Use woodpecker with docker socket proxy

[lonix1]

Clear and concise description of the problem

The docs show that the agent needs access to the docker socket. It's good practice to use a proxy instead of exposing the entire socket. The most common is the "tecnativa" proxy .

I assume that at the very least, an agent creates new containers, so needs access to the "containers" endpoint. Presumably it needs other endpoints too.

Suggested solution

Please consider documenting which parts of the docker api are needed by the agent. Then we could use the docker socket proxy to allow those and restrict the others.

Alternative

No response

Additional context

These are the docker api's endpoints:

• typically allowed:
  • EVENTS
  • PING
  • VERSION
• security-critical and so typically not allowed:
  • AUTH
  • SECRETS
  • POST
• other
  • BUILD
  • COMMIT
  • CONFIGS
  • CONTAINERS
  • DISTRIBUTION
  • EXEC
  • GRPC
  • IMAGES
  • INFO
  • NETWORKS
  • NODES
  • PLUGINS
  • SERVICES
  • SESSION
  • SWARM
  • SYSTEM
  • TASKS
  • VOLUMES

Validations

• Checked that the feature isn't part of the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that request the same feature to avoid creating a duplicate.