Traefik cannot find the docker socket proxy

Hi all, I would appreciate your help on a problem I have. I am trying to add a socket proxy for my docker containers in order to increase the security. I am using wollomatic/socket-proxy but for some reason I do not know, Traefik cannot communicate with it. Here is the error I get:

time="2024-01-01T18:19:29Z" level=debug msg="FIXME: Got an status-code for which error does not match any expected type!!!" error="error during connect: Get \"http://dockerproxy:2375/v1.24/version\": dial tcp 172.29.0.2:2375: connect: no route to host" module=api status_code=-1
time="2024-01-01T18:19:29Z" level=error msg="Failed to retrieve information of the docker client and server host: error during connect: Get \"http://dockerproxy:2375/v1.24/version\": dial tcp 172.29.0.2:2375: connect: no route to host" providerName=docker
time="2024-01-01T18:19:29Z" level=error msg="Provider connection error error during connect: Get \"http://dockerproxy:2375/v1.24/version\": dial tcp 172.29.0.2:2375: connect: no route to host, retrying in 2.318606147s" providerName=docker

Here is my docker-compose file:

version: '3'

services:
  dockerproxy:
    image: wollomatic/socket-proxy:1
    command:
      - '-loglevel=debug'
      - '-allowfrom=172.29.0.3/0'
      - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
      - '-shutdowngracetime=5'
      - '-watchdoginterval=3600'
      - '-stoponwatchdog'
      - '-proxyport=2375'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:977
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      docker-proxynet:
        ipv4_address: 172.29.0.2

  traefik:
    image: traefik:2.10.7
    restart: unless-stopped
    read_only: true
    mem_limit: 2G
    cpus: 0.75
    depends_on:
      - dockerproxy
    user: "2000:2000"
    security_opt:
      - no-new-privileges:true
    volumes:
      - $DOCKERDIR/rules:/rules
      - $DOCKERDIR/acme/acme.json:/acme.json
      - $DOCKERDIR/logs:/logs
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=DEBUG
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://dockerproxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=traefik-servicenet
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules
      - --providers.file.watch=true 
      - --api=true
      - --api.insecure=true
      - --api.dashboard=true
    labels:
      - "traefik.enable=true"
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      - DOMAINNAME_CLOUD_SERVER
    networks:
      docker-proxynet:
        ipv4_address: 172.29.0.3
      traefik-servicenet:
        ipv4_address: 192.168.64.2
      
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"


networks:
  traefik-servicenet:
    external: true
    name: traefik-servicenet
  docker-proxynet:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: "172.29.0.0/24"
          gateway: "172.29.0.1"

I know it is missing the SSL part, but I removed that to upload it online. Thus SSL is not the issue here. Have you encountered such an issue before? Note that I am using AlmaLinux as the OS.

Depends_on only checks if the container is started, not if the application is healthy and available. You need a health check on the dockerproxy:

  socketproxy:
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "<Successful command here>"
        ]
      interval: 10s
      retries: 3
      start_period: 5s
      timeout: 5s

  traefik:
    depends_on:
      socketproxy:
        condition: service_healthy

I don’t think this is correct:

- '-allowfrom=172.29.0.3/0'

The subnet mask should probably be .0/24 or maybe just use 172.29.0.3.

Personally, I would not use this at all; restrict access to dockersocket by using an explicit Docker network for dockersocket and Traefik. Fixed IPs might bite you when you grow your infra.

Note that your traefik-servicenet by default only allows 254 containers. That’s an un-sweet surprise when you try to scale 100 services to 3 replicas.
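
An added example, not part of any reply in this thread and not socket-proxy's own code: it evaluates the -allowfrom value from the compose file and the two alternatives suggested above against the docker-proxynet subnet and Traefik's address. It assumes the proxy applies standard CIDR matching; audit_allowfrom and verdict are hypothetical helper names, and the last candidate is a constructed wrong value.

```python
import ipaddress

# Values taken from the thread's compose file.
PROXY_SUBNET = ipaddress.ip_network("172.29.0.0/24")  # docker-proxynet
TRAEFIK_IP = ipaddress.ip_address("172.29.0.3")       # traefik on docker-proxynet


def audit_allowfrom(value, subnet=PROXY_SUBNET, client=TRAEFIK_IP):
    """Evaluate an -allowfrom value under standard CIDR semantics.

    Assumption: the proxy masks host bits the way CIDR parsers do,
    so 172.29.0.3/0 is read as 0.0.0.0/0.
    """
    # strict=False masks the host bits instead of raising ValueError.
    net = ipaddress.ip_network(value, strict=False)
    return {
        "value": value,
        "effective": str(net),
        "addresses": net.num_addresses,
        "admits_traefik": client in net,
        # True when the rule also admits addresses outside the proxy network.
        "wider_than_subnet": not net.subnet_of(subnet),
    }


def verdict(result):
    """Classify an audited rule from the point of view of least privilege."""
    if not result["admits_traefik"]:
        return "blocks traefik"
    if result["wider_than_subnet"]:
        return "overbroad"
    return "least privilege" if result["addresses"] == 1 else "subnet-wide"


if __name__ == "__main__":
    # The last entry is a constructed mistake (the proxy's own address).
    for candidate in ("172.29.0.3/0", "172.29.0.0/24", "172.29.0.3", "172.29.0.2/32"):
        r = audit_allowfrom(candidate)
        print(f'{r["value"]:>15} -> {r["effective"]:<15} {verdict(r)}')
```

Under that assumption a /0 prefix is a match-all rule, so the allowlist only restricts anything with a bare address or a prefix no wider than the proxy network.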

Tried the healthcheck; the container is healthy, but I still get the same error message:

a1d7058e811b   traefik:2.10.7                                          "/entrypoint.sh --gl…"   40 seconds ago   Up 28 seconds             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   traefiknew-traefik-1
94cc3684306b   wollomatic/socket-proxy:1                               "/socket-proxy -logl…"   40 seconds ago   Up 39 seconds (healthy)                                                                                  traefiknew-dockerproxy-1

Tried with

- '-allowfrom=172.29.0.3'

and with

- '-allowfrom=172.29.0.0/24'

but no luck :frowning:

Remove it completely and test again :slight_smile:

No luck :frowning: For some reason it cannot find the host, even though they both get the correct IPs from the same network.

Try a simple ping from within traefik to dockerproxy.

Tried it, ping does not work either!

Solved by changing network to

docker-proxynet:
    name: docker-proxynet
    driver: bridge
    ipam:
      config:
        - subnet: "172.29.0.0/24"
