How can I make Traefik v3 work with podman?

Hi everyone,
I've just started a VPS and I wanted to play with the basics of Traefik on podman instead of docker. I'm trying to set up a simple whoami.

The following docker-compose.yml works for docker but not for podman:

services:
  reverse-proxy:
    image: docker.io/traefik
    restart: always
    command:
      # - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=censored@for.reasons" # Here goes the real mail
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    volumes:
      - "/run/docker.sock:/var/run/docker.sock" # It is different for podman, read below
      - "./letsencrypt:/letsencrypt"
    networks:
      - traefik_default

  whoami:
    image: "docker.io/traefik/whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`for.reasons`) && Path(`/whoami`)" # Here goes the real host
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
    networks:
      - traefik_default

networks:
  traefik_default:
    name: traefik_default

volumes:
  letsencrypt:
    name: letsencrypt

Under the volumes of the service reverse-proxy I've tried to replace many times the following line

- "/run/docker.sock:/var/run/docker.sock"

with these lines (only one at a time)

- "/usr/lib/systemd/system/podman.socket:/var/run/docker.sock"
- "/usr/lib/systemd/system/podman.socket:/var/run/podman.sock"
- "/usr/lib/systemd/user/podman.socket:/var/run/docker.sock"
- "/usr/lib/systemd/user/podman.socket:/var/run/podman.sock"
- "/run/user/1000/podman/podman.sock:/var/run/docker.sock"
- "/run/user/1000/podman/podman.sock:/var/run/podman.sock"
- "/run/user/1000/podman/podman.sock:/run/user/1000/podman/podman.sock"

some of which are the files I've found searching for the podman socket with sudo find / -name "*podman.sock*" and others have been created following the socket activation guide.

Is it the right line to replace? Or are there other settings that I'm missing?
What am I doing wrong?

Thanks

On the left side you need your podman socket on host, on the right side it should be the Docker default inside the container, like:

      - /run/user/1005/podman/podman.sock:/var/run/docker.sock
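
A way to check a candidate mount line before restarting the stack, as an added example that is not part of the thread's posts: it tests that the host side is a live Unix socket (the `podman.socket` files under `/usr/lib/systemd` are systemd unit files, not sockets) and that the container side is the Docker default named in the reply above. The names `check_mount`, `rootless_socket` and `demo` are hypothetical, and the demo paths are constructed stand-ins in a temporary directory.

```python
import os
import socket
import stat
import tempfile

# Container-side path the reply above calls "the Docker default"
TRAEFIK_DEFAULT = "/var/run/docker.sock"


def check_mount(volume: str) -> str:
    """Classify a compose 'host:container' bind mount meant to expose the Podman API."""
    host, _, container = volume.partition(":")
    container = container.split(":")[0]  # drop a trailing option such as :ro or :z
    try:
        mode = os.stat(host).st_mode
    except FileNotFoundError:
        return "host path missing (is podman.socket started for this user?)"
    if not stat.S_ISSOCK(mode):
        # e.g. /usr/lib/systemd/.../podman.socket is a unit file, not a socket
        return "host path is not a Unix socket"
    if container != TRAEFIK_DEFAULT:
        return "container path is not " + TRAEFIK_DEFAULT
    return "ok"


def rootless_socket(uid: int) -> str:
    """Rootless Podman API socket path for a uid, in the form used in the thread."""
    return f"/run/user/{uid}/podman/podman.sock"


def demo() -> dict:
    """Run the checks against constructed stand-ins for the kinds of path tried above."""
    with tempfile.TemporaryDirectory() as tmp:
        unit = os.path.join(tmp, "podman.socket")  # stand-in for a systemd unit file
        with open(unit, "w") as fh:
            fh.write("[Socket]\n")  # constructed content
        sock_path = os.path.join(tmp, "podman.sock")  # stand-in for the live API socket
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        try:
            return {
                "unit file": check_mount(f"{unit}:/var/run/docker.sock"),
                "wrong target": check_mount(f"{sock_path}:/var/run/podman.sock"),
                "working": check_mount(f"{sock_path}:/var/run/docker.sock"),
                "missing": check_mount(f"{tmp}/nope.sock:/var/run/docker.sock"),
            }
        finally:
            srv.close()
```

Run `check_mount` on the host as the user that owns the Podman socket, passing the exact string from the compose file, for example `check_mount(rootless_socket(os.getuid()) + ":/var/run/docker.sock")`.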

Here is a tip if you are running Linux:

Short story:
Use quadlet instead of compose. See example1 where a traefik container proxies traffic to a whoami container:

Long story:
If you run traefik with rootless Podman (with the pasta network driver) in a custom network, then traefik will not see the correct source IP address of a client connecting from the internet if the port was published in the normal way (with podman run option --publish).

That is for example how docker-compose runs rootless Podman.

A workaround is to run the traefik container with socket activation and quadlet.
The traefik container should then be able to see the correct source IP address.

A tip is to convert the file docker-compose.yml to quadlet files with the help of the tool podlet (see GitHub - containers/podlet: Generate Podman Quadlet files from a Podman command, compose file, or existing object).
