Open lonix1 opened 1 year ago
As a starting place, I believe this works:
```yaml
version: "3"
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    environment:
      CONTAINERS: 1
      DELETE: 1
      IMAGES: 1
      NETWORKS: 1
      CONTAINERS_CREATE: 1
      CONTAINERS_START: 1
      CONTAINERS_UPDATE: 1
      CONTAINERS_DELETE: 1
      IMAGES_DELETE: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  watchtower:
    image: containrrr/watchtower
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375
      WATCHTOWER_CLEANUP: "true"
```
Is your feature request related to a problem? Please describe.
The docs show that the watchtower container needs access to the docker socket. It's good practice to use a proxy instead of exposing the entire socket. The most common is the "tecnativa proxy".
I assume that at the very least, watchtower needs the ability to stop and start containers, so needs access to the "containers" endpoint. Presumably it needs other endpoints too, e.g. for pulling images.
Describe the solution you'd like
Please consider documenting which parts of the Docker API are needed by watchtower. Then we could use the docker socket proxy to allow those and restrict the others.
Describe alternatives you've considered
The status quo.
Additional context
These are the Docker API's endpoints:
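A way to reason about the allow-list before wiring it up, as an added example that is not part of this issue and not code from watchtower or the socket proxy: the script below models a proxy policy as a set of environment flags and evaluates a list of Docker API calls against it. The flag-to-path mapping is an assumption modelled on the path-prefix plus POST/DELETE method gating the tecnativa proxy documents (coarse flags only; the `CONTAINERS_CREATE`-style names in the compose file above are not modelled), the list of calls watchtower makes is constructed from the reasoning in this issue rather than taken from watchtower's source, and the treatment of `/containers/<id>/exec` as additionally requiring `EXEC` is this model's choice. Verify the results against the proxy version you actually run.

```python
"""Allow-list checker for a Docker socket proxy in front of Watchtower.

Added example. The mapping below is an ASSUMPTION modelled on the path-prefix
and method gating documented for tecnativa/docker-socket-proxy; it is not the
proxy's own configuration. Check it against the proxy version you deploy.
"""
import re

# Coarse path-prefix flags: a request whose first path segment is "containers"
# is only allowed when CONTAINERS=1, and so on (assumed mapping).
PREFIX_FLAGS = {
    "containers": "CONTAINERS",
    "images": "IMAGES",
    "networks": "NETWORKS",
    "volumes": "VOLUMES",
    "exec": "EXEC",
    "info": "INFO",
    "events": "EVENTS",
    "version": "VERSION",
    "_ping": "PING",
}
# Flags the proxy grants even when unset (per its README).
DEFAULT_ALLOWED = {"EVENTS", "PING", "VERSION"}
API_VERSION = re.compile(r"^/v\d+(\.\d+)?")          # strips /v1.41 style prefix
EXEC_SUBPATH = re.compile(r"^/containers/[^/]+/exec$")  # exec creation endpoint


def _normalise(path):
    """Drop the query string and the API version prefix."""
    return API_VERSION.sub("", path.split("?", 1)[0])


def _enabled(policy, flag):
    return flag in DEFAULT_ALLOWED or str(policy.get(flag, 0)) == "1"


def is_allowed(policy, method, path):
    """Return (allowed, reason) for one request under a proxy env policy."""
    path = _normalise(path)
    segment = path.strip("/").split("/")[0]
    flag = PREFIX_FLAGS.get(segment)
    if flag is None:
        return False, f"no flag covers /{segment}"
    if not _enabled(policy, flag):
        return False, f"{flag} not enabled"
    # Creating an exec session is treated as needing EXEC as well, so that a
    # CONTAINERS+POST policy does not silently grant shells (model assumption).
    if EXEC_SUBPATH.match(path) and not _enabled(policy, "EXEC"):
        return False, "EXEC not enabled"
    if method in ("POST", "PUT") and not _enabled(policy, "POST"):
        return False, "POST not enabled"
    if method == "DELETE" and not _enabled(policy, "DELETE"):
        return False, "DELETE not enabled"
    return True, "ok"


# Calls the issue reasons Watchtower needs (constructed list, not derived from
# Watchtower's source): list/inspect, pull, stop, recreate, start, clean up.
WATCHTOWER_CALLS = [
    ("GET", "/v1.41/containers/json"),
    ("GET", "/v1.41/containers/abc123/json"),
    ("GET", "/v1.41/images/nginx:latest/json"),
    ("POST", "/v1.41/images/create?fromImage=nginx&tag=latest"),
    ("POST", "/v1.41/containers/abc123/stop"),
    ("DELETE", "/v1.41/containers/abc123?v=1"),
    ("POST", "/v1.41/containers/create?name=web"),
    ("POST", "/v1.41/containers/def456/start"),
    ("DELETE", "/v1.41/images/sha256:0123"),
]
# Calls an updater has no business making; a good policy keeps these denied.
OUT_OF_SCOPE_CALLS = [
    ("POST", "/v1.41/containers/abc123/exec"),
    ("GET", "/v1.41/volumes"),
    ("POST", "/v1.41/networks/create"),
]


def audit(policy, calls):
    """Evaluate every call; returns [(method, path, allowed, reason), ...]."""
    return [(m, p, *is_allowed(policy, m, p)) for m, p in calls]


def denied(policy, calls):
    """Only the calls the policy rejects, with the reason for each."""
    return [(m, p, why) for m, p, ok, why in audit(policy, calls) if not ok]


def required_flags(calls):
    """Smallest coarse flag set, under this model, that allows every call."""
    flags = set()
    for method, path in calls:
        path = _normalise(path)
        flags.add(PREFIX_FLAGS[path.strip("/").split("/")[0]])
        if EXEC_SUBPATH.match(path):
            flags.add("EXEC")
        if method in ("POST", "PUT"):
            flags.add("POST")
        if method == "DELETE":
            flags.add("DELETE")
    return flags - DEFAULT_ALLOWED


if __name__ == "__main__":
    policy = {flag: 1 for flag in required_flags(WATCHTOWER_CALLS)}
    print("minimal flags:", sorted(policy))
    for method, path, ok, why in audit(policy, WATCHTOWER_CALLS + OUT_OF_SCOPE_CALLS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {method:6} {path}  ({why})")
```

Under this model the constructed call list needs only `CONTAINERS`, `IMAGES`, `POST` and `DELETE`; `NETWORKS` is not required by any of them, and with exactly those flags the exec, volume and network calls stay denied. Swap in the policy from your own compose file and the call list from the endpoint table to see which requests a given proxy configuration would still reject.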