Traefik v3 / rootless docker and Portainer :)

Hello,
I have moved to Docker rootless mode, and it is working.
I have installed portainer-ce, it is working too.
But I cannot yet install any stack: failed to deploy a stack: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

I have started to change the config for my traefik compose file to be in line with the rootless mode.

volumes 'not rootless':

- /etc/localtime:/etc/localtime:ro
      - /mnt/user/appdata/docker/traefik/data/traefik.yml:/traefik.yml:ro
      - /mnt/user/appdata/docker/letsencrypt:/letsencrypt
      - /mnt/user/appdata/docker/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
      - /var/log/crowdsec/:/var/log/crowdsec

Volumes rootless mode:

      - /etc/localtime:/etc/localtime:ro
      # Rootless daemon socket lives under the user's runtime dir, not /var/run.
      # NOTE(review): the :ro flag only protects the socket file itself; a client
      # that can open the socket can still issue any Docker API request. Prefer
      # reaching the API through the filtering socket proxy, not a direct mount.
      - /run/user/<DOCKER-USER-UID>/docker.sock:/var/run/docker.sock:ro
      # NOTE(review): in rootless mode, root inside the container is the
      # unprivileged host user, so that user needs access to this host path - confirm.
      - /var/log/crowdsec/:/var/log/crowdsec
      - $BASE/.local/share/docker/volumes/traefik/data/traefik.yml:/traefik.yml:ro
      - $BASE/.local/share/docker/volumes/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
      - $BASE/.local/share/docker/volumes/letsencrypt:/letsencrypt

Not sure about localtime and logs ....
And what about the docker.sock problem?

I haven't yet found any compose files that reflect rootless mode ...

the full compose file

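services:
  # Reverse proxy. It has no Docker socket mount of its own; it is expected to
  # reach the Docker API through the dockerproxy service on the socket-t network.
  traefik:
    image: traefik:v3.0.0
    container_name: traefik-ng
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    read_only: true
    mem_limit: 2G
    cpus: 0.75
    depends_on:
      - dockerproxy
    networks:
      - mynet
      - socket-t
    # NOTE(review): nothing in this file tells Traefik where the Docker API is.
    # The Docker provider endpoint (providers.docker.endpoint) presumably has to
    # be set in traefik.yml to tcp://t-docker-socket-proxy:2375 - confirm.
    #command:
    #- "--host=tcp://t-docker-socket-proxy:2375"
    ports:
      # Quoted so no YAML parser can read a host:container pair as a number.
      - "1180:80"
      - "11443:443"
      # NOTE(review): 8080 is Traefik's default API/dashboard entry point; if
      # api.insecure is enabled in traefik.yml this publishes it without auth.
      - "8087:8080"
      - "1181:1181"
      - "11444:11444"
    environment:
      - CF_API_EMAIL=bullet@mydomain
      # Taken from the shell environment or an .env file next to this compose
      # file, so the token is not stored (or pasted) with the configuration.
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?set CF_DNS_API_TOKEN in the environment or .env}"
      - TZ=Europe/Helsinki
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): in rootless mode, root inside the container is the
      # unprivileged host user, so that user needs access to this host path - confirm.
      - /var/log/crowdsec/:/var/log/crowdsec
      - $BASE/.local/share/docker/volumes/traefik/data/traefik.yml:/traefik.yml:ro
      - $BASE/.local/share/docker/volumes/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
      - $BASE/.local/share/docker/volumes/letsencrypt:/letsencrypt

    labels:
      - "traefik.enable=true"
      # NOTE(review): the networks declared in this file are mynet and socket-t;
      # confirm that "mydomain" really is the network Traefik should route over.
      - "traefik.docker.network=mydomain"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # middlewares
      # The dashboard router above is protected by this basic-auth middleware.
      # In a compose file every "$" of the password hash must be written "$$";
      # basicauth.usersfile keeps the hash out of the labels altogether.
      - "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=theboss:xxxxxxxxxxxxx"
      # middlewares security headers
      # No router in this file attaches security-headers; it is only defined here.
      - "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.security-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      # headers.sslredirect was dropped here: Traefik v3 removed that option and
      # an unknown label field makes the provider reject the container's labels.
      # The HTTP->HTTPS redirect is already done by traefik-https-redirect above.
      - "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.security-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.security-headers.headers.stspreload=true"
      - "traefik.http.middlewares.security-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.security-headers.headers.framedeny=true"
      - "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.security-headers.headers.browserxssfilter=true"
      - "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin"
      # headers.featurepolicy was also removed in v3; permissionspolicy replaces
      # it and uses the Permissions-Policy syntax. The old "vr" entry has no
      # equivalent feature name there and is left out.
      - "traefik.http.middlewares.security-headers.headers.permissionspolicy=camera=(), geolocation=(), microphone=(), payment=(), usb=()"
      - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"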


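  # Filtering proxy in front of the (rootless) Docker socket. Only the requests
  # matched by -allowGET are forwarded; everything else is refused.
  dockerproxy:
    image: wollomatic/socket-proxy:1.3.1
    container_name: t-docker-socket-proxy
    command:
      # debug is verbose; drop to info once the setup works.
      - '-loglevel=debug'
      # Only the traefik service may connect. The previous 0.0.0.0/0 accepted
      # any client that could reach the listener.
      - '-allowfrom=traefik'
      - '-listenip=0.0.0.0'
      # Read-only subset of the API: version, container queries and events.
      - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
      - '-watchdoginterval=3600'
      - '-stoponwatchdog'
      - '-shutdowngracetime=10'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # uid:gid the proxy runs as; the gid must be one that may open the socket.
    # NOTE(review): with a rootless daemon the socket belongs to the host user,
    # who appears as uid/gid 0 inside the container, so a "docker group" gid
    # probably does not grant access here - verify who can open the socket.
    user: "65534:999"
    volumes:
      #- /var/run/docker.sock:/var/run/docker.sock:ro
      # Rootless socket of host uid 1000. The :ro flag does not restrict API
      # calls; the -allowGET filter above is what limits them.
      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-t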

networks:
  # Pre-existing network, created outside this compose file.
  mynet:
    name: mynet
    external: true
  # Private link between traefik and the socket proxy: internal means no
  # outside connectivity, so the proxied Docker API is reachable only by
  # containers attached to this network.
  socket-t:
    driver: bridge
    internal: true
    attachable: false
      

Thx

sounds like a Docker issue, maybe consult Docker forum.