This repo is deprecated.
100K+
Filtering proxy for a read-only access to the Docker socket, based on HAProxy.
See sample docker-compose file.
The Docker engine does not currently offer any monitoring interface (to list and inspect containers / images / volumes) other than the management socket. This API is pretty stable and allows our agents to get reliable data, but it comes with a severe security risk: all commands sent to it are executed with root privileges. An attacker could use that as a privilege escalation mechanism.
The authorization subsystem tries to solve this issue by enabling a rule-based authorization workflow, but it has several shortcomings:
/var/run/docker.sockThis is why this container aims at providing a simpler solution.
The Docker management API is a standard HTTP REST API, which can be filtered through a filtering HTTP proxy. This container uses HAProxy to provide a read-only access to the API, via a socket created in the shared volume mounted in /safe-docker. Our provided configuration:
GET/HEAD requests, as all requests that modify the state of an object are either POST, PUT or DELETEThe remaining endpoints are deemed safe for use and are accessible on the safe socket. This socket can then be exposed to monitoring software.
Inside the docker-filter container you should be able to access haproxy.sock, see https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/#socket-communication to know more about how to use it to troubleshoot haproxy.
Content type
Image
Digest
Size
9.6 MB
Last updated
over 7 years ago
docker pull datadog/docker-filter:1.2.1Pulls:
24
Last week