congsh/Arch1Panel
1
0
Fork 0
mirror of https://github.com/arch3rPro/1Panel-Appstore.git synced 2026-04-15 00:17:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
9f19223ab7df47139475be0898fdcf3ac60afa59
Arch1Panel/apps/docker-socket-proxy/README_en.md

4.2 KiB
Raw Blame History

Docker-Socket-Proxy

The Socket Proxy is a security-enhanced proxy which allows you to apply access rules to the Docker socket, limiting the attack surface for containers such as watchtower or Traefik that need to use it.

Application Setup

This container is conceptually based on https://github.com/Tecnativa/docker-socket-proxy and as such does not follow our usual container conventions. It does not support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment). It is designed to act as a drop-in replacement for the Tecnativa container.

The container should be run on the same docker network as the service(s) using it. Most containers that would normally connect to a mounted docker.sock can have their endpoint overridden using the DOCKER_HOST environment variable if they do not offer the option in their configuration; it should typically be pointed to tcp://socket-proxy:2375.

  • Never expose this container's port to a public network. It should be treated the same way you would treat the docker socket or TCP endpoint.
  • Revoke access to any API section that you consider your service should not need.
  • To see the versions of the API your Docker daemon and client support, use docker version and check the API version.
  • Read the docs for the API version you are using for an explanation of all the available endpoints.

Read-Only Operation

This image can be run with a read-only container filesystem. For details please read the docs.

Parameters

Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.

Parameter Function
-e ALLOW_START=0 /containers/{id}/start - This option will work even if POST=0
-e ALLOW_STOP=0 /containers/{id}/stop - This option will work even if POST=0
-e ALLOW_RESTARTS=0 /containers/{id}/stop, /containers/{id}/restart, and /containers/{id}/kill - This option will work even if POST=0
-e AUTH=0 /auth
-e BUILD=0 /build
-e COMMIT=0 /commit
-e CONFIGS=0 /configs
-e CONTAINERS=0 /containers
-e DISTRIBUTION=0 /distribution
-e DISABLE_IPV6=0 Set to 1 to prevent binding to the IPv6 interface for legacy systems that cannot support IPv6.
-e EVENTS=1 /events
-e EXEC=0 /exec & /containers/{id}/exec
-e IMAGES=0 /images
-e INFO=0 /info
-e LOG_LEVEL=info Possible values are: debug, info, notice, warning, err, crit, alert and emerg. Defaults to info.
-e NETWORKS=0 /networks
-e NODES=0 /nodes
-e PING=1 /_ping
-e PLUGINS=0 /plugins
-e POST=0 When set to 0, only GET and HEAD operations are allowed, making API access read-only.
-e SECRETS=0 /secrets
-e SERVICES=0 /services
-e SESSION=0 /session
-e SWARM=0 /swarm
-e SYSTEM=0 /system
-e TASKS=0 /tasks
-e TZ=Etc/UTC Set container timezone
-e VERSION=1 /version
-e VOLUMES=0 /volumes
-v /var/run/docker.sock:ro Mount the host docker socket into the container.
--read-only Make the container filesystem read-only.
--tmpfs /run Mount /run to tmpfs (RAM) to make it writeable.

Parameter Recommendations

If you need to run the docker socket proxy as a service, it's recommended to configure the following parameters for full functionality:

  • CONTAINERS=1 - Allow container operations
  • NETWORKS=1 - Allow network operations
  • EVENTS=1 - Enable event monitoring
  • PING=1 - Allow ping operations
  • POST=1 - Allow write operations (create, modify, delete)

This parameter combination provides complete Docker API access capabilities, suitable for most container management scenarios.

Reference in New Issue View Git Blame Copy Permalink