Jafner/homelab
1
1
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

Use docker-socket-proxy to grant secure access to the docker socket #80

New Issue
Closed
opened 2023-01-27 21:37:28 -08:00 by Jafner · 19 comments
Jafner commented 2023-01-27 21:37:28 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

https://github.com/Tecnativa/docker-socket-proxy

Services currently using the docker socket:

Not all of these need the proxy.

https://github.com/Tecnativa/docker-socket-proxy Services currently using the docker socket: - [Jafner.tools/monitoring_exporter-docker](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-tools/config/monitoring/docker-compose.yml) - [Jafner.tools/traefik_traefik](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-tools/config/traefik/docker-compose.yml) - [Jafner.net/gitlab_runner_0](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/gitlab/docker-compose.yml) - [Jafner.net/gitlab_runner_1](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/gitlab/docker-compose.yml) - [Jafner.net/homepage_homepage](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/homepage/docker-compose.yml) - [Jafner.net/monitoring_exporter-docker](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/monitoring/docker-compose.yml) - [Jafner.net/portainer_portainer](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/portainer/docker-compose.yml) - [Jafner.net/traefik_traefik](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/traefik/docker-compose.yml) Not all of these need the proxy.
Jafner commented 2023-01-27 21:37:28 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

assigned to @Jafner

assigned to @Jafner
Jafner commented 2023-01-27 21:44:04 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

We should implement this for both Jafner.net and Jafner.tools. Both for security reasons, and to enable homepage to remotely read the docker socket for health info in its service widgets.

We should implement this for both Jafner.net and Jafner.tools. Both for security reasons, and to enable [homepage](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/server/config/homepage/docker-compose.yml) to remotely read the docker socket for health info in its service widgets.
Jafner commented 2023-01-29 18:50:13 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit 91549029cc

mentioned in commit 91549029cca1cc36bd70fe88d892a1d6020fb929
Jafner commented 2023-01-29 18:51:41 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit a0b569b8c7

mentioned in commit a0b569b8c7ab4d8e9aa83586ad88cdd821afd37f
Jafner commented 2023-01-29 18:57:30 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit 28cd1721b0

mentioned in commit 28cd1721b0f83fb6037f42d0e11166ebfce99ee8
Jafner commented 2023-01-29 19:01:36 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit 7bc6aa2c68

mentioned in commit 7bc6aa2c684f21630528beccfa9c4f8c387abda6
Jafner commented 2023-01-29 19:02:12 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit 4c30b3e258

mentioned in commit 4c30b3e258012f2c57193b4a70c7797363863aba
Jafner commented 2023-01-30 14:51:48 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit 2001773642

mentioned in commit 2001773642ace23349e217fa22082165cce5e5f0
Jafner commented 2023-01-30 14:53:48 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit cf4e8d1f59

mentioned in commit cf4e8d1f59ae49b489f4ac94cb26ecd16e94d79f
Jafner commented 2023-01-30 14:55:36 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

changed the description

changed the description
Jafner commented 2023-01-30 14:56:44 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

All done and good to go for homepage.

All done and good to go for homepage.
Jafner commented 2023-01-30 15:00:15 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

So we can split the containers using the socket into two categories: those who only need to read, and those who need full control.

Service Perms
exporter-docker read
traefik read
homepage read
gitlab_runner write
portainer write
So we can split the containers using the socket into two categories: those who only need to read, and those who need full control. | Service | Perms | |:-------:|:-----:| | exporter-docker | read | | traefik | read | | homepage | read | | gitlab_runner | write | | portainer | write |
Jafner commented 2023-01-30 15:00:40 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

Next we'll do exporter-docker and Traefik.

Next we'll do exporter-docker and Traefik.
Jafner commented 2023-01-30 15:20:13 -08:00 (Migrated from gitlab.jafner.net)
Copy Link

mentioned in commit f781676d13

mentioned in commit f781676d135dc858b4a6b1a512e2f92e0080d7db
Jafner commented 2023-08-04 11:54:55 -07:00 (Migrated from gitlab.jafner.net)
Copy Link

changed the description

changed the description
Jafner commented 2023-08-04 12:26:03 -07:00 (Migrated from gitlab.jafner.net)
Copy Link

marked the checklist item Jafner.net/homepage_homepage as incomplete

marked the checklist item **[Jafner.net/homepage_homepage](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/jafner-net/config/homepage/docker-compose.yml)** as incomplete
Jafner commented 2023-08-04 12:32:06 -07:00 (Migrated from gitlab.jafner.net)
Copy Link

changed the description

changed the description
Jafner commented 2023-08-04 12:48:13 -07:00 (Migrated from gitlab.jafner.net)
Copy Link

changed the description

changed the description
Jafner commented 2023-08-04 12:48:30 -07:00 (Migrated from gitlab.jafner.net)
Copy Link

This is not a useful security layer for us.

This is not a useful security layer for us.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Jafner/homelab#80
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?