Run sshd and openshift-router on the same port using HAProxy on CentOS7

TL;DHTTW (Don’t Have Time To Write 🙂 )

Remove firewalld and use only iptables, because the two have non-trivial interactions that make things complicated:
sudo systemctl stop firewalld && sudo systemctl start iptables; sudo systemctl start ip6tables

oc cluster up --image=registry.access.redhat.com/openshift3/ose --version=v3.3 --metrics --routing-suffix=paas.mycompany.com --public-hostname=paas.mycompany.com --use-existing-config

Change the router's default HTTPS port:

oc env dc/router ROUTER_SERVICE_HTTPS_PORT=9443

Also edit dc/router and change hostNetwork from true to false and hostPort from 443 to 9443.

Then, here is the haproxy.cfg that you may need:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    stats socket /var/lib/haproxy/stats
defaults
    log                     global
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
listen ssl :443
  mode tcp
  # wait up to 4s for the client's first bytes before deciding
  tcp-request inspect-delay 4s
  # SSLv2 hello or an SSLv3/TLS record header; TLS 1.0 is announced as 3.1,
  # and 2:3.4 also covers clients that write 3.2/3.3 in the record header
  acl is_ssl req_ssl_ver 2:3.4
  tcp-request content accept if is_ssl
  # anything else (an SSH client sends its "SSH-2.0-" banner first) goes to sshd
  use_backend ssh if !is_ssl
  # the router pod, now listening on 9443 without hostNetwork
  server www-ssl 172.17.0.3:9443
  timeout client 2h
backend ssh
  mode tcp
  # no address: connect to the same address the client reached, on port 22
  server ssh :22
  timeout server 2h

And finally, you will need to allow HAProxy to use port 443 by setting the following SELinux boolean:

setsebool -P haproxy_connect_any 1
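The listen block above decides per connection, from the client's first bytes only, whether it is talking to a TLS client (send it to the router) or an SSH client (send it to sshd). The following is an added example, not HAProxy's code or the author's, that models that decision in Python the way HAProxy's req_ssl_ver fetch and dotted-version ACL ranges behave; the function names parse_dotted_ver, req_ssl_ver and choose_backend and the sample byte strings are constructed for this example.

```python
# Added example: classify the first bytes of a port-443 connection the way
# the HAProxy listen block does (TLS hello -> router, anything else -> sshd).
# Modelled on HAProxy's req_ssl_ver sample fetch; not HAProxy's own code.

from typing import Optional


def parse_dotted_ver(text: str) -> int:
    """Parse an ACL bound like HAProxy: "3.1" becomes major<<16 | minor
    (0x30001); a bare number such as "2" is used as-is, which is what an
    SSLv2 hello (version bytes 00 02) reports."""
    if "." in text:
        major, minor = text.split(".", 1)
        return (int(major) << 16) | int(minor)
    return int(text)


def req_ssl_ver(data: bytes) -> Optional[int]:
    """Return the SSL/TLS version announced by the hello at the start of
    `data` as major<<16 | minor, or None if the bytes are not an SSL/TLS
    hello (an SSH banner, plain HTTP, garbage)."""
    if len(data) < 5:
        return None
    b0 = data[0]
    if 0x14 <= b0 <= 0x17:
        # SSLv3/TLS record header: content type, version (2), length (2).
        # Only the record-layer version is read, not the handshake body.
        version = (data[1] << 16) | data[2]
        length = (data[3] << 8) | data[4]
        if version < 0x30000 or length < 1 or length > (1 << 14) + 2048:
            return None
        return version
    if b0 & 0x80:
        # SSLv2 hello: 2-byte header (high bit set, 15-bit length), then
        # msg type 1, version, cipher-spec / session-id / challenge lengths.
        if len(data) < 11:
            return None
        rlen = ((b0 & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            return None
        version = (data[3] << 16) | data[4]
        cilen = (data[5] << 8) | data[6]
        silen = (data[7] << 8) | data[8]
        chlen = (data[9] << 8) | data[10]
        if cilen % 3 or silen not in (0, 16) or not 16 <= chlen <= 32:
            return None
        if rlen != 9 + cilen + silen + chlen:
            return None
        return version
    return None


def choose_backend(data: bytes, acl_range: str = "2:3.4") -> str:
    """Mirror `acl is_ssl req_ssl_ver <lo>:<hi>` plus `use_backend ssh if
    !is_ssl`: "www-ssl" for a hello inside the range, otherwise "ssh"."""
    lo, hi = (parse_dotted_ver(p) for p in acl_range.split(":"))
    version = req_ssl_ver(data)
    return "www-ssl" if version is not None and lo <= version <= hi else "ssh"


# Constructed sample first-bytes, truncated where the rest is irrelevant.
TLS_HELLO_301 = bytes.fromhex("16030100c0010000bc0303") + b"\x00" * 32  # record ver 3.1
TLS_HELLO_303 = bytes.fromhex("16030300c0010000bc0303") + b"\x00" * 32  # record ver 3.3
SSLV2_HELLO = bytes.fromhex("801c010002000300000010010080") + b"\x11" * 16
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: paas.mycompany.com\r\n\r\n"

if __name__ == "__main__":
    samples = [("TLS 3.1", TLS_HELLO_301), ("TLS 3.3", TLS_HELLO_303),
               ("SSLv2", SSLV2_HELLO), ("SSH", SSH_BANNER), ("HTTP", HTTP_GET)]
    for name, sample in samples:
        print("%-8s -> %s" % (name, choose_backend(sample)))
```

Two things the model makes visible: a client that never sends anything within the inspect-delay (or plain HTTP on 443) ends up at sshd, which only costs it an SSH banner; and the version in the ACL range is the record-layer version, so an ACL of 2:3.1 sends a client that writes 3.3 in its record header to sshd by mistake, which is why the wider 2:3.4 is used.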

Adding/setting insecure-registry to docker machine afterwards

Running Docker on non-Linux environments became very convenient and easy with docker-machine, the successor of boot2docker.

Basically, docker-machine lets you manage multiple virtual machines running Linux to host your Docker installation, and then lets you run your containers on them.
More than a fantastic tool for OSX and Windows, it is also a very clever and practical way to develop multiple container images or several applications (for different projects, for example) using containers.

If you want your docker-machine to use your own in-house registry (or any other), it is not a big issue until the registry uses HTTPS with a certificate the engine does not trust (self-signed or issued by a private CA); in most cases you will then get the following error:

docker tag -f my-app/my-app-server:v1.0.14-25-gfefb196 dockerhub.rnd.mycompany.net:5000/my-app/my-app-server:v1.0.14-25-gfefb196
docker push dockerhub.rnd.mycompany.net:5000/my-app/my-app-server:v1.0.14-25-gfefb196
The push refers to a repository [dockerhub.rnd.mycompany.net:5000/my-app/my-app-server] (len: 1)
unable to ping registry endpoint https://dockerhub.rnd.mycompany.net:5000/v0/
v2 ping attempt failed with error: Get https://dockerhub.rnd.mycompany.net:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://dockerhub.rnd.mycompany.net:5000/v1/_ping: x509: certificate signed by unknown authority

For this case, docker-machine has a handy option that is available when creating a machine:

docker-machine create --driver virtualbox --engine-insecure-registry myregistry:5000 mycompany

But suppose that you want to add another registry once your docker-machine is created: unfortunately, I can't find an option yet to edit the existing configuration of a VM.
You will have to edit the configuration file, which is located on your host system (your OSX or Windows home directory), and add it manually:

vim ~/.docker/machine/machines/mycompany/config.json

Then, in config.json, locate the array named InsecureRegistry and simply append an element to it.
It should look like this:

{
  "ConfigVersion": 1,
 // Truncated for readability 
  "DriverName": "virtualbox",
  "HostOptions": {
    "Driver": "",
    "Memory": 0,
    "Disk": 0,
    "EngineOptions": {
      "ArbitraryFlags": [],
      "Dns": null,
      "GraphDir": "",
      "Env": [],
      "Ipv6": false,
      "InsecureRegistry": [
        "dockerhub.rnd.mycompany.net:5002",
        "dockerhub.rnd.mycompany.net:5000",
        "dockerhub.rnd.mycompany.net:5001"
      ],
      // Truncated for readability 
    }
  },
  "StorePath": "/Users/Akram/.docker/machine/machines/mycompany"
}
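Editing the file by hand works, but it is easy to leave config.json unparseable. The script below is an added example, not docker-machine's own code, that appends a registry to HostOptions.EngineOptions.InsecureRegistry in the layout shown above, skips it if it is already listed, and writes the file back atomically; the function names, the sample config and the temporary path it uses for its self-test are constructed for this example.

```python
# Added example (not docker-machine's code): append an insecure registry to an
# existing machine's config.json. The sample config below is constructed.

import json
import os
import tempfile


def add_insecure_registry(config: dict, registry: str) -> bool:
    """Add `registry` (host:port, no scheme) to HostOptions.EngineOptions.
    InsecureRegistry. Returns True when it was appended, False when it was
    already listed. Missing intermediate keys are created."""
    if "://" in registry or "/" in registry:
        # the engine expects a bare host:port here, not a URL
        raise ValueError("use host:port, not a URL: %r" % registry)
    engine = config.setdefault("HostOptions", {}).setdefault("EngineOptions", {})
    registries = engine.get("InsecureRegistry")
    if registries is None:  # docker-machine writes null for some empty fields
        registries = engine["InsecureRegistry"] = []
    if registry in registries:
        return False
    registries.append(registry)
    return True


def update_config_file(path: str, registry: str) -> bool:
    """Load config.json, apply add_insecure_registry, and write it back via
    a temp file plus rename so a crash never leaves a truncated file."""
    with open(path, "r", encoding="utf-8") as fh:
        config = json.load(fh)
    changed = add_insecure_registry(config, registry)
    if changed:
        dirname = os.path.dirname(os.path.abspath(path))
        fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".config.json.")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        os.replace(tmp, path)
    return changed


# Constructed stand-in for ~/.docker/machine/machines/mycompany/config.json
SAMPLE_CONFIG = {
    "ConfigVersion": 1,
    "DriverName": "virtualbox",
    "HostOptions": {
        "EngineOptions": {
            "ArbitraryFlags": [],
            "InsecureRegistry": ["dockerhub.rnd.mycompany.net:5000"],
        }
    },
    "StorePath": "/Users/Akram/.docker/machine/machines/mycompany",
}


def round_trip(registry: str = "dockerhub.rnd.mycompany.net:5001") -> list:
    """Self-test: write SAMPLE_CONFIG to a temporary config.json, add
    `registry` through update_config_file, and return the list read back."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_CONFIG, fh)
        update_config_file(path, registry)
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)["HostOptions"]["EngineOptions"]["InsecureRegistry"]


if __name__ == "__main__":
    print(round_trip())
```

For a real machine call update_config_file on ~/.docker/machine/machines/mycompany/config.json. docker-machine only applies EngineOptions when it provisions the machine, so after the edit run docker-machine provision mycompany for the engine to pick up the new entry.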