Octopus Server Linux Container

Given the following scenario where we have a production Octopus instance that was built using a single EC2 instance in AWS, and we now want to transition to an HA setup using the Octopus Server Linux containers in AWS EKS (Kubernetes) but maintain the existing database. How do we go about configuring the server nodes in the containers?

For example, the base image already has its ENTRYPOINT defined, and it’s reading in the config from the existing database. We can’t run commands in the containers that will allow us to reconfigure the nodes for things like --forceWebSSL=True, or changing web bindings so that we can utilize HTTPS, because this requires the service to restart, which requires SUDO (not part of the image), and being containers, if you restart them they re-create and wipe away the config changes you made.

Do you have suggestions for how to configure the container server nodes when using an already existing database?

Hi @swalsh1,

Thanks for reaching out, I’d be happy to help with your Octopus Server migration to EKS!

It’s definitely worth checking out our guide specifically for Migrating to Octopus Server Linux Container from Windows Server if you haven’t seen it already!

In regards to configuring the Server containers, we expose an additional Docker environment variable, OCTOPUS_SERVER_CONFIGURATION_DIRECTORY, which allows you to specify an existing configuration file for the Octopus Server to use instead of creating a new one, allowing you to bring over your existing configurations or configure settings such as --forceWebSSL=True.

Let me know if that helps with your migration or you have any questions or run into any issues at all!

Best Regards,

Sweet, this might work. I’ll test out those env vars for the config file location and let you know if that was successful.


Hi @finnian.dempsey, I wanted to follow up. So I was able to set the configuration directory, as well as downloading the base image and then tweaking the install.sh script to configure the server with --webForceSSL=True and --webListenPrefixes="https://localhost,http://localhost:8080".

However, when we launch that, the server crashes with the following error (because there is no SSL certificate installed):

Starting "Kestrel" HTTP Listener on "https://localhost:443/ and http://localhost:8080/"
Storing keys in a directory '"/root/.aspnet/DataProtection-Keys"' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.
The Octopus server exited unexpectedly.
Autofac.Core.DependencyResolutionException: An exception was thrown while activating λ:Microsoft.Extensions.Hosting.IHostedService[] -> λ:Microsoft.Extensions.Hosting.IHostedService[] -> Microsoft.AspNetCore.Hosting.GenericWebHostService -> Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.
 ---> Autofac.Core.DependencyResolutionException: An exception was thrown while invoking the constructor 'Void .ctor(Microsoft.Extensions.Options.IOptions`1[Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions], System.Collections.Generic.IEnumerable`1[Microsoft.AspNetCore.Connections.IConnectionListenerFactory], System.Collections.Generic.IEnumerable`1[Microsoft.AspNetCore.Connections.IMultiplexedConnectionListenerFactory], Microsoft.Extensions.Logging.ILoggerFactory, System.Diagnostics.DiagnosticSource)' on type 'KestrelServerImpl'.
 ---> System.Exception: Server has been configured to use https but no matching certificates were found in the server configuration
   at Octopus.Server.Web.KestrelWebHostBuilder.ServerCertificateSelector(Int32 port) in ./source/Octopus.Server/Web/KestrelWebHostBuilder.cs:line 61

When I remove the webListenPrefix for HTTPS it will launch, and I can see that Force SSL == True. However, the site still only comes up on HTTP. Is the forcing SSL not working on Linux, or is there a documented way to set up a cert on the host (what path are you reading certs from on the Linux OS for Kestrel?), and does the format need to be PFX even though it’s Linux?

I would like to get SSL working without having to go through the hassle of setting up an NGINX proxy sidecar if possible, so any guidance you have would be great.

Hi @swalsh1,

Great to hear you’ve nearly got it all configured, sorry for not including this in my previous message!

We actually recommend adding the certificate as a TLS secret in Kubernetes and leveraging an NGINX ingress controller for access. We briefly cover this in our Kubernetes guide here; however, feel free to let me know if you have any questions about getting it set up.

Hopefully that sets you in the right direction, looking forward to hearing how you get on!

Best Regards,
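
The TLS-secret-plus-NGINX-ingress arrangement recommended in the reply above, sketched as Kubernetes manifests. This is an added example, not taken from the thread or from the Octopus guide. The secret name, namespace, host name, Service name and ingress class are assumed placeholders, and the backend port 8080 is the HTTP listen prefix quoted in the thread.

```yaml
# Added example: TLS is terminated at the ingress, and the Octopus container
# keeps serving plain HTTP inside the cluster. All names are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: octopus-tls              # hypothetical secret name
  namespace: octopus             # hypothetical namespace
type: kubernetes.io/tls
data:
  # A kubernetes.io/tls secret holds a PEM certificate chain and PEM private
  # key, each base64-encoded. Equivalent CLI form:
  #   kubectl create secret tls octopus-tls --cert=<cert.pem> --key=<key.pem>
  tls.crt: <base64 of PEM certificate chain>
  tls.key: <base64 of PEM private key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: octopus-web              # hypothetical ingress name
  namespace: octopus
  annotations:
    # ingress-nginx annotation: redirect HTTP requests to HTTPS at the edge
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx        # assumes the controller's class is "nginx"
  tls:
    - hosts:
        - octopus.example.com    # placeholder host; must match the certificate
      secretName: octopus-tls
  rules:
    - host: octopus.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: octopus-web   # hypothetical Service in front of the Octopus pods
                port:
                  number: 8080      # HTTP port from the listen prefix in the thread
```

With this layout the private key lives only in the Kubernetes secret, so access to secrets in that namespace should be restricted through RBAC.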