Traefik filtering portainer as a "disabled container" in docker swarm

Traefik Traefik v2
1

I have a small docker swam setup with 3 nodes.
Traefik is running on the manager node with this stack file:

version: '3.8'

services:

  traefik:
    image: traefik:v2.6
    command:
      - --configFile=/traefik.yml
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager 
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        - traefik.http.middlewares.admin-auth.basicauth.users=admin:kttMoHm$$ZeaIvc8uDXZaapr1$$xsez8wWG$$2O0
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        - traefik.http.routers.traefik-public-http.rule=Host(`traefik-test.mydomain.com`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        - traefik.http.routers.traefik-public-https.rule=Host(`traefik-test.mydomain.com`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true     
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
      - /certs:/certs
      - /logs:/logs
      - /configs/traefik.yml:/traefik.yml
      - /configs/tls-cert.yml:/etc/traefik/tls-cert.yml
      
    networks:
      - traefik-public


volumes:
  traefik-public-certificates:

networks:
  traefik-public:
    external: true

I also have Portainer deployed with the following stack file:

version: '3.8'

services:
  agent:
    image: portainer/agent:latest
    environment:
      AGENT_CLUSTER_ADDR: tasks.agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    ports:
      - 9000:9000
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - traefik-public
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
    labels:
        - traefik.enable=true
        - traefik.http.routers.portainer.rule=Host(`portainer-test.mydomain.com`)
        - traefik.http.services.portainer.loadbalancer.server.port=9000
        - traefik.http.routers.portainer.entrypoints=https
        - traefik.http.routers.portainer.tls=true


networks:
  agent_network:
    driver: overlay
    attachable: true
  traefik-public:
    external: true

volumes:
  portainer_data:

For some reason, Traefik is skipping my Portainer container.

time="2023-04-08T23:55:17Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-agent-h8m7kqdzqh8ik4rahjmbc7qw2
time="2023-04-08T23:55:17Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-agent-rs2l6xaem2l4dztb8kvf4iqrh
time="2023-04-08T23:55:17Z" level=debug msg="Filtering disabled container" container=portainer-agent-ytot9erq29a7zfh2d4o9p7z1b providerName=docker
time="2023-04-08T23:55:17Z" level=debug msg="Filtering disabled container" providerName=docker container=portainer-portainer-bispq34jvxyk8roxv7hndb28b

To double-check that my setup and labels are correct I created this stack and deployed it

version: '3.8'

services:
  my-app:
    image: containous/whoami:v1.3.0
    networks:
      - traefik-public
    command:
      - --port=8082 
    ports:
      - 8082:8082
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.my-app.rule=Host(`whoami.mydomain.com`)
        - traefik.http.services.my-app.loadbalancer.server.port=8082
        - traefik.http.routers.my-app.entrypoints=https
        - traefik.http.routers.my-app.tls=true

networks:
  traefik-public:
    external: true

And I am able to access it on "whoami.mydomain.com"; however, I am unable to access Portainer on "portainer-test.mydomain.com".
PS: I am able to access Portainer directly using EXTERNAL_IP:9000

Any idea why this might be the case?

2

For Docker Swarm you need to place labels inside deploy, that’s not the case for your portainer.

3

Sadly that didn't solve it either.

4

I solved it by using Nginx between Traefik and Portainer.
Though I would really appreciate a simpler solution if anyone can point out the exact problem here:

version: '3.8'

services:
  agent:
    image: portainer/agent:latest
    environment:
      AGENT_CLUSTER_ADDR: tasks.agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - portainer_data:/data
    networks:
      - agent_network

  portainer_proxy:
    image: nginx:stable-alpine
    volumes:
      - /configs/nginx-portainer.conf:/etc/nginx/conf.d/default.conf
    networks:
      - traefik-public
      - agent_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.http.routers.portainer.rule=Host(`portainer-test.mydomain-rnd.com`)
        - traefik.http.services.portainer.loadbalancer.server.port=80
        - traefik.http.routers.portainer.entrypoints=https
        - traefik.http.routers.portainer.tls=true
        - traefik.docker.network=traefik-public

networks:
  agent_network:
    driver: overlay
    attachable: true
  traefik-public:
    external: true

volumes:
  portainer_data:

nginx setup:

server {
    listen 80;

    location / {
        proxy_pass http://tasks.portainer:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
``
5

This is the Docker Swarm Portainer setup with Traefik we got from a consultant:

version: '3.9'

services:
  agent:
    image: portainer/agent:2.16.0
    environment:
      - LOG_LEVEL=DEBUG
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  portainer:
    image: portainer/portainer-ce:2.16.0
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    #ports:
    #  - "9443:9443"
    #  - "9000:9000"
    #  - "8000:8000"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - portainer_data:/data
    networks:
      - agent_network
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
          - node.hostname == server1
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.entrypoints=websecure"
        - "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        - "traefik.http.services.portainer.loadbalancer.passhostheader=true"

networks:
  agent_network:
    driver: overlay
    attachable: true
  proxy:
    external: true

volumes:
  portainer_data:

But it sometimes shows strange slowdowns.

Update: thanks for making me to look into my own Portainer config :grinning: We use a vSwitch, finally solved our slowdowns:

networks:
  agent_network:
    driver: overlay
    driver_opts:
      com.docker.network.driver.mtu: 1400
    attachable: true
  proxy:
    external: true