
cloudflared-docker's Issues

Perhaps change restart policy to 'always'

Just had a situation where I was locked out of Portainer after a reboot because I had stopped all containers before rebooting and was using the "unless-stopped" policy. In hindsight, it makes perfect sense and did exactly as it was instructed, but unfortunately my setup had become too dependent on the cloudflare tunnel. I had set up OAuth on Portainer and had hidden the internal authentication prompt, and since OAuth used my tunnel domain which was broken without the cloudflared container running, and the default password prompt wasn't available, I thought I was stuck.

Fortunately the internal authentication for Portainer is just hidden and there's a URL to log back in using the original user's password, so I was able to get back in and restart my containers, but this wouldn't have happened if I had used the "always" restart policy. I have since gone in and updated that policy for any other mission critical containers that can cause havoc when down. If I really want to keep these containers stopped after a restart then I'll just stop the stack in Portainer which is unaffected by the containers restart policy. Not sure if someone using the stock docker-compose instead of Portainer would have that luxury, and for them perhaps "unless-stopped" makes sense.

Lastly, perhaps I shouldn't bother stopping containers before a reboot or shutdown? If I hadn't done that step, I wouldn't have gotten myself into this situation.

Health checks

How would one go about setting up health checks for their container if (as mentioned in issue #1) the binary is the only thing available?

Build Dockerfile on Pi OS

I am trying to build the Dockerfile locally to test some changes. On my Mac it is working fine, unfortunately it is not on Pi OS, I ran into an error:

docker build -t ha-cloudflared .
Sending build context to Docker daemon 87.04kB
Step 1/17 : ARG GOVERSION=1.17.3
Step 2/17 : FROM --platform=${BUILDPLATFORM} golang:$GOVERSION-alpine AS build
failed to parse platform : "" is an invalid component of "": platform specifier component must match "^[A-Za-z0-9_-]+$": invalid argument

I am not sure if this is a specific problem of your Dockerfile or if this is a general docker build problem, which leads to the variable BUILDPLATFORM being empty.

Any idea?

Consider shipping the binaries stripped

Hi,

I love this project and have been using it for ages. However I noticed that the binary's RAM and CPU usage is a bit higher if run in a container than on bare metal. I did some looking around and noticed that you don't strip the binaries:

cloudflared: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=WIGUFXRhdqRh0lpdulgZ/skCE_Q5T2mBNT3a53QMd/ynKtNIxt2cfOrDim5siM/dHrRvKapzlHgCpAOIfCo, with debug_info, not stripped

May I request that you strip the debug info? I believe it shouldn't be too hard to do so and it doesn't make much sense to have it not stripped in a production build.

Thanks a lot

Use hashes instead of version tags

What about instead of:

# Build container
ARG GOVERSION=1.21.6
ARG ALPINEVERSION=3.19

The hashes of the containers are used like this:

ARG GOHASH=2523a6f68a0f515fe251aad40b18545155135ca6a5b2e61da8254df9153e3648 # golang:1.21.6-alpine3.19
FROM --platform=${BUILDPLATFORM} \
    golang@sha256:$GOHASH AS build

This would make the container more secure by guaranteeing that the images won't change unless the sha256 is updated manually, so no malicious code will be executed. Version tags on the other hand can be easily overwritten.
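A way to enforce the digest-pinning proposal above in CI, as an added example that is not part of this issue or of the cloudflared-docker project: a small POSIX sh/awk lint that reads a Dockerfile and fails when any base image is referenced by a mutable tag rather than an @sha256 digest. It joins backslash-continued FROM lines, skips --platform style flags, and ignores references to earlier build stages (FROM build AS test), which are not base images. The two sample Dockerfiles are constructed from the snippets in this issue; a digest supplied through an ARG (golang@sha256:$GOHASH) is accepted as pinned, since the lint does not resolve build args.

```shell
#!/bin/sh
# Added example, not code from the cloudflared-docker project: a lint that
# fails when a Dockerfile's FROM lines reference a base image by mutable tag
# instead of an immutable @sha256 digest. Needs only POSIX sh and awk.
# ARG indirection (golang@sha256:$GOHASH) counts as pinned; build args are
# not resolved.

# Constructed sample Dockerfiles: the tag-based form from the current
# Dockerfile and the digest-based form proposed in the issue.
UNPINNED='ARG GOVERSION=1.21.6
ARG ALPINEVERSION=3.19
FROM --platform=${BUILDPLATFORM} \
    golang:$GOVERSION-alpine${ALPINEVERSION} AS build
FROM scratch'

PINNED='ARG GOHASH=2523a6f68a0f515fe251aad40b18545155135ca6a5b2e61da8254df9153e3648 # golang:1.21.6-alpine3.19
FROM --platform=${BUILDPLATFORM} \
    golang@sha256:$GOHASH AS build
FROM build AS test
FROM scratch'

# Print the image reference of every FROM line, one per line. Backslash
# continuations are joined, --flags are skipped, and references to earlier
# build stages (FROM build ...) are dropped because they are not base images.
from_refs() {
  printf '%s\n' "$1" | awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { $0 = buf $0; buf = "" }
    toupper($1) == "FROM" {
      ref = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^--/) continue
        if (ref == "") { ref = $i; continue }
        if (toupper($i) == "AS" && i < NF) stages[$(i + 1)] = 1
      }
      if (!(ref in stages)) print ref
    }'
}

# Return 0 when every base image is scratch or an @sha256 digest; otherwise
# print each offending reference and return 1.
check_pinned() {
  rc=0
  for ref in $(from_refs "$1"); do
    case "$ref" in
      scratch | *@sha256:*) ;;
      *) echo "unpinned: $ref"; rc=1 ;;
    esac
  done
  return $rc
}

if check_pinned "$UNPINNED"; then echo "unexpected: tag-based Dockerfile passed"; fi
check_pinned "$PINNED" && echo "all base images pinned by digest"
```

Run it as a pre-commit or CI step with `check_pinned "$(cat Dockerfile)"`; a non-zero exit blocks a change that reintroduces a floating tag, which is the failure mode the issue describes.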

(!) Cannot upgrade to 2023.2.2 or higher

Routine upgrade to 2023.2.2 is failing the hello world test, appears to be independent of Go version.

@Erisa ➜ /workspaces/cloudflared-docker (main) $ cat Dockerfile | grep VERSION=
ARG GOVERSION=1.19.6
ARG ALPINEVERSION=3.17
ARG VERSION=2023.2.2
@Erisa ➜ /workspaces/cloudflared-docker (main) $ docker build -t test . 
[+] Building 39.4s (7/10)                               
 => [internal] load build definition from Dockerf  0.2s
 => => transferring dockerfile: 747B               0.0s
 => [internal] load .dockerignore                  0.2s
 => => transferring context: 2B                    0.0s
 => [internal] load metadata for docker.io/librar  1.1s
 => [build 1/5] FROM docker.io/library/golang:1.1  9.0s
[+] Building 39.6s (7/10)                               
 => => sha256:31c62d91ada60d52cd2 1.65kB / 1.65kB  0.0s
 => => sha256:f2e0acaf7c628cd819b 1.16kB / 1.16kB  0.0s
 => => sha256:04c13dd25b45aee7195 5.11kB / 5.11kB  0.0s
 => => sha256:63b65145d645c1250c3 3.37MB / 3.37MB  0.2s
 => => sha256:f790f4c5274f100 122.36MB / 122.36MB  1.4s
 => => sha256:a2d21d5440ebff5 284.82kB / 284.82kB  0.4s
[+] Building 82.6s (11/11) FINISHED                     
 => [internal] load build definition from Dockerf  0.2s
 => => transferring dockerfile: 747B               0.0s
 => [internal] load .dockerignore                  0.2s
 => => transferring context: 2B                    0.0s
 => [internal] load metadata for docker.io/librar  1.1s
 => [build 1/5] FROM docker.io/library/golang:1.1  9.0s
 => => resolve docker.io/library/golang:1.19.6-al  0.1s 
 => => sha256:31c62d91ada60d52cd2 1.65kB / 1.65kB  0.0s 
 => => sha256:f2e0acaf7c628cd819b 1.16kB / 1.16kB  0.0s 
 => => sha256:04c13dd25b45aee7195 5.11kB / 5.11kB  0.0s 
 => => sha256:63b65145d645c1250c3 3.37MB / 3.37MB  0.2s 
 => => sha256:f790f4c5274f100 122.36MB / 122.36MB  1.4s 
 => => sha256:a2d21d5440ebff5 284.82kB / 284.82kB  0.4s 
 => => extracting sha256:63b65145d645c1250c391b2d  0.3s
 => => sha256:c7bf170fd9e6726c86c0d4b 155B / 155B  0.5s 
 => => extracting sha256:a2d21d5440ebff5aaaaeb115  0.1s 
 => => extracting sha256:f790f4c5274f100158d4c23b  4.9s 
 => => extracting sha256:c7bf170fd9e6726c86c0d4b4  0.0s 
 => [build 2/5] WORKDIR /src                       0.3s 
 => [build 3/5] RUN apk --no-cache add git build-  4.1s 
 => [build 4/5] RUN git clone https://github.com/  3.5s 
 => [build 5/5] RUN GOOS=linux GOARCH=amd64 make  61.8s
 => [stage-1 1/3] COPY --from=build /src/cloudfla  0.3s
 => [stage-1 2/3] COPY --from=build /etc/ssl/cert  0.4s
 => exporting to image                             1.0s
 => => exporting layers                            1.0s
 => => writing image sha256:3c4d9cac3d90b6681564a  0.0s
 => => naming to docker.io/library/test            0.0s
@Erisa ➜ /workspaces/cloudflared-docker (main) $ docker run test --hello-world  
2023-03-01T00:42:41Z INF Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
2023-03-01T00:42:41Z INF Requesting new quick Tunnel on trycloudflare.com...
2023-03-01T00:42:43Z INF +--------------------------------------------------------------------------------------------+
2023-03-01T00:42:43Z INF |  Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):  |
2023-03-01T00:42:43Z INF |  https://rocks-forgot-periodically-bass.trycloudflare.com                                  |
2023-03-01T00:42:43Z INF +--------------------------------------------------------------------------------------------+
2023-03-01T00:42:43Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2023-03-01T00:42:43Z INF Version 2023.2.2
2023-03-01T00:42:43Z INF GOOS: linux, GOVersion: go1.19.6, GoArch: amd64
2023-03-01T00:42:43Z INF Settings: map[hello-world:true no-autoupdate:true protocol:quic]
2023-03-01T00:42:43Z INF Environmental variables map[TUNNEL_ORIGIN_CERT:/etc/cloudflared/cert.pem]
2023-03-01T00:42:43Z INF Generated Connector ID: b7f74f4c-0845-4863-b6de-4d17f41419f3
2023-03-01T00:42:43Z INF Initial protocol quic
2023-03-01T00:42:43Z INF ICMP proxy will use 172.17.0.2 as source for IPv4
2023-03-01T00:42:43Z INF ICMP proxy will use :: as source for IPv6
2023-03-01T00:42:43Z INF Starting metrics server on 127.0.0.1:43563/metrics
2023/03/01 00:42:43 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023-03-01T00:42:44Z INF Connection 195ae8b8-6c29-46d1-a114-959079beda83 registered with protocol: quic connIndex=0 ip=198.41.200.43 location=MAN
2023-03-01T00:42:44Z INF Connection 8e706b68-d4cd-47df-ac8f-155e43247a7f registered with protocol: quic connIndex=1 ip=198.41.192.67 location=AMS
2023-03-01T00:42:45Z INF Connection cf2a5517-05a9-4945-8e9f-d2c296dc9d7a registered with protocol: quic connIndex=2 ip=198.41.200.63 location=MAN
2023-03-01T00:42:47Z INF Connection 4bbe56ad-be17-4c01-9969-0c3bae72960e registered with protocol: quic connIndex=3 ip=198.41.192.7 location=AMS
panic: runtime error: index out of range [-1]

goroutine 227 [running]:
github.com/cloudflare/cloudflared/ingress.Ingress.FindMatchingRule({{0x0, 0x0, 0x0}, {{0x0}, {0x0}, {0x0}, 0x0, {0x0}, 0x0, {0x0, ...}, ...}}, ...)
        /src/ingress/ingress.go:51 +0xef
github.com/cloudflare/cloudflared/proxy.(*Proxy).ProxyHTTP(0xc0003a1440, {0x13d0d38?, 0xc0008e7590}, 0xc0007e1890, 0xb0?)
        /src/proxy/proxy.go:96 +0x465
github.com/cloudflare/cloudflared/connection.(*QUICConnection).dispatchRequest(0xc0001c1ab0, {0x13d36b8, 0xc0008ec4c0}, 0xc0008e74b0, {0x10?, 0xc00023bc00?}, 0xc0008f0d20)
        /src/connection/quic.go:268 +0x263
github.com/cloudflare/cloudflared/connection.(*QUICConnection).handleDataStream(0xc0001c1ab0, {0x13d36b8, 0xc0008ec4c0}, 0xc00023bc00?)
        /src/connection/quic.go:235 +0x79
github.com/cloudflare/cloudflared/connection.(*QUICConnection).handleStream(0xc0005d4d01?, {0x13d36b8, 0xc0008ec4c0}, {0x13d0d68?, 0xc0007e1800})
        /src/connection/quic.go:217 +0x175
github.com/cloudflare/cloudflared/connection.(*QUICConnection).runStream(0xc0001c1ab0, {0x7f75cbb1d178, 0xc000456b40})
        /src/connection/quic.go:197 +0x128
created by github.com/cloudflare/cloudflared/connection.(*QUICConnection).acceptStream
        /src/connection/quic.go:183 +0x88
@Erisa ➜ /workspaces/cloudflared-docker (main) $

"you are using Cloudflare Tunnel in a (legacy) way that is no longer supported.Migrate to Named Tunnels to continue exposing your private origin through Cloudflare's Network" error message

Is anyone else getting this error after days of no problems with the tunnel?

calibre-web-cloudflared | 2022-04-23T14:15:54Z ERR Connection terminated error="you are using Cloudflare Tunnel in a (legacy) way that is no longer supported.Migrate to Named Tunnels to continue exposing your private origin through Cloudflare's Network.You can follow this guide: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/migrate-legacy-tunnels as an example.Alternatively, you can go to https://dash.teams.cloudflare.com/ -> Access -> Tunnels -> Create and rely on the User Interface instead." connIndex=3

My docker compose is very simple, and has been working until just today

  cloudflared:
    image: erisamoe/cloudflared
    container_name: calibre-web-cloudflared
    volumes:
      - ./cloudflared:/etc/cloudflared
    command: --hostname xxxx.xxxxx.com --url http://nginx:80
    depends_on:
      - nginx

UDP Receive Buffer Size

I see this notice in the logs:

my-tunnel:  failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.

The link recommends:

sysctl -w net.core.rmem_max=2500000

Does it make sense to incorporate this in your Dockerfile?

2024.1.* linux/arm/v6 images fail to execute on Raspberry Pi 1 Mod. B

Hi,

after failing to get the docker compose example to run (exited with code 0), I tried to run the command

docker run -v $PWD/cloudflared:/.cloudflared erisamoe/cloudflared:latest login

directly.

That also failed (No more output after 'Status: Downloaded ...').

So I started to try out older images and the first one working was erisamoe/cloudflared:2023.10.0.

Greetings!

Dockerfile optimizations

# Stage 1: Build container
# Use a specific Golang version and Alpine Linux as the base image
ARG GOVERSION=1.20.12
ARG ALPINEVERSION=3.19

FROM --platform=${BUILDPLATFORM} \
    golang:$GOVERSION-alpine${ALPINEVERSION} AS build

# Set the working directory for the build
WORKDIR /src

# Install necessary dependencies for building
RUN apk --no-cache -U add git build-base curl jq

# Fetch the latest release version using GitHub API
RUN VERSION=$(curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | jq -r .tag_name) \
    && git clone https://github.com/cloudflare/cloudflared --depth=1 --branch ${VERSION} .

# Build the cloudflared binary for the target OS/architecture passed in by buildx
ARG TARGETOS
ARG TARGETARCH
RUN GO111MODULE=on CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} make cloudflared

# Stage 2: Runtime container
FROM scratch

# Copy the built cloudflared binary and required files
COPY --from=build /src/cloudflared .
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy curl binary from a docker image
COPY --from=ghcr.io/tarampampam/curl /bin/curl /bin/curl

# Set environment variable for the cloudflared origin certificate
ENV TUNNEL_ORIGIN_CERT=/etc/cloudflared/cert.pem
ENTRYPOINT ["/cloudflared", "--no-autoupdate"]
CMD ["version"]

  1. Added comments everywhere to clarify what happens.
  2. Added -U flag in apk install command. This flag updates the package index before adding or upgrading packages. It ensures that the latest information about available packages is used.
  3. Moved GO111MODULE=on and CGO_ENABLED=0 into the RUN command to remove one layer.
  4. Instead of setting the latest release version manually, the latest version tag is automatically used. Added jq package in apk command for this.
  5. Removed WORKDIR / layer in the runtime container because it is not needed. Workdir is automatically set to /.
  6. Added curl as static binary to enable using curl for native healthchecks in docker (needs to be tested further before implementing)

Can't access shell

Hi there,

Maybe a silly question... I can't find a way to enter my containers to run commands. Is there no shell inside the container?

So far I've tried

docker exec -it cloudflared-mycontainer /bin/sh
docker exec -it cloudflared-mycontainer /bin/ash
docker exec -it cloudflared-mycontainer /bin/bash

If I delete these containers I don't think the actual Cloudflare Tunnel is removed just the container, so what I'm trying to do is run commands like this

cloudflared tunnel list
cloudflared tunnel delete -f <NAME>

Is there some other way I should be doing it? Should I be running these commands and managing the tunnels from my local shell?

[ERROR] Use `cloudflared tunnel run` to start tunnel | docker-cloudflared-1 exited with code 1

user@server:~/docker$ sudo docker compose up                                                                                                                                        
[+] Running 7/7                                                                                                                                                                          
 ⠿ nginx Pulled                                                                                                                                                                     4.4s 
   ⠿ df9b9388f04a Already exists                                                                                                                                                    0.0s 
   ⠿ a285f0f83eed Pull complete                                                                                                                                                     1.7s 
   ⠿ e00351ea626c Pull complete                                                                                                                                                     1.7s 
   ⠿ 06f5cb628050 Pull complete                                                                                                                                                     1.8s 
   ⠿ 32261d4e220f Pull complete                                                                                                                                                     1.8s 
   ⠿ 9da77f8e409e Pull complete   
[+] Running 2/2
 ⠿ Container docker-nginx-1  Created                                                                                                                                                0.2s
 ⠿ Container cloudflared     Recreated                                                                                                                                              0.0s
Attaching to docker-cloudflared-1, docker-nginx-1, jellyfin
docker-nginx-1        | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
docker-nginx-1        | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
docker-nginx-1        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
docker-nginx-1        | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
docker-nginx-1        | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
docker-nginx-1        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
docker-nginx-1        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
docker-nginx-1        | /docker-entrypoint.sh: Configuration complete; ready for start up
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: using the "epoll" event method
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: nginx/1.21.6
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: built by gcc 10.3.1 20211027 (Alpine 10.3.1_git20211027) 
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: OS: Linux 5.15.0-30-generic
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: start worker processes
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: start worker process 32
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: start worker process 33
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: start worker process 34
docker-nginx-1        | 2022/05/21 10:53:48 [notice] 1#1: start worker process 35
docker-cloudflared-1  | Use `cloudflared tunnel run` to start tunnel c18d8a1f-f9f8-4bf6-8fXX-XXXXXXXXX
docker-cloudflared-1 exited with code 1


When creating a tunnel using this Docker image I get the above error, my configuration is correctly setup as I can run it directly via the CLI. However I wished to containerize this.

version: "2"

services:
  nginx:
    image: nginx:alpine

  cloudflared:
      image: erisamoe/cloudflared
      volumes:
        - ./cloudflared-config:/etc/cloudflared
      command: --hostname nginx.example.com --url http://nginx:80
      depends_on:
        - nginx

I suspect this may be due to lack of support of the tunnels being written in the new way.

Update dependencies, quic-go 1.22

Bump ARG GOVERSION=1.20.10 to ARG GOVERSION=1.20.12 and ARG ALPINEVERSION=3.18 to ARG ALPINEVERSION=3.19 in order to mitigate 4 security vulnerabilities:
https://hub.docker.com/layers/library/golang/1.20.10-alpine3.18/images/sha256-227c6cde748db2128aa5112d3cfa0e092e12f2d271247333f59ba6e1b6f91cfb?context=explore

Also note that after the release of go 1.22rc1 major changes in quic-go are happening. Support for 1.20 will be dropped and rc1 will be supported!
It is expected that quic-go will support newer go versions way faster in the future.
