Docker Homelab - Docker Socket Security Risks and Docker-Socket-Proxy [help/discussion]
from hellmo_luciferrari@lemmy.zip to homelab@lemmy.ml on 09 Apr 12:53
https://lemmy.zip/post/62236625

Greetings homelabbers,

I have been running a bunch of my homelab on Docker, on a Fedora server box, for quite some time, and wanted to gauge how much of a security risk it is for me to expose the Docker socket directly to containers. Is this really a huge issue when my homelab is not exposed to the internet?

The reason this question came up for me was because I cannot seem to get Docker Socket Proxy (github.com/Tecnativa/docker-socket-proxy) set up and working for Homepage, even following the recommendations from their guide (gethomepage.dev/configs/docker/#using-docker-sock…)

I suppose this is a mix of a discussion post and a request for some help/guidance.

Thank you all! Hellmo

#homelab


grehund@lemmy.world on 09 Apr 14:54

The risk is certainly lower if you’re not exposing services to the internet, but that’s not the only way to end up with a rogue container. I use docker-socket-proxy for most of my stacks that need socket access. It can sometimes require a little bit of troubleshooting to understand what services you need to proxy, but I’ve had a pretty good success rate. Reading the logs from the socket-proxy and referring to the Docker Engine API documentation will help you to understand what Services you need to enable in the socket-proxy config.

hellmo_luciferrari@lemmy.zip on 09 Apr 15:25

Thank you! Another potentially dumb question: is it recommended to use multiple socket-proxy containers to separate each container? Or can I utilize one socket-proxy container and call it from the other containers I am running?

Currently I have each container I run with its own compose file (with the exception of one stack).

grehund@lemmy.world on 09 Apr 23:12

It really depends on which Socket Services the container requires. If you have a lot of containers that all need the same set of Socket Services, you could potentially use a single socket-proxy to serve all of them (in theory, I think).

I usually run one per stack, sometimes more if I have a container within my stack that requires more/different Socket Services to the other(s).

I’m not a docker expert though, so I’m not sure I can say what’s recommended. If you find/get a more authoritative answer on this question, I’d be interested to know.
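
As an added worked example (not from either poster, and not an official Homepage or Tecnativa file), here is the "one proxy per stack, least privilege" layout from the replies above applied to the Homepage case in the original question: a docker-socket-proxy that only exposes the read-only container endpoints Homepage needs, on an internal-only network, with every write-capable Docker API section explicitly off. The environment variable names (CONTAINERS, POST, EXEC, LOG_LEVEL, ...) are the ones the docker-socket-proxy README documents; the service names `dockerproxy` and `homepage`, the network name `socket_proxy`, the config directory `./homepage-config` and the hostname `homepage.lab.example` are placeholders chosen for this example.

```yaml
# Added example: least-privilege docker-socket-proxy for Homepage.
# Service/network/host names below are placeholders, not project defaults.
services:
  dockerproxy:
    image: tecnativa/docker-socket-proxy
    container_name: dockerproxy
    environment:
      - CONTAINERS=1   # GET /containers/* is all Homepage needs for status widgets
      - POST=0         # deny every non-GET request (create/start/stop/exec/etc.)
      - EXEC=0         # stated explicitly so the allow-list is readable at a glance
      - IMAGES=0
      - NETWORKS=0
      - VOLUMES=0
      - INFO=0
      - SERVICES=0     # only needed for Swarm; enable together with TASKS if you use it
      - TASKS=0
      - LOG_LEVEL=info # keep 403 lines visible in `docker logs dockerproxy`
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket_proxy
    restart: unless-stopped
    # Deliberately no `ports:` entry: port 2375 is reachable only from
    # containers attached to the socket_proxy network.

  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    environment:
      # Required by recent Homepage releases; set to the hostname you browse to.
      - HOMEPAGE_ALLOWED_HOSTS=homepage.lab.example
    volumes:
      - ./homepage-config:/app/config
    ports:
      - "3000:3000"
    networks:
      - socket_proxy   # to reach dockerproxy:2375
      - default        # to be reachable from your LAN
    depends_on:
      - dockerproxy
    restart: unless-stopped

networks:
  socket_proxy:
    internal: true     # no outbound route; the proxy can talk only to its stack
```

Point Homepage at the proxy instead of the socket in `homepage-config/docker.yaml` with an entry such as `my-docker:` containing `host: dockerproxy` and `port: 2375`, then bring the stack up and watch `docker logs dockerproxy`. A `403` line for a path you did not expect is the proxy doing its job and tells you exactly which API section (and therefore which variable) a widget is asking for; compare the path against the Docker Engine API reference before flipping anything to `1`, and treat `POST=1` as a last resort because it re-enables container creation and exec through the proxy. On Fedora with SELinux enforcing, a "permission denied" on the socket from the proxy itself is an AVC denial rather than a proxy misconfiguration, so check `ausearch -m avc` before loosening anything.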

hellmo_luciferrari@lemmy.zip on 10 Apr 14:36

Thank you for chiming in! I will update if I find out more!