LAB-linuxserver/docker-mods
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-mods.git synced 2026-03-23 00:05:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #207 from linuxserver/universal-docker-readme

Browse Source 
universal-docker: add info on docker.sock proxy
This commit is contained in:
Roxedus 2021-05-31 18:07:37 +02:00 committed by GitHub
commit b58c3ede71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -2,8 +2,26 @@
This mod adds `docker` and `docker-compose` binaries to any linuxserver image.
**IMPORTANT NOTE**: For docker access inside a container, a volume mapping needs to be added for `/var/run/docker.sock:/var/run/docker.sock` in the container's docker run/create/compose. If you'd like to connect to a remote docker service instead, you don't have to map the docker sock; you can either set an env var for `DOCKER_HOST=remoteaddress` or use the docker cli option `-H`.
**IMPORTANT NOTE**: For docker access inside a container, a volume mapping needs to be added for `/var/run/docker.sock:/var/run/docker.sock:ro` in the container's docker run/create/compose. If you'd like to connect to a remote docker service instead, you don't have to map the docker sock; you can either set an env var for `DOCKER_HOST=remoteaddress` or use the docker cli option `-H`.
In the container's docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:universal-docker` to enable.
If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:universal-mod2`
## Security consideration:
Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however you can use a proxy for the `docker.sock` via a solution like [tecnativa/docker-socket-proxy](https://hub.docker.com/r/tecnativa/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address.
Here's a sample compose yaml snippet for tecnativa/docker-socket-proxy:
```yaml
dockerproxy:
image: ghcr.io/tecnativa/docker-socket-proxy:latest
container_name: dockerproxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
environment:
- CONTAINERS=1
- POST=0
```
The above config for instance would allow read only access to the docker api. Then the env var in the container with the docker mod can be set as `DOCKER_HOST=dockerproxy`. This will allow the container to retrieve info on other containers, but it won't be allowed to spin up new containers. With the proxy, you can fine tune the permissions very easily.