Greetings homelabbers,

I have been running a bunch of my homelab on Docker, on a Fedora server box, for quite some time, and wanted to gauge how much of a security risk it is for me to expose the Docker socket directly to containers. Is this really a huge issue when my homelab is not exposed to the internet?

The reason this question came up for me was that I cannot seem to get Docker Socket Proxy (https://github.com/Tecnativa/docker-socket-proxy) set up and working for Homepage, even following the recommendations from their guide (https://gethomepage.dev/configs/docker/#using-docker-socket-proxy).

I suppose this is a mix of a discussion post and a request for some help/guidance.

Thank you all! Hellmo

  • grehund@lemmy.world · 1 day ago

    The risk is certainly lower if you’re not exposing services to the internet, but that’s not the only way to end up with a rogue container. I use docker-socket-proxy for most of my stacks that need socket access. It can sometimes require a little bit of troubleshooting to understand what services you need to proxy, but I’ve had a pretty good success rate. Reading the logs from the socket-proxy and referring to the Docker Engine API documentation will help you to understand what Services you need to enable in the socket-proxy config.

    • hellmo_luciferrari@lemmy.zip (OP) · 24 hours ago

      Thank you! Another potentially dumb question: is it recommended to use multiple socket-proxy containers to separate each container? Or can I utilize one socket-proxy container and call it from the other containers I am running?

      Currently I have each container I run with their own compose file (with exception of one stack)

      • grehund@lemmy.world · 16 hours ago

        It really depends on which Socket Services the container requires. If you have a lot of containers that all need the same set of Socket Services, you could potentially use a single socket-proxy to serve all of them (in theory, I think).

        I usually run one per stack, sometimes more if I have a container within my stack that requires more/different Socket Services to the other(s).

        I’m not a docker expert though, so I’m not sure I can say what’s recommended. If you find/get a more authoritative answer on this question, I’d be interested to know.
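Two points in this thread call for the same worked example: reading the socket-proxy's logs against the Docker Engine API to work out which sections a client (here Homepage) actually needs, and deciding how many proxies to run, which comes down to whether two consumers need the same minimal set. The script below is an added example, not code from the thread, from Homepage or from the docker-socket-proxy project. It takes access-log lines in the HAProxy `httplog` format that docker-socket-proxy emits on stdout, lists the requests the proxy denied (HTTP 403), maps each request's first path segment to the proxy environment variable that gates it (the mapping follows the project's README as I recall it; check it against the README before relying on it, and note that a few endpoints are gated by more than one variable), and renders the `environment:` entries for that consumer's proxy service. The five log lines are constructed samples, not captured from a real host.

```python
"""Triage docker-socket-proxy (HAProxy) access logs to find the minimal set
of API sections a client needs.  Added example; not part of the original
thread or of the docker-socket-proxy project."""
import re
from collections import defaultdict

# First path segment of a Docker Engine API request -> docker-socket-proxy
# variable that permits it.  Assumption: taken from the project's README as
# recalled; PING, EVENTS and VERSION default to 1, everything else to 0.
SEGMENT_TO_VAR = {
    "_ping": "PING", "events": "EVENTS", "version": "VERSION", "info": "INFO",
    "containers": "CONTAINERS", "images": "IMAGES", "networks": "NETWORKS",
    "volumes": "VOLUMES", "services": "SERVICES", "tasks": "TASKS",
    "nodes": "NODES", "swarm": "SWARM", "secrets": "SECRETS",
    "configs": "CONFIGS", "plugins": "PLUGINS", "exec": "EXEC",
    "build": "BUILD", "commit": "COMMIT", "auth": "AUTH",
    "distribution": "DISTRIBUTION", "session": "SESSION",
    "system": "SYSTEM", "grpc": "GRPC",
}
# Container lifecycle actions need POST=1 plus one of these (README, as recalled).
ACTION_TO_VAR = {"start": "ALLOW_START", "stop": "ALLOW_STOP",
                 "restart": "ALLOW_RESTARTS", "kill": "ALLOW_RESTARTS"}

# HAProxy httplog line: ... <status> <bytes> ... "<METHOD> <path> HTTP/x.y"
LOG_RE = re.compile(r' (?P<status>\d{3}) \d+ .*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
VERSION_PREFIX = re.compile(r"^/v\d+(\.\d+)?")   # optional /v1.43 API prefix

# Constructed sample lines (not a real capture): two allowed reads, two denials
# (an image listing and a container restart) and the ping Homepage sends first.
SAMPLE_LOG = """\
172.18.0.3:52436 [10/Jan/2024:12:00:01.123] dockerfrontend docker-backend/dockersocket 0/0/0/2/2 200 812 - - ---- 1/1/0/0/0 0/0 "GET /v1.43/containers/json?all=true HTTP/1.1"
172.18.0.3:52438 [10/Jan/2024:12:00:01.201] dockerfrontend docker-backend/dockersocket 0/0/0/1/1 200 4096 - - ---- 1/1/0/0/0 0/0 "GET /v1.43/containers/abc123/stats?stream=false HTTP/1.1"
172.18.0.3:52440 [10/Jan/2024:12:00:01.377] dockerfrontend dockerfrontend/<NOSRV> 0/-1/-1/-1/0 403 93 - - PR-- 1/1/0/0/0 0/0 "GET /v1.43/images/json HTTP/1.1"
172.18.0.3:52442 [10/Jan/2024:12:00:02.005] dockerfrontend dockerfrontend/<NOSRV> 0/-1/-1/-1/0 403 93 - - PR-- 1/1/0/0/0 0/0 "POST /v1.43/containers/abc123/restart HTTP/1.1"
172.18.0.3:52444 [10/Jan/2024:12:00:02.118] dockerfrontend docker-backend/dockersocket 0/0/0/0/0 200 2 - - ---- 1/1/0/0/0 0/0 "GET /_ping HTTP/1.1"
""".splitlines()


def parse_line(line):
    """Return (status, method, path) with API version and query string stripped."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = VERSION_PREFIX.sub("", m.group("path")).split("?", 1)[0]
    return int(m.group("status")), m.group("method"), path


def denied_requests(lines):
    """(method, path) of every request the proxy refused: start your triage here."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == 403:
            out.append((parsed[1], parsed[2]))
    return out


def required_vars(lines):
    """Map proxy variable -> set of requests that need it, allowed or denied."""
    needed = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, method, path = parsed
        parts = path.strip("/").split("/")
        var = SEGMENT_TO_VAR.get(parts[0])
        if var:
            needed[var].add(path)
        if method != "GET":                     # anything but GET is gated by POST
            needed["POST"].add(f"{method} {path}")
            if parts[0] == "containers" and parts[-1] in ACTION_TO_VAR:
                needed[ACTION_TO_VAR[parts[-1]]].add(f"{method} {path}")
    return dict(needed)


def compose_env(vars_needed):
    """Render environment: entries for this consumer's proxy; POST stays 0 unless needed."""
    rendered = [f"- {v}=1" for v in sorted(vars_needed) if v != "POST"]
    rendered.append("- POST=1" if "POST" in vars_needed else "- POST=0")
    return rendered


if __name__ == "__main__":
    print("denied:", denied_requests(SAMPLE_LOG))
    for var, reqs in sorted(required_vars(SAMPLE_LOG).items()):
        print(f"{var}: {sorted(reqs)}")
    print("\n".join(compose_env(required_vars(SAMPLE_LOG))))
```

Feed it the real output of `docker compose logs dockerproxy` rather than the samples. The rendered list is a starting point, not a verdict: a denied `POST .../restart` means that client tried to restart a container, and for a dashboard that should stay denied (`POST=0`), so only enable what the client legitimately needs. Run the consumers whose minimal sets differ (say, a read-only dashboard and something that starts containers) against separate proxy instances, each on a private network with that one consumer, rather than widening a shared proxy to the union of everyone's needs.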