From ba0af9159dff8db8fd8861592ab2c43ea774a49b Mon Sep 17 00:00:00 2001
From: Raiko
Date: Sun, 14 Jan 2024 09:55:04 +0100
Subject: [PATCH] docker.sock replacement with socket-proxy

---
 Traefik-Secure/README.md | 33 +++++++++++++++++++++++++++++
 Traefik-Secure/docker-compose.yaml | 34 +++++++++++++++++++++++++++++-
 Traefik-Secure/traefik.yaml | 3 ++-
 3 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 Traefik-Secure/README.md

diff --git a/Traefik-Secure/README.md b/Traefik-Secure/README.md
new file mode 100644
index 0000000..196c177
--- /dev/null
+++ b/Traefik-Secure/README.md
@@ -0,0 +1,33 @@
+## Traefik with seperate socket-proxy
+The benefit of using a Docker Socket Proxy with Traefik is to enhance security by restricting access to the Docker API. Instead of allowing Traefik full access to the Docker socket, the proxy enables the proxying of only the necessary API calls, thus reducing the exposure of the Docker socket to the public and potential security risks.
+
+## Use this Socket Proxy with othter Stacks / docker-compose Services
+The idear is, to create a internal Traefik Socket Proxy (with only the Permission to read Container Information with the API).
+If you would use this socket proxy, for other Stacks, see the example below.
+
+### Adjustment with the docker-compose.yml from Uptime-Kuma
+example: Uptime-Kuma
+
+``` docker-compose-uptime.yml
+services:
+ uptime-kuma:
+ image: louislam/uptime-kuma
+ volumes:
+ - /opt/dockerdata/uptime-kuma:/app/data
+ # - /var/run/docker.sock:/var/run/docker.sock:ro # not necessarry - use the socket-proxy
+# ...
+ networks:
+ - proxy
+ - socket-proxy
+
+networks:
+ socket-proxy:
+ name: socket-proxy-traefik # use the socket proxy from the Traefik stack
+ external: true
+
+```
+
+### Adjust the Docker Host Deamon Uptime-Kuma Web-GUI:
+
+1. Uptime-Kuma Settings > Docker Hosts > Setup Docker Host
+2. Docker Daemon: change to `tcp://socket-proxy-traefik:2375`
\ No newline at end of file
diff --git a/Traefik-Secure/docker-compose.yaml b/Traefik-Secure/docker-compose.yaml
index 543404a..17e12aa 100644
--- a/Traefik-Secure/docker-compose.yaml
+++ b/Traefik-Secure/docker-compose.yaml
@@ -1,6 +1,37 @@
 version: '3'
 services:
+# https://github.com/Tecnativa/docker-socket-proxy
+ socket-proxy-traefik:
+ networks:
+ socket-proxy-traefik:
+ restart: always
+ image: tecnativa/docker-socket-proxy
+ container_name: socket-proxy-traefik
+ ports:
+ - 127.0.0.1:2375:2375
+ environment:
+ INFO: 1
+ CONTAINERS: 1
+ BUILD: 0
+ COMMIT: 0
+ CONFIGS: 0
+ DISTRIBUTION: 0
+ EXEC: 0
+ GRPC: 0
+ IMAGES: 0
+ NETWORKS: 0
+ NODES: 0
+ PLUGINS: 0
+ SERVICES: 0
+ SESSION: 0
+ SWARM: 0
+ SYSTEM: 0
+ TASKS: 0
+ VOLUMES: 0
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
 traefik:
 image: traefik:latest
 container_name: traefik
@@ -9,6 +40,7 @@ services:
 - no-new-privileges:true
 networks:
 proxy:
+ socket-proxy-traefik:
 ports:
 - 80:80
 - 81:81 # external http
@@ -21,7 +53,7 @@ services:
 # be sure to use the correct one depending on if you are using a token or key
 volumes:
 - /etc/localtime:/etc/localtime:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
+ # - /var/run/docker.sock:/var/run/docker.sock:ro # use the socket-proxy
 - /home/ubuntu/docker/traefik/traefik.yml:/traefik.yml:ro
 - /home/ubuntu/docker/traefik/acme.json:/acme.json
 - /home/ubuntu/docker/traefik/config.yml:/config.yml:ro
diff --git a/Traefik-Secure/traefik.yaml b/Traefik-Secure/traefik.yaml
index 1c15f94..a7c498b 100644
--- a/Traefik-Secure/traefik.yaml
+++ b/Traefik-Secure/traefik.yaml
@@ -35,7 +35,8 @@ serversTransport:
 insecureSkipVerify: true
 providers:
 docker:
- endpoint: "unix:///var/run/docker.sock"
+ # endpoint: "unix:///var/run/docker.sock"
+ endpoint: "tcp://socket-proxy-traefik:2375"
 exposedByDefault: false
 file:
 filename: /config.yml
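Review bot: The `ports:` / `- 127.0.0.1:2375:2375` lines in the new socket-proxy-traefik service publish the unauthenticated Docker API proxy on the host's loopback interface, although nothing on this page uses that: traefik.yaml and the README's Uptime-Kuma example both reach the proxy by service name over the `socket-proxy-traefik` network. Any local process or user on the host can then list and inspect every container through it (inspect responses carry each container's configured environment, which is where credentials usually end up), so the two lines should be removed. The service mounts the real socket yet lacks the `security_opt:` / `- no-new-privileges:true` that the traefik service in the second hunk sets, and `image: tecnativa/docker-socket-proxy` floats on the default tag; add the same security_opt and pin it, e.g. `image: tecnativa/docker-socket-proxy:<pinned tag or @sha256 digest>`. Since the README promises read-only container access, make that explicit with `POST: 0` next to `CONTAINERS: 1` rather than relying on the image default. The top-level `networks:` definition is outside these hunks; the README's `external: true` reference only resolves if that block sets `name: socket-proxy-traefik`, and `internal: true` there would keep the proxy off any externally routable network.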
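Review bot: The new `endpoint: "tcp://socket-proxy-traefik:2375"` is a plain, unauthenticated TCP connection, so the only protection on the Docker API behind it is which networks can resolve and reach that hostname; a comment stating this keeps the next maintainer from reusing the value elsewhere, e.g. `# unauthenticated plain TCP: must only be reachable over the dedicated socket-proxy-traefik network`. The commented-out `# endpoint: "unix:///var/run/docker.sock"` line kept above it invites a quick revert to the full-socket access this commit removes; git history preserves the old value, so drop the dead line. The `providers:` mapping begins inside the hunk and may continue past its last line.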