Skip to content
/ docker-proxy-acl-alpine Public

A lightweight docker Unix socket proxy which restricts endpoint usage to allowed sections

License

MIT license
9 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

qdm12/docker-proxy-acl-alpine

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
hooks
hooks
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Docker-proxy-ACL-Alpine

Lightweight container running a restricted Docker unix socket proxy

Docker Build Status

GitHub last commit GitHub commit activity GitHub issues

Docker Pulls Docker Stars Docker Automated

Image size Image version

Image size RAM usage CPU usage
5.82MB 10MB Low

Why

  • A better version than titpetric/docker-proxy-acl
    • 6MB instead of 450MB Docker image
    • Options can be changed with the command line argument
    • Emojis
    • More checks
  • No need to run with --privileged although you bind mount the docker socket
  • No networking, just unix socket files

Exposing /var/run/docker.sock to a Docker container requiring it (such as netdata) involves security concerns and the container should be limited in what it can do with docker.sock.

You can enable an endpoint with the -a argument. Currently supported endpoints are:

  • containers: opens access to /containers/json and /containers/{name}/json
  • images: opens access to /images/json , /images/{name}/json and /images/{name}/history
  • networks: opens access to /networks and /networks/{name}
  • volumes: opens access to /volumes and /volumes/{name}
  • services: opens access to /services and /services/{id}
  • tasks: opens access to /tasks and /tasks/{name}
  • events: opens access to /events
  • info: opens access to /info
  • version: opens access to /version
  • ping: opens access to /_ping
  • Untested endpoints:
    • events
    • auth
    • secrets
    • build
    • commit
    • configs
    • distribution
    • exec
    • nodes
    • plugins
    • session
    • swarm
    • system

To combine arguments, repeat them like this: -a info -a version

Setup

The following is in example for netdata, such that it can resolve the container names found in the cgroups filesystem.

docker run -d --net=none \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /yourpath:/tmp/docker-proxy-acl \
qmcgaw/docker-proxy-acl-alpine -a containers

A new socket file is hence created at /yourpath/docker.sock with only the /containers/json and /containers/{name}/json endpoints allowed.

This socket file can then be passed to the netdata container, with an additional option like this:

-v /yourpath/docker.sock:/var/run/docker.sock

You can also use docker-compose:

version: '3'
services:
  docker-proxy:
    build: .
    image: qmcgaw/docker-proxy-acl-alpine
    container_name: docker-proxy
    volumes:
      - /yourpath/docker-proxy-acl:/tmp/docker-proxy-acl
      - /var/run/docker.sock:/var/run/docker.sock
    command: -a containers
    network_mode: none
    restart: always

TODOs

  • Change to another router
  • Healthcheck
  • Non root user
  • Title icon

About

A lightweight docker Unix socket proxy which restricts endpoint usage to allowed sections

Topics

docker socket acl unix-socket

Resources

Readme

License

MIT license
Activity

Stars

9 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages