Is the use of PORTS, PUBLISH or EXPOSE manditory to make Traefik work?

I'm bit confused by the statements in the docs of API and Port detection

If I look at providers overview the picture and quick start/, they tell me, that all is done by API calls and I don't need to make any port available to other containers. In addition, it is said that containers see each other anyway, if they are in the same network but that is not that good documented you find rather

If you do not specify any of those, the service in the container will not be accessible from anywhere except from inside the container itself.

for both see What is the difference between “expose” and “publish” in Docker?

But if I read [Operations -> API], [Docker Engine API Access] and
[Docker Swarm API Access], I'm not that sure anymore.
One the one hand it is said traefik provides only information via APIs but on the other hand, it also acts by means of API calls.
Moreover, port detection is explicitly mentioned in Docker Engine Port Detection and in [Docker Swarm Port Detection]

Any chance that someone could explain the differences in bit more details?

Thank you


Hi @PackElend, can you elaborate a bit please, not sure to understand what do you mean and ask?

(spoiler: I wrote the section"Docker Enfine Port Detection" recently and I might have missed some part, so interested in understanding so we can improve the doc).

I will do but I have got some feedback regarding docker networking. I'll try to understand that to have that incorporated in my answer. That may take a few days

ok :+1:

To (try to) answer the question on the title of this topic:

  • There is no need to publish the port of your backend container for sure! "Publish" means "tell docker to add a port address translation from public network to a specified private port of a container. The whole goal of Traefik is to avoid publishing other applications :slight_smile:
  • You can either explicitly tell Traefik which port to use with Traefik's dynamic configuration (with a ...service.loadbalancer.server.port label for example in Docker), which is mandatory when using Swarm.
  • If (and only if) you have a docker container, NOT in swarm, which only "exposes" one port (with the directive EXPOSE of Dockerfile), then Traefik assumes this is the port to use. This is an implicit behaviour aimed at having less labels to provide. I personnaly try to avoid this as I consider that implicit behavior like this leads to confusion and misunderstanding.

This is true: Traefik watches the Docker API for new containers. By using the "expose" driective, or by adding the right label, then the Docker API object representing containers are populated with more metadats that Traefik can use to auto-configure itself.

=> It means that port detection itself is a Traefik internal behavior, not a Docker one (or not an ifnrastructure one), as it is only based on metadatas from Docker's API. This explains why we wrote the section , in order to explain this "internal behavior" for end user.

These are 2 differents APIs:

  • On one side you have a "provider" API (Docker API, Kubernetes API, Consul, File, etc.) which Traefiks watches to retrieves the "dynamic configuration".
  • On the other side, Traefik has its own API, to allows you to request it, which is not mandatory at all (except for the Traefik dashboard itself).
1 Like