I am running a traefik in a container, together with other containers, most notably docker-socket-proxy so traefik can run as non-root. My compose works, but there is a warning message that tells me this is more luck than skill. The warning message is:
rna-webserver-traefik | time="2023-01-26T13:09:10Z" level=warning msg="Could not find network named 'webserver_dockersocketproxynet' for container '/rna-webserver-whoami'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." serviceName=rna-webserver-whoami-webserver providerName=docker container=rna-webserver-whoami-webserver-e8d9d6cbca99e8e81841bdf39bac028ad1063498b881928d109f6f4e0d60e6ce
docker-compose.yml:
networks:
rna-docker-exposed:
external: true # means it is a fixed docker network created with "docker network create rna-docker-exposed"
name: rna-docker-exposed # docker create network rna-docker-exposed
dockersocketproxynet:
internal: true # means it gets created especially for this compose and is called <dirname>_rna-docker-nonexposed
services:
rna-webserver-dockerproxy: # see https://github.com/Tecnativa/docker-socket-proxy
container_name: rna-webserver-dockerproxy
image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1 # this image is rather old but used to have a pinned version
# newer version is ghcr.io/tecnativa/docker-socket-proxy:edge
restart: unless-stopped
mem_limit: 2G
cpus: 0.75
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro # never expose this container to the internet!
environment:
- CONTAINERS=1
- LOG_LEVEL=debug
networks:
- dockersocketproxynet # use only internal network
rna-webserver-traefik:
container_name: rna-webserver-traefik
restart: unless-stopped
read_only: true
mem_limit: 2G
cpus: 0.75
depends_on:
- rna-webserver-dockerproxy
security_opt:
- no-new-privileges:true
image: traefik:v2.9.4
volumes:
- /srv/docker/webserver/traefik.toml:/etc/traefik/traefik.toml:ro
- /srv/docker/webserver/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml:ro
- /srv/docker/webserver/rna.nl.fullchain.pem:/rna.nl.fullchain.pem:ro
- /srv/docker/webserver/rna.nl.privkey.pem:/rna.nl.privkey.pem:ro
user: 115:120
ports:
- "80:10080" # high nr so we don't need to be root to bind
- "443:10443" # ditto
labels:
- "traefik.enable=true"
- "traefik.docker.network=webserver_dockersocketproxynet"
# Configure Traefik dashboard & api on secure entrypoint (":443"), for local LAN clients only
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.tls=true"
- "traefik.http.routers.traefik-dashboard.rule=Host(`foo.rna.nl`) && ClientIP(`192.168.2.1/24`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.middlewares=simpleAuth@file,rnalanWhitelist@file" # double on IP whitelist, this and ClientIP ...
networks:
- dockersocketproxynet
- rna-docker-exposed
rna-webserver-whoami:
image: traefik/whoami
container_name: rna-webserver-whoami
restart: unless-stopped
user: 117:122
depends_on:
- rna-webserver-traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=webserver_dockersocketproxynet"
- "traefik.http.routers.whoami.rule=Host(`foo.rna.nl`) && PathPrefix(`/whoami`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls=true"
networks:
- rna-docker-exposed
traefik.toml:
[providers.docker]
watch = true
exposedbydefault = false
endpoint = "tcp://rna-webserver-dockerproxy:2375"
# network = "webserver_dockersocketproxynet"
The outcommented line in traefik.toml is something I have included in several forms or left out, but the behaviour is the same.
Using this setup, whoami works. But I think this is sheer luck because of that warning. WHat am I doing wrong / what do I not properly understand here?
The directory of the docker-compose.yml is called webserver.
