Docker labels breaking Pangolin if duplicate names are used #67

New Issue

Open

opened 2025-11-19 07:13:10 -06:00 by GiteaMirror · 0 comments

GiteaMirror commented 2025-11-19 07:13:10 -06:00

Owner

Copy Link

Originally created by @DennisGaida on GitHub (Oct 19, 2025).

Describe the Bug

Trying to make Pangolin be more config based, I want to leverage docker labels, just like I am able with traefik.

Unfortunately labels (blueprints) seem to be yanky currently. Having duplicate label names on different machines connected via newt completely breaks Pangolin and I have to fix stuff in the sqlite database.

Environment

• OS Type & Version: Ubuntu & Debian
• Pangolin Version: 1.11
• Gerbil Version: 1.2.2
• Traefik Version: 3.5.3
• Newt Version: 1.5.2

To Reproduce

1. Have RemoteMachine1 configured via labels:

  [...]
  labels:
      ## Pangolin via Newt
      pangolin.proxy-resources.syncthing.name: syncthing
      pangolin.proxy-resources.syncthing.full-domain: syncthing1.domain.example.com
      pangolin.proxy-resources.syncthing.protocol: http
      pangolin.proxy-resources.syncthing.auth.sso-enabled: "true"
      pangolin.proxy-resources.syncthing.targets[0].method: http
      pangolin.proxy-resources.syncthing.targets[0].hostname: syncthing
      pangolin.proxy-resources.syncthing.targets[0].port: 8384

2. Observe the resource being pushed to Pangolin. Is also accessible via syncthing.domain.example.com
3. Now configure RemoteMachine2 via labels:

  [...]
  labels:
      ## Pangolin via Newt
      pangolin.proxy-resources.syncthing.name: syncthing
      pangolin.proxy-resources.syncthing.full-domain: syncthing2.domain.example.com
      pangolin.proxy-resources.syncthing.protocol: http
      pangolin.proxy-resources.syncthing.auth.sso-enabled: "true"
      pangolin.proxy-resources.syncthing.targets[0].method: http
      pangolin.proxy-resources.syncthing.targets[0].hostname: syncthing
      pangolin.proxy-resources.syncthing.targets[0].port: 8384

4. Observe that I only changed the full-domain.
5. What happens now is the following:

• Pangolin does not create the second resource, but deletes things
• After a restart (don't remember whether it was Pangolin itself, gerbil or newt), I get infinite authentication redirects
• These redirects cannot be fixed in Traefik and are directly related to Badger (since it's doing the redirecting)
• Checking the database I can tell it is broken

6. All resources that were added via any docker label from any machine are broken after adding the duplicate-name resource❗

The database now contains (NULL) for all subdomain that are configured via newt agents. The fullDomain is set to the base domain (if the subdomain would have been syncthing2.domain.example.com, fullDomain now is domain.example.com). This leads to an infinite redirect since there are multiple endpoints for the base domain (the base domain is also where my Pangolin is hosted, i.e. domain.example.com is Pangolin.

The only way to fix this is to manually edit the database and specify subdomain & fullDomain for the broken entries. To fix the database I have to stop Pangolin, then start it again and also restart traefik.

---

After playing around with this some more, I also figured out that the label key pangolin.proxy-resources.**<name>**.name is important, next to the value of the name itself. This really isn't represented in the documentation. I guess the best practice right now is then to create the following configuration if I had two services that are essentially the same, besides the host:

host1:

  [...]
  labels:
      pangolin.proxy-resources.syncthing-host1.name: syncthing-host1
      pangolin.proxy-resources.syncthing-host1.full-domain: syncthing-host1.domain.example.com
      pangolin.proxy-resources.syncthing-host1.protocol: http
      pangolin.proxy-resources.syncthing-host1.auth.sso-enabled: "true"
      pangolin.proxy-resources.syncthing-host1.targets[0].method: http
      pangolin.proxy-resources.syncthing-host1.targets[0].hostname: syncthing
      pangolin.proxy-resources.syncthing-host1.targets[0].port: 8384

host2:

  [...]
  labels:
      pangolin.proxy-resources.syncthing-host2.name: syncthing-host2
      pangolin.proxy-resources.syncthing-host2.full-domain: syncthing-host2.domain.example.com
      pangolin.proxy-resources.syncthing-host2.protocol: http
      pangolin.proxy-resources.syncthing-host2.auth.sso-enabled: "true"
      pangolin.proxy-resources.syncthing-host2.targets[0].method: http
      pangolin.proxy-resources.syncthing-host2.targets[0].hostname: syncthing
      pangolin.proxy-resources.syncthing-host2.targets[0].port: 8384

Expected Behavior

Pangolin shouldn't break like this due to a misconfiguration of docker labels - worse yet, having to remember to not re-use an ID I already used on another host. If an ID already exists, just add a -1 or whatever as a suffix.

Originally created by @DennisGaida on GitHub (Oct 19, 2025). ### Describe the Bug Trying to make Pangolin be more config based, I want to leverage docker labels, just like I am able with traefik. Unfortunately labels (blueprints) seem to be yanky currently. Having duplicate label names on different machines connected via newt completely breaks Pangolin and I have to fix stuff in the sqlite database. ### Environment - OS Type & Version: Ubuntu & Debian - Pangolin Version: 1.11 - Gerbil Version: 1.2.2 - Traefik Version: 3.5.3 - Newt Version: 1.5.2 ### To Reproduce 1. Have RemoteMachine1 configured via labels: ``` [...] labels: ## Pangolin via Newt pangolin.proxy-resources.syncthing.name: syncthing pangolin.proxy-resources.syncthing.full-domain: syncthing1.domain.example.com pangolin.proxy-resources.syncthing.protocol: http pangolin.proxy-resources.syncthing.auth.sso-enabled: "true" pangolin.proxy-resources.syncthing.targets[0].method: http pangolin.proxy-resources.syncthing.targets[0].hostname: syncthing pangolin.proxy-resources.syncthing.targets[0].port: 8384 ``` 2. Observe the resource being pushed to Pangolin. Is also accessible via syncthing.domain.example.com 3. Now configure RemoteMachine2 via labels: ``` [...] labels: ## Pangolin via Newt pangolin.proxy-resources.syncthing.name: syncthing pangolin.proxy-resources.syncthing.full-domain: syncthing2.domain.example.com pangolin.proxy-resources.syncthing.protocol: http pangolin.proxy-resources.syncthing.auth.sso-enabled: "true" pangolin.proxy-resources.syncthing.targets[0].method: http pangolin.proxy-resources.syncthing.targets[0].hostname: syncthing pangolin.proxy-resources.syncthing.targets[0].port: 8384 ``` 4. Observe that I only changed the full-domain. 5. What happens now is the following: - Pangolin does not create the second resource, but deletes things - After a restart (don't remember whether it was Pangolin itself, gerbil or newt), I get infinite authentication redirects - These redirects cannot be fixed in Traefik and are directly related to Badger (since it's doing the redirecting) - Checking the database I can tell it is broken 6. **All** resources that were added via any docker label from any machine are broken after adding the duplicate-name resource❗ <img width="991" height="202" alt="Image" src="https://github.com/user-attachments/assets/c13f9b7f-d363-4c93-93cc-e05a5a42c513" /> The database now contains `(NULL)` for all `subdomain` that are configured via newt agents. The `fullDomain` is set to the base domain (if the subdomain would have been `syncthing2.domain.example.com`, `fullDomain` now is `domain.example.com`). This leads to an infinite redirect since there are multiple endpoints for the base domain (the base domain is also where my Pangolin is hosted, i.e. `domain.example.com` is Pangolin. The only way to fix this is to manually edit the database and specify subdomain & fullDomain for the broken entries. To fix the database I have to stop Pangolin, then start it again and also restart traefik. --- After playing around with this some more, I also figured out that the label key `pangolin.proxy-resources.**<name>**.name` is important, next to the value of the name itself. This really isn't represented in the documentation. I guess the best practice right now is then to create the following configuration if I had two services that are essentially the same, besides the host: host1: ``` [...] labels: pangolin.proxy-resources.syncthing-host1.name: syncthing-host1 pangolin.proxy-resources.syncthing-host1.full-domain: syncthing-host1.domain.example.com pangolin.proxy-resources.syncthing-host1.protocol: http pangolin.proxy-resources.syncthing-host1.auth.sso-enabled: "true" pangolin.proxy-resources.syncthing-host1.targets[0].method: http pangolin.proxy-resources.syncthing-host1.targets[0].hostname: syncthing pangolin.proxy-resources.syncthing-host1.targets[0].port: 8384 ``` host2: ``` [...] labels: pangolin.proxy-resources.syncthing-host2.name: syncthing-host2 pangolin.proxy-resources.syncthing-host2.full-domain: syncthing-host2.domain.example.com pangolin.proxy-resources.syncthing-host2.protocol: http pangolin.proxy-resources.syncthing-host2.auth.sso-enabled: "true" pangolin.proxy-resources.syncthing-host2.targets[0].method: http pangolin.proxy-resources.syncthing-host2.targets[0].hostname: syncthing pangolin.proxy-resources.syncthing-host2.targets[0].port: 8384 ``` ### Expected Behavior Pangolin shouldn't break like this due to a misconfiguration of docker labels - worse yet, having to remember to not re-use an ID I already used on another host. If an ID already exists, just add a `-1` or whatever as a suffix.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

msg-opt

dependabot/go_modules/prod-patch-updates-3194e6d214

dependabot/docker/minor-updates-1134f52710

ssh-agent

msg-delivery

icmp2

port-firewall

platform

hp-multi-client

holepunch

updown

1.10.2

v1.10.2

1.10.1

v1.10.1

1.10.0

v1.10.0

1.9.5

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

v1.9.0

1.8.1

v1.8.1

v1.8.0

1.8.0

1.8.0-rc.0

1.7.0

1.6.1

1.7.0-rc.0

1.6.0

v1.0.1

1.4.9

1.5.2

1.5.1

1.5.0

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

bug

enhancement

good first issue

help wanted

Improvement

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/newt#67