Traefik (docker) taking all my disk space

Hello,

I have an LXC running Traefik and other services, and it frequently runs out of space (10Gb).

The biggest folder is /var/docker/overlay. Apparently I can't do anything with it since it's managed by Docker, and any command like `prune` or something else didn't help.

I figured out that Traefik was the biggest container by doing `compose down`, and I gained 20Gb of storage (yes, I increased the storage meanwhile, but it keeps filling up).

So I don't know what to do; I can't increase it further.

Here is my docker-compose in case
```yaml

services:
  traefik:
    image: traefik:latest  # Use the latest Traefik image
    container_name: traefik  # Name of the container
    restart: unless-stopped  # Ensures the container restarts if it stops unexpectedly
    security_opt:
      - no-new-privileges:true  # Prevents the container from gaining additional privileges

    #network_mode: "host"
    networks:
       proxy:  # Connects to the predefined external network named 'proxy'
    ports:
      - 80:80  # HTTP port
      - 81:81
      - 443:443  # HTTPS port
      - 444:444
      - 2022:2022  # SFTP port
      # -- (Optional) Enable Dashboard, don't do in production
      - 8080:8080  # Traefik dashboard port
    environment:
      - CF_API_EMAIL=YOUR_EMAIL
      - CF_DNS_API_TOKEN=YOUR_DNS_API_TOKEN
      # - CF_API_KEY=YOU_API_KEY
      - TZ=Europe/Paris  # Set timezone
    volumes:
      - /etc/localtime:/etc/localtime:ro  # Sync time with the host
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Allows Traefik to interact with Docker
      - /root/Traefik/traefik-config/traefik.yml:/traefik.yml:ro  # Traefik configuration file
      - /root/Traefik/traefik-config/acme.json:/acme.json  # SSL certificate file
      - /root/Traefik/traefik-config/rules:/rules:ro  # Rule directory
      - /root/Traefik/logs:/var/log/traefik/  # Log directory

    labels:
      - traefik.enable=true  # Enable Traefik on this service
      - traefik.http.routers.traefik.entrypoints=http  # Define HTTP entrypoint
      - traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)  # Host rule for routing
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https  # Redirect HTTP to HTTPS
      #- traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https  # Set forwarded headers for SSL
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect  # Apply HTTPS redirect middleware
      - traefik.http.routers.traefik-secure.entrypoints=https  # Secure entrypoint for HTTPS
      - traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)  # Host rule for secure routing
      - traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$<salt>$$<hash> # Basic auth for security traefik for username:pass
      - traefik.http.routers.traefik-secure.middlewares=traefik-auth  # Apply authentication middleware
      - traefik.http.routers.traefik-secure.tls=true  # Enable TLS for secure connection
      - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare  # Use Cloudflare for SSL certificate resolution
      - traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com  # Main domain for SSL certificate
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com  # SANs for SSL certificate
      - traefik.http.routers.traefik-secure.service=api@internal  # Internal service for Traefik API

networks:
  proxy:
    name: proxy  # Specifies the external network to connect to
    external: true  # Indicates that the network is external

```

You forgot to share your static config, which includes entrypoints and log.

I would assume you log to a file, which is inside the container. Place it externally:

```yaml
services:
  traefik:
    image: traefik:v3.5
    restart: unless-stopped
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
    networks:
      - proxy
    volumes:
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --log.level=INFO
      - --log.filepath=/var/log/traefik.log
      - --accesslog.filepath=/var/log/traefik-access.log
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
```

Or limit Docker container default logging in size:

```yaml
# Define common logging options
x-logging: &default-logging
  driver: json-file
  options:
    max-size: 100m
    max-file: 5

services:
  traefik:
    image: traefik:v3.5
    logging: *default-logging
    ...
```

Yes, my bad, so here it is. I noticed that I'm at DEBUG level for log; I changed it to INFO, but not sure if it's related.

```yaml
api:
  dashboard: true
  debug: true

entryPoints:
  sftp:
    address: :2022  # Use a separate port to avoid conflicts with SSH

  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"  # Internal Docker network address
    http:
      middlewares:
        - secured@file
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    forwardedHeaders:
      trustedIPs:
        - "172.18.0.0/16"  # Internal Docker network address
    http:
      middlewares:
        - secured@file
      tls:
        options: default
        certResolver: cloudflare

  http-external:
    address: ":81"
    forwardedHeaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
    http:
      middlewares:
        - secured-external@file
      redirections:
        entryPoint:
          to: https-external
          scheme: https

  https-external:
    address: ":444"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    forwardedHeaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
    http:
      middlewares:
        - secured-external@file
      tls:
        options: default
        certResolver: cloudflare

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /rules
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      storage: acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

tls:
  options:
    default:
      minVersion: VersionTLS13
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384

experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: "v1.4.2"

log:
  filePath: "/var/log/traefik/traefik.log"
  level: DEBUG
  format: json
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json
```

Do you see the logs on the host in the bind-mounted folder?

Having a trailing slash is rather unusual:

    volumes:
      - /root/Traefik/logs:/var/log/traefik/  # Log directory

Yes, I can see them, but which trailing slash are you referring to?

    volumes:
      - /root/Traefik/logs:/var/log/traefik/  # Log directory
                                           ^

@bluepuma77 Thank you for your responses, I don't really know when to put a slash or not.

By the way, I think I figured out my issue: when I installed Traefik I was copying some config from various people, and I had a middleware which was buffering traffic with Nextcloud.
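
An added example, not part of the thread: a way to see which container's writable layer is filling the overlay directory, and where inside the container the files are being written, without running `compose down` on each stack. The helper names `large_writable_layers` and `added_by_top_dir` are hypothetical and the sample line in the comments is constructed; `docker ps --size --format` and `docker diff` are the real commands they consume.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
#
# Usage on the Docker host:
#   docker ps -a --size --format '{{.Names}}\t{{.Size}}' | large_writable_layers 1000000000
#   docker diff traefik | added_by_top_dir
#
# Constructed sample of the first command's output (name<TAB>size):
#   traefik   18.4GB (virtual 18.6GB)
# The first figure is the container's own writable layer; "virtual" adds the image.

# Print "bytes<TAB>name" for containers whose writable layer is >= $1 bytes,
# largest first. Docker prints decimal units (B, kB, MB, GB, TB).
large_writable_layers() {
  awk -F '\t' -v threshold="$1" '
    BEGIN { m["B"] = 1; m["kB"] = 1e3; m["MB"] = 1e6; m["GB"] = 1e9; m["TB"] = 1e12 }
    {
      split($2, part, " ")                       # part[1] is e.g. "18.4GB"
      num = part[1];  sub(/[A-Za-z]+$/, "", num) # numeric part
      unit = part[1]; sub(/^[0-9.]+/, "", unit)  # unit part
      if (!(unit in m)) next                     # skip lines we cannot parse
      bytes = num * m[unit]
      if (bytes >= threshold) printf "%.0f\t%s\n", bytes, $1
    }' | sort -rn
}

# Read `docker diff <container>` output ("A /path", "C /path", "D /path") and
# count files added (A) under each top-level directory, busiest first.
added_by_top_dir() {
  awk '$1 == "A" { split($2, p, "/"); n["/" p[2]]++ }
       END { for (d in n) printf "%d\t%s\n", n[d], d }' | sort -rn
}
```

A multi-gigabyte writable layer means the container is writing data inside itself rather than to a bind mount or volume, and the per-directory count shows where to look.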
