exposedbydefault not working?

Traefik Traefik v3 (latest)
1

I am using Traefik with Docker Swarm. Everything seems to be working well except that it appears to be automatically picking up and exposing services including those I don't specify with labels.

I have the following config:

services:
  traefik:
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.my-traefik-dashboard-router.tls=true'
        - 'traefik.http.routers.my-traefik-dashboard-router.rule=Host(`traefik.example.com`)'
        - 'traefik.http.routers.my-traefik-dashboard-router.service=api@internal'
        - 'traefik.http.routers.my-traefik-dashboard-router.entrypoints=websecure'
        - 'traefik.http.routers.my-traefik-dashboard-router.middlewares=my-traefik-middleware@swarm'
        - 'traefik.http.middlewares.my-traefik-middleware.basicauth.usersfile=/run/secrets/traefik-users'
        # # Dummy service for Swarm port detection. The port can be any valid integer value.
        - 'traefik.http.services.dummy-svc.loadbalancer.server.port=9999'
      restart_policy:
        condition: 'any'
    logging:
      driver: 'json-file'
      options:
        max-size: '10m'
        max-file: '3'
    # https://hub.docker.com/_/traefik/tags
    image: 'traefik:v3.7.1@sha256:6b9cbca6fac42ab0075f5437d8dc1685cfd188626d8d515839ea94f8b6271c42'
    command:
        - '--providers.docker=true'
        - '--providers.file.filename=/traefik-config.yml' # CLI or environment configuration is preferred, but traefik only lets you set the TLS certificate paths via file configurtion
        - '--providers.swarm.endpoint=unix:///var/run/docker.sock'
        - '--providers.swarm.watch=true'
        - '--providers.swarm.exposedbydefault=false'
        - '--providers.swarm.network=traefik'
        - '--entryPoints.websecure.address=:443'
        - '--entrypoints.websecure.http.tls=true'
        - '--entrypoints.web.address=:80'
        - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
        - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
        - '--entrypoints.web.http.redirections.entrypoint.permanent=true'
        - '--api.dashboard=true'
        - '--api.insecure=false'
    networks:
      - 'traefik'

In the Traefik logs I'm seeing an attempt to expose a service that shouldn't be exposed:

ERR error="service \"portainer-agent-0xetch9eyinmqf4c6oxjwdchv-zphgr1uyt07ng4fveaxp3se13\" error: port is missing" container=portainer-agent-0xetch9eyinmqf4c6oxjwdchv-zphgr1uyt07ng4fveaxp3se13-54ad46201179b89d2a5e3f28d3fc58890e86dcc4ba02ffe0e8dad5be89aee6e4 providerName=docker

Also, on the traefik dashboard I see a bunch of what appear to be auto-generated services that should not be exposed.

Why isn't --providers.swarm.exposedbydefault=false working? I copied it directly out of the docs and the docs say that it should stop exactly this problem from happening.

The docs show exposedByDefault in some places and exposedbydefault in other places and an older thread said switching to exposedbydefault fixed their problem, but I have tried both and they both have the same symptoms.

2

My issue ended up being that --providers.docker=true should not be set when using Swarm. It would be nice if non-sensical parameter combinations threw a clear error rather than trying to guess what the user meant. In this case, it apparently doesn't make sense to have both providers.docker=true and providers.swarm.* in combination, and setting the first causes the latter to be ignored.