qdm12 / docker-proxy-acl-alpine

A lightweight docker Unix socket proxy which restricts endpoint usage to allowed sections


Docker-proxy-ACL-Alpine

Lightweight container running a restricted Docker unix socket proxy

Image size   RAM usage   CPU usage
5.82MB       10MB        Low

Why

  • A better version than titpetric/docker-proxy-acl
    • 6MB instead of 450MB Docker image
    • Options can be changed with command-line arguments
    • Emojis
    • More checks
  • No need to run with --privileged, even though the Docker socket is bind-mounted
  • No networking, just Unix socket files

Exposing /var/run/docker.sock to a Docker container that requires it (such as netdata) raises security concerns: the container should be limited in what it can do with docker.sock.

You can enable an endpoint with the -a argument. Currently supported endpoints are:

  • containers: opens access to /containers/json and /containers/{name}/json
  • images: opens access to /images/json, /images/{name}/json and /images/{name}/history
  • networks: opens access to /networks and /networks/{name}
  • volumes: opens access to /volumes and /volumes/{name}
  • services: opens access to /services and /services/{id}
  • tasks: opens access to /tasks and /tasks/{name}
  • events: opens access to /events
  • info: opens access to /info
  • version: opens access to /version
  • ping: opens access to /_ping
  • Untested endpoints:
    • events
    • auth
    • secrets
    • build
    • commit
    • configs
    • distribution
    • exec
    • nodes
    • plugins
    • session
    • swarm
    • system

To enable several endpoints, repeat the argument, for example: -a info -a version
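As an added illustration (not the project's own code), here is a minimal Go version of the allowlist that the -a sections describe: a default-deny policy function plus a reverse proxy that only dials the real daemon socket for permitted requests. It assumes that only GET is forwarded (every listed endpoint is read-only) and that an optional Docker API version prefix such as /v1.41 may precede the path.

```go
package main

import (
	"context"
	"net"
	"net/http"
	"net/http/httputil"
	"regexp"
)

// Paths each section opens, mirroring the README list; {name}/{id} is one path segment.
var sectionRules = map[string][]string{
	"containers": {`/containers/json`, `/containers/[^/]+/json`},
	"images":     {`/images/json`, `/images/[^/]+/(json|history)`},
	"networks":   {`/networks(/[^/]+)?`},
	"volumes":    {`/volumes(/[^/]+)?`},
	"services":   {`/services(/[^/]+)?`},
	"tasks":      {`/tasks(/[^/]+)?`},
	"events": {`/events`}, "info": {`/info`}, "version": {`/version`}, "ping": {`/_ping`},
}

// Allowed is the policy decision: default deny, GET only (assumption: every listed
// endpoint is read-only), and only a path that belongs to an enabled section.
func Allowed(enabled []string, method, path string) bool {
	if method != http.MethodGet {
		return false
	}
	for _, section := range enabled {
		for _, pat := range sectionRules[section] {
			// Clients usually send a versioned path such as /v1.41/containers/json.
			if ok, _ := regexp.MatchString(`^(?:/v[0-9]+\.[0-9]+)?(?:`+pat+`)$`, path); ok {
				return true
			}
		}
	}
	return false
}

// NewProxy puts Allowed in front of a reverse proxy that dials the real daemon
// socket; a denied request is answered with 403 and never reaches dockerd.
func NewProxy(enabled []string, daemonSock string) http.Handler {
	rp := &httputil.ReverseProxy{
		Director:  func(r *http.Request) { r.URL.Scheme, r.URL.Host = "http", "docker" },
		Transport: &http.Transport{DialContext: func(_ context.Context, _, _ string) (net.Conn, error) { return net.Dial("unix", daemonSock) }},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if Allowed(enabled, r.Method, r.URL.Path) { rp.ServeHTTP(w, r); return }
		http.Error(w, "endpoint not allowed by proxy", http.StatusForbidden)
	})
}
```

To serve it, listen on a Unix socket in the exposed directory (net.Listen("unix", "/tmp/docker-proxy-acl/docker.sock")) and pass NewProxy(sections, "/var/run/docker.sock") to http.Serve.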

Setup

The following is an example for netdata, so that it can resolve the container names found in the cgroups filesystem.

docker run -d --net=none \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /yourpath:/tmp/docker-proxy-acl \
  qmcgaw/docker-proxy-acl-alpine -a containers

A new socket file is then created at /yourpath/docker.sock, with only the /containers/json and /containers/{name}/json endpoints allowed.

This socket file can then be passed to the netdata container, with an additional option like this:

-v /yourpath/docker.sock:/var/run/docker.sock

You can also use docker-compose:

version: '3'
services:
  docker-proxy:
    build: .
    image: qmcgaw/docker-proxy-acl-alpine
    container_name: docker-proxy
    volumes:
      - /yourpath/docker-proxy-acl:/tmp/docker-proxy-acl
      - /var/run/docker.sock:/var/run/docker.sock
    command: -a containers
    network_mode: none
    restart: always

TODOs

  • Change to another router
  • Healthcheck
  • Non root user
  • Title icon

About

License: MIT License

Languages: Go 77.8%, Dockerfile 18.3%, Shell 3.9%