fix: Add Socket Proxy for secure Docker socket access #429
Open
zhaog100 wants to merge 1 commit into illbnm:master from
Conversation
Implements Issue #1 - Base Infrastructure

## Changes

### Added

- Socket Proxy service (tecnativa/docker-socket-proxy:0.2.0)
  - Provides secure, restricted access to Docker API
  - Read-only operations only (CONTAINERS, SERVICES, NETWORKS, IMAGES, INFO)
  - All write operations disabled (POST=0, DELETE=0, PUT=0)
  - Health check endpoint for dependency management

### Modified

- Traefik: Now connects to Docker via socket-proxy instead of direct socket mount
- Portainer: Now connects to Docker via socket-proxy
- Watchtower: Now connects to Docker via socket-proxy
- All services depend on socket-proxy being healthy before starting
- Fixed middlewares.yml to use proper YAML format instead of shell commands
- Updated README with Socket Proxy documentation and security benefits

### Security Improvements

- Docker socket is no longer directly mounted into any container
- Least-privilege access: services only get required Docker API permissions
- Network isolation: Docker socket not exposed to container networks
- Auditability: all Docker API calls go through single controlled point

## Verification

All services now use DOCKER_HOST=tcp://socket-proxy:2375 instead of mounting /var/run/docker.sock directly. The socket-proxy service must be healthy before dependent services start.

Fixes illbnm#1
## Summary

This PR implements Issue #1 (Base Infrastructure) by adding a Socket Proxy service to provide secure, restricted access to the Docker socket.

## Problem

Previously, Traefik, Portainer, and Watchtower directly mounted the Docker socket (`/var/run/docker.sock`) into their containers. This is a security risk because:

## Solution

Added `tecnativa/docker-socket-proxy` as an intermediary:

`tcp://socket-proxy:2375`)

## Changes

### Added

`DOCKER_HOST=tcp://socket-proxy:2375` for all Docker clients

### Modified

`middlewares.yml` to use proper YAML format

### Security Improvements

## Verification

Tested that:

## Testing Instructions

## Acceptance Criteria from Issue #1

- `docker compose up -d` starts all 4 services (now 4: socket-proxy, traefik, portainer, watchtower)
- `http://IP:80` redirects to HTTPS
- `traefik.${DOMAIN}` accessible with BasicAuth
- `portainer.${DOMAIN}` accessible
- `proxy` network

Fixes #1
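As an added example that is not part of this PR or the illbnm repository, the Compose file below shows one way to wire up the socket-proxy pattern described in the PR: the proxy is the only container that sees the real socket (read-only), it exposes only the API sections the PR lists with every mutating verb disabled, it sits on an internal network with no published port, and the clients are gated on its health check. The proxy's environment values are the ones stated in the PR; the service definitions for Traefik, Portainer and Watchtower, the image tags, the network names and the health check command are assumptions. Where the PR states `DOCKER_HOST` for all clients, this example uses Traefik's `--providers.docker.endpoint` flag and Portainer's `-H` flag instead, since those are the documented ways those two tools take a remote endpoint; Watchtower honours `DOCKER_HOST` directly.

```yaml
# Added example (not the repository's own compose file) of the socket-proxy
# layout described in PR #429. Client service definitions, image tags, network
# names and the healthcheck command are assumptions; the proxy environment
# values are the ones the PR states.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0
    environment:
      # API sections the clients may read (as listed in the PR)
      CONTAINERS: 1
      SERVICES: 1
      NETWORKS: 1
      IMAGES: 1
      INFO: 1
      # Every mutating verb refused; the proxy answers 403 for these
      POST: 0
      DELETE: 0
      PUT: 0
    volumes:
      # The only container that sees the real socket, and read-only at that
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy
    # Deliberately no `ports:` entry: 2375 is reachable only on the internal
    # network below, never from the host or the public proxy network.
    healthcheck:
      # Assumption: the image ships busybox wget; /version is permitted by the
      # proxy's defaults, so this probes it without needing a write verb.
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:2375/version"]
      interval: 10s
      timeout: 5s
      retries: 3
    restart: unless-stopped

  traefik:
    image: traefik:v2.10            # tag is an assumption
    command:
      - --providers.docker=true
      # Point the Docker provider at the proxy instead of the socket
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    depends_on:
      socket-proxy:
        condition: service_healthy   # start only once the proxy is healthy
    networks:
      - socket-proxy   # to reach the proxy
      - proxy          # to reach the routed application containers
    # No docker.sock volume on this service

  portainer:
    image: portainer/portainer-ce:2.19.4   # tag is an assumption
    command: -H tcp://socket-proxy:2375      # Portainer's remote-endpoint flag
    depends_on:
      socket-proxy:
        condition: service_healthy
    networks:
      - socket-proxy
      - proxy

  watchtower:
    image: containrrr/watchtower:1.7.1     # tag is an assumption
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375 # Watchtower reads DOCKER_HOST
    depends_on:
      socket-proxy:
        condition: service_healthy
    networks:
      - socket-proxy

networks:
  socket-proxy:
    internal: true   # no route out of this network; only members reach :2375
  proxy: {}
```

A quick check of the boundary from any container attached to the `socket-proxy` network that has `curl`: `curl http://socket-proxy:2375/containers/json` returns the container list, while `curl -X POST http://socket-proxy:2375/containers/prune` is answered with HTTP 403, and from the host or the `proxy` network port 2375 is not reachable at all. One design caveat worth keeping in mind with this exact configuration: Watchtower's update path (pull image, stop, remove, recreate) and Portainer's management actions are POST and DELETE calls, which a proxy with `POST=0` and `DELETE=0` refuses, so behind this instance they can only observe. A client that genuinely needs to write should get its own proxy instance on its own internal network with only the verbs and API sections it requires, rather than widening the shared read-only one.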