diff --git a/README.md b/README.md index 2c0c042..5517563 100644 --- a/README.md +++ b/README.md @@ -62,12 +62,16 @@ If a mod requires additional packages to be installed, each container will still Note that the Modmanager container itself does not support applying mods *or* custom files/services. +### Security considerations + +Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however, you can use a proxy for the `docker.sock` via a solution like [our docker socket proxy](https://github.com/linuxserver/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address. + ### Multiple Hosts >[!WARNING] >Make sure you fully understand what you're doing before you try and set this up as there are lots of ways it can go wrong. -Modmanager can query & download mods for remote hosts, as well as the one on which it is installed. At a very basic level if you're just using the DOCKER_MODS env and not the docker integration, simply mount the `/modcache` folder on your remote host(s), ensuring it is writeable by all participating containers. +Modmanager can query & download mods for remote hosts, as well as the one on which it is installed. At a very basic level if you're just using the DOCKER_MODS env and not the docker integration, simply mount the `/modcache` folder on your remote host(s), ensuring it is mapped for all participating containers. If you are using the docker integration, our only supported means for connecting to remote hosts is [our socket proxy container](). Run an instance on each remote host: @@ -97,11 +101,7 @@ And then add it to the `DOCKER_MODS_EXTRA_HOSTS` env using the full protocol and - DOCKER_MODS_EXTRA_HOSTS=tcp://host1.example.com:2375|tcp://host2.example.com:2375|tcp://192.168.0.5:2375 ``` -As above you will need to mount the `/modcache` folder on your remote host(s), ensuring it is writeable by all participating containers. - -### Security considerations - -Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however, you can use a proxy for the `docker.sock` via a solution like [our docker socket proxy](https://github.com/linuxserver/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address. +As above you will need to mount the `/modcache` folder on your remote host(s), ensuring it is mapped for all participating containers. ## Usage diff --git a/readme-vars.yml b/readme-vars.yml index 1b6486a..7d913af 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -66,12 +66,16 @@ full_custom_readme: | Note that the Modmanager container itself does not support applying mods *or* custom files/services. + ### Security considerations + + Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however, you can use a proxy for the `docker.sock` via a solution like [our docker socket proxy](https://github.com/linuxserver/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address. + ### Multiple Hosts >[!WARNING] >Make sure you fully understand what you're doing before you try and set this up as there are lots of ways it can go wrong. - Modmanager can query & download mods for remote hosts, as well as the one on which it is installed. At a very basic level if you're just using the DOCKER_MODS env and not the docker integration, simply mount the `/modcache` folder on your remote host(s), ensuring it is writeable by all participating containers. + Modmanager can query & download mods for remote hosts, as well as the one on which it is installed. At a very basic level if you're just using the DOCKER_MODS env and not the docker integration, simply mount the `/modcache` folder on your remote host(s), ensuring it is mapped for all participating containers. If you are using the docker integration, our only supported means for connecting to remote hosts is [our socket proxy container](). Run an instance on each remote host: @@ -101,11 +105,7 @@ full_custom_readme: | - DOCKER_MODS_EXTRA_HOSTS=tcp://host1.example.com:2375|tcp://host2.example.com:2375|tcp://192.168.0.5:2375 ``` - As above you will need to mount the `/modcache` folder on your remote host(s), ensuring it is writeable by all participating containers. - - ### Security considerations - - Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however, you can use a proxy for the `docker.sock` via a solution like [our docker socket proxy](https://github.com/linuxserver/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address. + As above you will need to mount the `/modcache` folder on your remote host(s), ensuring it is mapped for all participating containers. ## Usage