connect to docker socket via a proxy

[HedgeShot]

It would most likely improve the security if the docker socket was accessed behind a proxy such as docker-socket-proxy

[szaimen]

I fear this will break the whole design of being able to start only one container that does the rest.

---

Also I am not sure how big the gained security of this is because we would need to allow new containers to be created apart from other things which you would forbid usually when using this docker socker proxy, if I understand it correctly. In our case a potential hacker would then be able to simply launch another container with malware that mounts the docker socket and has whole root access on its own. Which would destory all security benefits that this container might bring in the first place.

[HedgeShot]

You are probably right! I use it for the traefik reverse proxy that also asks to read the docker socket. It doesn't need to start new containers tho.

[szaimen]

Thanks for your answer!
Seems like we agree that it doesn't make much sense here.
Closing.

[gggeek]

I respectfully disagree with this.

I think there are 2 main scenarios at play:
A) docker-socket usage by the MC
B) docker-socket usage by community containers

I think that we should try to make both of those as safe as possible, ie. only allow filtered access.

For B, it is not too hard - just start a docker-socket proxy* container, and give all other containers that want access to the docker-socket only access to that.

For A, I think that we should try to harden the setup against any RCE exploit found in the AIO web interface.
This means that also all docker-commands executed by the MC php app should be filtered.
This is a bit more tricky, as the docker-socket-proxy container is not available when the MC starts, but we could look into something such as:

• mount the docker socket into the MC with permissions that do not allow access to the user id running the php web interface (or a possible future cli)
• in the MC, run a separate process, as a separate user, that acts as docker-socket-proxy, filtering the requests coming from the php application

[*] = regarding the filtering of access to the docker socket by a proxy, we should strive to use proxies which are semantic-aware, ie. which not only block access based on request path and http method, but can also filter the results based on eg. container tags. This would allow f.e. rogue community containers that send a request to enumerate all containers in the system to only see the AIO-managed ones in any case

[gggeek]

Side quest: github.com/gggeek/yet-another-docker-socket-proxy