Greetings homelabbers,
I have been running a bunch of my homelab on Docker, on a Fedora server box, for quite some time, and wanted to gauge how much of a security risk it is for me to expose the Docker socket directly to containers. Is this really a huge issue when my homelab is not exposed to the internet?
The reason this question came up for me was because I cannot seem to get Docker Socket Proxy (https://github.com/Tecnativa/docker-socket-proxy) set up and working for Homepage, even following the recommendations from their guide (https://gethomepage.dev/configs/docker/#using-docker-socket-proxy).
I suppose this is a mix of a discussion post and a request for some help/guidance.
Thank you all! Hellmo
The risk is certainly lower if you're not exposing services to the internet, but that's not the only way to end up with a rogue container. I use docker-socket-proxy for most of my stacks that need socket access. It can sometimes require a little bit of troubleshooting to understand what services you need to proxy, but I've had a pretty good success rate. Reading the logs from the socket-proxy and referring to the Docker Engine API documentation will help you to understand what Services you need to enable in the socket-proxy config.
Thank you! Another potentially dumb question: is it recommended to use multiple socket-proxy containers to separate each container? Or can I utilize one socket-proxy container and call it from the other containers I am running?
Currently I run each container with its own compose file (with the exception of one stack).
It really depends on which Socket Services the container requires. If you have a lot of containers that all need the same set of Socket Services, you could potentially use a single socket-proxy to serve all of them (in theory, I think).
I usually run one per stack, sometimes more if I have a container within my stack that requires more/different Socket Services to the other(s).
I'm not a docker expert though, so I'm not sure I can say what's recommended. If you find/get a more authoritative answer on this question, I'd be interested to know.
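To make the "one proxy per stack with only the Services it needs" pattern from the replies above concrete, here is an added compose example (not from this thread, nor from the Homepage or Tecnativa docs) that puts Homepage behind docker-socket-proxy. The `dockerproxy` hostname, the `socket-proxy` network name and the image tags are assumptions; the `CONTAINERS`/`POST` variables are the proxy's documented allowlist switches.

```yaml
# docker-compose.yml: Homepage reaches Docker only through an allowlisting proxy.
# Added example; 'dockerproxy', 'socket-proxy' and the image tags are assumptions.
services:
  dockerproxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: dockerproxy
    environment:
      # Allowlist only the read-only endpoints Homepage uses.
      CONTAINERS: 1   # GET /containers/json, /containers/{id}/json, .../stats
      SERVICES: 0     # Swarm services are not needed for a plain Docker host
      TASKS: 0
      POST: 0         # refuse every state-changing request (create/start/exec/...)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy
    # Deliberately no 'ports:' block: tcp/2375 is reachable only from the
    # internal network below, never from the host or the LAN.
    restart: unless-stopped

  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    environment:
      # Recent Homepage releases require this; set it to the host:port you browse to.
      HOMEPAGE_ALLOWED_HOSTS: "homelab.example:3000"   # constructed placeholder
    ports:
      - "3000:3000"
    volumes:
      - ./config:/app/config   # docker.yaml lives here (see note below)
    networks:
      - socket-proxy   # to talk to dockerproxy
      - default        # to serve the dashboard on the LAN
    depends_on:
      - dockerproxy
    restart: unless-stopped

networks:
  socket-proxy:
    internal: true   # no outbound route; only members of this network reach the proxy

# Check from a throwaway container on the socket-proxy network:
#   GET  http://dockerproxy:2375/containers/json      -> 200 (allowed by CONTAINERS=1)
#   POST http://dockerproxy:2375/containers/create    -> 403 (blocked by POST=0)
```

In Homepage's `config/docker.yaml`, point the entry at the proxy instead of the socket (`host: dockerproxy`, `port: 2375`); if a widget then fails, the proxy's log shows the denied path, which tells you which additional Service variable that widget needs.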