Rootless Traefik service discovery

[OfficerKoo]

Hello, is this even possible. I have read a lot of discussions, and got mixed ideas about this.
I setup traefik with systemd and socket activation according to this - https://github.com/eriksjolund/podman-traefik-socket-activation.
And it seems to work fine, but only when both routed service and traefik in one bridged network. When i use host network for traefik it discover the service, but can't connect, which makes sense because traefik discover internal ip. When i run whoami container without specifying network or specifying pasta, it's not discovered. Same if i do that with traefik container. But won't pasta with socket activation supposed to expose external ip with port?

I try to use rootless traefik as a reverse proxy for other rootless and rootfull containers on a host, but either service discovery doesn't work, which defeats purpose of traefik ,or i can't access the services.

$ podman version
Client:       Podman Engine
Version:      5.2.3
API Version:  5.2.3
Go Version:   go1.22.7
Built:        Tue Sep 24 02:00:00 2024
OS/Arch:      linux/amd64

[Unit]
After=http.socket https.socket
Requires=http.socket https.socket

[Service]
Sockets=http.socket https.socket

[Container]
ContainerName=traefik
Image=docker.io/library/traefik
Exec=--entrypoints.web --entrypoints.websecure --providers.docker --providers.docker.exposedbydefault=false --api.insecure=true
PublishPort=8080:8080
Volume=%t/podman/podman.sock:/var/run/docker.sock
SecurityLabelDisable=true
Network=pasta

[Container]
Image=docker.io/traefik/whoami
ContainerName=whoami
Label="traefik.enable=true"
Network=pasta
PublishPort=8889:80

[Socket]

ListenStream=0.0.0.0:80
FileDescriptorName=web
Service=traefik.service

[Install]
WantedBy=sockets.target
[Socket]

ListenStream=0.0.0.0:443
FileDescriptorName=websecure
Service=traefik.service

[Install]
WantedBy=sockets.target

[sbrivio-rh]

And it seems to work fine, but only when both routed service and traefik in one bridged network. When i use host network for traefik it discover the service, but can't connect, which makes sense because traefik discover internal ip.

Tagging @eriksjolund here as this part is not clear to me either.

But won't pasta with socket activation supposed to expose external ip with port?

As far as I know systemd xinetd-like socket activation doesn't really make sense with pasta (and the other way around): systemd runs as root and will open a socket that directly connects into the container for you.

Which, by the way, makes "rootless" a bit of a misnomer here: the whole thing relies on the fact that there's a component running as root. The socket was created as root and permission checks in the kernel are performed accordingly.

[Luap99]

Which, by the way, makes "rootless" a bit of a misnomer here: the whole thing relies on the fact that there's a component running as root. The socket was created as root and permission checks in the kernel are performed accordingly.

No, when you use systemd user session with sockets the systemd --user process running as your user is binding the port.

[eriksjolund]

@OfficerKoo Could you show the contents of the files separately together with their file names? Right now it looks like the quadlet files have been concatenated.

I noticed one thing. The traefik container unit contains:

PublishPort=8080:8080

What is port 8080 used for? PublishPort= should typically not be used together with socket activation unless you want to expose
some other port that is not representing a socket-activated port.

[eriksjolund]

@OfficerKoo Maybe you could use a fully qualified domain name (FQDN) as container name

ContainerName=whoami.example.com

Regarding connecting to the host's main interface from a container that is running in a custom network, check out

https://github.com/eriksjolund/podman-networking-docs?tab=readme-ov-file#outbound-tcpudp-connections-to-the-hosts-main-network-interface-eg-eth0

You might want to add AddHost=whoami.example.com:host-gateway to the traefik container unit. (But then it's not really auto-discovery because you need to add the hostname in advance)

[sbrivio-rh]

systemd runs as root and will open a socket that directly connects into the container for you.

Socket activation is used fully rootless when the socket unit is defined in ~/.config/systemd/user/example.socket In that case the systemd user manager instance creates the socket. (Maybe I misunderstood what you wrote?)

Ah, sorry, I wasn't up to date with it, in that case it's systemd --user so yes, the socket is not created as root.

I still find it a bit confusing in the sense that you pass a socket from outside the container to inside the container, and that's not what I would traditionally call user-mode networking (hence, traditionally, "rootless"). It doesn't run as root, and it's also user-mode in some sense: it doesn't need a (separate) kernel interface... but network traffic is not entirely decoupled in userspace.

Maybe we should make an effort to call things "user-mode networking" or "socket activation" without making "rootless" the defining term. Otherwise the expectation is that systemd socket activation can be used with pasta or something like that (and I really can't think of a sensible way to combine the two things).

[OfficerKoo]

Thanks for your answer. @eriksjolund
Here are quadlets separated by file. I use 8080 port to access traefik web interface. I also published port 8889 on whoami service for testing purposes. I also can see that when i use predefined network mynet, that it uses bridge networking with ip 10.89.x.x

#~/.config/systemd/user/http.socket
[Socket]

ListenStream=0.0.0.0:80
FileDescriptorName=web
Service=traefik.service

[Install]
WantedBy=sockets.target

#~/.config/systemd/user/https.socket
[Socket]

ListenStream=0.0.0.0:443
FileDescriptorName=websecure
Service=traefik.service

[Install]
WantedBy=sockets.target

#~/.config/containers/systemd/traefik.container
[Unit]
After=http.socket https.socket
Requires=http.socket https.socket

[Service]
Sockets=http.socket https.socket

[Container]
ContainerName=traefik
Image=docker.io/library/traefik
Exec=--entrypoints.web --entrypoints.websecure --providers.docker --providers.docker.exposedbydefault=false --api.insecure=true
PublishPort=8080:8080
Volume=%t/podman/podman.sock:/var/run/docker.sock
SecurityLabelDisable=true
Network=pasta

#~/.config/containers/systemd/whoami.container
[Container]
Image=docker.io/traefik/whoami
ContainerName=whoami
Label="traefik.enable=true"
Network=pasta
PublishPort=8889:80

i tried to add Network=pasta:--map-guest-addr=192.168.2.10 but it didn't work for me

[eriksjolund]

@OfficerKoo Good now it's clear how the quadlets look like.
It's an interesting problem. Right now I don't have a clear understanding of how to combine
pasta, traefik, socket activation and host services. I plan to investigate it a bit.

[OfficerKoo]

@eriksjolund thanks, for now i managed to make it work with bridged and host networks with adding --providers.docker.usebindportip to traefik and traefik.http.services.whoami.loadbalancer.server.port=80 to whoami service by leveraging behaviour outlined here.

Interestingly enough it only works if publish port on 127.0.0.1, otherwise it's just uses internal ip. It's the same for containers with host networking, i have to just configure the prot. But i could not make it work with pasta, because traefik just can't discover any container's ip's.

Here is the quadlets, if someone is interesed

#whoami.container
[Container]
Image=docker.io/traefik/whoami
ContainerName=whoami
Label="traefik.enable=true"
Label="traefik.http.services.whoami.loadbalancer.server.port=80"
Network=mynet.network
PublishPort=127.0.0.1:8889:80

#traefik.container
[Unit]
After=http.socket https.socket
Requires=http.socket https.socket

[Service]
Sockets=http.socket https.socket

[Container]
ContainerName=traefik
Image=docker.io/library/traefik
Exec=--entrypoints.web --entrypoints.websecure --providers.docker --providers.docker.usebindportip --providers.docker.exposedbydefault=false --api.insecure=true
PublishPort=8080:8080
Volume=%t/podman/podman.sock:/var/run/docker.sock
SecurityLabelDisable=true
Network=host