Hello,
I have moved from Traefik 2 to Traefik 3.0.0.
When restarted traefik:
2024-05-06T11:02:49+03:00 ERR Plugins are disabled because an error has occurred. error="unable to create plugins client: unable to create directory /plugins-storage/sources: mkdir plugins-storage: read-only file system"
What file system its suppose to be ??
Thx
Share your full Traefik static and dynamic config, and docker-compose.yml if used.
You try to use Docker rootless or use a dedicated uses/group for the container?
services:
traefik:
image: traefik:v3.0.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
read_only: true
mem_limit: 2G
cpus: 0.75
depends_on:
- dockerproxy
networks:
- docker_net
- socket-t
command:
- "--host=tcp://t-docker-socket-proxy:2375"
ports:
- 1180:80
- 11443:443
- 8087:8080
- 1181:1181
- 11444:11444
environment:
- CF_API_EMAIL=myemail
- CF_DNS_API_TOKEN=blabla
volumes:
- /etc/localtime:/etc/localtime:ro
- /mnt/user/appdata/docker/traefik/data/traefik.yml:/traefik.yml:ro
- /mnt/user/appdata/docker/letsencrypt:/letsencrypt
- /mnt/user/appdata/docker/traefik/data/dynamic_conf.yml:/dynamic_conf.yml:ro
- /var/log/crowdsec/:/var/log/crowdsec
labels:
- "traefik.enable=true"
- "traefik.docker.network=docker_net"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.mydomain`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.routers.traefik-secure.middlewares=crowdsec-bouncer@file"
# middlewares
- "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
- "traefik.http.middlewares.traefik-auth.basicauth.users=login:passwd"
# middlewares security headers
- "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
- "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.security-headers.headers.addvaryheader=true"
- "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host"
- "traefik.http.middlewares.security-headers.headers.sslredirect=true"
- "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.security-headers.headers.stsseconds=63072000"
- "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.security-headers.headers.stspreload=true"
- "traefik.http.middlewares.security-headers.headers.forcestsheader=true"
- "traefik.http.middlewares.security-headers.headers.framedeny=true"
- "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true"
- "traefik.http.middlewares.security-headers.headers.browserxssfilter=true"
- "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin"
- "traefik.http.middlewares.security-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
- "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
dockerproxy:
image: wollomatic/socket-proxy:1.1.3
container_name: t-docker-socket-proxy
command:
- '-loglevel=debug'
- '-allowfrom=0.0.0.0/0'
- '-listenip=0.0.0.0'
- '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
- '-watchdoginterval=3600'
- '-stoponwatchdog'
- '-shutdowngracetime=10'
restart: unless-stopped
read_only: true
mem_limit: 64M
cap_drop:
- ALL
security_opt:
- no-new-privileges
user: 65534:119 # change gid from 998 to the gid of the docker group on your host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- socket-t
networks:
docker_net:
name: docker_net
external: true
socket-t:
driver: bridge
internal: true
attachable: false```api:
dashboard: true
insecure: true
debug: true
entryPoints:
http:
address: ":80"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
http-external:
address: ":1181"
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entrypoint:
to: https-external
scheme: https
https-external:
address: ":11444"
http:
middlewares:
- crowdsec-bouncer@file
serversTransport:
insecureSkipVerify: true
providers:
docker:
network: docker_net
endpoint: "tcp://t-docker-socket-proxy:2375"
exposedByDefault: false
file:
filename: /dynamic_conf.yml
watch: true
certificatesResolvers:
dns-cloudflare:
acme:
email: myemail
storage: ./letsencrypt/acme.json
dnsChallenge:
provider: cloudflare
caServer: https://acme-v02.api.letsencrypt.org/directory
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
experimental:
plugins:
traefik-get-real-ip:
moduleName: "github.com/Paxxs/traefik-get-real-ip"
version: "v1.0.3"
log:
level: "INFO"
filePath: "/var/log/crowdsec/traefik.log"
accessLog:
filePath: "/var/log/crowdsec/access.log"
bufferingSize: 50
http:
middlewares:
default-whitelist:
ipWhiteList:
sourceRange:
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
secured:
chain:
middlewares:
- default-whitelist
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
authentik:
forwardauth:
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
my-traefik-get-real-ip:
plugin:
traefik-get-real-ip:
Proxy:
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn1
realIP: X-Forwarded-For
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn2
realIP: Client-Ip
- overwriteXFF: "true"
proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn3
realIP: Cf-Connecting-Ip
- proxyHeadername: '*'
realIP: RemoteAddr
#region routers
routers:
proxmox-rtr:
rule: "Host(`pve.mydomain`)"
entryPoints:
- "http-external"
middlewares:
- https-redirectscheme
- authentik
tls: {}
service: proxmox-svc
secure-webserver:
entryPoints:
- "https-external"
rule: "Host(`www.mydomain`)"
middlewares:
- https-redirectscheme
tls: {}
service: secure-webserver
homeassistant:
entryPoints:
- "https-external"
rule: "Host(`haoss.mydomain`)"
middlewares:
- https-redirectscheme
- authentik
tls: {}
service: homeassistant
authentik:
entryPoints:
- "https-external"
rule: "Host(`authentik.mydomain`)"
middlewares:
- https-redirectscheme
- authentik
priority: 10
tls: {}
service: authentik
code-server:
entryPoints:
- "https-external"
rule: "Host(`code-server.mydomain`)"
middlewares:
- https-redirectscheme
- authentik
tls: {}
service: code-server
#region services
services:
proxmox-svc:
loadBalancer:
servers:
- url: "https://ip:8006/"
passHostHeader: true
secure-webserver:
loadBalancer:
servers:
- url: "http://ip:80"
passHostHeader: true
homeassistant:
loadBalancer:
servers:
- url: "http://ip:8123"
passHostHeader: true
code-server:
loadBalancer:
servers:
- url: "http://ip:8443"
passHostHeader: true
authentik:
loadBalancer:
servers:
- url: "http://authentik-server:9000/outpost.goauthentik.io"
passHostHeader: true
I use a dedicated uses/group for the container, GiD 119
You can’t use static config in traefik.yml and command:, decide for one (doc).
My bet is that your user does not have write permission on the (mounted?) folder, as your error indicates:
unable to create plugins client: unable to create directory /plugins-storage/sources: mkdir plugins-storage: read-only file system
Were you speaking about the command line in my compose file ?
Yes, in your docker-compose.yml: