[GH-ISSUE #1864] Resources created from Docker labels are not removed when labels are deleted, leaving services unintentionally exposed #8795

New Issue

GiteaMirror · 2026-04-30T04:50:32-05:00

GiteaMirror commented

2026-04-30 04:50:32 -05:00

Originally created by @hilsonp on GitHub (Nov 14, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1864

Describe the Bug

When a Pangolin resource is created via Docker labels, it correctly appears in the UI.
However, if those labels are later removed from the Docker Compose configuration and the container is restarted, the Pangolin resource remains active instead of being removed or disabled.

This results in a potentially dangerous situation where a service is still reachable from the public network even though the configuration-as-code source (Git) no longer defines any labels for it.
Users familiar with Traefik may assume resources are dynamically added/removed based on labels, potentially leading to accidental exposure.

This may relate to: https://github.com/orgs/fosrl/discussions/1648

Environment

OS Type & Version: 22.04.1-Ubuntu
Pangolin Version: 1.10.0
Gerbil Version: 1.2.1
Traefik Version: 3.4.0
Newt Version: 1.6.0

To Reproduce

Deploy the following minimal Docker Compose configuration:

   services:
     hello:
       image: nginxdemos/hello:0.4
       container_name: hello
       labels:
         - pangolin.proxy-resources.hello.full-domain=hello.${DOMAIN}
         - pangolin.proxy-resources.hello.targets[0].method=http
       networks:
         - fossorial_newt

   networks:
     fossorial_newt:
       external: true

Start the stack (docker compose up -d).
➜ The resource appears in Pangolin as expected.
Remove the two Pangolin labels from the hello service.
Restart the container.
Check the Pangolin UI and test public accessibility.
➜ The resource is still present and the service remains reachable.

Expected Behavior

When labels defining a resource are removed:
•	The Pangolin resource should automatically disappear, or automatically disable itself.
•	The service should no longer be reachable via the proxy.
•	The UI should match the state defined in Docker Compose so Git remains the single source of truth.

Originally created by @hilsonp on GitHub (Nov 14, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1864 ### Describe the Bug When a Pangolin resource is created via Docker labels, it correctly appears in the UI. However, if those labels are later removed from the Docker Compose configuration and the container is restarted, the Pangolin resource **remains active** instead of being removed or disabled. This results in a potentially dangerous situation where a service is still reachable from the public network even though the configuration-as-code source (Git) no longer defines any labels for it. Users familiar with Traefik may assume resources are dynamically added/removed based on labels, potentially leading to accidental exposure. This may relate to: https://github.com/orgs/fosrl/discussions/1648 ### Environment - OS Type & Version: 22.04.1-Ubuntu - Pangolin Version: 1.10.0 - Gerbil Version: 1.2.1 - Traefik Version: 3.4.0 - Newt Version: 1.6.0 ### To Reproduce 1. Deploy the following minimal Docker Compose configuration: ```yaml services: hello: image: nginxdemos/hello:0.4 container_name: hello labels: - pangolin.proxy-resources.hello.full-domain=hello.${DOMAIN} - pangolin.proxy-resources.hello.targets[0].method=http networks: - fossorial_newt networks: fossorial_newt: external: true ``` 2. Start the stack (docker compose up -d). ➜ The resource appears in Pangolin as expected. 3. Remove the two Pangolin labels from the hello service. 4. Restart the container. 5. Check the Pangolin UI and test public accessibility. ➜ The resource is still present and the service remains reachable. ### Expected Behavior When labels defining a resource are removed: • The Pangolin resource should automatically disappear, or automatically disable itself. • The service should no longer be reachable via the proxy. • The UI should match the state defined in Docker Compose so Git remains the single source of truth.

GiteaMirror closed this issue

2026-04-30 04:50:33 -05:00

GiteaMirror commented

2026-04-30 04:50:35 -05:00

@hilsonp commented on GitHub (Nov 14, 2025):

Upgraded and re-tested with:

OS Type & Version: 22.04.1-Ubuntu
Pangolin Version: 1.12.2
Gerbil Version: 1.2.2
Traefik Version: 3.6.1
Newt Version: 1.6.0

@hilsonp commented on GitHub (Nov 14, 2025): Upgraded and re-tested with: OS Type & Version: 22.04.1-Ubuntu Pangolin Version: 1.12.2 Gerbil Version: 1.2.2 Traefik Version: 3.6.1 Newt Version: 1.6.0

GiteaMirror commented

2026-04-30 04:50:37 -05:00

@github-actions[bot] commented on GitHub (Nov 29, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

@github-actions[bot] commented on GitHub (Nov 29, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

GiteaMirror commented

2026-04-30 04:50:37 -05:00

@hilsonp commented on GitHub (Nov 29, 2025):

Hopefully, this will be considered.
Thank you for the great work.

@hilsonp commented on GitHub (Nov 29, 2025): Hopefully, this will be considered. Thank you for the great work.

GiteaMirror commented

2026-04-30 04:50:38 -05:00

@github-actions[bot] commented on GitHub (Dec 15, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

@github-actions[bot] commented on GitHub (Dec 15, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

GiteaMirror commented

2026-04-30 04:50:39 -05:00

@hilsonp commented on GitHub (Dec 23, 2025):

Unstaled

@hilsonp commented on GitHub (Dec 23, 2025): Unstaled

GiteaMirror commented

2026-04-30 04:50:39 -05:00

@oschwartz10612 commented on GitHub (Dec 24, 2025):

Closing in favor of https://github.com/orgs/fosrl/discussions/1648 as mentioned in your post. I think this is a feature request.

Right now this is expected operation. Resources must be deleted from the UI or the API.

I agree with your statements though so we will consider this as soon as possible and track on the discussion!

@oschwartz10612 commented on GitHub (Dec 24, 2025): Closing in favor of https://github.com/orgs/fosrl/discussions/1648 as mentioned in your post. I think this is a feature request. Right now this is expected operation. Resources must be deleted from the UI or the API. I agree with your statements though so we will consider this as soon as possible and track on the discussion!

Sign in to join this conversation.

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#8795