Reputation: 47
I've been trying to get a dev setup up revolving around Nomad/Consul with a Traefik reverse proxy, and while Nomad and Consul run fine in dev mode on WSL (Ubuntu 22.04), I'm having issues getting Traefik to work. The job runs, deploys, it gets successfully registered in Consul, but it's producing no logs whatsoever and I can't access the dashboard at all (Connection reset, connection refused, etc.) whatsoever. I'm not super familiar with WSL and I'm assuming it's a networking issue, but I have literally run out of options. Below are my configs/commands and what I've tried so far. (ran this on the WSL VM)
set -e
exec > >(sudo tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
# Config bridge and firewall --------------------------------
sudo modprobe bridge
sudo ufw disable || echo "ufw not installed"
# Install common deps ---------------------------------------
sudo apt-get update
sudo apt-get install -y apt-transport-https gpg wget curl coreutils ca-certificates
# Install nomad ---------------------------------------------
sudo wget -O- | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install nomad
# Install consul --------------------------------------------
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install -y consul
# Install CNI -----------------------------------------------
export ARCH_CNI=$( [ $(uname -m) = aarch64 ] && echo arm64 || echo amd64)
export CNI_PLUGIN_VERSION=v1.6.2
sudo curl -L -o cni-plugins.tgz "${CNI_PLUGIN_VERSION}/cni-plugins-linux-${ARCH_CNI}-${CNI_PLUGIN_VERSION}".tgz
sudo mkdir -p /opt/cni/bin
sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz
sudo apt-get update && sudo apt-get install -y consul-cni
# Install Docker
for pkg in docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update && sudo apt-get install -y docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin
# Install Temurin ------------------------------------------
sudo wget -qO - | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null
sudo echo "deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | sudo tee /etc/apt/sources.list.d/adoptium.list
sudo apt-get update && sudo apt-get install -y temurin-21-jdk
# Set ENV variables ------------------------------------------
export NOMAD_ADDR=http://localhost:4646
export JAVA_HOME=/usr/lib/jvm/temurin-21-jdk-amd64
# Install phase finish ---------------------------------------
sudo apt-get clean
echo "Install complete"
sudo systemctl start docker
sleep 3
# Set configs ------------------------------------------------
echo " $(hostname)" | sudo tee --append /etc/hosts
DOCKER_BRIDGE_IP_ADDRESS=$(ip -4 addr show docker0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
if [[ "$(uname -r)" == *"microsoft"* ]]; then
  echo "Detected WSL: Preventing /etc/resolv.conf from being reset..."
  sudo sh -c 'echo "[network]" > /etc/wsl.conf'
  sudo sh -c 'echo "generateResolvConf = false" >> /etc/wsl.conf'
  # Clear the immutable flag so resolv.conf can be rewritten below
  sudo chattr -i /etc/resolv.conf 2>/dev/null || true
fi
echo "nameserver $DOCKER_BRIDGE_IP_ADDRESS" | sudo tee /etc/
cat /etc/resolv.conf | sudo tee --append /etc/
sudo mv /etc/ /etc/resolv.conf
if [[ "$(uname -r)" == *"microsoft"* ]]; then
  # Re-lock resolv.conf so WSL does not regenerate it
  sudo chattr +i /etc/resolv.conf
fi
# Set env vars
echo "export NOMAD_ADDR=http://localhost:4646" | sudo tee --append /home/$HOME_DIR/.bashrc
echo "export JAVA_HOME=/usr/lib/jvm/temurin-21-jdk-amd64" | sudo tee --append /home/$HOME_DIR/.bashrc
# Server setup phase finish -----------------------------------
Then I run Nomad and Consul with (these work OK and are available on localhost on the Windows environment):
sudo consul agent -dev -bind
sudo nomad agent -dev -bind -network-interface='{{ GetDefaultInterfaces | attr "name" }}'
I then run the Traefik job:
job "traefik" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"
  group "traefik" {
    count = 1
    network {
      port "http" {
        static = 8080
      }
      port "admin" {
        static = 48080
      }
    }
    service {
      name = "traefik"
      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }
    task "server" {
      driver = "docker"
      config {
        image = "traefik:3.3"
        ports = ["http", "admin"]
      }
      artifact {
        source      = "[redacted]traefik/traefik.yml"
        destination = "etc/traefik"
        options {
          filename = "traefik.yml"
        }
      }
      artifact {
        source      = "[redacted]traefik/dynamic.yml"
        destination = "etc/traefik"
        options {
          filename = "dynamic.yml"
        }
      }
    }
  }
}
At this point Traefik gets discovered by Consul, the health check is successful and it points to the IP address of my WSL VM (e.g. XXX.XXX.XXX.XXX:8080). Accessing it on localhost, however on :48080/dashboard/ gives a connection reset and I see no logs whatsoever in the Nomad allocation (no failures, files are mounted successfully).
I also tried the below commands to attempt to forward the traffic (since I have no idea at this point):
sudo netsh interface portproxy add v4tov4 listenport=8080 listenaddress= connectport=8080 connectaddress=
sudo netsh interface portproxy add v4tov4 listenport=48080 listenaddress= connectport=48080 connectaddress=
and I added a rule in the firewall for WSL:
New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
I have also tried setting network_mode = "host" on the Traefik job, but that shows the docker container without ports (so I assume it's incorrect). Bridge network mode doesn't seem to change anything. Docker Desktop is updated/functional and it's running Linux containers.
This is Traefik's static config:
dashboard: true
insecure: true
accessLog: {}
address: ':8080'
address: ':48080'
exposedByDefault: false
connectAware: true
connectByDefault: true
address: 'host.docker.internal:8500'
scheme: http
filename: '/etc/traefik/dynamic.yml'
level: DEBUG
The only explanation I come to is that Traefik is not binding to the Windows machine and is remaining bound to the WSL VM (but I have no idea why no logs are produced).
If anyone has any ideas or sees something wrong, any help would be greatly appreciated.
Upvotes: 0
Views: 57
Reputation: 47
So apparently it was a WSL networking issue and a Nomad/Traefik issue, two in one.
I had to mount the traefik config files from Nomad to Docker like:
volumes = [
Then I had to remove the port forwarding since Nomad does automatic NAT translation when bound to, then bind the ports in the hcl setup so that Nomad can handle that:
ports = ["admin", "http"]
That results in Traefik being available on the WSL IP address (not localhost, as it's not found to and is able to handle incoming traffic.
Upvotes: 1
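The thread turns on which address ports 8080 and 48080 end up bound to (the WSL IP rather than localhost), which also decides who can reach a dashboard running with `insecure: true`. The following check is an added example, not code from the original posts: `bind_scope` is a hypothetical helper that classifies a port from `ss -H -ltn` output, and the sample lines and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example: report how widely a TCP port is listening.
# Live use inside the WSL VM:  ss -H -ltn | bind_scope 48080
# Prints one of: all-interfaces, address:<ip>, loopback, not-listening.
bind_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      local_addr = $4
      n = split(local_addr, parts, ":")
      if (parts[n] != port) next            # exact match: 8080 must not match 48080
      host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
      gsub(/\[/, "", host); gsub(/\]/, "", host)   # [::1] -> ::1
      sub(/%.*$/, "", host)                        # 127.0.0.53%lo -> 127.0.0.53
      if (host == "0.0.0.0" || host == "*" || host == "::") seen_all = 1
      else if (host ~ /^127\./ || host == "::1") seen_lo = 1
      else addr = host
    }
    END {
      # Report the widest exposure found for the port.
      if (seen_all) print "all-interfaces"
      else if (addr != "") print "address:" addr
      else if (seen_lo) print "loopback"
      else print "not-listening"
    }'
}

# Constructed sample in `ss -H -ltn` column order:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE='LISTEN 0 4096 127.0.0.1:4646 0.0.0.0:*
LISTEN 0 4096 192.0.2.10:8080 0.0.0.0:*
LISTEN 0 4096 192.0.2.10:48080 0.0.0.0:*
LISTEN 0 4096 *:8500 *:*
LISTEN 0 128 [::1]:631 [::]:*'

for p in 8080 48080 8500 4646 9999; do
  printf '%s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE" | bind_scope "$p")"
done
```

A result of `address:<ip>` for 48080 matches what the answer describes: reachable on the WSL address but not on 127.0.0.1.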