So we all know you can allow docker containers to query/control aspects of other docker containers by passing /var/run/docker.sock through to the container (like with Telegraf). This is useful in most cases. I have it set up so that the docker socket proxy is on its own docker network for a bit more security.
But what if someone compromised one of your docker containers that has access to the docker socket?
Many of you might already be familiar with Tecnativa's docker-socket-proxy which says:
Giving access to your Docker socket could mean giving root access to your host, or even to your whole swarm, but some services require hooking into that socket to react to events, etc. Using this proxy lets you block anything you consider those services should not do.
Now the setup can be a little difficult for people not well versed in how docker containers work behind the scenes, so I will walk you through it step by step.
Go to the Docker Settings (Advanced View) and enable Preserve user defined networks
Description: This will prevent unRAID from removing any custom docker networks we create.
SSH into the server (or open the terminal) and run docker network create socket_proxy (socket_proxy can be whatever you want it to be called, so change it as needed).
Description: This creates the docker network that the socket proxy will live in (other containers can be added to it to allow them access to the proxy).
Search for dockersocket in CA and hit install. In the container setup, change the Network Type to the network you just created. Once done, hit Apply and check the logs.
Screenshot (yours won't have the INFO environment variable)
Once you have it set up, you can go to each container that accesses the docker socket and reconfigure it. To add a container to the socket_proxy network, add && docker network connect socket_proxy <container name> to the Post Arguments field for that container in the Advanced View.
Examples:
Telegraf:
Add environment variable INFO with a value of 1 to your dockersocket container
Post Arguments: && docker network connect socket_proxy telegraf
Remove the default /var/run/docker.sock mapping
Edit your telegraf.conf file to add endpoint = "tcp://dockersocket:2375" under [[inputs.docker]]
hddtemp:
Post Arguments: && docker network connect socket_proxy hddtemp
Remove the default /var/run/docker.sock mapping
Add environment variable DOCKER_HOST with a value of tcp://dockersocket:2375
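Once a container is on the socket_proxy network, it is worth confirming that the proxy really denies writes and only serves the reads your monitoring containers need. The script below is an added example (not from this post or from the docker-socket-proxy project); it assumes the proxy is reachable as http://dockersocket:2375 from a container on that network and that the proxy's defaults apply (GET only, 403 for any endpoint group not enabled by its env var).

```python
"""Verify a docker-socket-proxy denies writes but serves the reads a monitoring container needs."""
import sys
import urllib.error
import urllib.request

# Constructed probe list: (method, path, should_be_allowed). The reads are what
# Telegraf/hddtemp need; the POST must be answered 403 by the proxy itself.
PROBES = [
    ("GET", "/version", True),              # VERSION=1 is the proxy default
    ("GET", "/info", True),                 # needs INFO=1 (as set for Telegraf)
    ("GET", "/containers/json", True),      # needs CONTAINERS=1
    ("POST", "/containers/create", False),  # POSTs are denied unless POST=1
]

def probe(base_url, method, path, timeout=5):
    """Return the HTTP status for one request; 403 means the proxy denied it."""
    # Empty container spec: if the proxy ever forwards it, dockerd rejects it
    # with 400, so the probe can never create anything on the host.
    data = b"{}" if method == "POST" else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def evaluate(results):
    """results: (method, path, should_be_allowed, status) tuples. Returns
    (unsafe, blocked): writes the proxy forwarded, and needed reads it denied."""
    unsafe, blocked = [], []
    for method, path, allowed, status in results:
        denied = status == 403
        if not allowed and not denied:
            unsafe.append(f"{method} {path}")
        elif allowed and denied:
            blocked.append(f"{method} {path}")
    return unsafe, blocked

def check_proxy(base_url="http://dockersocket:2375"):
    """Run every probe against a live proxy and evaluate the answers."""
    return evaluate([(m, p, a, probe(base_url, m, p)) for m, p, a in PROBES])

if __name__ == "__main__":
    unsafe, blocked = check_proxy(*sys.argv[1:2])
    for item in unsafe:
        print("UNSAFE: proxy forwarded", item)
    for item in blocked:
        print("BLOCKED: enable the matching proxy env var for", item)
    sys.exit(1 if unsafe else 0)
```

Run it from a throwaway container attached to the proxy network, e.g. docker run --rm --network socket_proxy -v "$PWD":/w python:3-alpine python /w/check_proxy.py; a non-zero exit means a write reached the Docker daemon and the proxy configuration needs fixing.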