Merge pull request #9 from beatz174-bit/codex/enhance-docker-security-configurations

Use docker-socket-proxy and drop container privileges for monitoring services

monitoring/node-red/docker-compose.yml

@@ -6,14 +6,20 @@ services:
     container_name: node-red
     profiles: ["monitoring","all"]
     restart: unless-stopped
-    privileged: true
+    depends_on:
+      - docker-socket-proxy
+    environment:
+      DOCKER_HOST: tcp://docker-socket-proxy:2375
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
     environment:
       - TZ=${TZ}
 #    ports:
 #      - "1880:1880"
     volumes:
       - ${PROJECT_ROOT}/monitoring/node-red/data:/data
-      - /var/run/docker.sock:/var/run/docker.sock:rw
       - ${PROJECT_ROOT}:/compose/docker:ro
       - /home/nixos/raspi:/compose/raspi:ro
       - ${PROJECT_ROOT}/default-environment.env:/usr/src/node-red/default-environment.env:ro

monitoring/prometheus/docker-compose.yml

@@ -1,6 +1,33 @@
 #version: "3.8"
 
 services:
+  docker-socket-proxy:
+    profiles: ["monitoring","all","prometheus","prometheus-exporters"]
+    image: tecnativa/docker-socket-proxy:latest
+    container_name: prometheus-docker-socket-proxy
+    restart: unless-stopped
+    environment:
+      LOG_LEVEL: warning
+      CONTAINERS: 1
+      EVENTS: 1
+      IMAGES: 1
+      INFO: 1
+      NETWORKS: 1
+      PING: 1
+      POST: 1
+      SERVICES: 1
+      TASKS: 1
+      VERSION: 1
+      VOLUMES: 1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - monitor
+
   prometheus:
     profiles: ["monitoring","all","prometheus"]
     image: prom/prometheus:latest
@@ -140,13 +167,15 @@ services:
   telegraf:
     profiles: ["monitoring","all","prometheus"]
     image: telegraf:latest
-    group_add:
-      - "131"
-    privileged: true
     container_name: telegraf
     restart: unless-stopped
+    depends_on:
+      - docker-socket-proxy
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${PROJECT_ROOT}/monitoring/telegraf/telegraf.conf:/etc/telegraf/telegraf.conf:ro
     networks:
 #      - edge
@@ -169,11 +198,13 @@ services:
 #      - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 #      - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
     environment:
-      LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}
+      LOG_LEVEL: DEBUG
+      DOCKER_HOST: tcp://docker-socket-proxy:2375
+    depends_on:
+      - docker-socket-proxy
 
     volumes:
       - ~/.docker/config.json:/root/.docker/config.json:ro
-      - /var/run/docker.sock:/var/run/docker.sock
       - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
       - ${PROJECT_ROOT}:/compose:ro
 #      - ${PROJECT_ROOT}/default-environment.env:/compose/default-environment.env:ro
@@ -198,6 +229,10 @@ services:
 #    ports:
 #      - "9105:9105"
     restart: unless-stopped
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
     networks:
 #      - edge
       - monitor

monitoring/telegraf/telegraf.conf

@@ -2,7 +2,7 @@
   interval = "10s"
 
 [[inputs.docker]]
-  endpoint = "unix:///var/run/docker.sock"
+  endpoint = "tcp://docker-socket-proxy:2375"
   gather_services = false
 
 [[outputs.prometheus_client]]