[Feature Request] Add Docker Socket Proxy connection

[cerede2000]

Could you please add Socket Proxy connection mode to increase security and allow limiting Docker socket usage to runtime only?

Like this:

services:
  cronmasterProxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    container_name: cronmasterProxy
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 2s
      retries: 3
    env_file: ['../.env']
    environment:
      LOG_LEVEL: info # debug,info,notice,warning,err,crit,alert,emerg
      
      # Base
      PING: 1
      VERSION: 1
      INFO: 1
      EVENTS: 1

      POST: 1
      EXEC: 1

      # Disabled
      CONTAINERS: 0
      IMAGES: 0
      NETWORKS: 0
      VOLUMES: 0
      SYSTEM: 0

      ALLOW_START: 0
      ALLOW_STOP: 0
      ALLOW_RESTARTS: 0
      AUTH: 0
      BUILD: 0        
      COMMIT: 0      
      CONFIGS: 0
      DISTRIBUTION: 0
      NODES: 0
      PLUGINS: 0
      SERVICES: 0
      SESSION: 0
      SWARM: 0
      TASKS: 0
      SECRETS: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    tmpfs:
      - /run:rw,uid=${SUID},gid=${GUID},mode=0755
      - /tmp:rw,mode=1777
      - /var/lib/haproxy:rw,uid=${SUID},gid=${GUID},mode=0755
    security_opt:
      - no-new-privileges:true
    read_only: true
    cap_drop:
      - ALL
    user: ${SUID}:${GUID}
    group_add:
      - 990
    expose:
      - 2375
    restart: unless-stopped

And use env var : DOCKER_HOST: tcp://cronmasterProxy:2375 and remove - /var/run/docker.sock:/var/run/docker.sock

[fccview]

Could you please add Socket Proxy connection mode to increase security and allow limiting Docker socket usage to runtime only?

Like this:

services:
  cronmasterProxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    container_name: cronmasterProxy
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 2s
      retries: 3
    env_file: ['../.env']
    environment:
      LOG_LEVEL: info # debug,info,notice,warning,err,crit,alert,emerg
      
      # Base
      PING: 1
      VERSION: 1
      INFO: 1
      EVENTS: 1

      POST: 1
      EXEC: 1

      # Disabled
      CONTAINERS: 0
      IMAGES: 0
      NETWORKS: 0
      VOLUMES: 0
      SYSTEM: 0

      ALLOW_START: 0
      ALLOW_STOP: 0
      ALLOW_RESTARTS: 0
      AUTH: 0
      BUILD: 0        
      COMMIT: 0      
      CONFIGS: 0
      DISTRIBUTION: 0
      NODES: 0
      PLUGINS: 0
      SERVICES: 0
      SESSION: 0
      SWARM: 0
      TASKS: 0
      SECRETS: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    tmpfs:
      - /run:rw,uid=${SUID},gid=${GUID},mode=0755
      - /tmp:rw,mode=1777
      - /var/lib/haproxy:rw,uid=${SUID},gid=${GUID},mode=0755
    security_opt:
      - no-new-privileges:true
    read_only: true
    cap_drop:
      - ALL
    user: ${SUID}:${GUID}
    group_add:
      - 990
    expose:
      - 2375
    restart: unless-stopped

And use env var : DOCKER_HOST: tcp://cronmasterProxy:2375 and remove - /var/run/docker.sock:/var/run/docker.sock

This sounds pretty neat, however I am not entirely sure how it actually would work.

Are you able to fork and create a pull request? If not I'll need to investigate a little and learn about it, and may take a while to implement it

[cerede2000]

I looked at the code a bit, I haven't done any development for several years and I don't think I'm able to make this change :(

In the process, however, it would be necessary to work like this:

• A Socket Proxy container
• The Cronmaster container that manages its own crontab in Docker mode
• A container called Runner that takes care of executing the task

The Cronmaster container uses the Docker API through the Socket Proxy container to manage the Runner container.

No Docker Socket access required (wrapped through Socket Proxy)
No elevated host access required

Better security

The Runner container has the elevation elements --pid=host --privileged
Since it is not running permanently, it is just called when a task is running otherwise it does not exist :)

The crontab in Cronmaster executes a Docker API call (to Socket Proxy) that mounts the Runner with the necessary volumes and the command to execute.

Bind:
/:/host:rw
/proc:/host/proc
/sys:/host/sys
/dev:/host/dev
/run:/host/run

All host binaries are available.