https://github.com/eriksjolund/podman-traefik-socket-activation
Demo of how to run socket-activated Traefik with Podman. Source IP address is preserved.
container demo podman socket-activation systemd-service traefik
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/eriksjolund/podman-traefik-socket-activation
- Owner: eriksjolund
- License: apache-2.0
- Created: 2024-06-23T11:13:08.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2025-09-13T10:07:27.000Z (9 months ago)
- Last Synced: 2025-09-13T12:06:51.040Z (9 months ago)
- Topics: container, demo, podman, socket-activation, systemd-service, traefik
- Homepage:
- Size: 37.1 KB
- Stars: 55
- Watchers: 2
- Forks: 2
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# podman-traefik-socket-activation
This demo shows how to run a socket-activated traefik container with Podman.
See also the tutorials [Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md) and
[podman-nginx-socket-activation](https://github.com/eriksjolund/podman-nginx-socket-activation).
Overview of the examples
| Example | Type of service | Ports | Using quadlet | rootful/rootless podman | Comment |
| -- | -- | -- | -- | -- | -- |
| [Example 1](examples/example1) | systemd user service | TCP/80, TCP/443 | yes | rootless podman | |
| [Example 2](examples/example2) | systemd user service | TCP/80, TCP/443, UDP/443 | yes | rootless podman | HTTP/3 served both to the internet and to the custom network. Self-signed TLS |
### Advantages of using rootless Podman with socket activation
See https://github.com/eriksjolund/podman-nginx-socket-activation?tab=readme-ov-file#advantages-of-using-rootless-podman-with-socket-activation
### Discussion about SELinux
When using the traefik option __--providers.docker__, traefik needs access to a unix socket
that provides the Docker API. By default the path to the unix socket is _/var/run/docker.sock_.
SELinux will by default block the container's access to this socket file.
Currently, the problem is worked around by disabling SELinux label separation for the traefik container.
The quadlet unit file contains this line:
```
SecurityLabelDisable=true
```
Another workaround could have been to bind-mount the unix socket with the `:z` option,
but that would change the SELinux file context of the unix socket, which might cause problems for
other programs.
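
Both workarounds weaken SELinux confinement around a container-engine API socket, so it helps to know which quadlet units use them. The following audit sketch is an added example, not code from this repository: the sample unit is constructed, the finding names are hypothetical labels, and recognising the API socket by the file names `docker.sock` and `podman.sock` is an assumption.

```python
import re

# Constructed sample unit for illustration; not the repository's own file.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example

[Container]
Image=docker.io/library/traefik
SecurityLabelDisable=true
Volume=%t/podman/podman.sock:/var/run/docker.sock
Volume=/srv/traefik/certs:/certs:ro,Z
"""

# Assumption: a container-engine API socket is recognised by its file name.
API_SOCKET = re.compile(r"(docker|podman)\.sock$")
TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd-style boolean spellings


def container_keys(unit_text):
    """Yield (key, value) pairs from the [Container] section; keys may repeat."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Container" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def audit(unit_text):
    """Return finding names (hypothetical labels) in the order they occur."""
    findings = []
    for key, value in container_keys(unit_text):
        if key == "SecurityLabelDisable" and value.lower() in TRUE_VALUES:
            findings.append("label-disabled")
        elif key == "Volume":
            src, _, rest = value.partition(":")
            opts = rest.partition(":")[2].split(",")
            if API_SOCKET.search(src):
                findings.append("api-socket-mounted")
                if "z" in opts or "Z" in opts:
                    findings.append("api-socket-relabelled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_UNIT))
```

A unit that reports both `label-disabled` and `api-socket-mounted` matches the workaround described above; `api-socket-relabelled` marks the `:z` alternative, which changes the socket's label on the host.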
See also
https://bugzilla.redhat.com/show_bug.cgi?id=1495053#c2