Hello,
When looking for my pb concerning Kuma, I have found in my logs this:
2025-02-28T12:30:52+02:00 INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=dns-cloudflare.acme
2025-02-28T12:30:58+02:00 ERR Router uses a nonexistent certificate resolver error="unable to create plugins client: unable to create directory /plugins-storage/sources: mkdir plugins-storage: read-only file system" certificateResolver=cloudflare routerName=authentik@docker
2025-02-28T12:30:58+02:00 ERR Router uses a nonexistent certificate resolver error="unable to create plugins client: unable to create directory /plugins-storage/sources: mkdir plugins-storage: read-only file system" certificateResolver=cloudflare routerName=it-tools-secure@docker
2025-02-28T12:30:58+02:00 ERR Router uses a nonexistent certificate resolver error="unable to create plugins client: unable to create directory /plugins-storage/sources: mkdir plugins-storage: read-only file system" certificateResolver=cloudflare routerName=authentik-outpost@docker
Missing context. Share Docker compose file. Are you using bind mounts with :ro.
services:
traefik:
image: traefik:v3.3.4
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
read_only: true
mem_limit: 2G
cpus: 0.75
depends_on:
- dockerproxy
networks:
- mynet
- socket-t
#command:
#- '--host=tcp://t-docker-socket-proxy:2375'
ports:
- target: 80
published: 1180
protocol: tcp
mode: host
- target: 443
published: 11443
protocol: tcp
mode: host
- target: 8080
published: 8087
protocol: tcp
mode: host
- target: 1181
published: 1181
protocol: tcp
mode: host
- target: 11444
published: 11444
protocol: tcp
mode: host
environment:
- CF_API_EMAIL=${CF_API_EMAIL}
- TZ=${TZ}
- TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
volumes:
- /etc/localtime:/etc/localtime:ro
- $BASE/traefik/data/traefik.yml:/traefik.yml:ro
- $BASE/letsencrypt:/letsencrypt
- $BASE/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
- /var/log/crowdsec/:/var/log/crowdsec
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.mynet.org`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=${user}:${passwd}"
- "traefik.http.routers.traefik-secure.entrypoints=https-external"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=mynet.org"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mynet.org"
- "traefik.http.services.traefik.loadbalancer.server.port=8087"
# middlewares
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
# middlewares security headers
- "traefik.http.middlewares.hsts.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload"
- "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
- "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.security-headers.headers.addvaryheader=true"
- "traefik.http.routers.traefik.middlewares=hsts"
- "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host"
- "traefik.http.middlewares.security-headers.headers.sslredirect=true"
- "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.security-headers.headers.stsseconds=63072000"
- "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.security-headers.headers.stspreload=true"
- "traefik.http.middlewares.security-headers.headers.forcestsheader=true"
- "traefik.http.middlewares.security-headers.headers.framedeny=true"
- "traefik.http.middlewares.x-frame-options.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
- "traefik.http.routers.traefik.middlewares=csp-headers"
- "traefik.http.middlewares.csp-headers.headers.customResponseHeaders.Content-Security-Policy=frame-ancestors 'self' https://www.mynet.org"
- "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true"
- "traefik.http.middlewares.security-headers.headers.browserxssfilter=true"
- "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin"
- "traefik.http.middlewares.security-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
- "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
dockerproxy:
image: wollomatic/socket-proxy:1.5.3
container_name: t-docker-socket-proxy
command:
- '-loglevel=info'
- '-allowfrom=0.0.0.0/0'
- '-listenip=0.0.0.0'
- '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
- '-watchdoginterval=3600'
- '-stoponwatchdog'
- '-shutdowngracetime=10'
restart: unless-stopped
read_only: true
mem_limit: 64M
cap_drop:
- ALL
security_opt:
- no-new-privileges
user: 65534:110 # change gid from 998 to the gid of the docker group on your host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- socket-t
networks:
mynet:
name: mynet
external: true
socket-t:
driver: bridge
internal: true
attachable: false
"read-only file system" is probably a result of:
system
Closed
5
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.