Add systemd socket activation support #9891
Comments
Hey @lalbers! Thanks for your suggestion.
I'd love to see this feature added to Traefik.
I have a use case for this, too. I am trying to run traefik in a rootless podman stack with crowdsec. With the rootlesskit network mode the real IP address of clients is not preserved. With slirp4netns:porthandler=slirp4netns it is, but there is no name resolution, a performance hit and network separation is not possible (no user-generated networks with this mode). Socket activation would be a nice feature to work around the limitation.
Pasta is indeed a lot faster than slirp4netns, but from my experience slightly unstable (but that might improve in the future) and still slower than "native" performance (which socket activation should have). Since Traefik is a reverse proxy and users will most likely be routing almost all of their traffic through it, I think it would still be great to have this feature.
Also, pasta network mode cannot make the traefik docker provider discover the container IP.
Any updates? Socket activation is really needed for rootless podman.
Hi Friedemann, could you please share the deployment / configuration / docker-compose file that you have used?
Hi Thomas,
Hi Friedemann, I'm already aware of the referred deployment guides.
Thank you, Thomas, but I already knew that. You could also overcome it by port forwarding in the firewall. I do it the same way as you, but that is not the issue. When using traefik in rootless mode the real IP of the client is not preserved. Ergo no filtering based on the IP lists provided by crowdsec is possible. Traefik only forwards the IP of the rootless network entrypoint (local IP) and does not see the real IP. Like I wrote: you can overcome that by using pasta or slirp4netns:porthandler=slirp4netns as network backend, but that has disadvantages, too. There is no DNS (or you have to configure it), so traefik can't do its magic unless you provide IP addresses/DNS entries for the containers. It is far more configuration to write (and for every new container), unlike traefik's automatic service discovery, where you just throw a label on the container and are done with it. EDIT: And since the pull request of @juliens from last week seems to work, we might get that pretty soon.
Now I see... it's about socket activation.
Different socket. That's the podman socket. This is about socket activation of containers.
Well, I don't know if this issue is still relevant. A workaround for this issue is here.
@fsdrw08 Can you provide an example of a podman-compose file that allows traefik to work with other containers? If I run the following config, the traefik docker provider cannot discover the container IP:
Error:
Thank you for your compose file, Oleksandr. podman does not provide name resolution in the network, so traefik can't find the container. The internal DNS of podman does not work. One could provide DNS externally or via host-file settings, but that's a hassle.
Thank you, Friedemann
@oleksandrborniak If you are on Fedora 40, check the Podman version. If it is 5 or higher, pasta is the default network driver for all networks. That means you don't have to define the pasta network mode via
I've tried it out with the default network "podman" and a user-generated network without options. Works fine in testing. Internal DNS works, preservation of the client IP and all the shenanigans... traefik did not make any problems in a minimal setup. Meanwhile I am hoping for a merge of the aforementioned pull request, which enables socket activation for traefik in podman.
It looks like I am doing something wrong.
Config file:
Run containers: docker-compose up -d
Check networks:
Result: Removing "network_mode: pasta" from the config creates a container in a bridge network.
Hm, try removing
I've already tried it and it looks like pasta is not used in this case.
This is when "network-mode: pasta" is removed from the config:
The problem might be that I updated from Fedora 39 and it is not a new installation. {{.Host.RootlessNetworkCmd}} is also unavailable in my setup.
@oleksandrborniak The command:
192.168.1.15 is the podman host. While a little podman compose with the content:
gets me:
which contains only internal (podman-network) IP addresses. That's unfortunate. Apparently there are different options passed by the command
Regarding your other questions: I've installed the podman developer version from the copr:
And "bridge" mode is okay. The podman default network is also a bridge network. I did not find another way to confirm that pasta is used as the network driver than
Hope this helps. :)
@yznerf
Has anybody had any success running a socket-activated Traefik service with Podman?
Seems the attribute
OK, I understand why so. In order to run traefik in here is my ingress-style yaml file for

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: whoami
  labels:
    name: whoami
    # label values must be strings, so booleans and the port are quoted
    traefik.enable: "true"
    traefik.http.routers.whoami.entryPoints: webSecure
    traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
    traefik.http.routers.whoami.tls: "true"
    traefik.http.services.whoami.loadbalancer.server.port: "80"
spec:
  containers:
    - name: whoami
      image: traefik/whoami:v1.10.2
      imagePullPolicy: IfNotPresent
      resources:
        limits:
          memory: "256Mi"
          cpu: "500m"
```
Description
The systemd project supports socket activation for services, allowing systemd to listen on the socket initially. When the first connection comes in, systemd starts the service and passes in any listening sockets as file descriptors.
This technique is also useful for containers: for example, when running non-root podman it uses netavark for the network stack. This has the disadvantage that container processes are unable to see the real source IP of incoming connections. One solution can be to use podman socket_activation. Currently socket_activation doesn't seem to be supported for traefik.
What I have tried

```sh
systemd-socket-activate -l 80 -l 443 podman run --rm docker.io/library/traefik:latest
```

Here I would expect traefik to use these sockets when configured to use ports 80 and 443. Using the same pattern for httpd just works.
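As an added example, which is not code from the Traefik project or from this issue, here is how a Go server adopts sockets handed over by systemd socket activation, following the LISTEN_PID / LISTEN_FDS convention of sd_listen_fds(3) that the description relies on: the passed sockets start at file descriptor 3, they are only ours if LISTEN_PID names our own process, and a non-activated start falls back to binding the configured ports itself. The function names (parseListenFds, listenersFromFds, activatedListeners, listenOrActivate) are hypothetical and assumed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strconv"
)

// Descriptors 0-2 are stdin/stdout/stderr, so systemd passes activated
// sockets starting at fd 3 (SD_LISTEN_FDS_START in sd_listen_fds(3)).
const sdListenFdsStart = 3

// parseListenFds applies the LISTEN_PID / LISTEN_FDS convention: the passed
// descriptors belong to us only if LISTEN_PID equals our own pid, and
// LISTEN_FDS says how many consecutive descriptors from 3 on were passed.
// An empty result means the process was not socket-activated.
func parseListenFds(ourPid int, listenPid, listenFds string) ([]int, error) {
	if listenPid == "" || listenFds == "" {
		return nil, nil
	}
	pid, err := strconv.Atoi(listenPid)
	if err != nil {
		return nil, fmt.Errorf("bad LISTEN_PID %q: %w", listenPid, err)
	}
	if pid != ourPid {
		return nil, nil // meant for another process (e.g. a parent); leave them alone
	}
	n, err := strconv.Atoi(listenFds)
	if err != nil || n < 0 {
		return nil, fmt.Errorf("bad LISTEN_FDS %q", listenFds)
	}
	fds := make([]int, n)
	for i := range fds {
		fds[i] = sdListenFdsStart + i
	}
	return fds, nil
}

func closeAll(ls []net.Listener) {
	for _, l := range ls {
		l.Close()
	}
}

// listenersFromFds wraps descriptors that systemd already bound and put into
// listening state in net.Listener values.
func listenersFromFds(fds []int) ([]net.Listener, error) {
	var ls []net.Listener
	for _, fd := range fds {
		f := os.NewFile(uintptr(fd), "LISTEN_FD_"+strconv.Itoa(fd))
		l, err := net.FileListener(f) // works on a dup of fd ...
		f.Close()                     // ... so the inherited fd itself can go
		if err != nil {
			closeAll(ls)
			return nil, fmt.Errorf("fd %d is not a listening socket: %w", fd, err)
		}
		ls = append(ls, l)
	}
	return ls, nil
}

// activatedListeners reads the real environment, clears the LISTEN_* variables
// (like sd_listen_fds with unset_environment=1) so children do not inherit them,
// and returns the systemd-provided listeners, or nil if there are none.
func activatedListeners() ([]net.Listener, error) {
	fds, err := parseListenFds(os.Getpid(), os.Getenv("LISTEN_PID"), os.Getenv("LISTEN_FDS"))
	os.Unsetenv("LISTEN_PID")
	os.Unsetenv("LISTEN_FDS")
	os.Unsetenv("LISTEN_FDNAMES")
	if err != nil || len(fds) == 0 {
		return nil, err
	}
	return listenersFromFds(fds)
}

// listenOrActivate is what an entrypoint would call: prefer the sockets
// systemd passed, otherwise bind the configured addresses ourselves.
func listenOrActivate(addrs ...string) ([]net.Listener, error) {
	ls, err := activatedListeners()
	if err != nil || ls != nil {
		return ls, err
	}
	for _, a := range addrs {
		l, err := net.Listen("tcp", a)
		if err != nil {
			closeAll(ls)
			return nil, err
		}
		ls = append(ls, l)
	}
	return ls, nil
}

func main() {
	// Under `systemd-socket-activate -l 80 -l 443 ./server` the two sockets
	// arrive as fds 3 and 4; started by hand, the ports are bound directly.
	ls, err := listenOrActivate(":80", ":443")
	fmt.Println(len(ls), "listeners, err:", err)
}
```

Because systemd performed bind(2) and listen(2) before the service exists, a server adopting the sockets this way sees the client's real source address on accept(2), which is the property the rootless-networking comments above are after; the LISTEN_PID check and the clearing of the variables keep a stray environment from handing the sockets to the wrong process.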