r/unRAID
[How-to] Securing access to your `docker.sock` file.

Guide

So we all know you can allow docker containers to query/control aspects of other docker containers by passing /var/run/docker.sock to the container (like with Telegraf). This can be useful for most cases. I have it set up so that the docker socket proxy is on its own docker network for a bit more security.

But what if someone compromised one of your docker containers that has access to the docker socket?

Many of you might already be familiar with Tecnativa's docker-socket-proxy which says:

Giving access to your Docker socket could mean giving root access to your host, or even to your whole swarm, but some services require hooking into that socket to react to events, etc. Using this proxy lets you block anything you consider those services should not do.

Now the setup can be a little difficult for people not well versed in how docker containers work behind the scenes, so I will help you step-by-step.

Step 1:

Go to the Docker Settings (Advanced View) and enable Preserve user defined networks

Screenshot

Description: This will prevent unRAID from removing any custom docker networks we create.

Step 2:

SSH into/open the terminal and run docker network create socket_proxy (socket_proxy can be whatever you want it to be called, so change it when needed)

Description: This creates the docker network that the socket proxy will be in (and that other containers can be added to, to allow access)

Step 3:

Search dockersocket in CA and hit install. In the container setup, change the network_type to the network you just created. Once done, hit Apply and check the logs.

Screenshot (yours won't have the INFO environment variable)

Step 4:

Once you have it set up, you can go to each container that accesses the docker socket and reconfigure it. To add a container to the socket_proxy network, we can add && docker network connect socket_proxy <container name> to the Post Arguments field for a container in the Advanced View.

Examples:

Telegraf:

  • Add environment variable INFO with a value of 1 to your dockersocket container

  • Post Arguments: && docker network connect socket_proxy telegraf

  • Remove the default /var/run/docker.sock mapping

  • Edit your telegraf.conf file to add endpoint = "tcp://dockersocket:2375" under [[inputs.docker]]

hddtemp:

  • Post Arguments: && docker network connect socket_proxy hddtemp

  • Remove the default /var/run/docker.sock mapping

  • Add environment variable DOCKER_HOST with a value of tcp://dockersocket:2375
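To make the proxy's allow-list model concrete, here is an added Python sketch (not the proxy's own code, which is an HAProxy configuration) of the rule it applies: any request that is not a GET is refused unless POST=1, and each API section is reachable only when its environment variable is set to 1. It assumes the section names and defaults (EVENTS, PING and VERSION on, everything else off) as documented by the project; the sample requests are constructed to mirror what Telegraf's docker input asks for.

```python
import re
from typing import Dict, List, Optional, Tuple

# One pattern per API section, keyed by the environment variable that
# enables it (optional /vX.Y version prefix, then the section root).
SECTION_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    name: re.compile(rf"^(/v[\d.]+)?{root}(/|$)")
    for name, root in {
        "CONTAINERS": "/containers", "IMAGES": "/images", "INFO": "/info",
        "NETWORKS": "/networks", "VOLUMES": "/volumes", "EVENTS": "/events",
        "EXEC": "/exec", "PING": "/_ping", "VERSION": "/version",
        "SYSTEM": "/system", "SERVICES": "/services", "TASKS": "/tasks",
    }.items()
}
# Assumed project defaults: only these three sections are on out of the box.
ENABLED_BY_DEFAULT = {"EVENTS", "PING", "VERSION"}


def section_for(path: str) -> Optional[str]:
    """Return the API section a request path belongs to, or None."""
    path = path.split("?", 1)[0]          # ignore the query string
    for name, pattern in SECTION_PATTERNS.items():
        if pattern.match(path):
            return name
    return None


def is_allowed(method: str, path: str, env: Dict[str, str]) -> bool:
    """Decide a request the way the socket proxy does: deny by default."""
    if method.upper() != "GET" and env.get("POST", "0") != "1":
        return False                       # mutating calls need POST=1
    section = section_for(path)
    if section is None:
        return False                       # unknown section: refuse
    default = "1" if section in ENABLED_BY_DEFAULT else "0"
    return env.get(section, default) == "1"


def audit(requests: List[Tuple[str, str]], env: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Annotate each (method, path) with the proxy's verdict."""
    return [(m, p, is_allowed(m, p, env)) for m, p in requests]


if __name__ == "__main__":
    # Constructed sample: what Telegraf's docker input calls, plus an
    # attempt to start a privileged container through the same socket.
    telegraf_like = [("GET", "/v1.41/info"), ("GET", "/v1.41/containers/json?all=1"),
                     ("GET", "/v1.41/containers/abc/stats?stream=false"),
                     ("POST", "/v1.41/containers/create")]
    for row in audit(telegraf_like, {"CONTAINERS": "1", "INFO": "1"}):
        print(row)
```

With only CONTAINERS=1 the /info call is refused, which is why the Telegraf example above also needs INFO=1; the POST stays refused either way.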


u/spaceinvaderone - feel free to make a video on this if you want

I know this is an old thread but are the post arguments added to the dockersocket container or the container I want to give access to?

Thanks! Very nice write up, also thanks for adding some examples!

It's useful for non-unRAID docker hosts; it took a bit of figuring out how to do it in unRAID. I think I remember hearing that Lime Tech might be working on an official way of attaching multiple networks to a container.


How can I manage modifications made by one container?

For example, Nextcloud-all-in-one made changes unknown on my system and I would like to discover them.


socket-proxy keeps a log of everything that is run through it and what they call.

For nextcloud AIO, add the container to the socket proxy network you created and set DOCKER_SOCKET_PATH to tcp://<proxy_container_name>:2375
