[breaking] switch to complete distroless

Author: 11notes

.json

@@ -1,18 +1,19 @@
 {
   "image":"11notes/socket-proxy",
   "name":"socket-proxy",
-  "root":"/socket-proxy",
+  "root":"/",
 
   "semver":{
-    "version":"1.0.1",
-    "stable":"1.0.1",
-    "latest":"1.0.1"
+    "version":"2.0.0",
+    "stable":"2.0.0",
+    "latest":"2.0.0"
   },
 
   "readme":{
-    "description":"Access your docker socket safely as read-only",
+    "description":"Access your docker socket safely as read-only, rootless and distroless",
     "parent":{
-      "image":"11notes/alpine:stable"
-    }
+      "image":"scratch"
+    },
+    "distroless":true
   }
 }

arch.dockerfile

@@ -1,16 +1,24 @@
-# :: Util
-  FROM 11notes/util AS util
-
-# :: Build
-  FROM golang:1.24-alpine AS build
+# :: Distroless
+  FROM alpine AS fs
+  USER root
+  RUN set -ex; \
+    mkdir -p /rootfs/run/proxy; \
+    mkdir -p /rootfs/etc; \
+    echo "root:x:0:0:root:/root:/bin/sh" > /rootfs/etc/passwd; \
+    echo "root:x:0:root" > /rootfs/etc/group;
+
+# :: Build // socket-proxy
+  FROM golang:1.24-alpine AS socket-proxy
+  ARG TARGETARCH
+  USER root
   COPY ./go/ /go
   RUN set -ex; \
     cd /go/socket-proxy; \
     go build -ldflags="-extldflags=-static" -o socket-proxy main.go; \
     mv socket-proxy /usr/local/bin/socket-proxy;
 
 # :: Header
-  FROM 11notes/alpine:stable
+  FROM scratch
 
   # :: arguments
     ARG TARGETARCH
@@ -27,30 +35,18 @@
     ENV APP_VERSION=${APP_VERSION}
     ENV APP_ROOT=${APP_ROOT}
 
-    ENV SOCKET_PROXY="${APP_ROOT}/run/docker.sock"
+    ENV SOCKET_PROXY_VOLUME="/run/proxy"
     ENV SOCKET_PROXY_DOCKER_SOCKET="/run/docker.sock"
+    ENV SOCKET_PROXY_UID=1000
+    ENV SOCKET_PROXY_GID=1000
 
   # :: multi-stage
-    COPY --from=util /usr/local/bin/ /usr/local/bin
-    COPY --from=build /usr/local/bin/ /usr/local/bin
-
-# :: Run
-  USER root
-  RUN eleven printenv;
-
-  # :: install application
-    RUN set -ex; \
-      eleven mkdir ${APP_ROOT}/{etc,run};
-
-  # :: copy filesystem changes and set correct permissions
-    COPY ./rootfs /
-    RUN set -ex; \
-      chmod +x -R /usr/local/bin; \
-      chown -R 1000:1000 \
-        ${APP_ROOT}
+    COPY --from=fs /rootfs/ /
+    COPY --from=socket-proxy /usr/local/bin/socket-proxy /
 
 # :: Monitor
-  HEALTHCHECK --interval=5s --timeout=2s CMD curl --unix-socket ${SOCKET_PROXY} http://localhost/version || exit 1
+  HEALTHCHECK --interval=5s --timeout=2s CMD ["/socket-proxy", "--healthcheck"]
 
 # :: Start
-  USER root
+  USER root
+  ENTRYPOINT ["/socket-proxy"]

compose.yaml

@@ -1,10 +1,10 @@
-name: "socket-proxy"
+name: "traefik" # this is a compose example for Traefik
 services:
   socket-proxy:
-    image: "11notes/socket-proxy:1.0.0"
+    image: "11notes/socket-proxy:2.0.0"
     volumes:
       - "/run/docker.sock:/run/docker.sock:ro" # mount host docker socket, the :ro does not mean read-only for the socket, just for the actual file
-      - "socket-proxy:/socket-proxy/run" # this socket is run as 1000:1000, not as root!
+      - "socket-proxy:/run/proxy" # this socket is run as 1000:1000, not as root!
     restart: "always"
 
   traefik:
@@ -37,7 +37,7 @@ services:
       net.ipv4.ip_unprivileged_port_start: 80
     restart: "always"
 
-  nginx:
+  nginx: # example container
     image: "11notes/nginx:1.26.2"
     labels:
       - "traefik.enable=true"

go/socket-proxy/main.go

@@ -12,12 +12,15 @@ import(
 	"syscall"
 	"sync"
 	"regexp"
+	"strconv"
+	"flag"
 )
 
 var(
 	proxy *httputil.ReverseProxy
 	socket net.Listener
 	wg sync.WaitGroup
+	socketProxy string
 )
 
 func signals(){
@@ -29,7 +32,35 @@ func signals(){
 	}()
 }
 
+func prepareFileSystemDropPrivileges(){
+	// unprivileged user
+	proxyUID, err := strconv.Atoi(os.Getenv("SOCKET_PROXY_UID"))
+	if err != nil {
+		log.Fatalf("SOCKET_PROXY_UID must be a number %v", err)
+	}
+	proxyGID, err := strconv.Atoi(os.Getenv("SOCKET_PROXY_GID"))
+	if err != nil {
+		log.Fatalf("SOCKET_PROXY_GID must be a number %v", err)
+	}
+	proxyVolume := regexp.MustCompile(`/+$`).ReplaceAllString(os.Getenv("SOCKET_PROXY_VOLUME"), "")
+
+	// chown file system for unprivileged user	
+	if err := os.Chown(proxyVolume, proxyUID , proxyGID); err != nil {
+		log.Fatalf("could not chown folder %s", proxyVolume, err)
+	}
+
+	// drop privileges since only the proxy must access the socket as root and nothing else
+	if err := syscall.Setgid(proxyGID); err != nil {
+		log.Fatalf("could not set GID to %d %v", proxyGID, err)
+	}
+
+	if err := syscall.Setuid(proxyUID); err != nil {
+		log.Fatalf("could not set UID to %d %v", proxyUID, err)
+	}
+}
+
 func httpProxyBlockedPaths(url string) bool {
+	// block paths that use GET but pose security risk
 	blockedPatterns := []*regexp.Regexp{
 		regexp.MustCompile(`(?i)containers/\S+/attach/ws.*`), // could attach to stdin via web socket and issue command inside the container
 		regexp.MustCompile(`(?i)containers/\S+/export.*`), // could exfil container data
@@ -60,54 +91,70 @@ func httpProxy(w http.ResponseWriter, r *http.Request){
 }
 
 func main(){
-	signals()
-
-	// setup proxy to docker socket
-	localhost, _ := url.Parse("http://localhost")
-	proxy = httputil.NewSingleHostReverseProxy(localhost)
-	proxy.Transport = &http.Transport{
-		DialContext: func(_ context.Context, _, _ string)(net.Conn, error){
-			return net.Dial("unix", os.Getenv("SOCKET_PROXY_DOCKER_SOCKET"))
-		},
-	}
-
-	// drop privileges since only the proxy must access the socket as root and nothing else
-	if err := syscall.Setgid(1000); err != nil {
-		log.Fatalf("could not set GID to 1000 %v", err)
-	}
-
-	if err := syscall.Setuid(1000); err != nil {
-		log.Fatalf("could not set UID to 1000 %v", err)
-	}
+	// set socket proxy file path
+	socketProxy = regexp.MustCompile(`/+$`).ReplaceAllString(os.Getenv("SOCKET_PROXY_VOLUME"), "") + "/docker.sock"
+
+	// check for command line flags
+	healthCheckFlag := flag.Bool("healthcheck", false, "just run healthcheck")
+	flag.Parse()
+
+	if(*healthCheckFlag){
+		// only run healthcheck
+		_, err := net.Dial("unix", socketProxy)
+		if err != nil {
+			os.Exit(1)
+		}
+		os.Exit(0)
+	}else{
+		// setup signal handler
+		signals()
+
+		// setup proxy to docker socket as root
+		localhost, _ := url.Parse("http://localhost")
+		proxy = httputil.NewSingleHostReverseProxy(localhost)
+		proxy.Transport = &http.Transport{
+			DialContext: func(_ context.Context, _, _ string)(net.Conn, error){
+				return net.Dial("unix", os.Getenv("SOCKET_PROXY_DOCKER_SOCKET"))
+			},
+		}
 
-	wg.Add(2)
+		// prepare the file system and drop privileges to UID/GID
+		prepareFileSystemDropPrivileges()
 
-	// setup unix to socket proxy
-	serverUnix := &http.Server{
-		Handler: http.HandlerFunc(httpProxy),
-	}
+		wg.Add(2)
 
-	os.Remove(os.Getenv("SOCKET_PROXY"))
-	unix, _ := net.Listen("unix", os.Getenv("SOCKET_PROXY"))
-	go func(){
-		defer wg.Done()
-		if err := serverUnix.Serve(unix); err != nil {
+		// setup unix to socket proxy
+		serverUnix := &http.Server{
+			Handler: http.HandlerFunc(httpProxy),
+		}
+		os.Remove(socketProxy)
+		unix, err := net.Listen("unix", socketProxy)
+		if err != nil {
 			log.Fatalf("could not start unix socket %v", err)
 		}
-	}()
-
-	// setup http to socket proxy
-	httpServer := &http.Server{
-		Handler: http.HandlerFunc(httpProxy),
-	}
+		go func(){
+			defer wg.Done()
+			if err := serverUnix.Serve(unix); err != nil {
+				log.Fatalf("could not start unix socket %v", err)
+			}
+		}()
+
+		// setup http to socket proxy
+		httpServer := &http.Server{
+			Handler: http.HandlerFunc(httpProxy),
+		}
 
-	tcp, _ := net.Listen("tcp", "0.0.0.0:8080")
-	go func(){
-		defer wg.Done()
-		if err := httpServer.Serve(tcp); err != nil {
+		tcp, err := net.Listen("tcp", "0.0.0.0:2375")
+		if err != nil {
 			log.Fatalf("could not start tcp socket %v", err)
 		}
-	}()
-
-	wg.Wait()
+		go func(){
+			defer wg.Done()
+			if err := httpServer.Serve(tcp); err != nil {
+				log.Fatalf("could not start tcp socket %v", err)
+			}
+		}()
+
+		wg.Wait()
+	}
 }

project.md

@@ -1,12 +1,23 @@
-${{ content_synopsis }} This image will run a proxy to access your docker socket read-only. The exposed proxy socket is run as 1000:1000, not as root, although the image starts the proxy process as root to interact with the actual docker socket as root. There is also a TCP endpoint started at 8080 that will also proxy to the actual docker socket if needed.
+${{ content_synopsis }} This image will run a proxy to access your docker socket as read-only. The exposed proxy socket is run as 1000:1000, not as root, although the image starts the proxy process as root to interact with the actual docker socket. There is also a TCP endpoint started at 2375 that will also proxy to the actual docker socket if needed. It is not exposed by default and must be exposed via using ```- "2375:2375/tcp"``` in your compose.
 
-${{ content_compose }}
+${{ content_uvp }} Good question! All the other images on the market that do exactly the same don’t do or offer these options:
+
+* This image runs the proxy part as a specific UID/GID (not root), all other images run everything as root
+* This image uses a single binary, all other images use apps like Nginx or HAProxy (bloat)
+* This image has no shell since it is 100% distroless, all other images run on a distro like Debian or Alpine with full shell access (security)
+* This image does not ship with any CVE and is automatically maintained via CI/CD, all other images mostly have no CVE scanning or code quality tools in place
+* This image has no upstream dependencies, all other images have upstream dependencies
+* This image exposes the socket as a UNIX socket and TCP socket, all other images only expose it via a TCP socket
 
-${{ content_defaults }}
+If you value security, simplicity and the ability to interact with the maintainer and developer of an image. Then using my images is a great start in the right direction.
+
+${{ content_compose }}
 
 ${{ content_environment }}
-| `SOCKET_PROXY` | path to the socket used as a proxy | ${{ json_root }}$/run/docker.sock |
+| `SOCKET_PROXY_VOLUME` | path to the docker volume used to expose the prox socket | /run/proxy |
 | `SOCKET_PROXY_DOCKER_SOCKET` | path to the actual docker socket | /run/docker.sock |
+| `SOCKET_PROXY_UID` | the UID used to run the proxy parts | 1000 |
+| `SOCKET_PROXY_GID` | the GID used to run the proxy parts | 1000 |
 
 ${{ content_source }}