Wolfgang Ellsässer edited this page Feb 3, 2024 · 4 revisions

socket-proxy

Socket-proxy exposes a restricted subset of a Unix socket over TCP: only requests whose method and path match an explicit allowlist are forwarded. A typical use case is giving a Docker container limited access to the Docker API without mounting the Docker socket directly into that container, so a compromise of the container does not hand an attacker the whole socket (and with it root on the host).

Samples

Dozzle

Dozzle is an easy-to-use docker log viewer.

Here is an example of running Dozzle without being root and without mounting the docker socket in the Dozzle container. The proxy is restricted to read-only container and event endpoints, and it only accepts connections from the dozzle container (`-allowfrom=dozzle`). Restricting the client is not strictly necessary, because the proxy network is internal and not attachable, but it adds an extra layer of security.

docker-compose.yml

services:
  dockerproxy:
    image: wollomatic/socket-proxy:1
    command:
      - '-loglevel=info'
      - '-allowfrom=dozzle' # allow only the dozzle container
      - '-listenip=0.0.0.0' # listen on all interfaces of the (internal) proxy network
      - '-allowGET=/v1\..{2}/(containers/.*|events)' # only container endpoints and the event stream; no images, exec, volumes, ...
      - '-allowHEAD=/_ping' # health check used by the client
      - '-watchdoginterval=3600' # check socket availability every hour
      - '-stoponwatchdog' # stop the proxy if the watchdog finds the socket unavailable
      - '-shutdowngracetime=10' # seconds to wait for open connections on shutdown
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:998 # nobody, plus the GID of the host's docker group (check with `stat -c %g /var/run/docker.sock`)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # ro does not block connect() on a socket; the allowlist is what limits access
    networks:
      - docker-proxynet
  dozzle:
    image: amir20/dozzle:v6.1.1
    user: 65534:65534
    read_only: true
    mem_limit: 256M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    depends_on:
      - dockerproxy
#    ports: # please mind that this would expose dozzle to the whole network!
#      - 9999:8080
    environment:
      DOZZLE_REMOTE_HOST: tcp://dockerproxy:2375
    networks:
      - docker-proxynet
      - dozzle

networks:
  docker-proxynet:
    internal: true
    attachable: false
  dozzle:
    driver: bridge
    attachable: false
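Before deploying an allowlist like the one above, it is worth checking which requests it really lets through, because a regex that is slightly too wide can expose `containers/create` or `exec` to the client. The following is an added example, not code from socket-proxy or Dozzle: it re-implements the allowlist evaluation for the two rules in the compose file and runs a few constructed request paths against it. It assumes that socket-proxy matches each pattern against the whole request path (anchored at both ends) and without the query string; if the project's matching differs, the results may differ too.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Allow rules as given in the compose file above, keyed by HTTP method.
// Assumption for this demo: each pattern is anchored so it must match
// the complete request path (query string excluded).
var rules = map[string]*regexp.Regexp{
	http.MethodGet:  regexp.MustCompile(`^/v1\..{2}/(containers/.*|events)$`),
	http.MethodHead: regexp.MustCompile(`^/_ping$`),
}

// Allowed reports whether a request with this method and path would be
// forwarded to the Docker socket. Methods without a rule (POST, DELETE,
// PUT, ...) are always denied, which is what keeps the client read-only.
func Allowed(method, path string) bool {
	re, ok := rules[method]
	if !ok {
		return false
	}
	return re.MatchString(path)
}

func main() {
	// Constructed sample requests: what a log viewer needs, and what an
	// attacker inside the client container would try.
	cases := []struct{ method, path string }{
		{"GET", "/v1.45/containers/json"},           // list containers: allowed
		{"GET", "/v1.45/containers/abc123/logs"},    // read logs: allowed
		{"GET", "/v1.45/events"},                    // event stream: allowed
		{"HEAD", "/_ping"},                          // health check: allowed
		{"GET", "/_ping"},                           // denied: only HEAD is allowed here
		{"GET", "/v1.45/images/json"},               // denied: images are not in the rule
		{"POST", "/v1.45/containers/create"},        // denied: no POST rule at all
		{"POST", "/v1.45/containers/abc123/exec"},   // denied: no POST rule at all
		{"DELETE", "/v1.45/containers/abc123"},      // denied: no DELETE rule
		{"GET", "/v1.5/containers/json"},            // denied: .{2} needs exactly two characters after "v1."
	}
	for _, c := range cases {
		fmt.Printf("%-6s %-35s allowed=%v\n", c.method, c.path, Allowed(c.method, c.path))
	}
}
```

The last case shows a caveat of the `.{2}` idiom: it matches API versions such as `/v1.45/` but not a hypothetical one- or three-digit minor version, so it should be revisited when the Docker API version scheme changes. It also shows that denying is the default: any method that has no `-allow<METHOD>` rule is rejected regardless of path.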