[📃 Docs]: Docker Socket Access #4683

@shatovilya

Is your feature request related to a problem? Please describe.

Currently, some compose.yml files grant containers direct access to the Docker socket (/var/run/docker.sock). This poses a significant security risk, as unrestricted access to the Docker socket allows containers to gain full control over the host system.

Describe the solution you'd like

Instead of exposing the raw Docker socket, I propose using linuxserver/socket-proxy as a secure intermediary. This proxy:

Limits API calls to only those explicitly required (e.g., container start/stop, but not host-level operations).

Reduces attack surface while maintaining necessary functionality.

Describe alternatives you've considered

Manual API restrictions: Manually configuring Docker’s API permissions is complex and error-prone.

Read-only socket access: This is insufficient for use cases requiring controlled write operations.

Additional context

The socket-proxy container is maintained by LinuxServer.io and widely trusted in the community.

Example implementation in compose.yml:
services:
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    container_name: socket-proxy
    environment:
      - ALLOW_START=0 #optional
      - ALLOW_STOP=0 #optional
      - ALLOW_RESTARTS=0 #optional
      - AUTH=0 #optional
      - BUILD=0 #optional
      - COMMIT=0 #optional
      - CONFIGS=0 #optional
      - CONTAINERS=0 #optional
      - DISABLE_IPV6=0 #optional
      - DISTRIBUTION=0 #optional
      - EVENTS=1 #optional
      - EXEC=0 #optional
      - IMAGES=0 #optional
      - INFO=0 #optional
      - LOG_LEVEL=info #optional
      - NETWORKS=0 #optional
      - NODES=0 #optional
      - PING=1 #optional
      - PLUGINS=0 #optional
      - POST=0 #optional
      - SECRETS=0 #optional
      - SERVICES=0 #optional
      - SESSION=0 #optional
      - SWARM=0 #optional
      - SYSTEM=0 #optional
      - TASKS=0 #optional
      - VERSION=1 #optional
      - VOLUMES=0 #optional
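    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # the proxy is the only service that mounts the socket
    networks:
      - internal_net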
  
  app:
    depends_on:
      - socket-proxy
    networks:
      - internal_net
    environment:
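      - DOCKER_HOST=tcp://socket-proxy:2375 # the app talks to the proxy, not to the socket

# network shared by the proxy and the app; it must be declared for the file to be valid
networks:
  internal_net: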

I consider it a good solution, if possible.
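
A compose file can be checked for the direct socket mounts this issue describes before deciding which services to move behind the proxy. The following is an added example, not code from the issue or the project: a stdlib-only Python scan that assumes short-syntax volume entries and recognises the proxy by `socket-proxy` in its image name; `SAMPLE` and the `example/...` image names are constructed.

```python
import re

# Constructed sample input: one proxy, one proxied app, one direct mount.
SAMPLE = """\
services:
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  app:
    image: example/app:constructed
    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375
  watcher:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # direct access
    image: example/watcher:constructed
"""

def audit_compose(text):
    """List services that bind-mount the Docker socket (short volume syntax only)."""
    in_services, svc_indent, service, key = False, None, None, None
    images, mounts = {}, []
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()    # drop inline comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                 # a new top-level section
            in_services, svc_indent, service, key = body == "services:", None, None, None
        if indent == 0 or not in_services:
            continue
        svc_indent = svc_indent or indent               # first child sets the service level
        if indent == svc_indent and body.endswith(":"):
            service, key = body[:-1], None
            continue
        m = re.match(r"([\w-]+):\s*(.*)$", body)
        if m:                                           # a key inside the current service
            key = m.group(1)
            if key == "image":
                images[service] = m.group(2).strip("\"'")
        elif key == "volumes" and body.startswith("- "):
            entry = body[2:].strip("\"'")
            if entry.split(":")[0].endswith("docker.sock"):   # host path is the socket
                mounts.append((service, entry))
    return [{"service": s, "mount": e, "is_proxy": "socket-proxy" in images.get(s, "")}
            for s, e in mounts]
```

Every finding with `is_proxy` set to `False` is a service that still holds the raw socket and is a candidate for `DOCKER_HOST=tcp://socket-proxy:2375` instead.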
