Do you guys expose the docker socket to any of your containers or is that a strict no-no? What are your thoughts behind it if you don’t? How do you justify this decision from a security standpoint if you do?

I am still fairly new to Docker, but I like the idea of something like Watchtower. Even though I am not a fan of auto-updates and I probably wouldn’t use that feature, I still find it interesting to get a notification if some container needs an update. However, it needs to have access to the Docker socket to do its work, and I read a lot about that, and that this is a bad idea which can result in root access to your host filesystem from within a container.

There are probably other containers as well, especially in this whole monitoring and maintenance category, that need that privilege, so I wanted to ask how other people handle this situation.

Cheers!
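As an added illustration of the risk the post refers to (this is not code from the thread, from Watchtower, or from Docker's documentation), here is a compose file with a constructed service named `escape` that mounts the socket and does nothing more than ask the host daemon, through that socket, to start a second container with the host's root filesystem bind-mounted. The image tags `docker:cli` and `alpine` are assumptions.

```yaml
# Added example, not code from the thread or from Watchtower. "escape" is a
# constructed service name; "docker:cli" and "alpine" are assumed image tags.
services:
  escape:
    image: docker:cli          # nothing but the docker CLI, pointed at the socket below
    volumes:
      # ":ro" only makes the socket file read-only on the mount. The API behind
      # it is still fully writable, so this is not a security control.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # Ask the host daemon to start a second container with the host root
    # filesystem bind-mounted, chroot into it, and report who we are there.
    command:
      - docker
      - run
      - --rm
      - -v
      - /:/host
      - alpine
      - chroot
      - /host
      - id
```

On a standard rootful Docker install (no user namespace remapping) `docker compose up escape` prints `uid=0(root) gid=0(root) ...`: the command ran as root inside the host's own filesystem, and `chroot /host sh` in place of `id` would give an interactive root shell there. Nothing in this file is specific to the `escape` service; a compromised Watchtower, Traefik or any other container holding the socket can do exactly the same, and the `:ro` on the bind mount does not change that.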

  • RWind8@socialnetworks.rodeo · 4 months ago

    There are use cases where it’s beneficial to do so, like Traefik to automatically handle routing/URL rewrites/letsencrypt/NAT to the containers, or Jenkins to run build agents only when needed. You have to be extra careful with these services, but most of the time it’s beneficial to do so.

    • 5ymm3trY (OP) · 4 months ago

      I don’t know how Traefik does this, but even though I don’t expose anything to the internet, I still set up Nginx Proxy Manager with a DNS challenge for letsencrypt certificates to have HTTPS on all my containers. I didn’t mind setting IPs/ports manually in NPM, so I didn’t have to expose the socket, if that is even possible in NPM. This was only a one-time configuration I had to do. But I guess that depends on the features you are using and the complexity of your setup.

      I have never set up Jenkins myself, nor have I ever used it, so I can’t say anything about that.

      • RWind8@socialnetworks.rodeo · 4 months ago

        The idea of Traefik is not to rely on something like Nginx Proxy Manager: it’s a container, but also, on the same host, in the other compose files you add labels that Traefik reads and sets up redirections from.

        For example from the docs:

        services:
          whoami:
            image: traefik/whoami
            labels:
              - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"

        That creates the rule to forward http://whoami.localhost/ to the container; you just need to adjust DNS resolution. Letsencrypt is just some extra labels as well, and there are plugins for Traefik like fail2ban.
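The usual way to keep the label-driven convenience described above, and the Watchtower notifications asked about in the original post, without handing either service the raw socket is a filtering socket proxy. The following is an added example that serves both cases; it is not code from the thread, from the Traefik or Watchtower docs, or from the `tecnativa/docker-socket-proxy` project. It extends the `whoami` snippet above: only the proxy mounts the socket, and Traefik and Watchtower reach the Docker API over a private network as `tcp://socket-proxy:2375`, where only the GET endpoints they need are allowed. The image tags and the network names `socket` and `web` are assumptions.

```yaml
# Added example: Traefik and Watchtower reach the Docker API only through a
# filtering proxy, never the raw socket. Image tags and the network names
# "socket" and "web" are assumptions; check them against current docs.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    # Only the proxy holds the socket. It serves a plain-HTTP Docker API on
    # port 2375 to the "socket" network and allows only the sections below.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: 1   # GET /containers/* (list, inspect)
      EVENTS: 1       # GET /events (Traefik watches for container changes)
      PING: 1
      VERSION: 1
      POST: 0         # explicit: no create/start/exec, so no escape via the proxy
    networks:
      - socket

  traefik:
    image: traefik:v3
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedbydefault=false   # opt in per container via labels
      - --providers.docker.network=web              # network Traefik uses to reach backends
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    networks:
      - socket
      - web
    depends_on:
      - socket-proxy

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
    networks:
      - web

  watchtower:
    image: containrrr/watchtower
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375   # same proxy, same restrictions
      WATCHTOWER_MONITOR_ONLY: "true"        # notify, never update
      # add WATCHTOWER_NOTIFICATION_URL for your notifier
    networks:
      - socket

networks:
  socket:
    internal: true   # unroutable from outside; only members can talk to the proxy
  web:
```

Two caveats. First, the proxy is the control here, not the `:ro` on its mount; anything that can reach port 2375 on the `socket` network gets whatever the allow-list grants, which is why that network is `internal` and carries nothing else. Second, GET-only is enough for Traefik, but Watchtower's update check may also pull the new image, which is a POST to the images endpoint. If its logs show 403 responses from the proxy, you would have to set `IMAGES=1` and `POST=1`; since `POST` applies to every enabled section, that would re-enable container creation through the proxy and you are back to the situation in the original post, so decide deliberately which way round you want that trade-off.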

        • 5ymm3trY (OP) · 4 months ago

          I knew it was some sort of proxy application and assumed it was somewhat similar to Nginx Proxy Manager. I didn’t know the approach to how it works is so different between the two.