I've long had a number of services being routed through Traefik and recently added AdGuard (docker container) and HomeAssistant (in a VM).
I obviously couldn't use docker labels for HomeAssistant so I set up that service and router using yaml config with the dynamic file provider. I tested that as working and moved on to AdGuard, as well as enabling the Traefik dashboard.
Apparently since adding that dynamic config file Traefik is just completely ignoring the docker labels? The existing config continues to work but I saw in the debug logs that Traefik considered the AdGuard container to be disabled despite it having the traefik.enabled=true label on it.
Same situation with the Traefik dashboard itself.
Are these 2 ways of configuring mutually exclusive or something? That doesn't seem right but I don't know what else is going on.
```
2024-05-30T01:45:02Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=adguard-yams-575ec3a391ceda40325cf737381878f07ad1b152b679af7193af7193a01bf50e5203b0 providerName=docker
2024-05-30T01:46:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "adguard.<my.domain>"
2024-05-30T01:46:58Z DBG log/log.go:245 > http: TLS handshake error from 192.168.2.15:51010: remote error: tls: bad certificate
```
The docker-compose for adguard
```yaml
adguard:
  image: adguard/adguardhome
  container_name: adguard
  hostname: adguard
  network_mode: "host"
  ports:
    - 53:53
    - 1525:1525/tcp
    - 444:443
    - 3000:3000/tcp
  volumes:
    - ${INSTALL_DIRECTORY}/config/adguard/work:/opt/adguardhome/work
    - ${INSTALL_DIRECTORY}/config/adguard/conf:/opt/adguardhome/conf
  restart: unless-stopped
  labels:
    - traefik.enable=true
    - traefik.http.routers.adguard.rule=Host(`adguard.<my.domain>`)
    - traefik.http.routers.adguard.entrypoints=websecure
    - traefik.http.routers.adguard.tls.certresolver=letsencrypt
    - traefik.http.services.adguard.loadbalancer.server.port=1525
```
It's just weird because I flipped the `defaultExposed` or whatever it is to see what would happen. It did see the containers but it didn't pick up any of the other config from the labels such as the router rule and definitely didn't generate the certs like it should have.
You can use `providers.file` and `providers.docker` in parallel in Traefik static config.
Share your full Traefik static and dynamic config, and `docker-compose.yml` if used.
This is the traefik.yml
```yaml
log:
  level: DEBUG
  format: common
  filePath: /etc/traefik/logs/traefik.log
accesslog:
  format: common
  filePath: /etc/traefik/logs/access.log
api:
  dashboard: true
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        domains:
          - main: my.domain
            sans:
              - "*.my.domain"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "my@email.com"
      storage: "/letsencrypt/acme.json"
      dnsChallenge:
        provider: cloudflare
```
The following is my only dynamic file `dynamic/services.yml` which is in the folder mapped to the `/etc/traefik/` volume in docker-compose.
```yaml
http:
  services:
    home-assistant:
      loadBalancer:
        servers:
          - url: "http://<home-assistant-url>"
  routers:
    home-assistant:
      rule: "Host(`assistant.<my.domain>`)"
      entryPoints:
        - "websecure"
      tls:
        certResolver: letsencrypt
      service: home-assistant
```
I have 2 docker compose files, this is docker-compose.custom.yaml
```yaml
services:
  traefik:
    image: traefik
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ${INSTALL_DIRECTORY}/config/traefik:/etc/traefik
    environment:
      - "CF_API_EMAIL=my@email.com"
      - "CF_API_KEY=my-api-key"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.<my.domain>`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=username:pass"
  adguard:
    image: adguard/adguardhome
    container_name: adguard
    hostname: adguard
    network_mode: "host"
    ports:
      - 53:53
      - 1525:1525/tcp
      - 444:443
      - 3000:3000/tcp
    volumes:
      - ${INSTALL_DIRECTORY}/config/adguard/work:/opt/adguardhome/work
      - ${INSTALL_DIRECTORY}/config/adguard/conf:/opt/adguardhome/conf
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.rule=Host(`adguard.<my.domain>`)"
      - "traefik.http.routers.adguard.entrypoints=websecure"
      - "traefik.http.routers.adguard.tls.certresolver=letsencrypt"
      - "traefik.http.services.adguard.loadbalancer.server.port=1525"
```
A sampling of config from my main docker-compose.yaml
```yaml
services:
  jellyfin:
    image: lscr.io/linuxserver/${MEDIA_SERVICE}
    container_name: ${MEDIA_SERVICE}
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - VERSION=docker
      - DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel
      - JELLYFIN_PublishedServerUrl=http://jellyfin.<my.domain>
    volumes:
      - ${MEDIA_DIRECTORY}/movies:/data/movies
      - ${MEDIA_DIRECTORY}/tvshows:/data/tvshows
      - ${INSTALL_DIRECTORY}/config/${MEDIA_SERVICE}:/config
    devices:
      - /dev/dri:/dev/dri
    ports:
      - 7359:7359/udp
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.<my.domain>`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
```
So jellyfin works fine, adguard and traefik get completely ignored because traefik considers them disabled. Note that I did try the labels both with double quotes and without, they just happen to have them right now.
This does not make sense. When you use network mode host, then all ports are automatically opened on host, so you don’t need `ports`:
This also makes no sense, as TCP is default:
DNS usually uses UDP, so I would think it should rather be:
```yaml
ports:
  - 53:53/udp
  - 1525:1525
```
Yes, it's a few things that I haven't cleaned up yet while I was working on my configuration. It doesn't have anything to do with Traefik not picking up the labels though.
I'm not having issues with ports, I'm having issues with Traefik and docker labels.
I've experienced the same issue and resolved it by adding the following to my configuration:
```yaml
providers:
  docker:
    exposedByDefault: true # Default is true
```
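
Added example, not part of any post in this thread: a small Python model of how the two `exposedByDefault` settings discussed above decide which containers the Docker provider keeps, useful for seeing what else becomes routable when the setting is `true`. It assumes the documented rule (an explicit `traefik.enable` label wins, otherwise `exposedByDefault` applies); the service names, hosts and the near-miss key check are constructed for illustration.

```python
# Added example: simplified model of the Docker provider's enable decision.
ENABLE_KEY = "traefik.enable"
# Values Go's strconv.ParseBool reads as true.
TRUE_VALUES = {"1", "t", "T", "true", "TRUE", "True"}

def parse_labels(labels):
    """Accept compose labels in list ("k=v") or mapping form; return {key: value}."""
    if isinstance(labels, dict):
        return {str(k).strip().lower(): str(v).strip() for k, v in labels.items()}
    parsed = {}
    for item in labels or []:
        key, _, value = str(item).partition("=")
        parsed[key.strip().lower()] = value.strip()
    return parsed

def audit(services, exposed_by_default):
    """Return {service: (enabled, notes)} for a compose 'services' mapping."""
    report = {}
    for name, spec in services.items():
        labels = parse_labels(spec.get("labels"))
        notes = []
        explicit = ENABLE_KEY in labels
        enabled = labels[ENABLE_KEY] in TRUE_VALUES if explicit else exposed_by_default
        for key in labels:
            # Heuristic (assumption): keys that extend the enable key are likely typos.
            if key.startswith(ENABLE_KEY) and key != ENABLE_KEY:
                notes.append(f"'{key}' is not '{ENABLE_KEY}'")
        if not enabled and any(k.startswith("traefik.http.") for k in labels):
            notes.append("routing labels present but container is filtered")
        if enabled and not explicit:
            notes.append("exposed only because exposedByDefault is true")
        report[name] = (enabled, notes)
    return report

# Constructed sample services (hypothetical names and hosts).
SAMPLE = {
    "media": {"labels": ["traefik.enable=true",
                         "traefik.http.routers.media.rule=Host(`media.example.test`)"]},
    "dns": {"labels": ["traefik.enabled=true",
                       "traefik.http.routers.dns.rule=Host(`dns.example.test`)"]},
    "db": {"labels": {}},
}

if __name__ == "__main__":
    for setting in (False, True):
        print(f"exposedByDefault: {setting}")
        for name, (enabled, notes) in audit(SAMPLE, setting).items():
            print(f"  {name}: enabled={enabled} {notes}")
```

With `exposedByDefault: true`, the unlabelled `db` service is reported as enabled, which is the side effect to check for before switching the setting on a host that runs containers not meant to be published.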