Home
P. Arndt edited this page Sep 28, 2024 · 5 revisions
Socket-proxy allows partial access to a Unix socket via TCP. A good use case is giving a Docker container limited access to the Docker socket without mounting the socket directly into that container.

Dozzle is an easy-to-use Docker log viewer.

Here is an example of running Dozzle without being root and without mounting the Docker socket in the container. Note that some IP addresses are declared statically so that the socket proxy can be configured to allow only that specific IP address. This is not necessary, but it adds an extra layer of security.
docker-compose.yml

```yaml
services:
  dockerproxy:
    image: wollomatic/socket-proxy:1
    command:
      - '-loglevel=info'
      - '-allowfrom=dozzle' # allow only the dozzle container
      - '-listenip=0.0.0.0'
      - '-allowGET=/v1\..{2}/(containers/.*|events|info)' # read-only container, event and info endpoints
      - '-allowHEAD=/_ping'
      - '-watchdoginterval=3600'
      - '-stoponwatchdog'
      - '-shutdowngracetime=10'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:998 # nobody, with the gid that owns /var/run/docker.sock on the host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-proxynet
  dozzle:
    image: amir20/dozzle:v8.5.3
    user: 65534:65534
    read_only: true
    mem_limit: 256M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    depends_on:
      - dockerproxy
    # ports: # please mind that this would expose dozzle to the whole network!
    #   - 9999:8080
    environment:
      DOZZLE_REMOTE_HOST: tcp://dockerproxy:2375
    networks:
      - docker-proxynet
      - dozzle
networks:
  docker-proxynet:
    internal: true
    attachable: false
  dozzle:
    driver: bridge
    attachable: false
```
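To see what the two allow rules above actually grant, here is an added Python model of the per-method regex check. It is not socket-proxy's own code; it assumes the pattern has to match the whole request path and that the query string is not part of the match, and the sample requests are constructed.

```python
import re

# Allowlist taken from the compose file on this page: one regex per HTTP method.
# Any method without an entry (POST, DELETE, PUT, ...) has no allow rule at all.
ALLOW = {
    "GET": r"/v1\..{2}/(containers/.*|events|info)",
    "HEAD": r"/_ping",
}


def is_allowed(method: str, path: str) -> bool:
    """Model of the allowlist decision for one request.

    Assumption (this is a model, not socket-proxy's matcher): the regex must
    match the entire request path, and the query string is ignored.
    """
    pattern = ALLOW.get(method.upper())
    if pattern is None:
        return False  # no rule for this method: denied
    path_only = path.split("?", 1)[0]
    return re.fullmatch(pattern, path_only) is not None


# Constructed sample requests: what a log viewer typically issues, plus some
# that must not get through the proxy.
SAMPLES = [
    ("GET", "/v1.45/containers/json?all=1"),              # list containers
    ("GET", "/v1.45/containers/abc123/logs?follow=1"),    # stream logs
    ("GET", "/v1.45/containers/abc123/archive?path=/etc"),  # containers/.* admits this too
    ("GET", "/v1.45/events"),
    ("GET", "/v1.45/info"),
    ("HEAD", "/_ping"),
    ("GET", "/_ping"),                          # only HEAD is allowed for /_ping
    ("GET", "/v1.45/images/json"),              # not in the allowlist
    ("POST", "/v1.45/containers/create"),       # no POST rule exists
    ("GET", "/v1.5/containers/json"),           # .{2} needs a two-character minor version
]


def evaluate(samples=SAMPLES) -> dict:
    """Return {(method, path): allowed} for every sample request."""
    return {(m, p): is_allowed(m, p) for m, p in samples}


if __name__ == "__main__":
    for (method, path), allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {method:4} {path}")
```

The `containers/.*` alternative admits every read-only endpoint below `/containers/`, not just the log and list calls a viewer needs, so narrowing that regex to the endpoints Dozzle actually uses reduces what a compromised viewer could read.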