[PR #61] [CLOSED] Docker "label" functionality to limit containers seen in Pangolin UI #95

New Issue

GiteaMirror · 2025-11-19T07:13:50-06:00

GiteaMirror commented

2025-11-19 07:13:50 -06:00

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/61
Author: @JonnyBooker
Created: 6/6/2025
Status: ❌ Closed

Base: dev ← Head: docker-label-enable

📝 Commits (10+)

641c7f2 Update sha256
c423f66 Merge pull request #53 from fosrl/dev
f8653e2 Merge remote-tracking branch 'upstream/main'
a937027 Update flake.nix for 1.2.0
4a70af4 Merge pull request #56 from fosrl/dev
21f5aa9 Merge remote-tracking branch 'upstream/main'
35d82ea Update flake.nix for 1.2.1
50b621f Merge pull request #60 from firecat53/main
456ac26 Update main.go
5473964 Update docker client to filter according to label

📊 Changes

5 files changed (+0 additions, -0 deletions)

View changed files

📝 README.md (+31 -0)
📝 docker/client.go (+18 -7)
📝 flake.lock (+4 -4)
📝 flake.nix (+3 -3)
📝 main.go (+46 -14)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

I wanted the ability to be able to limit which containers pangolin can see. I have containers locally that I would not want to expose and seeing them in a list amongst containers that I did felt redundant and I didn't want to give the option in the UI.

Similar to traefik/watchtower, I have added functionality where if a new environment variable is set DOCKER_LABEL_ENABLE to the value of true, that any container without a dedicated new label of newt.docker.enable=true, would be ignored and not sent to pangolin. Default not setting of this variable would keep existing behaviour.

This does not disable access to the container itself, more disables it from being shown in pangolin, it could still be connected to if you knew the IP address. Therefore if a different name would be preferred, then that would be fine. I was following in the footsteps of other apps. Could have the potential that could call list containers once more to get the enabled one, matching up the IP address of the target against docker containers that are label enabled and reject connecting up this server? Open to suggestions on that one if should that.

I have also made it output the values of the variables being used if the log level is lowered to DEBUG so you can verify you are seeing the values you expect.

I haven't got any experience before today in Go so any conventions/formatting/aspects you would like me to change, I'm completely open. I just wanted to see if could make it happen and offer the option if people wanted it.

How to test?

A build of newt would be required from this branch, in this instance I have built the dockerfile locally in the root git repository using:

docker build . -t newt:test

Using docker compose below, a valid newt id/secret/endpoint will be required
Here is an example docker-compose.yml

services:
  newt:
    image: newt:test
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=<Endpoint Value>
      - NEWT_ID=<ID Value>
      - NEWT_SECRET=<Secret Value>
      - DOCKER_LABEL_ENABLE=true
      - DOCKER_SOCKET=/var/run/docker.sock
    networks:
      - newt-network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  nginx-example-1:
    image: nginx:latest
    container_name: nginx-example-1
    networks:
      - newt-network
    restart: unless-stopped

  nginx-example-2:
    image: nginx:latest
    labels:
      - newt.docker.enable=true
    container_name: nginx-example-2
    networks:
      - newt-network
    restart: unless-stopped

networks:
  newt-network:

In pangolin, only one container should be visible via the dashboard:

Logs will be visible if using a debug log level saying what is and isn't included:

Output of the debug logs for env variables:

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/newt/pull/61 **Author:** [@JonnyBooker](https://github.com/JonnyBooker) **Created:** 6/6/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `docker-label-enable` --- ### 📝 Commits (10+) - [`641c7f2`](https://github.com/fosrl/newt/commit/641c7f27a28fa2d1bd785e048ed76a237779e935) Update sha256 - [`c423f66`](https://github.com/fosrl/newt/commit/c423f6692abab4d8edde9cf517cdad646af89f07) Merge pull request #53 from fosrl/dev - [`f8653e2`](https://github.com/fosrl/newt/commit/f8653e245e9af559e862989e9c48b884301fe8eb) Merge remote-tracking branch 'upstream/main' - [`a937027`](https://github.com/fosrl/newt/commit/a937027838b5f38c00a6a47e5aec8d72e31decc4) Update flake.nix for 1.2.0 - [`4a70af4`](https://github.com/fosrl/newt/commit/4a70af44bb12cd219cce0da642a0d4aa37917de4) Merge pull request #56 from fosrl/dev - [`21f5aa9`](https://github.com/fosrl/newt/commit/21f5aa906dd64b3a634727520cc13f5e2f1e78b3) Merge remote-tracking branch 'upstream/main' - [`35d82ea`](https://github.com/fosrl/newt/commit/35d82ea15c3a416205c26782c56ca422817991d3) Update flake.nix for 1.2.1 - [`50b621f`](https://github.com/fosrl/newt/commit/50b621f17c5380ff45acd6fb394712ebf6ebd17e) Merge pull request #60 from firecat53/main - [`456ac26`](https://github.com/fosrl/newt/commit/456ac26620ae4b5d065ecb27b0a8484e369d7f33) Update main.go - [`5473964`](https://github.com/fosrl/newt/commit/547396490819b4ce3cc3fae09f41f11a039dc4b0) Update docker client to filter according to label ### 📊 Changes **5 files changed** (+0 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `README.md` (+31 -0) 📝 `docker/client.go` (+18 -7) 📝 `flake.lock` (+4 -4) 📝 `flake.nix` (+3 -3) 📝 `main.go` (+46 -14) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description I wanted the ability to be able to limit which containers pangolin can see. I have containers locally that I would not want to expose and seeing them in a list amongst containers that I did felt redundant and I didn't want to give the option in the UI. Similar to traefik/watchtower, I have added functionality where if a new environment variable is set `DOCKER_LABEL_ENABLE` to the value of `true`, that any container without a dedicated new label of `newt.docker.enable=true`, would be ignored and not sent to pangolin. Default not setting of this variable would keep existing behaviour. This does not disable access to the container itself, more disables it from being shown in pangolin, it could still be connected to if you knew the IP address. Therefore if a different name would be preferred, then that would be fine. I was following in the footsteps of other apps. Could have the potential that could call list containers once more to get the enabled one, matching up the IP address of the target against docker containers that are label enabled and reject connecting up this server? Open to suggestions on that one if should that. I have also made it output the values of the variables being used if the log level is lowered to `DEBUG` so you can verify you are seeing the values you expect. I haven't got any experience before today in Go so any conventions/formatting/aspects you would like me to change, I'm completely open. I just wanted to see if could make it happen and offer the option if people wanted it. ## How to test? 1. A build of newt would be required from this branch, in this instance I have built the dockerfile locally in the root git repository using: ```shell docker build . -t newt:test ``` 2. Using docker compose below, a valid newt id/secret/endpoint will be required Here is an example `docker-compose.yml` ```yaml services: newt: image: newt:test container_name: newt restart: unless-stopped environment: - PANGOLIN_ENDPOINT=<Endpoint Value> - NEWT_ID=<ID Value> - NEWT_SECRET=<Secret Value> - DOCKER_LABEL_ENABLE=true - DOCKER_SOCKET=/var/run/docker.sock networks: - newt-network volumes: - /var/run/docker.sock:/var/run/docker.sock nginx-example-1: image: nginx:latest container_name: nginx-example-1 networks: - newt-network restart: unless-stopped nginx-example-2: image: nginx:latest labels: - newt.docker.enable=true container_name: nginx-example-2 networks: - newt-network restart: unless-stopped networks: newt-network: ``` In pangolin, only one container should be visible via the dashboard: <img width="858" alt="image" src="https://github.com/user-attachments/assets/c8e3754d-bd6d-47c7-a9f9-3a769d29a07d" /> Logs will be visible if using a debug log level saying what is and isn't included: ![image](https://github.com/user-attachments/assets/ea510f48-bcd8-4a84-bea1-11bc10a5e379) Output of the debug logs for env variables: <img width="500" alt="image" src="https://github.com/user-attachments/assets/bf4d3f5e-3985-47f6-a0a8-c733e8c317ec" /> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-19 07:13:50 -06:00

GiteaMirror closed this issue

2025-11-19 07:13:50 -06:00

GiteaMirror referenced this issue

2025-11-19 07:14:24 -06:00

[PR #95] [MERGED] Bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible in the prod-patch-updates group #118

GiteaMirror referenced this issue

2025-11-19 07:14:28 -06:00

[PR #98] [CLOSED] Split mTLS client and CA certificates handling for improved TLS configuration #121

Sign in to join this conversation.