Tecnativa / docker-socket-proxy

Proxy over your Docker socket to restrict which requests it accepts
Apache License 2.0

Stop containers with Portainer #88

Closed raelyan closed 5 months ago

raelyan commented 1 year ago

Hi!

With the following configuration I can't stop containers with Portainer:

environment:
  - LOG_LEVEL=info
  - ALLOW_RESTARTS=1
  # Access granted by default
  - EVENTS=1
  - PING=1
  - VERSION=1
  # Access revoked by default
    # Security-critical
  - AUTH=0
  - SECRETS=0
  - POST=0
    # Not always needed
  - BUILD=0
  - COMMIT=0
  - CONFIGS=0
  - CONTAINERS=1
  - DISTRIBUTION=0
  - EXEC=0
  - GRPC=0
  - IMAGES=1
  - INFO=1
  - NETWORKS=1
  - NODES=0
  - PLUGINS=0
  - SERVICES=1
  - SESSION=0
  - SWARM=0
  - SYSTEM=0
  - TASKS=1
  - VOLUMES=1

I don't know if it is a bug or I am not understanding it correctly. But I think ALLOW_RESTARTS=1 should allow me to do this.

Does anyone know what can happen? Is it necessary to activate POST? If I turn on POST and ALLOW_RESTARTS at the same time, does it only allow "stop, restart and kill" or turn on all POST options?

Thank you very much.

r-ushil commented 9 months ago

Looks like it only turns POST on for endpoints you've allowed:

Below is an excerpt from /usr/local/etc/haproxy/haproxy.cfg from inside the container. This follows the "fall-through" style rules detailed here: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-http-request

image

Stop, restart and kill are all POST requests:

https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerStop
https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerRestart
https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerKill

Hope that helps!
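To check what the fall-through evaluation discussed in this thread means for a given environment block, the following added example (not code from the thread or from the project) models first-match rules in Python. The rule order, the `decide` function and the sample requests are assumptions made for illustration; the authoritative rules are the ones in /usr/local/etc/haproxy/haproxy.cfg inside your container.

```python
import re

# Constructed model of first-match ("fall-through") http-request rules.
# Rule order is an ASSUMPTION for illustration, not the project's config file.
CONTAINER_ACTION = re.compile(
    r"^(/v[\d.]+)?/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill)$")
SECTION = re.compile(r"^(/v[\d.]+)?/_?([a-z]+)")

# Subset of the environment block posted in the issue.
ISSUE_ENV = {"ALLOW_RESTARTS": "1", "PING": "1", "POST": "0",
             "CONTAINERS": "1", "EXEC": "0", "SECRETS": "0"}


def enabled(env, name):
    """'1' means on; anything else, or unset, means off."""
    return env.get(name, "0") == "1"


def decide(env, method, path):
    """Return (verdict, reason) from the first rule that matches."""
    # Rule 1: method gate that sits ahead of every allow rule.
    if method != "GET" and not enabled(env, "POST"):
        return "deny", "non-GET method and POST=0"
    # Rule 2: stop/restart/kill on a container.
    if CONTAINER_ACTION.match(path) and enabled(env, "ALLOW_RESTARTS"):
        return "allow", "ALLOW_RESTARTS"
    # Rule 3: per-section allow, e.g. /containers/... -> CONTAINERS.
    m = SECTION.match(path)
    if m and enabled(env, m.group(2).upper()):
        return "allow", m.group(2).upper()
    # Final rule: anything no rule allowed is denied.
    return "deny", "no allow rule matched"


if __name__ == "__main__":
    # Constructed sample requests (path only, no query string).
    requests = [("GET", "/containers/json"),
                ("POST", "/v1.43/containers/web/stop"),
                ("POST", "/containers/create"),
                ("POST", "/secrets/create")]
    for post in ("0", "1"):
        env = dict(ISSUE_ENV, POST=post)
        print(f"--- POST={post}")
        for method, path in requests:
            verdict, reason = decide(env, method, path)
            print(f"{method:4} {path:30} {verdict:5} ({reason})")
```

Under these assumed rules, the gate on the method is evaluated before any allow rule, so it is worth listing every POST endpoint of each enabled section before setting POST=1.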