containrrr / watchtower

A process for automating Docker container base image updates.
https://containrrr.dev/watchtower/
Apache License 2.0
18.47k stars, 832 forks

[Docs] Use watchtower with docker socket proxy #1713

Open lonix1 opened 1 year ago

lonix1 commented 1 year ago

Is your feature request related to a problem? Please describe.

The docs show that the watchtower container needs access to the docker socket. It's good practice to use a proxy instead of exposing the entire socket. The most common is the "tecnativa proxy".

I assume that at the very least, watchtower needs the ability to stop and start containers, so needs access to the "containers" endpoint. Presumably it needs other endpoints too, e.g. for pulling images.

Describe the solution you'd like

Please consider documenting which parts of the docker api are needed by watchtower. Then we could use the docker socket proxy to allow those and restrict the others.

Describe alternatives you've considered

The status quo.

Additional context

These are the Docker API's endpoints:

brettinternet commented 9 months ago

As a starting place, I believe this works:

version: "3"

services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    environment:
      CONTAINERS: 1
      DELETE: 1
      IMAGES: 1
      NETWORKS: 1
      CONTAINERS_CREATE: 1
      CONTAINERS_START: 1
      CONTAINERS_UPDATE: 1
      CONTAINERS_DELETE: 1
      IMAGES_DELETE: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  watchtower:
    image: containrrr/watchtower
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375
      WATCHTOWER_CLEANUP: "true"
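The question in this issue is which parts of the Docker API an update cycle touches and whether a given proxy allow-list covers them. The script below is an added example, not watchtower's or the proxy's own code. It models the allow-list semantics of a tecnativa-style socket proxy as an assumption: each API section has an on/off variable (CONTAINERS, IMAGES, NETWORKS, ...), non-GET requests additionally need POST=1 (DELETE requests need DELETE=1), and ALLOW_START / ALLOW_STOP / ALLOW_RESTARTS grant only those lifecycle POSTs. The request list is likewise a constructed approximation of one "stop, remove, pull, create, start" cycle for a container named `app`, not a recorded watchtower trace. Check both against the proxy's haproxy.cfg and a real trace before relying on the result.

```python
"""Check a Docker socket-proxy allow-list against the API calls a
container update needs.

Added example; not part of watchtower or tecnativa/docker-socket-proxy.
The policy below is a simplified model of the proxy's behaviour
(assumption) and UPDATE_CYCLE is a constructed request list.
"""
import re

# First path segment -> env var that enables that API section (assumed mapping).
SECTIONS = {
    "containers": "CONTAINERS",
    "images": "IMAGES",
    "networks": "NETWORKS",
    "volumes": "VOLUMES",
    "info": "INFO",
    "version": "VERSION",
    "_ping": "PING",
    "events": "EVENTS",
}

_VERSION_PREFIX = re.compile(r"^/v\d+(\.\d+)?")          # strips "/v1.43"
_LIFECYCLE = re.compile(r"^/containers/[^/]+/(start|stop|restart|kill)$")


def _on(env, key):
    return str(env.get(key, "0")).lower() in ("1", "true")


def _bare_path(path):
    """Drop the query string and the optional API version prefix."""
    return _VERSION_PREFIX.sub("", path.split("?", 1)[0])


def is_allowed(env, method, path):
    """True if the modelled proxy would pass `method path` through."""
    path = _bare_path(path)
    lifecycle = _LIFECYCLE.match(path)
    if method == "POST" and lifecycle:
        action = lifecycle.group(1)
        # Narrow switches: grant a single lifecycle POST without POST=1.
        if action == "start" and _on(env, "ALLOW_START"):
            return True
        if action == "stop" and _on(env, "ALLOW_STOP"):
            return True
        if action in ("restart", "kill") and _on(env, "ALLOW_RESTARTS"):
            return True
    if method == "POST":
        if not _on(env, "POST"):
            return False
    elif method == "DELETE":
        if not _on(env, "DELETE"):
            return False
    elif method != "GET":
        return False
    section = path.lstrip("/").split("/", 1)[0]
    key = SECTIONS.get(section)
    return key is not None and _on(env, key)


# Constructed approximation of one update of container "app" running
# "example/app:latest" (image digest and API version are placeholders).
UPDATE_CYCLE = [
    ("GET",    "/v1.43/containers/json?all=1"),           # enumerate
    ("GET",    "/v1.43/containers/app/json"),             # inspect config
    ("GET",    "/v1.43/images/example/app:latest/json"),  # current image
    ("GET",    "/v1.43/networks/bridge"),                 # network to reattach
    ("POST",   "/v1.43/images/create?fromImage=example/app&tag=latest"),  # pull
    ("POST",   "/v1.43/containers/app/stop"),
    ("DELETE", "/v1.43/containers/app"),
    ("POST",   "/v1.43/containers/create?name=app"),
    ("POST",   "/v1.43/containers/app/start"),
    ("DELETE", "/v1.43/images/sha256:0123abcd"),          # WATCHTOWER_CLEANUP
]


def denied_requests(env, requests=UPDATE_CYCLE):
    """Requests in the cycle the modelled proxy would reject under `env`."""
    return [(m, p) for m, p in requests if not is_allowed(env, m, p)]


def minimal_env(requests=UPDATE_CYCLE):
    """Smallest set of switches (under the model) that passes every request."""
    env = {}
    for method, path in requests:
        key = SECTIONS.get(_bare_path(path).lstrip("/").split("/", 1)[0])
        if key:
            env[key] = "1"
        if method == "POST":
            env["POST"] = "1"
        elif method == "DELETE":
            env["DELETE"] = "1"
    return env


if __name__ == "__main__":
    # The environment from the compose file posted above.
    posted = {"CONTAINERS": "1", "DELETE": "1", "IMAGES": "1", "NETWORKS": "1"}
    for method, path in denied_requests(posted):
        print(f"denied under posted env: {method} {path}")
    print("minimal env under this model:", minimal_env())
```

Run it to see which calls a candidate environment would block; under this model the lifecycle switches alone are not enough for a full replace, because the image pull and `containers/create` are POSTs outside their scope, so POST=1 (and DELETE=1 for removal and cleanup) remains required.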