Issue with Traefik reverse proxy setup for Mattermost in Docker container

Traefik Traefik v2
1

Hi Traefik community,

I'm currently trying to deploy Mattermost using Docker Compose, with Traefik as a reverse proxy to handle automatic SSL configuration and routing. The domain for the Mattermost service is mattermost.phonevillemobile.com. However, I'm encountering an issue where the Mattermost container is continuously restarting after running the following commands:

docker compose -f docker-compose.yml -f docker-compose.without-nginx.yml up -d

My docker-compose.yml :

name: mattermost
# https://docs.docker.com/compose/environment-variables/
services:
  postgres:
    image: postgres:${POSTGRES_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - seccomp:unconfined
    pids_limit: 100
    read_only: true
    tmpfs:
      - /tmp
      - /var/run/postgresql
    volumes:
      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
    environment:
      - TZ
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB

  mattermost:
    depends_on:
      - postgres
    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
    container_name: mattermost
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    pids_limit: 200
    read_only: ${MATTERMOST_CONTAINER_READONLY}
    tmpfs:
      - /tmp
    volumes:
      - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
      - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
      - ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
      - ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
      - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
      - ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
    labels:
      - traefik.docker.network=traefik-public
      - traefik.enable=true
      - traefik.http.routers.mattermost-http.entrypoints=http
      - traefik.http.routers.mattermost-http.middlewares=https-redirect
      - traefik.http.routers.mattermost-http.rule=Host(`mattermost.phonevillemobile.com`)
      - traefik.http.routers.mattermost-http.service=mattermost
      - traefik.http.routers.mattermost-https.entrypoints=https
      - traefik.http.routers.mattermost-https.rule=Host(`mattermost.phonevillemobile.com`)
      - traefik.http.routers.mattermost-https.service=mattermost
      - traefik.http.routers.mattermost-https.tls=true
      - traefik.http.routers.mattermost-https.tls.certresolver=le
      - traefik.http.services.mattermost.loadbalancer.server.port=8065
      - traefik.http.routers.mattermost.rule=Host(`mattermost.phonevillemobile.com`)
    environment:
      - TZ
      - MM_SQLSETTINGS_DRIVERNAME
      - MM_SQLSETTINGS_DATASOURCE
      - MM_BLEVESETTINGS_INDEXDIR
      - MM_SERVICESETTINGS_SITEURL

   
networks:
  traefik_proxy:
    external: true

My docker-compose.without-nginx.yml:

services:
  mattermost:
    ports:
      - "8065:8065"

Help please?

2

What’s the log output?

4

Mattermost logs:

exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
exec /entrypoint.sh: operation not permitted
5

You set read_only for the service/container?

6

MATTERMOST_CONTAINER_READONLY=false

should i also set this thing to 'false' in the docker-compose.yml ?

7

I can only guess, but those settings are most rarely used. You could try to run without.

You could also try to add

    security_opt:
      - seccomp:unconfined

What OS are you using? How did you install Docker?

Also note that you would usually not publish ports: on the target service/container, as that might circumvent using Traefik security middlewares.

Instead Traefik and target service should share a common Docker network, within all ports are reachable anyway.

8

Hi there, I'm using Ubuntu Server 22.04 on a VPS

I've followed this one when installing mattermost:

cd mattermost/docker
9

The without-nginx probably stands for "without reverse proxy", as it will open the ports of the container directly. So not needed with Traefik.

You use multiple ENV vars in your compose file, many things could be wrong. But we don't know.

And again the question: how did you install Docker? Root-less?

As a most basic test, you can try to run docker run -it mattermost/mattermost-team-edition (or whatever image you are using). But this really seems more like a Docker permission issue, has nothing to do with Traefik.