docker-socket-proxy icon indicating copy to clipboard operation
docker-socket-proxy copied to clipboard

Published 20 hours ago verified publisher icon Tecnativa

Update documentation/tags to make docker-socket-proxy more secure for novice users

Open bluepuma77 opened this issue 1 year ago • 4 comments

The README.md shows this usage example:

docker container run \
    -d --privileged \
    --name dockerproxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    tecnativa/docker-socket-proxy

In my optioning the example contains two security risks:

  1. tecnativa/docker-socket-proxy on Docker Hub (link) defaults to latest, which is already 3 years old. Please either update latest tag on Docker Hub to a more current version or add the edge tag to the usage example.
  2. The example uses -privileged, which gives a lot of permissions to the container, even though this is not required, it runs without any issue on plain Debian without the parameter. If there are exceptions, they should be noted, but --privileged should not be assumed to be default, and in 2024 there should be more granular options.

Combining a 3 year old image with --privileged seems to be a very insecure usage example for novice users. The project is intended to improve security, but the example seems very counter-productive.

bluepuma77 avatar Jan 30 '24 12:01 bluepuma77

Can you please propose a better text?

pedrobaeza avatar Jan 31 '24 15:01 pedrobaeza

i don't think this is maintained anymore

kingp0dd avatar Apr 03 '24 01:04 kingp0dd

Not really true, as we are here, but lacking some knowledge as the employee behind this is no longer working with us. Any help is appreciated.

pedrobaeza avatar Apr 03 '24 06:04 pedrobaeza

The 1st point seems to be solved now. Latest points to a recent image and logs: haproxy version is 3.0.2-a45a8e6

thoniTUB avatar Aug 21 '24 19:08 thoniTUB