. (I like Agent because it gives some additional features like volumes browsing)
  2. Use Portainer Agent in Edge mode. (I don’t like Edge mode because it’s slower and looks like overhead when the server and agent are on the same host)
  3. Use Server and Agent in Swarm mode. This would even allow v3 stacks! (I don’t like Swarm because all my nodes are for specific tasks and I don’t want to manage these hard-to-understand Swarm features, plain Docker is good for me)

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 8
  • Comments: 17 (2 by maintainers)

Most upvoted comments

After investigation this seems to have been introduced when we updated the version of libcompose. The latest version seems to use default TLS certificate files.

As @aprosvetova suggested, I believe this can only be fixed by altering libcompose. This is not in our scope at the moment, we’re currently thinking about replacing libcompose entirely as it has been causing a lot of issues with standalone stack management.

This issue will be referenced in a master topic about replacing libcompose.

@paulz1 nope.

I researched a bit. There are two steps to fix this issue:

  1. Fix a bug in libcompose that makes it ask for cert even when TLSVerify is false. (should be easy)
  2. Add X-PortainerAgent-Signature support to libcompose (might be hard)

I used a VERY dirty workaround to fix v2 stacks on non-swarm Agents. I patched Agent so it would start in unsecured (non-TLS) mode with EDGE disabled. Then I added this Agent to master Portainer as a non-TLS endpoint. Of course it’s very insecure, so I whitelisted master IP on my Agent machine so firewall blocks all potential intruders.

I can’t use Portainer at all because of this. 😦
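
The first fix step discussed in the comments above (do not ask for a client certificate when none is configured and TLSVerify is false), sketched as an added example that is not libcompose or Portainer code. `TLSOptions`, `buggyConfig` and `fixedConfig` are hypothetical names; the example does not cover the `X-PortainerAgent-Signature` step.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"path/filepath"
)

// TLSOptions is a hypothetical stand-in for a Docker client's TLS settings.
type TLSOptions struct {
	TLS, TLSVerify    bool   // use TLS / verify the server certificate
	CertFile, KeyFile string // client key pair; empty means none configured
}

// buggyConfig reproduces the failure mode: when no key pair is configured it
// falls back to default files under certDir and loads them unconditionally.
func buggyConfig(o TLSOptions, certDir string) (*tls.Config, error) {
	if o.CertFile == "" {
		o.CertFile, o.KeyFile = filepath.Join(certDir, "cert.pem"), filepath.Join(certDir, "key.pem")
	}
	pair, err := tls.LoadX509KeyPair(o.CertFile, o.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("Could not load X509 key pair: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}}, nil
}

// fixedConfig loads a client key pair only when one was explicitly configured.
func fixedConfig(o TLSOptions) (*tls.Config, error) {
	if !o.TLS && !o.TLSVerify {
		return nil, nil // plain connection: no TLS config at all
	}
	// TLSVerify=false keeps encryption but skips server certificate checks.
	cfg := &tls.Config{InsecureSkipVerify: !o.TLSVerify, MinVersion: tls.VersionTLS12}
	if o.CertFile == "" && o.KeyFile == "" {
		return cfg, nil // TLS without client authentication
	}
	pair, err := tls.LoadX509KeyPair(o.CertFile, o.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("could not load X509 key pair: %w", err)
	}
	cfg.Certificates = []tls.Certificate{pair}
	return cfg, nil
}

func main() {
	_, err := buggyConfig(TLSOptions{TLS: true}, "/.docker")
	cfg, err2 := fixedConfig(TLSOptions{TLS: true})
	fmt.Println("buggy:", err, "| fixed:", cfg != nil, err2)
}
```

With this shape the endpoint stays on TLS, so the non-TLS Agent patch described in the comment above is not needed just to avoid the missing `cert.pem` error.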