Pi-Hole on Docker Swarm (behind SSL proxy)

This is my simple config for running Pi-Hole on Docker Swarm. pfSense is configured as a DNS forwarder pulling from three dockerswarm nodes. I only run one instance of Pi-Hole (it needs to hold the lock on the SQLite database), but Docker Swarm takes care of availability and resiliency.

As I hit Pi-Hole through an SSL terminating proxy I set the ServerIP as This resolves blocked domains to with no major side effects.

docker service create --name pihole \
    --mount type=bind,src=/data/docker/pihole/pihole,dst=/etc/pihole \
    --mount type=bind,src=/data/docker/pihole/dnsmasq.d,dst=/etc/dnsmasq.d \
    --replicas=1 \
    -e ServerIP= \
    -e \
    -e WEBPASSWORD=myPassword \
    --publish published=9053,target=80,protocol=tcp \
    --publish published=53,target=53,protocol=tcp \
    --publish published=53,target=53,protocol=udp \

Unifi to Grafana (using Prometheus and unifi_exporter)

Documenting the process of getting this up and running. We already had Prometheus and Grafana running on our Docker Swarm cluster (we promise to document this all one day).

There was only one up-to-date image of unifi_exporter on Docker Hub, and it had no documentation, so we were not comfortable using it.

1) Download, build and push unifi_exporter.

$ git clone git@github.com:mdlayher/unifi_exporter.git
$ cd unifi_exporter
$ sudo docker build -t louisvernon/unifi_exporter:$(git describe --tags) . # yields a tag like 0.4.0-18-g85455df
$ sudo docker push louisvernon/unifi_exporter:$(git describe --tags)

2) Create a read-only admin user for the unifi_exporter service:

3) Create config.yml on storage mounted on a dockerswarm node. In our case we have a GlusterFS volume mounted across all nodes. If you are using the self-signed cert on your UniFi controller then you will need to set insecure to true.

$ cat /data/docker/unifi-exporter/config.yml
listen:
  address: :9130
  metricspath: /metrics
unifi:
  address: https://<unifi-controller-host>:8443   # placeholder: your controller URL
  username: unifiexporter
  password: random_password
  site: Default
  insecure: false
  timeout: 5s

4) Deploy to Docker Swarm. The Docker image does not contain any trusted CA certificates, so we bind-mounted the host's certs read-only.

$ docker service create --name unifi_exporter \
    --mount type=bind,src=/data/docker/unifi-exporter/config.yml,dst=/config.yml \
    --mount type=bind,src=/etc/ssl,dst=/etc/ssl,readonly \
    --publish 9130:9130 \
    --replicas=1 \
    louisvernon/unifi_exporter:0.4.0-18-g85455df -config.file=/config.yml

5) You should see something like this in the logs (we use Portainer to quickly inspect our services).

2018/06/12 01:10:47 [INFO] successfully authenticated to UniFi controller
2018/06/12 01:10:47 Starting UniFi exporter on ":9130" for site(s): Default

The first time around (before we bind-mounted /etc/ssl) we got an x509 error because the image has no trusted CA certificates.

6) Add unifi_exporter as a new scrape target for Prometheus.

$ cat /data/docker/prometheus/config/prometheus.yml
  - job_name: 'unifi_exporter'
    static_configs:
      - targets: ['dockerswarm:9130']
        labels:
          alias: unifi_exporter

7) Point your browser at http://dockerswarm:9130/metrics and make sure you see stats. In our case the payload was 267 lines.
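Rather than eyeballing a couple of hundred lines in a browser, the scrape can be parsed and counted per metric family. This is an added Python example, not code from the post or from unifi_exporter; the sample payload is constructed, its metric names are illustrative, and the `unifi_` metric prefix is an assumption.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of a /metrics payload in the Prometheus text exposition
# format; metric names are illustrative (unifi_ prefix), not from a live scrape.
SAMPLE_METRICS = """\
# HELP unifi_devices Number of devices, partitioned by site.
# TYPE unifi_devices gauge
unifi_devices{site="Default"} 3
# HELP unifi_device_uptime_seconds_total Device uptime in seconds.
# TYPE unifi_device_uptime_seconds_total counter
unifi_device_uptime_seconds_total{id="a1",mac="00:11:22:33:44:55",site="Default"} 86400
unifi_device_uptime_seconds_total{id="b2",mac="00:11:22:33:44:66",site="Default"} 3600
unifi_device_stations{id="a1",mac="00:11:22:33:44:55",site="Default"} 7
up 1
"""

# A sample line is: metric name, optional {labels}, value, optional timestamp.
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
UNESCAPE = {'"': '"', '\\': '\\', 'n': '\n'}  # escapes allowed inside label values
Sample = namedtuple("Sample", "name labels value")

def parse_exposition(text):
    """Turn /metrics text into Samples; HELP/TYPE comments and blank lines are skipped."""
    samples = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid sample line: {line!r}")
        name, raw_labels, raw_value = m.groups()
        labels = {k: re.sub(r'\\(["\\n])', lambda e: UNESCAPE[e.group(1)], v)
                  for k, v in LABEL_RE.findall(raw_labels or "")}
        samples.append(Sample(name, labels, float(raw_value)))  # float() accepts NaN/+Inf
    return samples

def families(samples):
    """Sample count per metric family, handy for diffing two scrapes."""
    return Counter(s.name for s in samples)

def check_scrape(text, prefix="unifi_", min_samples=1):
    """Return a list of problems; an empty list means the scrape looks healthy."""
    samples = parse_exposition(text)
    wanted = [s for s in samples if s.name.startswith(prefix)]
    problems = []
    if len(wanted) < min_samples:
        problems.append(f"expected at least {min_samples} {prefix}* samples, got {len(wanted)}")
    return problems
```

Feed it the body of http://dockerswarm:9130/metrics (for example via urllib) and compare `families()` between runs to spot an AP or site that has stopped reporting.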

8) Restart the Prometheus service: `docker service update --force prometheus`

9) Hop on over to Prometheus to make sure the new target is listed and UP: http://dockerswarm:9090/targets

10) Finally we import the dashboard into Grafana. Our options are a little sparse right now, but this dashboard gives us somewhere to start. We made some tweaks to it to make it multi-AP friendly, with some extra stats:

The result: