From ce9dba4923eded540b99d49afaf338ba701a58e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?=
Date: Sun, 22 Mar 2026 12:19:10 +0100
Subject: [PATCH] limit docker socket api access to alloy

---
 monitoring/config.alloy       |  4 ++--
 monitoring/docker-compose.yml | 32 +++++++++++++++++++++++++++++++-
 review.md                     |  2 +-
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/monitoring/config.alloy b/monitoring/config.alloy
index 94a5001..706e5af 100644
--- a/monitoring/config.alloy
+++ b/monitoring/config.alloy
@@ -3,7 +3,7 @@
 // ============================================================
 
 discovery.docker "containers" {
-  host = "unix:///var/run/docker.sock"
+  host = "http://docker-socket-proxy:2375"
 }
 
 discovery.relabel "containers" {
@@ -21,7 +21,7 @@ discovery.relabel "containers" {
 }
 
 loki.source.docker "containers" {
-  host = "unix:///var/run/docker.sock"
+  host = "http://docker-socket-proxy:2375"
   targets = discovery.relabel.containers.output
   forward_to = [loki.write.grafana_cloud.receiver]
 }
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 7ffd13f..8260e33 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
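Review bot: Both `host` lines now point at a cleartext, unauthenticated HTTP endpoint selected by hostname, so the restriction this commit buys rests entirely on the compose network isolation and the proxy's environment flags, none of which is visible from this file; a comment at each `host` line would keep a future maintainer from switching back to the socket or widening the proxy. Something like `// Docker API is reached via the docker-socket-proxy sidecar (containers + logs only, no POST); the raw socket is deliberately not mounted into this container.` would do. The second hunk (`loki.source.docker`) makes the identical change and should carry the same comment. If the proxy is down or its name does not resolve, both components presumably fail rather than fall back to the socket, which is the intended behaviour but worth stating in that comment as well.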
@@ -1,12 +1,42 @@
 services:
+  docker-socket-proxy:
+    image: tecnativa/docker-socket-proxy:0.3
+    container_name: docker-socket-proxy
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - LOG=1
+      - POST=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - DISTRIBUTION=0
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=0
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=0
+      - VOLUMES=0
+    networks:
+      - monitoring
+
   alloy:
     image: grafana/alloy:latest
     container_name: alloy
     restart: unless-stopped
+    depends_on:
+      - docker-socket-proxy
     env_file: .env
     volumes:
       - ./config.alloy:/etc/alloy/config.alloy:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - /proc:/host/proc:ro
       - /sys:/host/sys:ro
       - /:/host/root:ro
diff --git a/review.md b/review.md
index 7085d99..617227e 100644
--- a/review.md
+++ b/review.md
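Review bot: The proxy joins the shared `monitoring` network, so every container on that network — not only alloy — can reach the unauthenticated Docker API on port 2375 with the CONTAINERS and LOG endpoints enabled; a dedicated `internal: true` network shared only by the two services would keep the exposure to alloy alone. The `:ro` on the socket bind mount only marks the filesystem node read-only and does not restrict the API calls made through it, so the effective write restriction is `POST=0` and that is the line to protect in review. Endpoints not listed under `environment` fall back to the image's own defaults, which I believe leave EVENTS, PING and VERSION enabled — worth confirming against the pinned `0.3` image. Note that `/proc`, `/sys` and `/:/host/root:ro` are still mounted into alloy (the context lines at the end of the hunk), so the review item this commit marks DONE is only partly addressed. The alloy service's own `networks:` key and the file's top-level `networks:` block lie outside the hunk, so the alloy entry below is a best guess at its current membership.
```yaml
  docker-socket-proxy:
    # … unchanged: image, container_name, restart, volumes, environment …
    networks:
      - docker-socket

  alloy:
    # … unchanged: image, container_name, restart, depends_on, env_file, volumes …
    networks:
      - monitoring
      - docker-socket

# … unchanged: existing top-level networks definitions (outside the hunk) …
networks:
  docker-socket:
    internal: true
```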
@@ -8,7 +8,7 @@
 | 4 | High | `scripts/backup.sh:20` | `pg_dumpall -U nextcloud` hardcodes DB username instead of reading from env | DONE |
 | 5 | High | `scripts/restore.sh:68` | `psql -U nextcloud` hardcodes DB username instead of reading from env | DONE |
 | 6 | High | `scripts/deploy.sh:13` | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation | DONE |
-| 7 | Medium | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access | TODO |
+| 7 | Medium | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access | DONE |
 | 8 | Medium | `caddy/Caddyfile` | No rate limiting configured at the reverse proxy layer | TODO |
 | 9 | Low | `gitea/docker-compose.yml` | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does | TODO |
 | 10 | Low | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version | TODO |