From 6c1241ed89a07d49d80e1656a602cb5db536e3dd Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Thu, 23 Apr 2026 18:22:32 +0200 Subject: [PATCH] docs(docker): replace obsolete 504 workaround note with the real wiring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-fix the paragraph claimed every dynamically-created container MUST carry `traefik.docker.network=cameleer-traefik` to avoid a 504, because Traefik's Docker provider pointed at `network: cameleer` (a literal name that never matched any real network). After the one-line static config fix (df64573), Traefik's provider targets `cameleer-traefik` directly — the network every managed container already joins — so the per-container label is just defense-in-depth, not required. Rewritten to describe current behaviour and keep a short note about the pre-fix 504 for operators who roll back to an old image. Co-Authored-By: Claude Opus 4.7 (1M context) --- docker/CLAUDE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/CLAUDE.md b/docker/CLAUDE.md index 2581714..fce073c 100644 --- a/docker/CLAUDE.md +++ b/docker/CLAUDE.md @@ -38,7 +38,7 @@ Per-tenant networks (created dynamically by `DockerTenantProvisioner`): Server containers join three networks: tenant network (primary), shared services network (`cameleer`), and traefik network. Apps deployed by the server use the tenant network as primary. -**IMPORTANT:** Dynamically-created containers MUST have `traefik.docker.network=cameleer-traefik` label. Traefik's Docker provider defaults to `network: cameleer` (compose-internal name) for IP resolution, which doesn't match dynamically-created containers connected via Docker API using the host network name (`cameleer-saas_cameleer`). Without this label, Traefik returns 504 Gateway Timeout for `/t/{slug}/api/*` paths. +**Backend IP resolution:** Traefik's Docker provider is configured with `network: cameleer-traefik` (static `traefik.yml`). Every cameleer-managed container — saas-provisioned tenant containers (via `DockerTenantProvisioner`) and cameleer-server's per-app containers (via `DockerNetworkManager`) — is attached to `cameleer-traefik` at creation, so Traefik always resolves a reachable backend IP. Provisioned tenant containers additionally emit a `traefik.docker.network=cameleer-traefik` label as per-service defense-in-depth. (Pre-2026-04-23 the static config pointed at `network: cameleer`, a name that never matched any real network — that produced 504 Gateway Timeout on every managed app until the Traefik image was rebuilt.) ## Custom sign-in UI (`ui/sign-in/`)