I am running traefik in a container, together with other containers, most notably docker-socket-proxy, so that traefik can run as non-root. My compose works, but a warning message tells me that this is more luck than skill. The warning message is:

```
rna-webserver-traefik | time="2023-01-26T13:09:10Z" level=warning msg="Could not find network named 'webserver_dockersocketproxynet' for container '/rna-webserver-whoami'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." serviceName=rna-webserver-whoami-webserver providerName=docker container=rna-webserver-whoami-webserver-e8d9d6cbca99e8e81841bdf39bac028ad1063498b881928d109f6f4e0d60e6ce
```
docker-compose.yml:

```yaml
networks:
  rna-docker-exposed:
    external: true # means it is a fixed docker network created with "docker network create rna-docker-exposed"
    name: rna-docker-exposed # docker create network rna-docker-exposed
  dockersocketproxynet:
    internal: true # means it gets created especially for this compose and is called <dirname>_rna-docker-nonexposed
services:
  rna-webserver-dockerproxy: # see https://github.com/Tecnativa/docker-socket-proxy
    container_name: rna-webserver-dockerproxy
    image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1 # this image is rather old but used to have a pinned version
    # newer version is ghcr.io/tecnativa/docker-socket-proxy:edge
    restart: unless-stopped
    mem_limit: 2G
    cpus: 0.75
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # never expose this container to the internet!
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=debug
    networks:
      - dockersocketproxynet # use only internal network
  rna-webserver-traefik:
    container_name: rna-webserver-traefik
    restart: unless-stopped
    read_only: true
    mem_limit: 2G
    cpus: 0.75
    depends_on:
      - rna-webserver-dockerproxy
    security_opt:
      - no-new-privileges:true
    image: traefik:v2.9.4
    volumes:
      - /srv/docker/webserver/traefik.toml:/etc/traefik/traefik.toml:ro
      - /srv/docker/webserver/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml:ro
      - /srv/docker/webserver/rna.nl.fullchain.pem:/rna.nl.fullchain.pem:ro
      - /srv/docker/webserver/rna.nl.privkey.pem:/rna.nl.privkey.pem:ro
    user: 115:120
    ports:
      - "80:10080" # high nr so we don't need to be root to bind
      - "443:10443" # ditto
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=webserver_dockersocketproxynet"
      # Configure Traefik dashboard & api on secure entrypoint (":443"), for local LAN clients only
      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
      - "traefik.http.routers.traefik-dashboard.tls=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`foo.rna.nl`) && ClientIP(`192.168.2.1/24`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-dashboard.service=api@internal"
      - "traefik.http.routers.traefik-dashboard.middlewares=simpleAuth@file,rnalanWhitelist@file" # double on IP whitelist, this and ClientIP ...
    networks:
      - dockersocketproxynet
      - rna-docker-exposed
  rna-webserver-whoami:
    image: traefik/whoami
    container_name: rna-webserver-whoami
    restart: unless-stopped
    user: 117:122
    depends_on:
      - rna-webserver-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=webserver_dockersocketproxynet"
      - "traefik.http.routers.whoami.rule=Host(`foo.rna.nl`) && PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
    networks:
      - rna-docker-exposed
```
traefik.toml:

```toml
[providers.docker]
  watch = true
  exposedbydefault = false
  endpoint = "tcp://rna-webserver-dockerproxy:2375"
  # network = "webserver_dockersocketproxynet"
```
The commented-out line in traefik.toml is something I have included or omitted in several forms, but the behaviour is the same.

With this setup, whoami works fine. But I think that is pure luck, because of that warning. What am I doing wrong / what am I not understanding correctly here?

The directory containing docker-compose.yml is named webserver.
Answer 1
Never mind:

```yaml
- "traefik.docker.network=webserver_dockersocketproxynet"
```

on whoami must be

```yaml
- "traefik.docker.network=rna-docker-exposed"
```
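The answer fixes the label but does not spell out why the original setup worked anyway, or when it would stop working. The following is an added illustration, not Traefik's source and not the asker's code: a simplified model of how the Docker provider resolves the `traefik.docker.network` label (the behaviour the warning message describes), run over container records constructed to mirror the question's compose file. The project name `webserver`, the IP addresses, and the extra `webserver_dbnet` network in the last case are assumptions made for the example.

```python
"""Model of how Traefik's Docker provider chooses which network (and so which IP)
to use for a backend container.

Added illustration, not Traefik's source or the asker's code. The resolution
logic is a simplified re-implementation of the behaviour the warning message
describes: use the network named in the traefik.docker.network label (or the
provider-level `network` setting), otherwise warn and fall back to the first
network the container is attached to. Container records, project name and IP
addresses are constructed to mirror the question's compose file.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Container:
    name: str
    labels: Dict[str, str]
    networks: Dict[str, str]  # network name -> IP, like NetworkSettings.Networks in `docker inspect`


@dataclass
class Resolution:
    network: str
    ip: str
    warning: Optional[str] = None


def compose_network_name(project: str, key: str, spec: dict) -> str:
    """Name Docker Compose gives a network from the top-level `networks:` map:
    an explicit `name:` is used verbatim, otherwise the key is prefixed with the
    project name (by default the directory name of the compose file)."""
    return spec["name"] if "name" in spec else f"{project}_{key}"


def resolve_network(c: Container, provider_network: Optional[str] = None) -> Resolution:
    """Pick the network Traefik will use to reach `c`.

    The label takes precedence over the provider-wide setting. If the chosen
    name is not among the networks the container is attached to, Traefik warns
    and takes the first network it sees; which one that is should not be relied
    on, which is why the posted setup only works by luck."""
    wanted = c.labels.get("traefik.docker.network", provider_network)
    if wanted and wanted in c.networks:
        return Resolution(wanted, c.networks[wanted])
    if not c.networks:
        raise ValueError(f"container {c.name} is attached to no network")
    first = next(iter(c.networks))
    warning = None
    if wanted:
        warning = (f"Could not find network named '{wanted}' for container '/{c.name}'! "
                   "Maybe you're missing the project's prefix in the label? "
                   "Defaulting to first available network.")
    return Resolution(first, c.networks[first], warning)


def check_backend(traefik: Container, backend: Container,
                  provider_network: Optional[str] = None) -> dict:
    """Resolve the backend's network and report whether Traefik is itself on it;
    if it is not, Traefik has no route to the backend IP and the router fails."""
    r = resolve_network(backend, provider_network)
    return {"network": r.network, "ip": r.ip, "warning": r.warning,
            "reachable": r.network in traefik.networks}


# --- constructed data mirroring the question (project name = directory name) ---
PROJECT = "webserver"
COMPOSE_NETWORKS = {
    "rna-docker-exposed": {"external": True, "name": "rna-docker-exposed"},
    "dockersocketproxynet": {"internal": True},
}
PROXY_NET = compose_network_name(PROJECT, "dockersocketproxynet", COMPOSE_NETWORKS["dockersocketproxynet"])
EXPOSED_NET = compose_network_name(PROJECT, "rna-docker-exposed", COMPOSE_NETWORKS["rna-docker-exposed"])

TRAEFIK = Container("rna-webserver-traefik",
                    {"traefik.docker.network": PROXY_NET},
                    {PROXY_NET: "172.20.0.3", EXPOSED_NET: "172.18.0.2"})  # IPs are made up
# As posted: the label names the proxy network, but whoami is only on rna-docker-exposed.
WHOAMI_AS_POSTED = Container("rna-webserver-whoami",
                             {"traefik.docker.network": PROXY_NET},
                             {EXPOSED_NET: "172.18.0.5"})
# As corrected in the answer.
WHOAMI_FIXED = Container("rna-webserver-whoami",
                         {"traefik.docker.network": EXPOSED_NET},
                         {EXPOSED_NET: "172.18.0.5"})
# Hypothetical: same wrong label, but the backend is also on a network Traefik
# is not attached to; the fallback can now pick an IP Traefik cannot reach.
WHOAMI_TWO_NETS = Container("rna-webserver-whoami",
                            {"traefik.docker.network": PROXY_NET},
                            {"webserver_dbnet": "172.21.0.4", EXPOSED_NET: "172.18.0.5"})

if __name__ == "__main__":
    for c in (WHOAMI_AS_POSTED, WHOAMI_FIXED, WHOAMI_TWO_NETS):
        print(c.name, check_backend(TRAEFIK, c))
```

Two points the model makes visible: the compose-managed network is really called `webserver_dockersocketproxynet` (the project prefix the warning hints at), while the external one keeps its plain name; and the posted whoami only resolved correctly because `rna-docker-exposed` was its sole network. Attach that container to one more network and the fallback can hand Traefik an IP it has no route to, so the label should always name a network both Traefik and the backend are on.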