Allow Docker containers widget to pull data from proxied socket #334

Open
retmas-gh opened this issue Feb 9, 2025 · 2 comments
retmas-gh commented Feb 9, 2025

Hi.
I liked the sound of a widget showing Docker containers status, however there is one thing that will keep me from that - it seems to allow only the mentioned connection via a socket.

Now, as a security practice, all containers I use that need a connection to Docker just to pull some information (like traefik, for example) go through an instance of docker-socket-proxy, which uses haproxy to proxy the requests to the Docker socket mounted there, allowing only selected methods/endpoints, specified using predefined environment variables, and itself exposing nothing other than the proxy on port 2375.

The way you would set it up is, you run a separate container with the above alongside the one that needs the Docker information with CONTAINERS=1 environment variable to allow the /containers endpoint and in the container of the application that needs the info you set DOCKER_HOST=tcp://<container_name>:2375 environment variable, for example:

services:
  glance:
    image: glanceapp/glance
    volumes:
      - /data/glance:/app/config
    ports:
      - 127.0.0.1:8080:8080   # published on loopback only
    restart: unless-stopped
    environment:
      # talk to the proxy over TCP instead of mounting /var/run/docker.sock here
      - DOCKER_HOST=tcp://glance-socket-proxy:2375
  socket-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy
    container_name: glance-socket-proxy
    restart: always
    volumes:
      # only the proxy container sees the real socket; port 2375 is not published to the host
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1   # enable the /containers endpoints (read-only by default)

With a setup like this, the application requesting the data is only allowed GET/HEAD requests to /containers, /events, /ping and /version, preventing it from starting, stopping, creating, exec'ing into, deleting, or performing any other action that should probably not be allowed to an application that does not handle such actions anyway.

Of course, with the idea of allowing more hosts, instead of a global variable an option in widget could be used.

As far as I can see, the original committer, based on the docs/configuration.md file, intended for it to work that way, but the concept changed somewhere between his rework and the release.

Kind regards.
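To make the allow-listing the post relies on concrete, here is an added example (not code from the issue, from Glance, or from docker-socket-proxy) of a minimal filtering proxy in front of the Docker socket, written in Python. It encodes the policy described above: write methods are refused unless a POST flag is set, and each endpoint family is gated by an environment flag, with CONTAINERS off by default and events, ping and version on by default. Two details worth seeing in code: Docker clients prefix the API version (e.g. /v1.47/containers/json), so the path match has to tolerate that, and the daemon's ping endpoint is actually /_ping (the post abbreviates it as /ping). The names decide, ALLOW_RULES, UnixHTTPConnection and DockerProxyHandler, and the default socket path, are this example's own assumptions.

```python
"""Minimal allow-list proxy in front of the Docker socket (added example,
not part of the issue or of docker-socket-proxy). With CONTAINERS=1 only
GET/HEAD requests to /containers, /events, /_ping and /version reach the
daemon; everything else is answered with 403 before it gets there.
"""
import http.client
import os
import re
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Docker clients prefix the API version, e.g. /v1.47/containers/json.
VERSION_PREFIX = r"^(/v[\d.]+)?"

# Endpoint family -> (environment flag that enables it, default value).
# Defaults follow the behaviour the post describes: events, ping and
# version are on; everything else must be switched on explicitly.
ALLOW_RULES = {
    "/containers": ("CONTAINERS", "0"),
    "/events":     ("EVENTS", "1"),
    "/_ping":      ("PING", "1"),
    "/version":    ("VERSION", "1"),
}

SAFE_METHODS = {"GET", "HEAD"}


def decide(method, target, env):
    """Return (allowed, reason) for one request line.

    env is a plain mapping so the policy can be exercised without a daemon.
    """
    path = urlsplit(target).path  # ignore ?all=1 and other query strings
    # Writes are refused first, regardless of endpoint, unless POST=1.
    if method not in SAFE_METHODS and env.get("POST", "0") != "1":
        return False, "write method %s blocked" % method
    for prefix, (flag, default) in ALLOW_RULES.items():
        # /containers must be followed by "/" or end of path: /containersx is no match
        if re.match(VERSION_PREFIX + re.escape(prefix) + r"(/|$)", path):
            if env.get(flag, default) == "1":
                return True, "%s enabled" % flag
            return False, "%s is not enabled" % flag
    return False, "no rule for %s" % path


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to a Unix socket instead of TCP."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


class DockerProxyHandler(BaseHTTPRequestHandler):
    sock_path = "/var/run/docker.sock"  # assumption: default daemon socket

    def _handle(self):
        allowed, reason = decide(self.command, self.path, os.environ)
        if not allowed:
            self.send_error(403, reason)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = UnixHTTPConnection(self.sock_path)
        conn.request(self.command, self.path, body=body, headers=dict(self.headers))
        resp = conn.getresponse()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "content-length", "connection"):
                self.send_header(name, value)
        self.send_header("Connection", "close")  # HTTP/1.0 style: close delimits the body
        self.end_headers()
        # Stream chunks so long-lived endpoints such as /events are not buffered.
        while True:
            chunk = resp.read(4096)
            if not chunk:
                break
            self.wfile.write(chunk)
            self.wfile.flush()
        conn.close()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_PATCH = _handle


if __name__ == "__main__":
    # Listen inside the proxy container; do not publish this port to the host.
    port = int(os.environ.get("PORT", "2375"))
    ThreadingHTTPServer(("0.0.0.0", port), DockerProxyHandler).serve_forever()
```

The policy is deliberately coarse, which is also the caveat: setting POST=1 to let a client through reopens every method on every enabled endpoint family (POST /containers/{id}/start included), so flags should be enabled per consumer, one proxy instance per client, exactly as the compose file above does.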

@svilenmarkov (Member)

Hey, thanks for providing such a detailed explanation! I think this is a reasonable request and shouldn't be difficult to add, here's what I have in mind config-wise:

- type: docker-containers
  providers:
    - type: proxy
      host: tcp://glance-socket-proxy:2375
    - type: proxy
      host: tcp://some-other-server:2375

The type could then be used for other kinds of providers in the future. Any thoughts?

@svilenmarkov svilenmarkov changed the title Allow Docker containers widget to pull data from DOCKER_HOST instead of socket Allow Docker containers widget to pull data from proxied socket Feb 10, 2025
@retmas-gh (Author)

Hey.
Seems like a reasonable configuration proposal to me.
Thanks.
