Do you guys expose the docker socket to any of your containers or is that a strict no-no? What are your thoughts behind it if you don’t? How do you justify this decision from a security standpoint if you do?
I am still fairly new to docker but I like the idea of something like Watchtower. Even though I am not a fan of auto-updates and I probably wouldn’t use that feature I still find it interesting to get a notification if some container needs an update. However, it needs to have access to the docker socket to do its work and I read a lot about that and that this is a bad idea which can result in root access on your host filesystem from within a container.
There are probably other containers as well especially in this whole monitoring and maintenance category, that need that privilege, so I wanted to ask how other people handle this situation.
Cheers!
deleted by creator
I don’t know how Traefik does this, but even though I don’t expose anything to the internet, I still set up Nginx Proxy Manager with a DNS challenge for letsencrypt certificates to have https on all my containers. I didn’t mind to to set IPs/Ports manually in NPM so I didn’t have to expose the socket, if that is even possible in NPM. This was only a one-time configuration I had to do. But I guess that depends on the features you are using and the complexity of your setup.
I have never setup Jenkins myself, nor have I ever used it so I can’t say anything about that.
deleted by creator
I knew it is some sort of proxy application and assumed it is somewhat similar to Nginx Proxy Manager. Didn’t know the approach how it works is so much different between the two.