Docker compose with automatic restore, gateway network connections have to be approved again?

Pdeswert · November 12, 2024, 2:36pm

I am working on a docker compose stack for a test environment, meant for internal training of junior profiles

There are 5 containers:

Postgres database
Ignition front-end master
Ignition front-end backup
Ignition Back-end
Ignition Historian

The back-end and historian containers have an auto restore of a gateway backup configured and enabled. In those backups, a gateway connection between those 2 is configured.

however I noticed 2 things:

Connections between 2 gateways no longer work and have to be approved again
Redundancy settings (not configured in example) are simply gone

Is this normal behavior or not ?

Docker compose file:

services:

db:
  image: postgres
  restart: always
  # set shared memory limit when using docker-compose
  shm_size: 128mb
  # or set shared memory limit when deploy via swarm stack
  #volumes:
  #  - type: tmpfs
  #    target: /dev/shm
  #    tmpfs:
  #      size: 134217728 # 128*2^20 bytes = 128Mb

  networks:
    network1:
      ipv4_address: 192.168.0.101
  volumes:
    - postgres:/var/lib/postgresql/data
  environment:
    POSTGRES_USER: admin
    POSTGRES_PASSWORD: admin
    POSTGRES_DB: ignition
  


# Front ends
Frontend1:
  image: inductiveautomation/ignition:latest

  networks:
    network1:
      ipv4_address: 192.168.0.50
  volumes:
    - gw-data:/usr/local/bin/ignition/data
  # env_file: ignition.env  # optionally specify variables in a file, or using `environment:` below
  environment:
    - ACCEPT_IGNITION_EULA=Y
    - GATEWAY_ADMIN_USERNAME=admin
    - GATEWAY_ADMIN_PASSWORD=admin
    - IGNITION_EDITION=standard
    - TZ=Europe/Brussels  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List

  command: >
    -n Frontend1
    -m 1024


Frontend2:
  image: inductiveautomation/ignition:latest

  networks:
    network1:
      ipv4_address: 192.168.0.51
  volumes:
    - gw-data2:/usr/local/bin/ignition/data
  # env_file: ignition.env  # optionally specify variables in a file, or using `environment:` below
  environment:
    - ACCEPT_IGNITION_EULA=Y
    - GATEWAY_ADMIN_USERNAME=admin
    - GATEWAY_ADMIN_PASSWORD=admin
    - IGNITION_EDITION=standard
    - TZ=Europe/Brussels  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List

  command: >
    -n frontend2
    -m 1024


# back ends
Backend1:
  image: inductiveautomation/ignition:latest

  networks:
    network1:
      ipv4_address: 192.168.0.52
  volumes:
    - gw-data3:/usr/local/bin/ignition/data
    - /home/adminin/gwbk/backend-master.gwbk:/restore.gwbk
  # env_file: ignition.env  # optionally specify variables in a file, or using `environment:` below
  environment:
    - ACCEPT_IGNITION_EULA=Y
    - GATEWAY_ADMIN_USERNAME=admin
    - GATEWAY_ADMIN_PASSWORD=admin
    - IGNITION_EDITION=standard
    - TZ=Europe/Brussels  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List

  command: >
    -n backend1
    -m 1024
    -r /restore.gwbk




Historian:
  image: inductiveautomation/ignition:latest

  networks:
    network1:
      ipv4_address: 192.168.0.54
  volumes:
    - gw-data5:/usr/local/bin/ignition/data
    - /home/adminin/gwbk/historian.gwbk:/restore.gwbk
  # env_file: ignition.env  # optionally specify variables in a file, or using `environment:` below
  environment:
    - ACCEPT_IGNITION_EULA=Y
    - GATEWAY_ADMIN_USERNAME=admin
    - GATEWAY_ADMIN_PASSWORD=admin
    - IGNITION_EDITION=standard
    - TZ=Europe/Brussels  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List

  command: >
    -n historian
    -m 1024
    -r /restore.gwbk

volumes:
gw-data:
gw-data2:
gw-data3:

gw-data5:
postgres:

networks:
network1:
name: macvlan0
external: true

pturmel · November 12, 2024, 2:57pm

Certificates and keys are not part of a gateway backup. (v8.3 deals with this by moving secrets to an external vault.)
Redundancy settings are not part of a gateway backup (cannot be, as that is the medium for synchronizing).

Your container startup command will need extra actions to retrieve the appropriate details. (Perhaps check the supported environment variables...)

Kevin.Collins · November 14, 2024, 3:32am

If it is just for training purposes, you could also disable TLS for the gateway network connections. See my ignition-examples repo as reference.

Otherwise, you'll need to preserve (and bind-mount these into place individually):

/usr/local/bin/ignition/data/.uuid (for Gateway Network identity)
/usr/local/bin/ignition/data/local/metro-keystore (Gateway Network keystore)