From db8cc8f5f045069f42f93dad20733fa92d58f14d Mon Sep 17 00:00:00 2001 From: Adam Date: Mon, 9 Dec 2024 19:16:20 +0000 Subject: [PATCH] Fix tecnativa ref & update sample compose Signed-off-by: Adam --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 196b870..751466b 100644 --- a/README.md +++ b/README.md @@ -12,16 +12,19 @@ If adding multiple mods, enter them in an array separated by `|`, such as `DOCKE Mapping `docker.sock` is a potential security liability because docker has root access on the host and any process that has full access to `docker.sock` would also have root access on the host. Docker api has no built-in way to set limitations on access, however you can use a proxy for the `docker.sock` via a solution like [our docker socket proxy](https://github.com/linuxserver/docker-socket-proxy), which adds the ability to limit access. Then you would just set `DOCKER_HOST=` environment variable to point to the proxy address. -Here's a sample compose yaml snippet for tecnativa/docker-socket-proxy: +Here's a sample compose yaml snippet for the socket proxy: ```yaml dockerproxy: image: lscr.io/linuxserver/socket-proxy:latest container_name: dockerproxy - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - restart: unless-stopped environment: - CONTAINERS=1 - POST=0 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + restart: unless-stopped + read_only: true + tmpfs: + - /run ``` -The above config for instance would allow read only access to the docker api. Then the env var in the container with the docker mod can be set as `DOCKER_HOST=dockerproxy`. This will allow the container to retrieve info on other containers, but it won't be allowed to spin up new containers. With the proxy, you can fine tune the permissions very easily. +The above config for instance would allow read only access to list containers via the docker api. Then the env var in the container with the docker mod can be set as `DOCKER_HOST=dockerproxy`. This will allow the container to retrieve info on other containers, but it won't be allowed to spin up new containers. With the proxy, you can fine tune the permissions very easily.