Resources created from Docker labels are not removed when labels are deleted, leaving services unintentionally exposed #1864
Description
Describe the Bug
When a Pangolin resource is created via Docker labels, it correctly appears in the UI.
However, if those labels are later removed from the Docker Compose configuration and the container is restarted, the Pangolin resource remains active instead of being removed or disabled.
This results in a potentially dangerous situation where a service is still reachable from the public network even though the configuration-as-code source (Git) no longer defines any labels for it.
Users familiar with Traefik may assume resources are dynamically added/removed based on labels, potentially leading to accidental exposure.
This may relate to: https://github.com/orgs/fosrl/discussions/1648
Environment
- OS Type & Version: 22.04.1-Ubuntu
- Pangolin Version: 1.10.0
- Gerbil Version: 1.2.1
- Traefik Version: 3.4.0
- Newt Version: 1.6.0
To Reproduce
- Deploy the following minimal Docker Compose configuration:
services:
hello:
image: nginxdemos/hello:0.4
container_name: hello
labels:
- pangolin.proxy-resources.hello.full-domain=hello.${DOMAIN}
- pangolin.proxy-resources.hello.targets[0].method=http
networks:
- fossorial_newt
networks:
fossorial_newt:
external: true- Start the stack (docker compose up -d).
➜ The resource appears in Pangolin as expected. - Remove the two Pangolin labels from the hello service.
- Restart the container.
- Check the Pangolin UI and test public accessibility.
➜ The resource is still present and the service remains reachable.
Expected Behavior
When labels defining a resource are removed:
• The Pangolin resource should automatically disappear, or automatically disable itself.
• The service should no longer be reachable via the proxy.
• The UI should match the state defined in Docker Compose so Git remains the single source of truth.