containous / traefik-library-image Goto Github PK

View Code? Open in Web Editor NEW

221.0 26.0 60.0 2.13 GB

ARCHIVED

Home Page: https://github.com/traefik/traefik-library-image

License: Apache License 2.0

Shell 27.87% Dockerfile 72.13%

traefik docker-image

traefik-library-image's People

Contributors

Stargazers

Watchers

Forkers

ekozan trauma dacode45 vinpel sequenceiq atbore-phx jsrz pipill sigtom jmptrader mohammedzee1000 dennis8274 myang32 wenzowski jacobsvante jimrobinson-croud sebastianhutter forging2012 nirineben gmarceau kautsig arunvc jon-nunan j0wi gentunian enterstudio yuanfeng0905 joshuaalewis art3mk chabokci mprasil gauntletwizard guddukhan1987 crossan007 yijxiang jwlogemann autumn1023 strikingraghu anhongyang125 mareksuscak thoorium jhult vshan robertox79 aklyachkin vbohinc kopax adamjm abmruman kouadioeric georgechang knovus romathur jaslin lexfrei jeanfrancoislarente behoyh opbro colincci

traefik-library-image's Issues

Use Alpine:3.14 to address CVE-2021-36159

I am getting flagged for an open CVE when using Traefik Docker images. Anchore is reporting an open CVE with Alpine:3.11 - CVE-2021-36159. It goes away when you update to Alpine:3.14

Volume at /tmp

Hi there,

the Dockerfile requests a volume to be mounted at /tmp. In case no volume is explicitly mounted when the container is started, Docker creates a new volume every time the container is created. Since the documentation does not advice to mount a volume to /tmp, it seems that this volume is not needed. It would be great if someone could confirm that there is no need for the /tmp volume and drop the VOLUME clauses from the Dockerfiles.

Regards,

Fabian

DockerHub does not have the v2.0.2 AMD64 version

amd64 image is missing on docker tag 1.7.15

The amd64 image is missing on docker hub for all 1.7.15 version tags.

https://hub.docker.com/_/traefik?tab=tags&page=1&name=1.7.15

looks like #20

Traefik serves default cert when restarting the container

When I manually restart the container with docker restart traefik-cont-name and go to my webpage again it is now served with Traefik's default certificate. How can I prevent this?

I made sure everything is correctly placed in the container through docker exec -it src-api-traefik /bin/ash and looked into every file. All seems fine.

/etc/traefik/traefik.yaml:

#
# Providers
#

providers:
  docker:
    exposedByDefault: false
    network: public
    watch: true
  file:
    filename: "/etc/traefik/dynamic-conf.yaml"
    watch: true

#
# Entrypoints
#

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

#
# Traefik API
#
api:
  insecure: true
  dashboard: true

#
# Logs
#
log:
  filePath: "/var/log/traefik/traefik.log"

accessLog:
  filePath: "/var/log/traefik/access.log"

Modified version of /etc/traefik/dynamic_conf.yaml:

http:
  routers:
    srv-router-http:
      entryPoints:
        - web
      middlewares:
        - redirect_https
      rule: "Host(`hostname.lcl`)"
      service: src-chat

    srv-router-https:
      entryPoints:
        - web-secure
      middlewares:
        - srv_headers
      rule: "Host(`hostname.lcl`)"
      service: srv-chat
      tls: {}

  middlewares:
    redirect_https:
      redirectScheme:
        scheme: https
    srv_headers:
      headers:
        accessControlAllowOrigin:
          - https://localhost:8100

  services:
    srv-chat:
      loadBalancer:
        servers:
          - url: http://docker-network-alias:port
        healthCheck:
          path: /health
          interval: "10s"
          timeout: "3s"

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/server.crt
        keyFile: /etc/certs/server.key
  certificates:
    - certFile: /etc/certs/server.crt
      keyFile: /etc/certs/server.key

Dockerfile:

FROM traefik:latest

COPY ./config/ /etc/traefik/
COPY ./certs/ /etc/certs/

Modified version of docker-compose.yml:

version: "3.7"

#
# [ services ]
#
services:
  traefik:
    image: "srv-api:traefik"
    build:
      context: ./docker/traefik
    container_name: srv-api-traefik
    volumes:
      - type: bind
        source: ./docker/traefik/config
        target: /etc/traefik/
      - type: bind
        source: ./docker/traefik/certs
        target: /etc/certs
      - type: bind
        read_only: true
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      - type: bind
        consistency: consistent
        source: ./logs/traefik
        target: /var/log/traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      private:
      public:
        aliases:
          - traefik

#
# [ networks ]
#
networks:
  public:
    driver: bridge
  private:
    driver: bridge

maybe a Traefik error, not a container error

I switched Traefik Docker Image version v2.0 à Traefik v2.2, and suddenly I experienced major anomalies :

I have access to Traefik's webui
ingress routes like the one I give as YAML below, are not picked up by Traefik anymore :

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`saint-nectaire.mycompany.io`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    # Who am i ? I am Saint Nectaire.
    - name: whoami
      port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`bleu-de-laqueuille.mycompany.io`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default

It's stange, it seems like Traefik exposes the Kubernetes cluster's API... :
my traefik's version :

$ kubectl exec -it pod/traefik-755d59454c-bc7bm -- traefik version
Version:      2.2.1
Codename:     chevrotin
Go version:   go1.14.2
Built:        2020-04-29T18:02:09Z
OS/Arch:      linux/amd64

Here are the logs of the traefik v2.2.1 Kubernetes service :

E0514 23:56:17.638098       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:17.639364       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:18.639500       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:18.640369       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:18.641299       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:19.641553       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:19.642222       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:19.643079       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:20.643653       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:20.644730       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:20.645312       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
127.0.0.1 - - [14/May/2020:23:56:21 +0000] "GET /api/overview HTTP/1.1" 200 442 "-" "-" 721 "api@internal" "-" 0ms
E0514 23:56:21.645713       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:21.646170       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0514 23:56:21.647250       1 reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
127.0.0.1 - - [14/May/2020:23:56:22 +0000] "GET /api/overview HTTP/1.1" 200 442 "-" "-" 722 "api@internal" "-" 0ms

here is what I see in traefik dashboard (K8S API exposed...?) :

It really looks like a Traefik error itself, but I still want to make sure it is not a docker image level issue. Never the elss, traefik trying to expose the cluser K8S API ...?

waiting for you te tell me ...

Oh , I also give you here what the deployment yaml looks like :

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.2
          # image: traefik:v2.0
          args:
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetescrd
            - --certificatesresolvers.default.acme.tlschallenge
            - [email protected]
            - --certificatesresolvers.default.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 4443
            - name: admin
              containerPort: 8080

Add 'beta' / 'development' tag to latest (beta/development) image

It would be nice to be able to use the latest (non-stable) built of traefik; Therefore I suggest a tag that is always attached to the very latest non-stable build.

Follow windows containers lifecycle

https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle

Proxy error with multiple docker network on local environment

Hi,

I setup two network: frontend and backend into docker-compose.yml

version: '2.3'

networks:
  backend:
  frontend:

volumes:
  varlibldap:
    driver: local
  etcldapslapdd:
    driver: local
  varwwwphpldapadmin:
    driver: local

services:

  traefik:
    image: traefik:2.2
    networks:
      frontend:
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    command:
      - "--api.insecure=true"
      - "--accesslog=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.http.address=:80"
      - "--entryPoints.https.address=:443"
      - "--log.level=DEBUG"
      - "--providers.docker"
      - "--providers.docker.network=frontend"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  ldap:
    image: osixia/openldap:1.3.0
    hostname: ldap.docker.local
    networks:
      backend:
    environment:
      LDAP_ORGANISATION: "ACME Inc."
      LDAP_DOMAIN: "corp.acme.com"
      LDAP_ADMIN_PASSWORD: "JonSn0w"
      LDAP_TLS: 'true'
    volumes:
      - varlibldap:/var/lib/ldap
      - etcldapslapdd:/etc/ldap/slapd.d

  phpldapadmin:
    image: osixia/phpldapadmin:0.9.0
    hostname: phpldapadmin.docker.local
    networks:
      frontend:
        aliases: 
          - phpldapadmin.docker.local
      backend:
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: ldap
      PHPLDAPADMIN_HTTPS: 'false'
    volumes:
      - varwwwphpldapadmin:/var/www/phpldapadmin
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=frontend"
      # http entrypoint
      - "traefik.http.middlewares.phpldapadmin-http2https.redirectscheme.permanent=true"
      - "traefik.http.middlewares.phpldapadmin-http2https.redirectscheme.scheme=https"
      - "traefik.http.routers.phpldapadmin-http.entryPoints=http"
      - "traefik.http.routers.phpldapadmin-http.rule=Host(`phpldapadmin.docker.local`)"
      - "traefik.http.routers.phpldapadmin-http.middlewares=phpldapadmin-http2https"
      # https entrypoint
      - "traefik.http.routers.phpldapadmin-https.entryPoints=https"
      - "traefik.http.routers.phpldapadmin-https.rule=Host(`phpldapadmin.docker.local`)"
      - "traefik.http.routers.phpldapadmin-https.service=phpldapadmin-https"
      - "traefik.http.routers.phpldapadmin-https.tls=true"
      - "traefik.http.services.phpldapadmin-https.loadbalancer.passhostheader=true"
      - "traefik.http.services.phpldapadmin-https.loadbalancer.server.port=80"
      - "traefik.http.services.phpldapadmin-https.loadbalancer.server.scheme=http"

Both traefik and phpldapadmin containers are in the same network as showed below:

❯ docker network inspect ldap_frontend
[
    {
        "Name": "ldap_frontend",
        "Id": "d84a4c4dfaf229bd68b33ec1eee21d43d4f8631cd3aaf6788d37c799e9422d48",
        "Created": "2020-03-28T12:32:16.752088842Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "48ad2ff71b46d7c1c8a742366e683eb24d55ad36792c6268fec439296143b267": {
                "Name": "ldap_phpldapadmin_1",
                "EndpointID": "c288b66d01eccf90f79fef07aaba4874f0f7a3817521a1c86d244ca88a26cb43",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/16",
                "IPv6Address": ""
            },
            "df8352145f9307d09579d5745411abc51d786f627aa04ea21ba1d70d4c87fac3": {
                "Name": "ldap_traefik_1",
                "EndpointID": "458c136de2b4ea35ce0d5fdaa44dbeb26df71efaf82d0eb7ba1ac9e0d4bbc38c",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "frontend",
            "com.docker.compose.project": "ldap",
            "com.docker.compose.version": "1.25.4"
        }
    }
]

❯ docker network inspect ldap_backend
[
    {
        "Name": "ldap_backend",
        "Id": "210404e96a48fae8bc0fc689f834133c619f56d91e0d07511ae59599adc6d199",
        "Created": "2020-03-28T12:32:16.795605381Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.21.0.0/16",
                    "Gateway": "172.21.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "48ad2ff71b46d7c1c8a742366e683eb24d55ad36792c6268fec439296143b267": {
                "Name": "ldap_phpldapadmin_1",
                "EndpointID": "98f3d4a93c01c9ad9db5e1d4eacdf2bdff003a51c314d1bbd74178a0544b67c4",
                "MacAddress": "02:42:ac:15:00:03",
                "IPv4Address": "172.21.0.3/16",
                "IPv6Address": ""
            },
            "dea2ed5f1185353775d37c762e03812cbbf9ed91162a4be8d3f7b1b65faa7eec": {
                "Name": "ldap_ldap_1",
                "EndpointID": "195048371e1dbd131cbf2d0c8a6f432feb90228bd981ded04592a862a570cb9e",
                "MacAddress": "02:42:ac:15:00:02",
                "IPv4Address": "172.21.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "backend",
            "com.docker.compose.project": "ldap",
            "com.docker.compose.version": "1.25.4"
        }
    }
]

When I check traefik logs, I found that traefik use backend network to proxy on phpldapadmin:

traefik_1 | 172.20.0.1 - - [28/Mar/2020:12:32:56 +0000] "GET / HTTP/2.0" 504 15 "-" "-" 1 "phpldapadmin-https@docker" "http://172.21.0.3:80" 30006ms

I have configured traefik to use only the frontend network, so how is it possible that traefik tries to use the backend network?

This problem has been encountered with both version 2.1 and 2.2 of traefik.

Broken automated builds on Docker Hub

Building fails with "Build failed: Dockerfile not found at ./Dockerfile". Problem appeared after v1.4.0-rc1 https://hub.docker.com/r/containous/traefik/builds/

Docker 'experimental' image?

I would like to use the new feature of 301 redirects for HTTP to HTTPS redirections.
However, it looks like the feature is added to the v1.6 milestone. The Docker image currently uses v1.5.4 and does not have it. Is there any chance we can build a Docker image using the 'master' branch?

Thanks.

Missing Windows Server 2019 Image

These images don't seem to be compatible with Server 2019, presumably because they are based on Server 2016:

traefik             nanoserver                  353cb508ac13        2 weeks ago         1.24GB
traefik             v1.7.6-nanoserver-sac2016   353cb508ac13        2 weeks ago         1.24GB

Trying to run either of these images on Windows Server 2019, and I get:

C:\Program Files\Docker\docker.exe: Error response from daemon: CreateComputeSystem a23f4b47a46a902c1690906ca7e33dd4e868804ec1932d86d0a12f72bbc83b34: The container operating system does not match the host operating system.
(extra info: {
    "SystemType": "Container",
    "Name": "a23f4b47a46a902c1690906ca7e33dd4e868804ec1932d86d0a12f72bbc83b34",
    "Owner": "docker",
    "VolumePath": "\\\\?\\Volume{c7e8345b-0263-4414-ab90-07731f30fce0}",
    "IgnoreFlushesDuringBoot": true,
    "LayerFolderPath": "C:\\ProgramData\\docker\\windowsfilter\\a23f4b47a46a902c1690906ca7e33dd4e868804ec1932d86d0a12f72bbc83b34",
    "Layers": [
        {
            "ID": "ce56e41a-b3a1-568d-95bd-561cb8d22679",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\0ad821e002431021d9419398ca2fce0f5b65f6b6f5243cf01e18b3e5af338097"
        },
        {
            "ID": "b9ba4f2b-8464-56b0-bb12-d91ed53c812c",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\9a25a52f638e01349af3452555e7bb6e9b4cf769d2dc5aef0eaa2ce231fcddd8"
        },
        {
            "ID": "1bc1fd4a-a21f-5099-a36b-53e255746556",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\d3c02c2cc7053432c6b9cd368a774fcabd3aa34ae766bbf72b536123063c9707"
        },
        {
            "ID": "f34ac827-af1d-590e-ae68-1da3d2f914a6",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\84f264e447c50812749efcd090cbe78daccba73e718feab4b2298f759677cfad"
        },
        {
            "ID": "eb18cb63-9d38-5b03-b34a-b728e15ba854",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\4cfc7b4b0f0d5d079c6a015ef7c874d782df91c5a16e3a9a6aafe098f84d0f89"
        },
        {
            "ID": "b543f2a2-5299-5578-bd3c-98c3bbac9106",
            "Path": "C:\\ProgramData\\docker\\windowsfilter\\a2402de0be1e905f4868994126df284de50f20db90022630851197872010465d"
        }
    ],
    "HostName": "a23f4b47a46a",
    "MappedDirectories": [
        {
            "HostPath": "c:\\etc\\traefik",
            "ContainerPath": "c:\\etc\\traefik",
            "ReadOnly": false,
            "BandwidthMaximum": 0,
            "IOPSMaximum": 0,
            "CreateInUtilityVM": false
        }
    ],
    "HvPartition": false,
    "EndpointList": [
        "BDDEE7DD-7E3F-4BCA-AA85-EE4B8DA8A1CB"
    ],
    "AllowUnqualifiedDNSQuery": true
}).

1.4.2 image is stuck in Pending state

On our test rig we noticed that Traefik 1.4.2 becomes stuck in Pending state because "no suitable node (scheduling constraints not satisfied on 3 nodes; unsupported platform on 3 nodes)" even though its constraints are identical to other, successfully deployable services.

I'm happy to debug this further for you as I don't know if you can reproduce the issue or need any further information.

As it is we had to pin our images to version 1.4.1 as Traefik 1.4.2 wouldn't start at all.

can't log into container

I have a Kubernetes cluster with traffic app installed. I can't log into container from host.


# docker ps
CONTAINER ID        IMAGE                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
10cfcdca52d9        traefik                               "/traefik"               About an hour ago   Up About an hour                        k8s_mytraffic_mytraffic-7bdc7b7b9d-65m8q_default_acbbab56-49f7-11e8-a9bc-fa163e771c4c_0
# docker exec -ti 10cfcdca52d9 bash 
OCI runtime exec failed: exec failed: container_linux.go:296: starting container process caused "exec: \"bash\": executable file not found in $PATH": unknown
# docker exec -ti 10cfcdca52d9 /bin/bash
OCI runtime exec failed: exec failed: container_linux.go:296: starting container process caused "exec: \"/bin/bash\": stat /bin/bash: no such file or directory": unknown

Host is fedora 27, Kubernetes is 1.10.
I use Rancher to manage the cluster, and when using the Rancher web UI to open a shell inside container, the shell windows open then quickly closes.

Routing Docker Swarm

I'm sorry for posting it here, I'm sure it's not an issue but I'm doing something wrong but I'm quite desperate.

I have a django app and want to load static files by nginx. But somehow the routing refuses to go to nginx for anything. nginx shows 0 logs of activity, as if traefik is not talking to that service.

Here's my code:

web-nginx.yml:


services:
  web:
    #build: ./web
    image: web:production
    command: gunicorn web.wsgi:application --bind 0.0.0.0:8000
    volumes:
      - static_volume:/usr/src/app/static
    ports:
      - "8000:8000"
    networks:
      - traefik-public
    env_file:
      - .env
    #depends_on:
    #  - migration_and_static
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.web.rule=Host(`example`)"
        - "traefik.http.routers.web.entrypoints=websecure"
        - "traefik.http.routers.static.priority=1"
        - "traefik.http.routers.web.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.web.loadbalancer.server.port=8000"
      update_config:
        delay: 10s

  static:
   image: nginx
   volumes:
     - static_volume:/usr/share/nginx/html:ro
   networks:
     - traefik-public
   labels:
     - "traefik.enable=true"
     - "traefik.http.routers.static.rule=Host(`example.com`) && PathPrefix(`/static`)"
     - "traefik.http.routers.static.entrypoints=websecure"
     - "traefik.http.routers.static.service=static"
     - "traefik.http.routers.static.priority=200"
     - "traefik.http.routers.static.tls.certresolver=letsencryptresolver"
     - "traefik.http.services.static.loadbalancer.server.port=8080"
     - "traefik.http.middlewares.static-stripprefix.stripprefix.prefixes=/static"
 
     # Match on the hostname and the path
     # - traefik.enable=true
     # - traefik.http.routers.static.rule=(Host(`example.com`) && Path(`/static`))
     # - traefik.http.routers.static.tls=true
     # - traefik.http.routers.static.tls.certresolver=le
     # - traefik.http.services.static.loadbalancer.server.port=80
 
     # # Define a new middleware to strip the URL prefix before sending it to static-files
     # - traefik.http.middlewares.static-stripprefix.stripprefix.prefixes=/static
 
     # tell Traefik which middlewares we want to use on this container
     # - traefik.http.routers.static.middlewares=gzip@docker,static-stripprefix@docker

   #depends_on:
   #  - web

volumes:
  static_volume:

networks:
  traefik-public:
    external: true

traefik.yml:


services:
  reverse-proxy:
    image: traefik:v2.2.0
    command:
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencryptresolver.acme.email=myemail@example.com"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - traefik-certificates:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.services.static-http.loadbalancer.server.port=443"

volumes:
  traefik-certificates:
networks:
  traefik-public:
    external: true

Sorry once again, don't know where else to go

Thanks!
Sam

Can't pull traefik:latest on AMD hardware

See traefik/traefik#3965

standard_init_linux.go:211: exec user process caused "exec format error" with 1.7.14 arm64 builds

I am building a wrapper image arround the official traefik release. While the amd64 build works as usual ( and has been working for months, same as the arm builds ) with 1.7.14 the arm build is failing:

docker build -t eugenmayer/traefik:arm64 . -f Dockerfile_arm64

Sending build context to Docker daemon  167.4kB
Step 1/10 : FROM arm64v8/traefik:1.7-alpine
 ---> 0d3f272be5ec
Step 2/10 : MAINTAINER Eugen Mayer <[email protected]>
 ---> Using cache
 ---> 324742637052
Step 3/10 : ADD bin/ /usr/local/bin/
 ---> Using cache
 ---> 3c7c9f1ed01b
Step 4/10 : ADD configuration-entrypoint.sh /configuration-entrypoint.sh
 ---> Using cache
 ---> 706c9d9872c6
Step 5/10 : RUN mkdir -p /etc/traefik /mnt/acme /mnt/filestorage /mnt/certs /usr/local/bin /etc/tiller  && apk --update add bash ruby openssl  && chmod +x /usr/local/bin/*.sh /configuration-entrypoint.sh  && gem install tiller json_pure --no-ri
 ---> Running in 346b74d091c1
standard_init_linux.go:211: exec user process caused "exec format error"
The command '/bin/sh -c mkdir -p /etc/traefik /mnt/acme /mnt/filestorage /mnt/certs /usr/local/bin /etc/tiller  && apk --update add bash ruby openssl  && chmod +x /usr/local/bin/*.sh /configuration-entrypoint.sh  && gem install tiller json_pure --no-ri' returned a non-zero code: 1

https://github.com/EugenMayer/docker-image-traefik/blob/master/Dockerfile_arm64

What has been changed from 1.7.13 to 1.7.14 concerning the image itself? i have seen that go has been upgraded, but that should not break the gem installation of a ruby gem i would say.

The same gem installs just find in the amd64 build with 1.7.14

https://github.com/EugenMayer/docker-image-traefik/blob/master/Dockerfile

Thanks!

Problem to forward requests when container has more than one network

Hello,
I'm having problems to forward requests when container has more than one network.
In the docker-compose file, I create 2 networks: frontend for apps and backend for database. The container that is causing me problems is the dspace that has the 2 networks. When I leave only the frontend network the routing of the traefik works.
I've tried using the options "providers.docker.network=frontend" and "traefik.docker.network=frontend" but still don't work.

docker-compose.txt

Traefik container broken - command traefik error: field not found, node: address

It looks like my Traefik linux container was updated today and since then my external connectivity is broken and the logs and this same error repeated over and over.

2019/09/17 04:18:32 command traefik error: field not found, node: address

I have checked with a friend with the same setup and he is getting the same issue. I am running the traefik:latest image on docker on Ubuntu 18.04.

tag: v1.6.0 not available

latest docker image does not start, stuck at create

Installed the latest version and was met with the error:

("OCI runtime create failed: container_linux.go:345: starting container process caused "exec: "/traefik": stat /traefik: no such file or directory": unknown")

I do not exactly know what that means but going back to 1.7 fixed the issue.

Pulling traefik:v1.4.2 fails with not matching manifest for linux/amd64

I can't pull the scratch/amd64 images (at least 1.4) because there is no matching manifest for linux/amd64? The alpine image seems to work just fine.

haster@schootbak3:~
$ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
Unable to find image 'traefik:latest' locally
latest: Pulling from library/traefik
docker: no matching manifest for linux/amd64 in the manifest list entries.
See 'docker run --help'.

haster@schootbak3:~
$ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v1.4.2
Unable to find image 'traefik:v1.4.2' locally
v1.4.2: Pulling from library/traefik
docker: no matching manifest for linux/amd64 in the manifest list entries.
See 'docker run --help'.

haster@schootbak3:~
$ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v1.4
Unable to find image 'traefik:v1.4' locally
v1.4: Pulling from library/traefik
docker: no matching manifest for linux/amd64 in the manifest list entries.
See 'docker run --help'.

haster@schootbak3:~
$ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v1.4-alpine
Unable to find image 'traefik:v1.4-alpine' locally
v1.4-alpine: Pulling from library/traefik
b56ae66c2937: Pull complete 
622747cc946a: Pull complete 
38ac1701549a: Pull complete 
625397284ae3: Pull complete 
Digest: sha256:6557adf3f4e3ec101f59f1d419f69ab22bf56b02bc6c14750461bc8818061be0
Status: Downloaded newer image for traefik:v1.4-alpine
07ca2b2a83ca03ebef4c5ee108d464b17258a23e2ac5c2069f081c33ce554ea9

LetsEncrypt isn't working correctly

Using version: latest docker (2.3.6)

Error I'm getting both when renewing and requesting new:
legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/REDACTED:: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "REDACTED", url:
legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/REDACTED
Unable to obtain ACME certificate for domains "REDACTED": unable to generate a certificate for the domains [REDACTED]: error: one or more domains had a problem:\n[REDACTED] time limit exceeded: last error: NS ns-1153.awsdns-16.org. returned REFUSED for _acme-challenge.REDACTED.\n" rule="Host(REDACTED)" providerName=default.acme routerName=server@docker

Configuration:
[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = "REDACTED"
storage = "/etc/traefik/acme/acme.json"
[certificatesResolvers.default.acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = "3m"
resolvers = ["192.168.3.1:53"]

Recommended size for Volume at /tmp?

I want use tmp disk in memory (tmpfs).
What max size can be for this tmp disk? and what will happen if out free space?

#45

Add tmp dir for alpine too

Hi,

I'm getting errors like these:

time="2020-05-11T05:43:37Z" level=error msg="open /tmp/temp-multibuf-419673259: read-only file system"                                                                                         
time="2020-05-11T05:48:25Z" level=error msg="vulcand/oxy/buffer: error when reading request body, err: open /tmp/temp-multibuf-063517198: read-only file system"

Based on this issue: #45, the problem is that the image does not have a writeable /tmp directory.
For scratch, it was fixed here: #40

Pls fix this in the alpine image too.

ppc64le support

Support for ppc64le architecure in official Docker image.

v2.5.0 ERROR: no matching manifest for linux/amd64 in the manifest list entries

I get this when trying to upgrade, it seems like v2.5.0 is not available, 2.5 seems to be though

❯ dcup -d --build
Pulling traefik (traefik:v2.5.0)...
v2.5.0: Pulling from library/traefik
ERROR: no matching manifest for linux/amd64 in the manifest list entries

Remove binaries from repo

This repository is huge and trigges some quota warnings on GitHub. Since the official images library does not support multi stage builds, you may consider a similar approach like the busybox image and using a builder Dockerfile.

It would be much simpler to just use ADD instead of COPY (see #46), but this method does not provide any integrity checks and there is currently no way to make the binary executable on unix hosts (see moby/moby#34819).

v1.2.3-alpine fails with "Error parsing command: pflag: help requested"

I wanted to switch from the v1.2.3 docker image to the v1.2.3-alpine image.
Unfortunately I am unable to start the container with the alpine image.

The container quits with the following error:
Error parsing command: pflag: help requested

Please note that traefik works fine when switching back to v1.2.3.

Upgrade to Alpine 3.11

https://alpinelinux.org/posts/Alpine-3.11.0-released.html

Traefik won't auto refresh.

I'm running traefik in docker, setup to talk with docker, and if I restart the traefik container the other containers show up. But it won't do it automatically.

Here is my docker-compose for traefik

##################################################
traefik:
    image: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - home
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/etc/traefik/traefik.toml
      - ./traefik/acme.json:/acme.json
    container_name: traefik
    labels:
      - traefik.port=8080
      - traefik.frontend.rule=Host:traefik.
#################################################

and here is my traefik.toml

############################################
logLevel = "ERROR"
checkNewVersion = true
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[acme]
email = "************"
storageFile = "acme.json"
entryPoint = "https"
onHostRule = true
[acem.httpChallenge]
	entryPoint = "http"

[File]
filename = "rules.toml"
watch = true

[api]
address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "local.local"
watch = true
exposedByDefault = true
###########################################

You should not run as root

you should not run traefik as root in the docker image.

RTSP traffic

Hellu

Is it possible to route RTSP traffic using traefik somehow?

e.g.

[entryPoints]

  [entryPoints.rtsp]
  address = ":4231"

[file]
watch = true

  [frontends] 
    [frontends.cam-1]
    entryPoints = ["rtsp"]
    backend = "cam-1"
    passHostHeader = true
      [frontends.cam-1.routes.root]
      rule = "Host:cam-1.tempuri.org"

  [backends]
    [backends.cam-1]
      [backends.cam-1.loadbalancer.stickiness]
      [backends.cam-1.servers]
        [backends.cam-1.servers.root]
        url = "rtsp://myuser:[email protected]:4231/cam/realmonitor?channel=1&subtype=0"

Missing amd64 manifest for 1.4.2

Upgrade to 1.4.2 is failing on amd64 because of a missing manifest. This seems to be the root cause of #21

$ docker pull traefik:1.4.2
1.4.2: Pulling from library/traefik
no matching manifest for linux/amd64 in the manifest list entries

manifest-tool $ ./manifest-tool inspect traefik:1.4.2
Name:   traefik:1.4.2 (Type: application/vnd.docker.distribution.manifest.list.v2+json)
Digest: sha256:e9dcd8b3b0ded78d1edca42d087650c06a1d742092fe99d67ffb6a201c69ea45
 * Contains 2 manifest references:
1    Mfst Type: application/vnd.docker.distribution.manifest.v2+json
1       Digest: sha256:1a1e91dc981bc6e5e232f6f24f3556be40ddd4fd1327e32b1e06b677d9d38a5c
1  Mfst Length: 739
1     Platform:
1           -      OS: linux
1           - OS Vers: 
1           - OS Feat: []
1           -    Arch: arm
1           - Variant: v6
1           - Feature: 
1     # Layers: 2
         layer 1: digest = sha256:8996ab8c9ae2c6afe7d318a3784c7ba1b1b72d4ae14cf515d4c1490aae91cab0
         layer 2: digest = sha256:ff8e8638d34c45934d48d89851bad4920602c02375f8b174b76507e20813491c

2    Mfst Type: application/vnd.docker.distribution.manifest.v2+json
2       Digest: sha256:a4261837e99952784cc4b4fc27396f062f7ebb202dae4966eb764b5d93f97654
2  Mfst Length: 739
2     Platform:
2           -      OS: linux
2           - OS Vers: 
2           - OS Feat: []
2           -    Arch: arm64
2           - Variant: v8
2           - Feature: 
2     # Layers: 2
         layer 1: digest = sha256:78fe135ba97a13abc86dbe373975f0d0712d8aa6e540e09824b715a55d7e2ed3
         layer 2: digest = sha256:4aa5c73b733a0118e0ff1c0038a0892383d7a330471c5c5849c013a7263a801b

v1.5.4: Pulling from library/traefik
no matching manifest for linux/amd64 in the manifest list entries

but
docker pull traefik:v1.5.3

v1.5.3: Pulling from library/traefik
5d3835484afe: Pull complete
0feefa6e9e49: Pull complete
Digest: sha256:d277007b55a8a8d972b1983ef11387d05f719821a2d2e23e8fa06ac5081a302f
Status: Downloaded newer image for traefik:v1.5.3

v2.3.6 amd64 image missing

The amd64 variants are missing on dockerhub for v2.3.6.

Add alpine-latest tag

There's no docker image for latest tag based on alpine. Alpine has version/release based images but not a tag for latest release. I'm thinking on latest-alpine or simple alpine tag.

Is possible, or is on your routemap, to create this build?