
Use docker socket proxy instead of mounting /var/run/docker.sock

Open mgite opened this issue 1 year ago • 12 comments

Can we add support to use docker-socket-proxy container instead of using mount to /var/run/docker.sock for security purposes?

mgite avatar Sep 09 '23 11:09 mgite

been wanting this for a while

kingp0dd avatar Mar 15 '24 01:03 kingp0dd

I have been using WUD with docker-socket-proxy and it works pretty well.

ameer1234567890 avatar Mar 15 '24 11:03 ameer1234567890

What is your compose like?


kingp0dd avatar Mar 15 '24 11:03 kingp0dd

Here is my compose file.

services:
  whatsupdocker:
    image: fmartinou/whats-up-docker
    container_name: whatsupdocker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/pi/docker/whatsupdocker:/store
    environment:
      - WUD_WATCHER_NAS2_SOCKET=/var/run/docker.sock
      - WUD_WATCHER_NAS2_WATCHALL=true
      - WUD_WATCHER_FIG_HOST=fig.lan
      - WUD_WATCHER_FIG_WATCHALL=true
    ports:
      - 3000:3000
    restart: unless-stopped

ameer1234567890 avatar Mar 15 '24 13:03 ameer1234567890

I've been using the socket proxy for a remote server and it has been working well. My local watcher uses the direct socket mount, but it should work the same doing it local vs remote. There is some configuring to the proxy container as well, which I pulled an issue here for, and @fmartinou helped out with (#354). My compose entries are below. Hope this helps.

Host Machine:

services:
  whatsupdocker:
    container_name: wud
    image: ghcr.io/fmartinou/whats-up-docker:6.3.0
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: wget --no-verbose --tries=1 --no-check-certificate --spider http://localhost:3000
      interval: 10s
      timeout: 10s
      retries: 3
      start_period: 10s
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/whats-up-docker:/store
    environment:
      - WUD_WATCHER_local_SOCKET=/var/run/docker.sock
      - WUD_WATCHER_remote_HOST=10.x.x.x

Remote machine

services:
  dockerproxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1
    container_name: dockerproxy
    restart: unless-stopped
    ports:
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - LOG_LEVEL=debug
      - CONTAINERS=1 # Allow access to viewing containers
      - ALLOW_START=1
      - ALLOW_STOP=1
      - IMAGES=1
      - POST=0 # Disallow any POST operations (effectively read-only)

jrbarronumd avatar Mar 15 '24 14:03 jrbarronumd

Thanks for sharing this. I'm confused though: why isn't your WUD using the socket proxy port?

kingp0dd avatar Mar 18 '24 03:03 kingp0dd

@kingp0dd It's been a bit since I set it up, but I think because 2375 is the default port for the docker socket to be exposed (whether using the proxy or not). If exposing the socket proxy on a different port, you would have to specify in the WUD config.

jrbarronumd avatar Mar 18 '24 20:03 jrbarronumd

That makes much more sense now. Thanks mate!

Edit: upon further checking, it seems that containers do not use 2375 by default; they use the docker.sock file. So WUD still has to be configured to use docker-socket-proxy explicitly, which I think it doesn't support.

kingp0dd avatar Mar 19 '24 00:03 kingp0dd

Hi @kingp0dd, are you still having the problem? In my case it is working without any problem.

cerealconyogurt avatar Jun 25 '24 02:06 cerealconyogurt

Was there a recent update or change to support it? I haven't tried it yet


kingp0dd avatar Jun 25 '24 15:06 kingp0dd

I am not sure since this is the first time for me installing this app. My setup indeed is using two socket proxies; one for the local machine and the second one for a remote machine:

WUD_WATCHER_NAS_HOST: xxx.xxx.0.2
WUD_WATCHER_NAS_PORT: 2375
WUD_WATCHER_NAS_WATCHALL: true
WUD_WATCHER_DIETPI_HOST: xxx.xxx.1.73
WUD_WATCHER_DIETPI_PORT: 2376
WUD_WATCHER_DIETPI_WATCHALL: true

cerealconyogurt avatar Jun 26 '24 17:06 cerealconyogurt

I have had success using the following configuration for only using docker-socket-proxy on the localhost.

services:

  whatsupdocker:
    image: fmartinou/whats-up-docker
    environment:
      - DOCKER_HOST=tcp://docker-socket-proxy:2375
    depends_on:
      - docker-socket-proxy

  docker-socket-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - POST=0

I've excluded my networks etc, as they are specific to my setup.

lamiskin avatar Aug 20 '24 02:08 lamiskin
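The compose files in this thread differ in how much of the Docker API they hand to WUD: a direct socket mount, a proxy that publishes 2375 on the host with ALLOW_START/ALLOW_STOP set but POST=0, and a proxy reachable only by service name. The checker below is an added example, not code from whats-up-docker or docker-socket-proxy; it assumes the compose file has already been loaded into a dict (for instance with yaml.safe_load) and uses sample documents constructed from the configurations above.

```python
# Added example (not project code): lint a parsed compose dict for socket exposure.
SOCKET = "/var/run/docker.sock"

def _env(service):
    """Normalise 'environment' (list of KEY=VAL or a mapping) into a str dict."""
    env = service.get("environment", {})
    if isinstance(env, list):
        env = dict(item.split("=", 1) for item in env)
    return {k: str(v).strip() for k, v in env.items()}

def _socket_mount(service):
    """Return (mounted, read_only) for the host Docker socket."""
    for vol in service.get("volumes", []):
        if isinstance(vol, str):  # short syntax: source:target[:mode]
            parts = vol.split(":")
            if parts[0] == SOCKET:
                return True, "ro" in parts[2:]
        elif vol.get("source") == SOCKET:  # long syntax
            return True, bool(vol.get("read_only"))
    return False, False

def lint_compose(compose):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        is_proxy = "docker-socket-proxy" in svc.get("image", "")
        mounted, read_only = _socket_mount(svc)
        if not is_proxy:
            if mounted:  # the raw socket gives the full daemon API (root-equivalent)
                findings.append(f"{name}: mounts {SOCKET} directly")
            continue
        if mounted and not read_only:
            findings.append(f"{name}: proxy mounts the socket read-write; add :ro")
        if svc.get("ports"):  # the proxy has no authentication of its own
            findings.append(f"{name}: proxy port published on the host")
        env = _env(svc)
        if env.get("POST", "0") != "0":
            findings.append(f"{name}: POST=1 permits mutating calls; WUD needs only GET")
        for flag in ("ALLOW_START", "ALLOW_STOP"):
            if env.get(flag) == "1" and env.get("POST", "0") == "0":
                findings.append(f"{name}: {flag}=1 is a no-op while POST=0")
    return findings

# Constructed samples: a direct mount, and a proxied setup that publishes 2375.
DIRECT = {"services": {"wud": {"volumes": [f"{SOCKET}:{SOCKET}"]}}}
PROXIED = {"services": {"dockerproxy": {
    "image": "ghcr.io/tecnativa/docker-socket-proxy:0.1.1", "ports": ["2375:2375"],
    "volumes": [f"{SOCKET}:{SOCKET}:ro"],
    "environment": ["CONTAINERS=1", "IMAGES=1", "POST=0", "ALLOW_START=1"]}}}
```

Start and stop are POST endpoints, so with POST=0 the proxy is read-only regardless of the ALLOW_* flags, which is all WUD needs to watch containers and images.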