Docker Socket Proxy
Why?
The simplest configuration is to pass the Docker socket straight into the Nautical container with a bind mount like this:

```yaml
- /var/run/docker.sock:/var/run/docker.sock
```
However, giving a container access to your Docker socket is effectively giving it root access to your host. While Nautical needs some control of your Docker socket to inspect/start/stop/exec your containers, it does not need complete control. Using the Docker Socket Proxy lets you restrict Nautical's permissions to only what is necessary.
How?
We can use the Docker Socket Proxy container to act as a man-in-the-middle (AKA proxy) for the Docker socket.
Essentially, the DSP gets full control over the Docker socket, and then hands out a smaller set of permissions on that socket to Nautical (or anything else that connects to it).
Setup
For more information about which Docker Socket Proxy environment variables you must enable, check out their docs.
```yaml
services:
  # Establish the docker socket proxy
  docker_socket_proxy:
    image: tecnativa/docker-socket-proxy
    container_name: docker_socket_proxy
    ports:
      # Only needed if something outside this compose network must reach the proxy;
      # publishing the port exposes the partially unlocked Docker API on the host
      - 2375:2375
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # Enable API access to the following sections of the Docker API
      - CONTAINERS=1
      - IMAGES=1
      - ALLOW_START=1
      - ALLOW_STOP=1
      - EXEC=1
      - VOLUMES=1
  nautical-backup:
    image: minituff/nautical-backup:2.10
    container_name: nautical-backup
    volumes:
      # Notice we removed the socket mount
      - /config:/config
      - /source:/app/source
      - /destination:/app/destination
    environment:
      # Enable the Proxy in Nautical
      # The name `docker_socket_proxy` must match the name of the service,
      # and they must be in the same compose file unless you use the absolute URL
      - DOCKER_HOST=tcp://docker_socket_proxy:2375
```
LinuxServer.io has their own version available here.
It is based on the original Tecnativa/docker-socket-proxy, so all the configs and variables carry over.
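Once the stack is up, it is worth confirming from the client side that the proxy really refuses the API sections you did not enable. The script below is an added example, not part of Nautical or the proxy project: it sends a handful of GET probes to the `DOCKER_HOST` from the compose file above and compares each answer with what that environment should allow (the proxy answers 403 for denied paths; the `/info`, `/secrets` and `/networks` probes are assumed to be left disabled, as they are in the config above).

```python
"""Check which Docker API sections a Docker Socket Proxy lets through."""
import http.client
import os
from urllib.parse import urlparse

# Constructed probe list: (method, path, expected to be allowed?) matching the
# environment in the compose file above. Sections that were enabled should get
# through to the daemon; everything else must be refused by the proxy.
PROBES = [
    ("GET", "/containers/json", True),   # CONTAINERS=1
    ("GET", "/images/json", True),       # IMAGES=1
    ("GET", "/volumes", True),           # VOLUMES=1
    ("GET", "/info", False),             # INFO not enabled
    ("GET", "/secrets", False),          # SECRETS not enabled
    ("GET", "/networks", False),         # NETWORKS not enabled
]


def reached_daemon(status):
    """HAProxy answers 403 for a denied path; any other status came from dockerd."""
    return status != 403


def probe_proxy(docker_host, probes=PROBES, connection=http.client.HTTPConnection):
    """Send each probe to the proxy behind docker_host (tcp://host:port).

    Returns a list of (path, allowed, matches_expectation). `connection` is
    injectable so the logic can be exercised without a live proxy.
    """
    url = urlparse(docker_host)
    results = []
    for method, path, expected in probes:
        conn = connection(url.hostname, url.port or 2375, timeout=5)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
        allowed = reached_daemon(status)
        results.append((path, allowed, allowed == expected))
    return results


def unexpected(results):
    """Paths whose outcome did not match the expected permission set."""
    return [path for path, _allowed, ok in results if not ok]


if __name__ == "__main__":
    host = os.environ.get("DOCKER_HOST", "tcp://docker_socket_proxy:2375")
    for path, allowed, ok in probe_proxy(host):
        print(f"{path:20} {'allowed' if allowed else 'denied ':8} {'OK' if ok else 'MISMATCH'}")
```

Run it from a container on the same compose network as the proxy (or point `DOCKER_HOST` at the published port); any `MISMATCH` line means the proxy's environment does not match what you intended.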