Impossible to use consul connect with the deprecated port_map syntax

[lonk]

Hi there !

Nomad version

Nomad v0.12.7

Operating system and Environment details

Debian Buster

Issue

I'm trying to get Consul Connect working to allow my backend to reach my redis server.
I'm using the deprecated port_map syntax as adviced in the issue #8780 as I need healthchecks and service tags, but as soon as I add the network stanza in bridge mode, I'm getting the following error when deploying:

failed to create container: API error (400): conflicting options: port publishing and the container type network mode

If I delete my task-service stanza, and use the new syntax, everything runs fine, but I actually need my healthchecks and tags.

Is there anything I'm missing ? Is there a workaround to get it work ?

Job file

Here is a snippet of my job file, especially the task group in error

   group "backend" {
    network {
        mode = "bridge"
    }

    service {
        name = "backend"

        connect {
            sidecar_service {
                proxy {
                    upstreams {
                        destination_name = "redis"
                        local_bind_port  = 6379
                    }
                }
            }
        }
    }

    task "server" {
        driver = "docker"

        config {
            image = "server"

            port_map {
                http = 3000
            }
        }

        resources {
            network {
                port "http" {}
            }
        }

        service {
            name = "buckless-server"
            port = "http"
            tags = [
                "traefik.enable=true",
                "traefik.http.routers.server.rule=Host(`api.foo.com`)",
                "traefik.http.routers.server.tls=true",
                "traefik.http.routers.server.tls.certresolver=letsencrypt",
                "traefik.http.routers.server.tls.domains[0].main=api.foo.com"
            ]

            check {
                type = "http"
                path = "/healthcheck"
                interval = "10s"
                timeout = "2s"
            }
        }
    }
}

Thank you for your help :)

[idrennanvmware]

Apologies for the brevity but I'm on my phone 😀 The service stanza, even for the HC, needs to be at the group level. Here's a snippet from one of our job files

group "redacted" {
    count = [[ .api.count ]]

    network {
      mode = "bridge"
      port "api_http"{}
    }

    service {
      name = "redacted"
      port = "api_http"
      tags = ["http", "urlprefix-/redacted"]

      check {
        type     = "http"
        port     = "api_http"
        path     = "/hc"
        interval = "10s"
        timeout  = "60s"
      }
    }

    service {
      name = "redacted"
      tags = ["http"]

      port = "api_http"

      check {
        type     = "http"
        port     = "api_http"
        path     = "/hc"
        interval = "10s"
        timeout  = "60s"
      }

      connect {
        sidecar_service {
          proxy {}
        }
      }
    }

Task starts here

Note that the network section of your task will need to be removed too

It's also possible to use the expose tag (which I can provide an example of too) if all you're trying to do is keep the health check. Just depends on your use case

Hopefully this gets your started but if not I can give you a more flushed out sample in the morning

[lonk]

Hi @idrennanvmware !

Thank you for the example, it works perfectly fine for our needs :)
I never thought to put the service stanza at the group level as it was a bit unclear in the docs !

Thank you for your help :)

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.