Merge pull request #9 from beatz174-bit/codex/enhance-docker-security-configurations
Use docker-socket-proxy and drop container privileges for monitoring services
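--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,14 +6,20 @@ services:
 container_name: node-red
 profiles: ["monitoring","all"]
 restart: unless-stopped
-privileged: true
+depends_on:
+- docker-socket-proxy
+environment:
+DOCKER_HOST: tcp://docker-socket-proxy:2375
+cap_drop:
+- ALL
+security_opt:
+- no-new-privileges:true
 environment:
 - TZ=${TZ}
 # ports:
 # - "1880:1880"
 volumes:
 - ${PROJECT_ROOT}/monitoring/node-red/data:/data
-- /var/run/docker.sock:/var/run/docker.sock:rw
 - ${PROJECT_ROOT}:/compose/docker:ro
 - /home/nixos/raspi:/compose/raspi:ro
 - ${PROJECT_ROOT}/default-environment.env:/usr/src/node-red/default-environment.env:ro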
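Review bot: The node-red service ends up with two `environment:` keys — the added mapping-form one holding `DOCKER_HOST: tcp://docker-socket-proxy:2375` and the pre-existing list-form one holding `- TZ=${TZ}` (indentation is not preserved on this page, so nesting is inferred from key order). A duplicate mapping key is either rejected outright by the compose YAML loader or resolved last-wins, in which case `DOCKER_HOST` is silently dropped and node-red, which no longer has the socket mount, has no way to reach Docker. Merge them into one block: `environment:` / `TZ: ${TZ}` / `DOCKER_HOST: tcp://docker-socket-proxy:2375`. The `depends_on: - docker-socket-proxy` entry names a service that this commit defines in a different file; that only resolves when both files are loaded into the same compose project, which this hunk does not show.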
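--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,6 +1,33 @@
 #version: "3.8"
 
 services:
+docker-socket-proxy:
+profiles: ["monitoring","all","prometheus","prometheus-exporters"]
+image: tecnativa/docker-socket-proxy:latest
+container_name: prometheus-docker-socket-proxy
+restart: unless-stopped
+environment:
+LOG_LEVEL: warning
+CONTAINERS: 1
+EVENTS: 1
+IMAGES: 1
+INFO: 1
+NETWORKS: 1
+PING: 1
+POST: 1
+SERVICES: 1
+TASKS: 1
+VERSION: 1
+VOLUMES: 1
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock:ro
+cap_drop:
+- ALL
+security_opt:
+- no-new-privileges:true
+networks:
+- monitor
+
 prometheus:
 profiles: ["monitoring","all","prometheus"]
 image: prom/prometheus:latest
@@ -140,13 +167,15 @@ services:
 telegraf:
 profiles: ["monitoring","all","prometheus"]
 image: telegraf:latest
-group_add:
-- "131"
-privileged: true
 container_name: telegraf
 restart: unless-stopped
+depends_on:
+- docker-socket-proxy
+cap_drop:
+- ALL
+security_opt:
+- no-new-privileges:true
 volumes:
-- /var/run/docker.sock:/var/run/docker.sock:ro
 - ${PROJECT_ROOT}/monitoring/telegraf/telegraf.conf:/etc/telegraf/telegraf.conf:ro
 networks:
 # - edge
@@ -169,11 +198,13 @@ services:
 # - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 # - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
 environment:
-LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}
+LOG_LEVEL: DEBUG
+DOCKER_HOST: tcp://docker-socket-proxy:2375
+depends_on:
+- docker-socket-proxy
 
 volumes:
 - ~/.docker/config.json:/root/.docker/config.json:ro
-- /var/run/docker.sock:/var/run/docker.sock
 - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 - ${PROJECT_ROOT}:/compose:ro
 # - ${PROJECT_ROOT}/default-environment.env:/compose/default-environment.env:ro
@@ -198,6 +229,10 @@ services:
 # ports:
 # - "9105:9105"
 restart: unless-stopped
+cap_drop:
+- ALL
+security_opt:
+- no-new-privileges:true
 networks:
 # - edge
 - monitor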
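Review bot: The proxy defined in the first hunk sets `POST: 1` alongside `CONTAINERS: 1`, `IMAGES: 1`, `NETWORKS: 1`, `VOLUMES: 1` and `SERVICES: 1`, so every container on the `monitor` network gets unauthenticated, plaintext write access (POST/PUT/DELETE) to all of those Docker API sections, which undercuts much of the benefit of removing the socket mounts and `privileged: true` from the consumers. The consumers this commit wires to it are monitoring readers (telegraf with `gather_services = false`, the docker exporter, node-red), so the defensible baseline is `POST: 0` plus only the read sections they actually query, with a separate `POST: 1` proxy instance on its own network if node-red genuinely has to mutate containers. A component fronting the Docker socket should also not float on `tecnativa/docker-socket-proxy:latest`; pin a tag or digest. Separately, the third hunk replaces `LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}` with a hard-coded `LOG_LEVEL: DEBUG` for the docker exporter, which reads as a debugging leftover and removes the env-driven setting; restore the variable.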
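--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,7 +2,7 @@
 interval = "10s"
 
 [[inputs.docker]]
-endpoint = "unix:///var/run/docker.sock"
+endpoint = "tcp://docker-socket-proxy:2375"
 gather_services = false
 
 [[outputs.prometheus_client]]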
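Review bot: `endpoint = "tcp://docker-socket-proxy:2375"` makes telegraf depend on resolving the proxy's compose service name, which only works when telegraf and the proxy share a network; the proxy joins `monitor`, but telegraf's `networks:` list in this commit is cut off right after the commented `# - edge`, so confirm `- monitor` is present there. The connection is plaintext and unauthenticated on the proxy side, so that network should hold only the intended consumers.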