**What can I do with this?** This image will run a proxy to access your docker socket as read-only. The exposed proxy socket is run as 1000:1000, not as root, although the image starts the proxy process as root to interact with the actual docker socket. There is also a TCP endpoint started at 2375 that will also proxy to the actual docker socket if needed. It is not exposed by default and must be exposed via using ```- "2375:2375/tcp"``` in your compose.
17
10
@@ -42,15 +35,18 @@ If you value security, simplicity and the ability to interact with the maintaine
42
35
43
36
# COMPOSE ✂️
44
37
```yaml
45
-
name: "traefik"# this is a compose example for Traefik
38
+
name: "traefik"
46
39
services:
47
40
socket-proxy:
48
-
image: "11notes/socket-proxy:2.1.2"
41
+
image: "11notes/socket-proxy:2.1.3"
49
42
read_only: true
50
-
user: "0:0"# make sure to use the same UID/GID as the owner of your docker socket!
43
+
# make sure to use the same UID/GID as the owner of your docker socket!
44
+
user: "0:0"
51
45
volumes:
52
-
- "/run/docker.sock:/run/docker.sock:ro"# mount host docker socket, the :ro does not mean read-only for the socket, just for the actual file
53
-
- "socket-proxy:/run/proxy"# this socket is run as 1000:1000, not as root!
46
+
# mount host docker socket, the :ro does not mean read-only for the socket, just for the actual file
47
+
- "/run/docker.sock:/run/docker.sock:ro"
48
+
# this socket is run as 1000:1000, not as root!
49
+
- "socket-proxy:/run/proxy"
54
50
restart: "always"
55
51
56
52
traefik:
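Review bot: The replacement for `name: "traefik"` drops the "this is a compose example for Traefik" comment outright, while every other inline comment in this hunk is moved to its own line above the key. If the goal is only to relocate comments, keep that one above `name:` as well. The bump from `2.1.2` to `2.1.3` is also bundled with the comment reshuffle; splitting it into its own commit would make the version change easier to spot in history. The relocated notes on `user: "0:0"` and on `:ro` not making the socket itself read-only are the ones readers most need, so it is good that they survive.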
@@ -66,10 +62,10 @@ services:
66
62
- "--api.insecure=true"
67
63
- "--log.level=INFO"
68
64
- "--log.format=json"
69
-
- "--providers.docker.exposedByDefault=false"# use docker provider but do not expose by default
65
+
- "--providers.docker.exposedByDefault=false"
70
66
- "--entrypoints.http.address=:80"
71
67
- "--entrypoints.https.address=:443"
72
-
- "--serversTransport.insecureSkipVerify=true"# do not verify downstream SSL certificates
68
+
- "--serversTransport.insecureSkipVerify=true"
73
69
ports:
74
70
- "80:80/tcp"
75
71
- "443:443/tcp"
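Review bot: The comments on `--providers.docker.exposedByDefault=false` and `--serversTransport.insecureSkipVerify=true` are deleted here rather than moved to their own line as in the previous hunk, which leaves a flag that disables downstream certificate verification unexplained in an example people will copy. Suggest keeping "do not verify downstream SSL certificates" as a comment line above that entry, and doing the same for the provider flag, so the two hunks follow one convention. The unchanged `--api.insecure=true` just above has no comment either and would benefit from one while this block is being touched.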
@@ -116,12 +112,31 @@ networks:
116
112
| `SOCKET_PROXY_UID` | the UID used to run the proxy parts | 1000 |
117
113
| `SOCKET_PROXY_GID` | the GID used to run the proxy parts | 1000 |
118
114
115
+
# MAIN TAGS 🏷️
116
+
These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value.
### There is no latest tag, what am I supposed to do about updates?
121
+
It is of my opinion that the ```:latest``` tag is dangerous. Many times, I’ve introduced **breaking** changes to my images. This would have messed up everything for some people. If you don’t want to change the tag to the latest [semver](https://semver.org/), simply use the short versions of [semver](https://semver.org/). Instead of using ```:2.1.3``` you can use ```:2``` or ```:2.1```. Since on each new version these tags are updated to the latest version of the software, using them is identical to using ```:latest``` but at least fixed to a major or minor version.
122
+
123
+
If you still insist on having the bleeding edge release of this app, simply use the ```:rolling``` tag, but be warned! You will get the latest version of the app instantly, regardless of breaking changes or security issues or what so ever. You do this at your own risk!
>This image is not based on another image but uses [scratch](https://hub.docker.com/_/scratch) as the starting layer.
138
+
>The image consists of the following distroless layers that were added:
139
+
>* [11notes/distroless](https://github.com/11notes/docker-distroless/blob/master/arch.dockerfile) - contains users, timezones and Root CA certificates
125
140
126
141
127
142
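Review bot: Two wording fixes in the added FAQ text: "It is of my opinion" should read "It is my opinion", and "what so ever" should be "whatsoever". The `###` question heading also sits directly under the top-level `# MAIN TAGS` heading, skipping a level; `##` would match the rest of the README. On content, the paragraph says `:2` and `:2.1` are updated on every new version, so it would help to state in the same place that only the full `:2.1.3` form (or the per-commit tag mentioned above) stays fixed, since that is the form the compose example uses.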
@@ -133,4 +148,4 @@ networks:
133
148
# ElevenNotes™️
134
149
This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-socket-proxy/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-socket-proxy/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-socket-proxy/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories).