[GH-ISSUE #1784] A single Docker label error prevents all from updating #3946

New Issue

Open

opened 2026-04-20 08:16:27 -05:00 by GiteaMirror · 6 comments

GiteaMirror commented 2026-04-20 08:16:27 -05:00

Owner

Copy Link

Originally created by @sippeangelo on GitHub (Oct 30, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1784

Originally assigned to: @oschwartz10612 on GitHub.

Describe the Bug

I've been using the Docker socket functionality and it's really cool! However, it seems that if ANY Docker container has a label that Pangolin doesn't like, it prevents all other Docker services from being parsed by Pangolin.

I was updating a port number on an unrelated service (service-2), and I was puzzled why the port number wouldn't update in Pangolin even though I changed the label and brought the service up again. After a while I found this in the Pangolin log:

2025-10-30T18:47:36+00:00 [error]: Failed to update database from config: Error: Validation error: Required at "proxy-resources.service-2.targets[0].port"

The problem seemed to be that the port label NEEDED to be present on service-2 (I'm guessing because the container didn't expose one that it could pick up automatically?), but this made service-1 unable to change. I added the port label to service-2 and that made service-1 update, now that the Pangolin log was error free.

Environment

• Pangolin Version: v1.11.1
• Gerbil Version:
• Traefik Version: v3.3.3
• Newt Version:
• Olm Version: (if applicable)

To Reproduce

See description

Expected Behavior

Unrelated label configuration errors shouldn't affect other services.

Originally created by @sippeangelo on GitHub (Oct 30, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1784 Originally assigned to: @oschwartz10612 on GitHub. ### Describe the Bug I've been using the Docker socket functionality and it's really cool! However, it seems that if ANY Docker container has a label that Pangolin doesn't like, it prevents all other Docker services from being parsed by Pangolin. I was updating a port number on an unrelated service (`service-2`), and I was puzzled why the port number wouldn't update in Pangolin even though I changed the label and brought the service up again. After a while I found this in the Pangolin log: ``` 2025-10-30T18:47:36+00:00 [error]: Failed to update database from config: Error: Validation error: Required at "proxy-resources.service-2.targets[0].port" ``` The problem seemed to be that the `port` label NEEDED to be present on `service-2` (I'm guessing because the container didn't expose one that it could pick up automatically?), but this made `service-1` unable to change. I added the `port` label to `service-2` and that made `service-1` update, now that the Pangolin log was error free. ### Environment - Pangolin Version: v1.11.1 - Gerbil Version: - Traefik Version: v3.3.3 - Newt Version: - Olm Version: (if applicable) ### To Reproduce See description ### Expected Behavior Unrelated label configuration errors shouldn't affect other services.

GiteaMirror added the Improvementconfig labels 2026-04-20 08:16:27 -05:00

GiteaMirror commented 2026-04-20 08:16:29 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (Nov 4, 2025):

Can you show your exact labels by chance? redacting for any secrets? but retain the labels as much as possible?

<!-- gh-comment-id:3483230912 --> @AstralDestiny commented on GitHub (Nov 4, 2025): Can you show your exact labels by chance? redacting for any secrets? but retain the labels as much as possible?

GiteaMirror commented 2026-04-20 08:16:30 -05:00

Author

Owner

Copy Link

@sippeangelo commented on GitHub (Nov 5, 2025):

Here's a minimal repro:

testservice is a Docker image that doesn't "EXPOSE" any port. If I leave the Pangolin port tag commented out on testservice, I receive the error in the Pangolin logs, and any port update I do to the whoami service now seems to be ignored by Pangolin until the "error" on testservice is fixed.

[error]: Failed to update database from config: Error: Validation error: Required at "proxy-resources.testservice.targets[0].port"

I haven't tested if this applies to any other error causing tags, but it feels likely.

./docker-compose.yml

services:
  whoami:
    image: containous/whoami
    labels:
      - pangolin.proxy-resources.whoami.name=whoami
      - pangolin.proxy-resources.whoami.full-domain=whoami.example.com
      - pangolin.proxy-resources.whoami.protocol=http
      - pangolin.proxy-resources.whoami.targets[0].method=http
      - pangolin.proxy-resources.whoami.targets[0].port=80
    restart: unless-stopped

  testservice:
    build: ./testservice
    labels:
      - pangolin.proxy-resources.testservice.name=test
      - pangolin.proxy-resources.testservice.full-domain=test.example.com
      - pangolin.proxy-resources.testservice.protocol=http
      - pangolin.proxy-resources.testservice.targets[0].method=http
      # - pangolin.proxy-resources.testservice.targets[0].port=80
    restart: unless-stopped

./testservice/Dockerfile

FROM alpine:latest
CMD while true; do echo "Hello world"; sleep 1; done

<!-- gh-comment-id:3492544011 --> @sippeangelo commented on GitHub (Nov 5, 2025): Here's a minimal repro: `testservice` is a Docker image that doesn't "EXPOSE" any port. If I leave the Pangolin port tag commented out on `testservice`, I receive the error in the Pangolin logs, and any port update I do to the `whoami` service now seems to be ignored by Pangolin until the "error" on `testservice` is fixed. `[error]: Failed to update database from config: Error: Validation error: Required at "proxy-resources.testservice.targets[0].port"` I haven't tested if this applies to any other error causing tags, but it feels likely. ./docker-compose.yml ``` services: whoami: image: containous/whoami labels: - pangolin.proxy-resources.whoami.name=whoami - pangolin.proxy-resources.whoami.full-domain=whoami.example.com - pangolin.proxy-resources.whoami.protocol=http - pangolin.proxy-resources.whoami.targets[0].method=http - pangolin.proxy-resources.whoami.targets[0].port=80 restart: unless-stopped testservice: build: ./testservice labels: - pangolin.proxy-resources.testservice.name=test - pangolin.proxy-resources.testservice.full-domain=test.example.com - pangolin.proxy-resources.testservice.protocol=http - pangolin.proxy-resources.testservice.targets[0].method=http # - pangolin.proxy-resources.testservice.targets[0].port=80 restart: unless-stopped ``` ./testservice/Dockerfile ``` FROM alpine:latest CMD while true; do echo "Hello world"; sleep 1; done ```

GiteaMirror commented 2026-04-20 08:16:31 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Nov 8, 2025):

Closing this because it is by design. Perhaps it is confusing as you mention in this post but all of the labels are added together each time it is applied in newt. This means that the whole docker compose is the blueprint and blueprints fail if any one part of it is bad to prevent undefined behavior. It would not be possible to silo containers I think because technically you could define things for another resource on a container because it is just referenced by ID so we have to join them all together.

Open to suggestions if this feels incorrect.

<!-- gh-comment-id:3507170325 --> @oschwartz10612 commented on GitHub (Nov 8, 2025): Closing this because it is by design. Perhaps it is confusing as you mention in this post but all of the labels are added together each time it is applied in newt. This means that the whole docker compose is the blueprint and blueprints fail if any one part of it is bad to prevent undefined behavior. It would not be possible to silo containers I think because technically you could define things for another resource on a container because it is just referenced by ID so we have to join them all together. Open to suggestions if this feels incorrect.

GiteaMirror commented 2026-04-20 08:16:33 -05:00

Author

Owner

Copy Link

@sippeangelo commented on GitHub (Nov 10, 2025):

Closing this because it is by design. Perhaps it is confusing as you mention in this post but all of the labels are added together each time it is applied in newt. This means that the whole docker compose is the blueprint and blueprints fail if any one part of it is bad to prevent undefined behavior. It would not be possible to silo containers I think because technically you could define things for another resource on a container because it is just referenced by ID so we have to join them all together.

Open to suggestions if this feels incorrect.

The fact that completely unrelated configuration mistakes can bring down ALL unrelated services on the same Docker socket is really unfortunate and prevents this feature from being used in any realistic production scenario.

I get that we can't completely silo them, but I don't see why one configuration mistake in an unrelated manually namespaced tag need to bring down all the others! Especially since the fault is very insidious in how there is no clear way to see these errors without checking the Pangolin logs, and it might not be discovered until way down the line until you wonder why some other updated service is suddenly just down.

<!-- gh-comment-id:3510409431 --> @sippeangelo commented on GitHub (Nov 10, 2025): > Closing this because it is by design. Perhaps it is confusing as you mention in this post but all of the labels are added together each time it is applied in newt. This means that the whole docker compose is the blueprint and blueprints fail if any one part of it is bad to prevent undefined behavior. It would not be possible to silo containers I think because technically you could define things for another resource on a container because it is just referenced by ID so we have to join them all together. > > Open to suggestions if this feels incorrect. The fact that completely unrelated configuration mistakes can bring down ALL unrelated services on the same Docker socket is really unfortunate and prevents this feature from being used in any realistic production scenario. I get that we can't completely silo them, but I don't see why one configuration mistake in an unrelated manually namespaced tag need to bring down all the others! Especially since the fault is very insidious in how there is no clear way to see these errors without checking the Pangolin logs, and it might not be discovered until way down the line until you wonder why some other updated service is suddenly just down.

GiteaMirror commented 2026-04-20 08:16:35 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Nov 22, 2025):

Ill take a deeper look

<!-- gh-comment-id:3567090366 --> @oschwartz10612 commented on GitHub (Nov 22, 2025): Ill take a deeper look

GiteaMirror commented 2026-04-20 08:16:35 -05:00

Author

Owner

Copy Link

@LunarECL commented on GitHub (Mar 8, 2026):

Found the root cause. ConfigSchema.safeParse() in applyBlueprint.ts validates all resources at once, so one bad resource (like a missing port on a container with no EXPOSE) takes down the whole blueprint. Everything else that's perfectly fine fails too.

Going to add per-resource validation on the Docker blueprint side so we can just skip the broken ones with a warning instead of blowing up entirely. Cross-resource checks stay as-is. Will throw up a draft PR soon.

<!-- gh-comment-id:4019495335 --> @LunarECL commented on GitHub (Mar 8, 2026): Found the root cause. `ConfigSchema.safeParse()` in `applyBlueprint.ts` validates all resources at once, so one bad resource (like a missing port on a container with no EXPOSE) takes down the whole blueprint. Everything else that's perfectly fine fails too. Going to add per-resource validation on the Docker blueprint side so we can just skip the broken ones with a warning instead of blowing up entirely. Cross-resource checks stay as-is. Will throw up a draft PR soon.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label config Improvement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#3946