Docker Socket Proxy - Needed?

[SimpleHomelab]

Hello All,

I just wanted to gauge what the community thinks. I have read that socket-proxy can slow things down (I have not verified this). It may add a bit of overhead.

In addition, I recently added CrowdSec to the stack (a guide on that is coming).

[flotteur]

Not only I think Socket-Proxy is very much needed, I think you should have a different socket proxy container for every need. One for traefik, one for Netdata, one for portainer, etc.

For example, Netdata only require the socket to retrieve the containers names. Giving it POST is, in my opinion, a risk that can be easily avoided.

A dedicated container would look like this for netdata:

    container_name: netdata-proxy
    image: tecnativa/docker-socket-proxy
    restart: always
    networks:
      - netdata-proxy
    privileged: true
    ports:
     - "127.0.0.1:2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - LOG_LEVEL=info
      - CONTAINERS=1``` 

[strausmann]

I also find this very sensible and would welcome it very much.

[boywiz]

This is an idea I have gone back and forth on, in terms of more than one, but I have not had time to test the overhead and impact. However, from a Security standpoint, this would be split out by use, as @strausmann has pointed out.

It depends on the setup, but given that most are exposing containers to the internet, it would be a security recommendation of mine.