{"id":13581544,"url":"https://github.com/knrdl/docker-socket-protector","last_synced_at":"2025-04-22T18:29:38.721Z","repository":{"id":64308329,"uuid":"450059589","full_name":"knrdl/docker-socket-protector","owner":"knrdl","description":"Protect the Docker Daemon from forbidden requests","archived":false,"fork":false,"pushed_at":"2025-04-08T11:57:44.000Z","size":94,"stargazers_count":24,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-17T10:23:56.961Z","etag":null,"topics":["docker","go","podman","security-tools","traefik"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/knrdl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-01-20T10:55:44.000Z","updated_at":"2025-04-08T11:57:45.000Z","dependencies_parsed_at":"2023-01-15T11:15:32.339Z","dependency_job_id":"8ed73262-61e5-495d-820c-2dd27b5701c1","html_url":"https://github.com/knrdl/docker-socket-protector","commit_stats":null,"previous_names":["knrdl/traefik-docker-protector"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knrdl%2Fdocker-socket-protector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knrdl%2Fdocker-socket-protector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knrdl%2Fdocker-socket-protector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knrdl%2Fdocker-socket-protector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/knrdl","download_url":"https://codeload.github.com/knrdl/docker-socket-protector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250296891,"owners_count":21407111,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","go","podman","security-tools","traefik"],"created_at":"2024-08-01T15:02:05.238Z","updated_at":"2025-04-22T18:29:38.683Z","avatar_url":"https://github.com/knrdl.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Docker Socket Protector\nSome containerized applications (e.g. portainer, traefik, watchtower, ouroboros) demand access to the Docker socket (`/var/run/docker.sock`). But exposing the Docker socket to a container basically equals giving it **full root privileges** to the host system. Especially when the application only needs to read some information via the Docker socket, the access should be locked down. Docker Socket Protector can do this by limiting the control an application gets over the Docker daemon. Only the required functions will be exposed via a customized Docker socket. Therefore, this little program acts as a customizable filtering proxy.\n\n```mermaid\ngraph LR\na[Container]\nb[Docker\\nSocket\\nProtector]\nc[Docker\\nDaemon]\n\n\nsubgraph Docker Network\na--\u003e| tcp://docker-socket-protector:2375 | b\nend\n\nb--\u003e|/var/run/docker.sock| c\n\n\nclick b href \"https://github.com/knrdl/docker-socket-protector\"\nclick c href \"https://docs.docker.com/config/daemon/\"\n```\n\n## Setup\n\n| Env Var      | Values           | Description          |\n|--------------|------------------|----------------------|\n| LOG_REQUESTS | `true` / `false` | Whether requests are written to stdout. Useful to craft custom profiles.  |\n| PROFILE      | See [predefined profiles](./profiles/)| The filename of the profile to apply rules from.  |\n\nThis software filters requests to the Docker socket based on a whitelist of rules. These rules are stored in a profile file. See [here](./profiles/) for the examples shipped with the software. To allow all requests, use the profile `unprotected`.\n\nThe restricted Docker socket is provided via TCP on port 2375. See the examples below.\n\n### Traefik Example Setup\n\nTraefik is a modern reverse proxy with a great [docker integration](https://doc.traefik.io/traefik/providers/docker/). It extracts routing rules from container labels. Therefore, Traefik only needs **readonly** access to the Docker socket.\n\n```yaml\nversion: '3.9'\n\nservices:\n\n  traefik:\n    image: traefik\n    command: \"--providers.docker.endpoint=http://docker-socket-protector:2375\"\n    ports:\n      - \"80:80\"\n    networks:\n      - docker_socket_net\n\n  docker-socket-protector:\n    image: knrdl/docker-socket-protector # or: ghcr.io/knrdl/docker-socket-protector\n    hostname: docker-socket-protector\n    read_only: true\n    cap_drop: [ all ]\n    environment:\n      LOG_REQUESTS: \"true\"\n      PROFILE: \"traefik\"\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock\n    networks:\n      - docker_socket_net\n    mem_limit: 128mb\n\nnetworks:\n  docker_socket_net:\n    attachable: false\n    internal: true\n```\n\n### Portainer Example Setup\n\n[Portainer](https://docs.portainer.io/) is a container management web interface with RBAC controls for standalone and Swarm-based Docker hosts. Portainer requires access to both disruptive and destructive API calls. Two profiles are provided for a standalone Portainer instance: `portainer-ro` is read-only, while `portainer-rw` has write access.\n\n```yaml\nversion: '3.9'\n\nservices:\n\n  portainer:\n    image: portainer/portainer-ce:latest\n    security_opt:\n      - no-new-privileges:true\n    command: \"-H tcp://docker-socket-protector:2375\"\n    ports:\n      - \"127.0.0.1:9000:9000\"\n    networks:\n      - docker_socket_net\n\n  docker-socket-protector:\n    image: knrdl/docker-socket-protector  # or: ghcr.io/knrdl/docker-socket-protector\n    hostname: docker-socket-protector\n    read_only: true\n    cap_drop: [ all ]\n    environment:\n      LOG_REQUESTS: 'true'\n      PROFILE: 'portainer-rw'\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock\n    networks:\n      - docker_socket_net\n    mem_limit: 128mb\n\nnetworks:\n  docker_socket_net:\n    attachable: false\n    internal: true\n```\n\n### Crafting custom profiles\n\n1. Record all requests to the Docker socket, e.g.: `docker run -it --rm -e PROFILE=unprotected -e LOG_REQUESTS=true -p127.0.0.1:2375:2375 -v /var/run/docker.sock:/var/run/docker.sock knrdl/docker-socket-protector`\n2. Analyze the logged lines starting with \"request rule:\" and extract the rules into regular expressions\n3. Write a custom profile file \"supersecure\" and start the software with it, e.g.: `docker run -it --rm -e PROFILE=supersecure -e LOG_REQUESTS=true -p127.0.0.1:2375:2375 -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/supersecure:/profiles/supersecure:ro knrdl/docker-socket-protector`\n4. Test the profile, e.g.: `sudo DOCKER_HOST=tcp://localhost:2375 docker ps`\n\n## FAQ\n\n### Why not just mount the Docker socket as read-only?\n\nMounting as `/var/run/docker.sock:/var/run/docker.sock:ro` (**ro** = read-only) only prevents the container from changing the file permissions on the socket file. The socket itself stays writable, so the container can still send arbitrary requests to it. Nevertheless, using **ro** mode for the socket mount is not wrong, but it won't solve the security problem!\n\n### Alternatives\n\n[Docker authorization plugins](https://docs.docker.com/engine/extend/plugins_authorization/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknrdl%2Fdocker-socket-protector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fknrdl%2Fdocker-socket-protector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknrdl%2Fdocker-socket-protector/lists"}