
Use docker socket proxy instead of mounting /var/run/docker.sock #317

Open
mgite opened this issue Sep 9, 2023 · 11 comments

Comments

@mgite

mgite commented Sep 9, 2023

Can we add support for using a docker-socket-proxy container instead of mounting /var/run/docker.sock, for security purposes?

@kingp0dd

Been wanting this for a while.

@ameer1234567890

I have been using WUD with docker-socket-proxy and it works pretty well.

@kingp0dd

kingp0dd commented Mar 15, 2024 via email

@ameer1234567890

Here is my compose file.

services:
  whatsupdocker:
    image: fmartinou/whats-up-docker
    container_name: whatsupdocker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/pi/docker/whatsupdocker:/store
    environment:
      - WUD_WATCHER_NAS2_SOCKET=/var/run/docker.sock
      - WUD_WATCHER_NAS2_WATCHALL=true
      - WUD_WATCHER_FIG_HOST=fig.lan
      - WUD_WATCHER_FIG_WATCHALL=true
    ports:
      - 3000:3000
    restart: unless-stopped

@jrbarronumd

I've been using the socket proxy for a remote server and it has been working well. My local watcher uses the direct socket mount, but it should work the same doing it local vs remote. There is some configuring to the proxy container as well, which I pulled an issue here for, and @fmartinou helped out with (#354). My compose entries are below. Hope this helps.

Host Machine:

services:
  whatsupdocker:
    container_name: wud
    image: ghcr.io/fmartinou/whats-up-docker:6.3.0
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: wget --no-verbose --tries=1 --no-check-certificate --spider http://localhost:3000
      interval: 10s
      timeout: 10s
      retries: 3
      start_period: 10s
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/whats-up-docker:/store
    environment:
      - WUD_WATCHER_local_SOCKET=/var/run/docker.sock
      - WUD_WATCHER_remote_HOST=10.x.x.x

Remote machine

services:
  dockerproxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1
    container_name: dockerproxy
    restart: unless-stopped
    ports:
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - LOG_LEVEL=debug
      - CONTAINERS=1 # Allow access to viewing containers
      - ALLOW_START=1
      - ALLOW_STOP=1
      - IMAGES=1
      - POST=0 # Disallow any POST operations (effectively read-only)
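The compose entries above keep a direct socket mount for the local watcher and publish the remote proxy on 2375. For completeness, here is an added example (my own, not from this thread or the WUD project) of the fully proxied local layout the issue asks for: WUD has no docker.sock mount at all and reaches docker-socket-proxy only over a compose-internal network, so port 2375 is never published on the host. The service and network names (dockerproxy, whatsupdocker, socket-proxy-net) and the ./whats-up-docker store path are assumptions; the proxy is limited to the read-only endpoints a watcher needs.

```yaml
# Added example: WUD watches the local daemon through docker-socket-proxy only.
# Names (dockerproxy, whatsupdocker, socket-proxy-net, ./whats-up-docker) are assumptions.
services:
  dockerproxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1
    container_name: dockerproxy
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # proxy is the only thing touching the socket
    environment:
      - CONTAINERS=1   # GET /containers/* (list + inspect): what a watcher needs
      - IMAGES=1       # GET /images/*: image inspect for tags/digests
      - POST=0         # no state-changing calls; ALLOW_START/ALLOW_STOP left at their defaults
    networks:
      - socket-proxy-net
    # deliberately no "ports:" entry: 2375 is reachable only from containers on socket-proxy-net

  whatsupdocker:
    image: ghcr.io/fmartinou/whats-up-docker:6.3.0
    container_name: wud
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - dockerproxy
    volumes:
      - ./whats-up-docker:/store          # no docker.sock mount at all
    environment:
      - WUD_WATCHER_local_HOST=dockerproxy   # compose DNS name of the proxy service
      - WUD_WATCHER_local_PORT=2375          # the default, set explicitly for clarity
      - WUD_WATCHER_local_WATCHALL=true
    ports:
      - 3000:3000
    networks:
      - socket-proxy-net   # to reach the proxy
      - default            # outbound access to registries for update checks

networks:
  socket-proxy-net:
    internal: true   # no host port, no route off the bridge; only WUD and the proxy are on it
```

Two points worth checking when adapting this. First, WUD's outbound registry lookups still need a non-internal network, which is why the WUD service is on both socket-proxy-net and default; putting it only on the internal network would break update checks. Second, if you do publish the proxy for a remote watcher as in the compose entries above, remember that the Docker API speaks plain HTTP with no authentication here, and GET /containers/{id}/json returns each container's environment variables, so bind the published port to the interface WUD actually reaches (for example a host IP prefix in the ports entry) or firewall it to the WUD host rather than leaving 2375 open to the whole LAN.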

@kingp0dd
Thanks for sharing this. I'm confused though, why isn't your WUD using the socket proxy port?

@jrbarronumd

@kingp0dd It's been a bit since I set it up, but I think because 2375 is the default port for the docker socket to be exposed (whether using the proxy or not). If exposing the socket proxy on a different port, you would have to specify in the WUD config.

@kingp0dd

kingp0dd commented Mar 19, 2024

That makes much more sense now. Thanks mate!

Edit:
Upon further checking, it seems that containers do not use 2375 as the default; they use the docker.sock file. So WUD still has to be configured to use docker-socket-proxy explicitly, which I think it doesn't support.

@cerealconyogurt

Hi @kingp0dd, are you still having the problem? In my case it is working without any problem.

@kingp0dd

kingp0dd commented Jun 25, 2024 via email

@cerealconyogurt

I am not sure since this is the first time for me installing this app.
My setup indeed is using two socket proxies; one for the local machine and the second one for a remote machine:

WUD_WATCHER_NAS_HOST: xxx.xxx.0.2
WUD_WATCHER_NAS_PORT: 2375
WUD_WATCHER_NAS_WATCHALL: true
WUD_WATCHER_DIETPI_HOST: xxx.xxx.1.73
WUD_WATCHER_DIETPI_PORT: 2376
WUD_WATCHER_DIETPI_WATCHALL: true

5 participants