
SheepReaper

Adds an example using a docker socket proxy.

Implements #131

Adds an example using a docker socket proxy.

Implements containrrr#131
Added a comment about AUTH
Added containers and images for the autoclean process
@SheepReaper (Author)

I missed the autoclean process. That one requires IMAGES and CONTAINER. Added them.
The only genuinely optional one is the AUTH api.

@SheepReaper (Author)

The docker cli always interfaces with the API, whether on a local socket or remote. Each command has a corresponding API. This particular socket proxy disables all but the version, ping, and events API, and you have to selectively enable each one you need. (also, the POST method on every endpoint is disabled unless you add POST: 1)

Because this script uses a variety of CLI commands, a bunch of APIs are required. I'm not sure which commands require distribution and nodes, but that's probably some CLI command that needs more than one API to complete. My guess is one of the inspect commands.

@SheepReaper (Author)

But yes, just set everything to 0 for verification, and start the stack. Watch the socket-proxy log. As the script runs, you'll see NOSRV errors on every API that is accessed that you have not enabled. Also, the shepherd container may fail to stay running if certain commands fail to execute. I did not identify which ones. I just kept enabling the blocked APIs until it was happy. That's how I missed the autoclean process needing 2 more. Mine's also set up to authenticate to dockerhub, but based on the code, I don't see that interfering.
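The "enable the blocked APIs until it is happy" loop described above can be driven from the proxy's log instead of by hand. The following is an added example, not code from this PR or from shepherd: it assumes the proxy is the Tecnativa docker-socket-proxy (whose defaults match the version/ping/events description above and which logs in HAProxy httplog format), and the log lines it parses are constructed for illustration.

```python
import re
from collections import defaultdict

# Docker Engine API path prefixes -> docker-socket-proxy allow-list variables
# (assumption: the Tecnativa proxy; its haproxy.cfg gates these sections).
API_FLAGS = {
    "containers": "CONTAINERS", "images": "IMAGES", "services": "SERVICES",
    "tasks": "TASKS", "nodes": "NODES", "distribution": "DISTRIBUTION",
    "auth": "AUTH", "networks": "NETWORKS", "volumes": "VOLUMES",
    "swarm": "SWARM", "info": "INFO", "system": "SYSTEM", "exec": "EXEC",
    "version": "VERSION", "_ping": "PING", "events": "EVENTS",
}

# HAProxy httplog: "... Tq/Tw/Tc/Tr/Tt STATUS BYTES ... "METHOD /path HTTP/x"
LOG_RE = re.compile(r' (\d{3}) \d+ .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# Drop the optional API version prefix: /v1.45/images/json -> "images"
PATH_RE = re.compile(r'^(?:/v[\d.]+)?/(?P<section>[^/?]+)')

# Constructed sample: one allowed call, then calls the proxy denied (403, <NOSRV>).
SAMPLE_LOG = """\
172.18.0.3:45678 [27/Feb/2025:10:00:01.123] dockerfrontend dockerbackend/docker 0/0/1/2/3 200 1024 - - ---- 1/1/0/1/0 0/0 "GET /v1.45/version HTTP/1.1"
172.18.0.3:45680 [27/Feb/2025:10:00:01.456] dockerfrontend dockerbackend/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 1/1/0/0/0 0/0 "GET /v1.45/services HTTP/1.1"
172.18.0.3:45682 [27/Feb/2025:10:00:02.001] dockerfrontend dockerbackend/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 1/1/0/0/0 0/0 "POST /v1.45/services/abc123/update?version=7 HTTP/1.1"
172.18.0.3:45684 [27/Feb/2025:10:00:02.300] dockerfrontend dockerbackend/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 1/1/0/0/0 0/0 "GET /v1.45/distribution/nginx:latest/json HTTP/1.1"
172.18.0.3:45686 [27/Feb/2025:10:00:03.000] dockerfrontend dockerbackend/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 1/1/0/0/0 0/0 "POST /v1.45/images/prune?filters=%7B%22dangling%22%3A%5Btrue%5D%7D HTTP/1.1"
"""

def required_flags(log_text: str) -> dict:
    """Map each allow-list variable to the denied requests that need it.

    Only denied requests (HTTP 403 / <NOSRV>) are considered, so the result is
    exactly what the client tried and was refused: the minimal set to enable.
    Any non-GET request additionally needs POST=1 on this proxy.
    """
    needed = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        status, method, path = m.group(1), m.group("method"), m.group("path")
        if status != "403" and "<NOSRV>" not in line:
            continue  # request was allowed; nothing to learn from it
        section = PATH_RE.match(path)
        flag = API_FLAGS.get(section.group("section")) if section else None
        if flag is None:
            continue  # unknown endpoint: do not guess a flag for it
        needed[flag].append(f"{method} {path}")
        if method != "GET":
            needed["POST"].append(f"{method} {path}")
    return dict(needed)

def allowlist_env(log_text: str) -> list:
    """Render the result as FLAG=1 environment lines, sorted for stable diffs."""
    return [f"{flag}=1" for flag in sorted(required_flags(log_text))]

if __name__ == "__main__":
    print("\n".join(allowlist_env(SAMPLE_LOG)))
```

Run it against the real proxy log (for example `docker logs socket-proxy`) after starting the stack with everything set to 0; requests that never show up as denied never end up in the allow-list.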

@SheepReaper (Author)

My best guess is that docker manifest inspect might use distribution, and docker service update, since it's a swarm, makes requests to nodes and tasks.

@djmaze (Collaborator)

djmaze commented Feb 27, 2025

So.. If I understand correctly, Shepherd uses almost all important and dangerous APIs, leaving the socket proxy to not really protect any important API anymore. Right?

@SheepReaper (Author)

SheepReaper commented Feb 27, 2025 via email
