Tecnativa / docker-socket-proxy

Proxy over your Docker socket to restrict which requests it accepts
Apache License 2.0
1.52k stars, 166 forks

Update documentation/tags to make docker-socket-proxy more secure for novice users #115

Open bluepuma77 opened 10 months ago

bluepuma77 commented 10 months ago

The README.md shows this usage example:

docker container run \
    -d --privileged \
    --name dockerproxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    tecnativa/docker-socket-proxy

In my opinion the example contains two security risks:

  1. tecnativa/docker-socket-proxy on Docker Hub defaults to latest, which is already 3 years old. Please either update the latest tag on Docker Hub to a more current version or add the edge tag to the usage example.
  2. The example uses --privileged, which gives a lot of permissions to the container, even though this is not required: it runs without any issue on plain Debian without the parameter. If there are exceptions, they should be noted, but --privileged should not be assumed to be the default, and in 2024 there should be more granular options.

Combining a 3 year old image with --privileged seems to be a very insecure usage example for novice users. The project is intended to improve security, but the example seems very counter-productive.
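As an added example (not from the issue or from the project), a small POSIX sh audit of a `docker run` command line for the two points raised above: `--privileged` present, and an image reference that is not pinned to an explicit tag or digest. The README command is copied from the issue; the hardened variant and the `<VERIFIED_TAG>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example: audit a `docker run` command line for the two risks
# discussed in the issue. Not part of docker-socket-proxy itself.

# Constructed copy of the README example quoted in the issue.
README_CMD='docker container run -d --privileged --name dockerproxy -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 tecnativa/docker-socket-proxy'

# Hardened variant: --privileged dropped, image pinned to an explicit tag.
# <VERIFIED_TAG> is a placeholder; substitute the tag you checked on Docker Hub.
PINNED_TAG="${PINNED_TAG:-<VERIFIED_TAG>}"
HARDENED_CMD="docker container run -d --name dockerproxy -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 tecnativa/docker-socket-proxy:${PINNED_TAG}"

# audit_docker_run CMD
# Prints one "FINDING: ..." line per problem; exit status is the number of findings.
audit_docker_run() {
    cmd=$1
    findings=0
    case " $cmd " in
        *" --privileged "*)
            echo "FINDING: --privileged grants the proxy far more than it needs"
            findings=$((findings + 1)) ;;
    esac
    # The image reference is the last word; strip any registry/namespace so a
    # registry port (e.g. localhost:5000/...) is not mistaken for a tag.
    image=${cmd##* }
    name=${image##*/}
    case "$name" in
        *@sha256:*) ;;                                  # pinned by digest
        *:latest)
            echo "FINDING: image $image pinned to the floating 'latest' tag"
            findings=$((findings + 1)) ;;
        *:*) ;;                                         # explicit tag
        *)
            echo "FINDING: image $image has no tag, so it resolves to 'latest'"
            findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Stand-alone demo: the README example trips both checks, the hardened one none.
echo "README example:";   audit_docker_run "$README_CMD"   || true
echo "Hardened example:"; audit_docker_run "$HARDENED_CMD" || true
```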

pedrobaeza commented 10 months ago

Can you please propose a better text?

kingp0dd commented 8 months ago

I don't think this is maintained anymore

pedrobaeza commented 8 months ago

Not really true, as we are here, but lacking some knowledge as the employee behind this is no longer working with us. Any help is appreciated.

thoniTUB commented 3 months ago

The 1st point seems to be solved now. Latest points to a recent image and logs: haproxy version is 3.0.2-a45a8e6