Deploy Portainer-CE behind a traefik reverse proxy
Portainer is one of those applications that make your life much easier when working with container-based applications and stacks. Portainer gives you the ability to run applications in your environment either on one host or in the context of a swarm, k8s or other environment. You can include various platforms in your environment and use them from one central graphical user interface. You can upload your docker-compose files or create them in the useful editor that comes with portainer.
Portainer can be installed in two different editions. The first is the so-called »business edition«, which delivers enhanced functionality and opportunities for your daily life. The business edition is a paid service, so you need to conclude a contract with portainer to use it.
The so-called »community edition« can be used for free. You have to accept some minor missing or disabled options, but for smaller environments the CE version is all you need to use the software.
Necessary things
First we need at least one running docker or podman environment. In our case we still use docker, but we will check the possibility of moving to podman later. On our docker environment we are running traefik as the reverse proxy for our containers, and we want to run our portainer behind the reverse proxy as well.
Create a volume
As we all know we need at least one docker volume to persist all data stored in portainer. To create a new volume we use the shell command
docker volume create portainer
which will create the necessary volume for portainer's data. The new volume can be accessed in a compose file to store all data in that directory. If you want to copy the data from the volume, you can access the path at
cd /var/lib/docker/volumes/portainer/_data
All data needed within the application will be stored in this directory. If you prefer a bind mount instead, you can use a mounted directory as well.
Create your docker-compose.yml
The docker-compose.yml defines the initial configuration of your portainer environment. You will be able to combine several docker standalone servers, docker swarm or kubernetes clusters in your portainer environment. Configuring applications becomes much easier after setting up portainer and the necessary portainer agents on other nodes. It also eases the process of migrating applications from one host to another, and much more.
During the first step we will deploy the initial portainer instance on a docker standalone server. In the second step we
services:
  portainer:
    image: portainer/portainer-ce:latest
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/portainer/data:/data
    environment:
      LOG_LEVEL: DEBUG
    labels:
      # Frontend
      traefik.enable: 'true'
      traefik.http.routers.frontend.rule: Host(`<your.fqdn.com>`)
      traefik.http.routers.frontend.entrypoints: websecure
      traefik.http.services.frontend.loadbalancer.server.port: 9000
      traefik.http.routers.frontend.service: frontend
      traefik.http.routers.frontend.tls.certresolver: tls_resolver
      # Edge
      traefik.http.routers.edge.rule: Host(`<yourEdge.fqdn.com>`)
      traefik.http.routers.edge.entrypoints: websecure
      traefik.http.services.edge.loadbalancer.server.port: 8000
      traefik.http.routers.edge.service: edge
      traefik.http.routers.edge.tls.certresolver: tls_resolver
      # traefik.docker.network: proxy
    networks:
      default: null
      proxy: null
networks:
  default:
  proxy:
    external: true
Now let's explain some lines of this docker-compose.yml by line number.
Line 3: image: portainer/portainer-ce:latest
We choose the latest version of portainer, which is not the best solution at all. If you decide to use only specific release versions you have to take much more care of updates, but you will be safe if some upcoming release does not work at all.
Line 4: command: -H unix:///var/run/docker.sock
This points portainer at the local docker socket, so check whether docker runs or not. If docker does not run and portainer cannot connect to docker.sock, the connection to the socket will fail and you will not be able to deploy services to your docker environment.
Line 6 to 9: Volumes
The volumes are necessary to enable all functionalities. First
- /var/run/docker.sock:/var/run/docker.sock
connects portainer with the docker socket to enable the installation, configuration and all necessary interventions in your environment (e.g. stopping containers or stacks).
- /mnt/portainer/data:/data
This mounts a given directory (/mnt/portainer/data) from your physical (or virtual) machine into the container (/data). The string is divided by a colon. The part to the left of the colon points to your docker host, the part to the right points to the desired mountpoint inside the container. This enables you to access the data of the container and persist it across container updates. You will also be able to migrate the container to a different location.
Lines 11 to 25: traefik labels
These labels are divided into two parts. The first part is the so-called frontend part. These labels enable access to the web GUI of portainer. You need to adjust the hostname in
traefik.http.routers.frontend.rule: Host(`<your.fqdn.com>`)
because this will be the hostname for your frontend (e.g. portainer.myhostname.com). The next lines redirect all requests to be SSL-encrypted, and traefik will create a Let's Encrypt SSL certificate for you and update it as needed.
The same lines are repeated under the Edge comment. You need to adjust the hostname here as well. The edge port is needed for all edge agents from other docker standalone, podman, docker swarm, kubernetes (or other) instances that are to be administered by your portainer "installation". The line
traefik.http.routers.edge.rule: Host(`<yourEdge.fqdn.com>`)
needs to be adjusted to your needs as well. This will be the hostname for your edge portainer agents running on different environments.
The first networks section sets the networks to be used by the service; the second section defines which networks to create or, in this case, which existing networks to use.
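A pre-deployment check over the settings explained above (image tag, docker.sock mount, router TLS labels, network selection), as an added example that is not part of the original article. The function name `audit`, the example.com hostnames and the idea of passing the compose file as an already parsed mapping are assumptions made for illustration.

```python
import re

# Constructed sample: the compose file above as a parsed mapping. Hostnames are
# placeholders and the edge router's certresolver label is left out on purpose.
COMPOSE = {"services": {"portainer": {
    "image": "portainer/portainer-ce:latest",
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                "/mnt/portainer/data:/data"],
    "labels": {
        "traefik.enable": "true",
        "traefik.http.routers.frontend.rule": "Host(`portainer.example.com`)",
        "traefik.http.routers.frontend.entrypoints": "websecure",
        "traefik.http.routers.frontend.tls.certresolver": "tls_resolver",
        "traefik.http.routers.edge.rule": "Host(`edge.example.com`)",
        "traefik.http.routers.edge.entrypoints": "websecure",
    },
    "networks": {"default": None, "proxy": None},
}}}

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")

def audit(compose):
    """Return sorted (service, finding) pairs for settings worth a second look."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        # An image reference without a tag resolves to :latest as well.
        repo_tail = svc.get("image", "").rsplit("/", 1)[-1]
        if ":" not in repo_tail or repo_tail.endswith(":latest"):
            findings.append((name, "image is not pinned to a release tag"))
        for volume in svc.get("volumes", []):
            if volume.split(":")[0].endswith("docker.sock"):
                findings.append((name, "docker.sock mounted: full control of the Docker daemon"))
        labels = svc.get("labels", {})
        routers = {}
        for key, value in labels.items():
            match = ROUTER_LABEL.match(key)
            if match:
                routers.setdefault(match.group(1), {})[match.group(2)] = value
        for router, opts in routers.items():
            if not any(option.startswith("tls") for option in opts):
                findings.append((name, f"router '{router}' sets no tls option"))
        # With several networks Traefik has to be told which one to route over.
        if routers and len(svc.get("networks", {})) > 1 and "traefik.docker.network" not in labels:
            findings.append((name, "several networks, no traefik.docker.network label"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit(COMPOSE):
        print(f"{service}: {finding}")
```

The docker.sock finding is expected for portainer and stays as a reminder that access to the portainer GUI equals control of the docker host; a router without a tls option is only acceptable when the entrypoint itself enables TLS.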
Run docker compose
To start your environment run
docker compose up -d
Docker will pull the necessary image from Docker Hub and run the new container. Traefik will create a new SSL certificate and route the requests to https://<your.fqdn.com> directly to your portainer container.
Everything will work as expected. Now you will be able to create docker compose files inside of your portainer environment and run the containers directly from portainer.
The next article will show how to integrate other portainer environments into your portainer infrastructure and run containers on different hosts and infrastructures.
Have fun!