More routes created than defined via label

Jarod2801 · March 9, 2025, 9:27pm

Hi,

I want to deploy netbox on a docker swarm cluster.

I can get it up and running but looks like Traefik is created 3 routes although only 1 container has the labels fpor traefik.

My compose file looks like this:

services:
  # NetBox frontend
  netbox: &netbox
    image: docker.io/netboxcommunity/netbox:${VERSION-v4.2-3.2.0}
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker  # soll auf einem Worker-Knoten laufen
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.netbox.rule=Host(`netbox.MYDOMAIN`)"
        - "traefik.http.routers.netbox.entrypoints=websecure"
        - "traefik.http.routers.netbox.tls.certresolver=cloudflare"
        - "traefik.http.services.netbox.loadbalancer.server.port=8080"
        - "traefik.docker.network=traefik-net"
    environment:
      CORS_ORIGIN_ALLOW_ALL: 1
      DB_HOST: postgres
      DB_NAME: netbox
      DB_PASSWORD: MYPASSWORD
      DB_USER: netbox
      EMAIL_FROM: netbox@bar.com
      EMAIL_PASSWORD: 
      EMAIL_PORT: 25
      EMAIL_SERVER: localhost
      EMAIL_SSL_CERTFILE: 
      EMAIL_SSL_KEYFILE: 
      EMAIL_TIMEOUT: 5
      EMAIL_USERNAME: netbox
      # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
      EMAIL_USE_SSL: 0
      EMAIL_USE_TLS: 1
      GRAPHQL_ENABLED: 1
      HOUSEKEEPING_INTERVAL: 86400
      MEDIA_ROOT: /opt/netbox/netbox/media
      METRICS_ENABLED: 1
      REDIS_CACHE_DATABASE: 1
      REDIS_CACHE_HOST: redis-cache
      REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY: 0
      REDIS_CACHE_PASSWORD: MYPASSWORD
      REDIS_CACHE_SSL: 0
      REDIS_DATABASE: 0
      REDIS_HOST: redis
      REDIS_INSECURE_SKIP_TLS_VERIFY: 0
      REDIS_PASSWORD: 123456779
      REDIS_SSL: 0
      RELEASE_CHECK_URL: https://api.github.com/repos/netbox-community/netbox/releases
      SECRET_KEY: 'MYSECRETKEY'
      SKIP_SUPERUSER: 1
      WEBHOOKS_ENABLED: 1
    user: "unit:root"
    healthcheck:
      test: curl -f http://localhost:8080/login/ || exit 1
      start_period: 90s
      timeout: 3s
      interval: 15s
    volumes:
      - /mnt/worker_gluster/netbox/config:/etc/netbox/config:z,ro
      - /mnt/worker_gluster/netbox/media:/opt/netbox/netbox/media:rw
      - /mnt/worker_gluster/netbox/reports:/opt/netbox/netbox/reports:rw
      - /mnt/worker_gluster/netbox/scripts:/opt/netbox/netbox/scripts:rw
    networks:
      - traefik-net
      - netbox-net

  # NetBox worker
  netbox-worker:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker  # soll auf einem Worker-Knoten laufen
    <<: *netbox
    command:
      - /opt/netbox/venv/bin/python
      - /opt/netbox/netbox/manage.py
      - rqworker
    healthcheck:
      test: ps -aux | grep -v grep | grep -q rqworker || exit 1
      start_period: 20s
      timeout: 3s
      interval: 15s
    networks:
      - netbox-net

  # NetBox housekeeping
  netbox-housekeeping:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker  # soll auf einem Worker-Knoten laufen
    <<: *netbox
    command:
      - /opt/netbox/housekeeping.sh
    healthcheck:
      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
      start_period: 20s
      timeout: 3s
      interval: 15s
    networks:
      - netbox-net
          
networks:
  traefik-net:
    driver: overlay
    external: true
    
  netbox-net:
    driver: overlay
    external: true

and my traefik is configured like this

api:
  dashboard: true
  insecure: false

#ping:
#  manualRouting: true

metrics:
  prometheus:
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
#    entryPoint: metrics
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"

  websecure:
    address: ":443"
    http:
      tls:
        certresolver: "cloudflare"
        domains:
          - main: "*.MYDOMAIN"
#  metrics:
#    address: ":8082"

serversTransport:
  insecureSkipVerify: true

log:
  filePath: "/var/log/traefik.log"
  format: json
  level: DEBUG
  maxSize: 100
  maxBackups: 3
  compress: true

providers:
  swarm:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

  file:
#    filename: "/etc/traefik/dynamic.yml"
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: "MYEMAIL"
      storage: "/etc/certs/acme.json"
#      caserver: "https://acme-staging-v02.api.letsencrypt.org/directory" #Just for testing, after that, disable it!
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

In Traefik 3 servers are listed in the service:

Anyone an idea what I am doing wrong?

bluepuma77 · March 10, 2025, 6:55am

Did you use docker stack deploy?

Check Swarm services with docker service ls.

Ensure that no orphan containers are still running on the nodes (with the same labels), as you might have made changes to your compose file over time.

Jarod2801 · March 10, 2025, 6:40pm

I deployed it via Portainer stack. So technicially yes.

A docker service ls | grep netbox gives me

socuo59z2v8c   netbox_netbox                     replicated   1/1        netboxcommunity/netbox:v4.2-3.2.0
riksmq6qq1lp   netbox_netbox-housekeeping        replicated   1/1        netboxcommunity/netbox:v4.2-3.2.0
tqcqc8s0thvn   netbox_netbox-worker              replicated   1/1        netboxcommunity/netbox:v4.2-3.2.0
ebt8jxs7pjid   netbox_postgres                   replicated   1/1        postgres:17-alpine
u4blqjwzw8qt   netbox_redis                      replicated   1/1        valkey/valkey:8.0-alpine
daa34iq8np9w   netbox_redis-cache                replicated   1/1        valkey/valkey:8.0-alpine

So looks like just the services I wanted to run are running.

What I'm curious about is, even when I set the traefik label to false Traefik lists the servers in the service like shown in the screenshot above.

  # NetBox worker
  netbox-worker:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker  # soll auf einem Worker-Knoten laufen
      labels:
        - "traefik.enable=false"
    <<: *netbox
    command:
      - /opt/netbox/venv/bin/python
      - /opt/netbox/netbox/manage.py
      - rqworker
    healthcheck:
      test: ps -aux | grep -v grep | grep -q rqworker || exit 1
      start_period: 20s
      timeout: 3s
      interval: 15s
    networks:
      - netbox-net

  # NetBox housekeeping
  netbox-housekeeping:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker  # soll auf einem Worker-Knoten laufen
      labels:
        - "traefik.enable=false"
    <<: *netbox
    command:
      - /opt/netbox/housekeeping.sh
    healthcheck:
      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
      start_period: 20s
      timeout: 3s
      interval: 15s
    networks:
      - netbox-net

bluepuma77 · March 10, 2025, 7:40pm

Try to list all your Traefik service labels:

docker service ls --format '{{.Name}}' | while read service; do
  echo "$service:"
  docker service inspect --format '{{range $k, $v := .Spec.Labels}}  {{$k}}={{$v}}{{"\n"}}{{end}}' "$service"
  docker service inspect --format '{{range $k, $v := .Spec.TaskTemplate.ContainerSpec.Labels}}  {{$k}}={{$v}}{{"\n"}}{{end}}' "$service"
done

It's probably a service which a different name, that has "netbox" router labels on it.

Jarod2801 · March 10, 2025, 8:45pm

bluepuma77:

docker service ls --format '{{.Name}}' | while read service; do
  echo "$service:"
  docker service inspect --format '{{range $k, $v := .Spec.Labels}}  {{$k}}={{$v}}{{"\n"}}{{end}}' "$service"
  docker service inspect --format '{{range $k, $v := .Spec.TaskTemplate.ContainerSpec.Labels}}  {{$k}}={{$v}}{{"\n"}}{{end}}' "$service"
done

I found these

Suche "netbox" (42 Treffer in 1 Dateien von 1 gesucht) [Normal]
  neu 2 (42 Treffer)
	Zeile 143: netbox_netbox:
	Zeile 144:   com.docker.stack.image=docker.io/netboxcommunity/netbox:v4.2-3.2.0
	Zeile 145:   com.docker.stack.namespace=netbox
	Zeile 148:   traefik.http.routers.netbox.entrypoints=websecure
	Zeile 149:   traefik.http.routers.netbox.rule=Host(`netbox.MYDOMAIN`)
	Zeile 150:   traefik.http.routers.netbox.tls.certresolver=cloudflare
	Zeile 151:   traefik.http.services.netbox.loadbalancer.server.port=8080
	Zeile 153:   com.docker.stack.namespace=netbox
	Zeile 155: netbox_netbox-housekeeping:
	Zeile 156:   com.docker.stack.image=docker.io/netboxcommunity/netbox:v4.2-3.2.0
	Zeile 157:   com.docker.stack.namespace=netbox
	Zeile 160:   traefik.http.routers.netbox.entrypoints=websecure
	Zeile 161:   traefik.http.routers.netbox.rule=Host(`netbox.MYDOMAIN`)
	Zeile 162:   traefik.http.routers.netbox.tls.certresolver=cloudflare
	Zeile 163:   traefik.http.services.netbox.loadbalancer.server.port=8080
	Zeile 165:   com.docker.stack.namespace=netbox
	Zeile 167: netbox_netbox-worker:
	Zeile 168:   com.docker.stack.image=docker.io/netboxcommunity/netbox:v4.2-3.2.0
	Zeile 169:   com.docker.stack.namespace=netbox
	Zeile 172:   traefik.http.routers.netbox.entrypoints=websecure
	Zeile 173:   traefik.http.routers.netbox.rule=Host(`netbox.MYDOMAIN`)
	Zeile 174:   traefik.http.routers.netbox.tls.certresolver=cloudflare
	Zeile 175:   traefik.http.services.netbox.loadbalancer.server.port=8080
	Zeile 177:   com.docker.stack.namespace=netbox
	Zeile 179: netbox_postgres:
	Zeile 181:   com.docker.stack.namespace=netbox
	Zeile 183:   com.docker.stack.namespace=netbox
	Zeile 185: netbox_redis:
	Zeile 187:   com.docker.stack.namespace=netbox
	Zeile 189:   com.docker.stack.namespace=netbox
	Zeile 191: netbox_redis-cache:
	Zeile 193:   com.docker.stack.namespace=netbox
	Zeile 195:   com.docker.stack.namespace=netbox
Suche "netbox" (42 Treffer in 1 Dateien von 1 gesucht) [Normal]

That looks good to me.
No "foreign" services.
Just the ones used in the netbox-stack.

bluepuma77 · March 11, 2025, 5:09am

In compose, "housekeeping" has no labels. On your system it does. And it uses "netbox" as router name, so the service/container will be added as target.

Jarod2801 · March 11, 2025, 9:31am

Hm, you're right.

Looks like I messed sth up with the anchors and aliases.
I now removed them and all looks fine.

Maybe I have to re-read the docs for anchors.

Thank you very much.

system · March 14, 2025, 9:31am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik automatically creates routers / ignoring container labels Traefik v2 docker	0	903	September 14, 2022
Paramertize Docker Labels? Traefik v2 docker-swarm	0	434	May 12, 2020
Config from labels on swarm Traefik v2 docker , docker-swarm	2	869	October 9, 2019
What is required host Swarmpit behind Traefik 2.x Traefik v2 docker-swarm , letsencrypt-acme	0	1724	December 22, 2021
Traefik on Docker Swarm: factorise router/service redundant labels Traefik v2 docker-swarm	1	231	May 2, 2023

More routes created than defined via label

Related topics