modified: core/docker-compose.yml

modified:   core/traefik/dynamic.yml
	modified:   core/traefik/traefik.yml
	modified:   monitoring/portainer/docker-compose.yml
	modified:   monitoring/prometheus/docker-compose.yml
	modified:   monitoring/uptime-kuma/docker-compose.yml

core/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     read_only: true
     hostname: traefik.lan.ddnsgeek.com
     depends_on:
+      - docker-socket-proxy
       - error-pages
       - authelia
       - crowdsec
@@ -21,7 +22,6 @@ services:
  #     - ${PROJECT_ROOT}/secrets/stack-secrets.env
 
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${PROJECT_ROOT}/core/traefik/data/letsencrypt:/letsencrypt
       - ${PROJECT_ROOT}/core/traefik/data/logs:/logs
       - ${PROJECT_ROOT}/core/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro

core/test/docker-compose.yml

@@ -17,8 +17,11 @@ services:
     container_name: docker-update-exporter-test
     stdin_open: true
     tty: true
+    depends_on:
+      - docker-socket-proxy
+    environment:
+      DOCKER_HOST: tcp://docker-socket-proxy:2375
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
       - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 #      - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
 

core/traefik/dynamic.yml

@@ -4,7 +4,7 @@ http:
       plugin:
         crowdsec-bouncer:
           crowdsecMode: live
-          crowdsecLapiKey: ${CROWDSEC_LAPI_KEY}
+          crowdsecLapiKey: HeneLa2mazFVzl5+DQRKOdchBuJxKdjrHsHBE/03Acs
           crowdsecLapiHost: crowdsec:8080
           crowdsecLapiScheme: http
 

core/traefik/traefik.yml

@@ -13,6 +13,7 @@ ping: {}
 
 providers:
   docker:
+    endpoint: "tcp://docker-socket-proxy:2375"
     exposedByDefault: false
 
   file:

default-environment.env

@@ -58,3 +58,7 @@ GOTIFY_REGISTRATION=false
 
 # Portainer
 PORTAINER_GODEBUG=netdns=cgo
+
+# Node-red
+DOCKER_SOCKET_PROXY_HOST=tcp://docker-socket-proxy:2375
+DOCKER_SOCKET_PROXY_LOG_LEVEL=info

monitoring/docker-exporter/exporter.py

@@ -19,7 +19,7 @@ logger = logging.getLogger("docker-update-exporter")
 
 # --- Config ---
 EXPORTER_PORT = 9105
-CHECK_INTERVAL = 60
+CHECK_INTERVAL = 3600
 CACHE_TTL = int(os.getenv("CACHE_TTL", "300"))
 SERVICES_UP_SCRIPT = os.getenv("SERVICES_UP_SCRIPT", "/compose/services-up.sh")
 CACHE_FILE = os.getenv("CACHE_FILE", "/data/remote_digest_cache.json")
@@ -411,6 +411,9 @@ def check_containers():
     svc_map = parse_compose_services(compose_files, project_name, project_root)
 
     containers = client.containers.list()
+    pending_metrics = []
+    remote_targets = set()
+
     for container in containers:
         proj = container.labels.get("com.docker.compose.project")
         if not proj:
@@ -423,30 +426,47 @@ def check_containers():
         if svc in svc_map:
             compose_image = svc_map[svc]["image"]
 
-        update_flag = 0
-
         local_digest = get_local_digest(running)
         remote_target = compose_image or running
-        remote_digest = get_remote_digest(remote_target)
+
+        # If we cannot determine a local digest, we cannot compare and should
+        # avoid spending a registry lookup for this container.
+        if local_digest:
+            remote_targets.add(remote_target)
+
+        pending_metrics.append({
+            "container_name": container.name,
+            "service": svc,
+            "compose_image": compose_image,
+            "running_image": running,
+            "project_name": proj,
+            "remote_target": remote_target,
+            "local_digest": local_digest,
+        })
+
+    remote_digests = {target: get_remote_digest(target) for target in remote_targets}
+
+    for payload in pending_metrics:
+        local_digest = payload["local_digest"]
+        remote_target = payload["remote_target"]
+        remote_digest = remote_digests.get(remote_target)
+        update_flag = 1 if (local_digest and remote_digest and local_digest != remote_digest) else 0
 
         logger.info(
             "Digest comparison: container=%s service=%s running=%s target=%s local=%s remote=%s",
-            container.name,
-            svc,
-            running,
+            payload["container_name"],
+            payload["service"],
+            payload["running_image"],
             remote_target,
             local_digest,
             remote_digest,
         )
 
-        if local_digest and remote_digest and local_digest != remote_digest:
-            update_flag = 1
-
         set_container_update_metric(
-            container_name=container.name,
-            compose_image=compose_image,
-            running_image=running,
-            project_name=proj,
+            container_name=payload["container_name"],
+            compose_image=payload["compose_image"],
+            running_image=payload["running_image"],
+            project_name=payload["project_name"],
             update_flag=update_flag,
         )
 

monitoring/node-red/docker-compose.yml

@@ -6,14 +6,19 @@ services:
     container_name: node-red
     profiles: ["monitoring","all"]
     restart: unless-stopped
-    privileged: true
+    depends_on:
+      - docker-socket-proxy
     environment:
-      - TZ=${TZ}
+      DOCKER_HOST: ${DOCKER_SOCKET_PROXY_HOST}
+      TZ: ${TZ}
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
 #    ports:
 #      - "1880:1880"
     volumes:
       - ${PROJECT_ROOT}/monitoring/node-red/data:/data
-      - /var/run/docker.sock:/var/run/docker.sock:rw
       - ${PROJECT_ROOT}:/compose/docker:ro
       - /home/nixos/raspi:/compose/raspi:ro
       - ${PROJECT_ROOT}/default-environment.env:/usr/src/node-red/default-environment.env:ro

monitoring/portainer/docker-compose.yml

@@ -4,9 +4,10 @@ services:
     image: portainer/portainer-ce:latest
     container_name: portainer
     restart: unless-stopped
-    command: -H unix:///var/run/docker.sock
+    depends_on:
+      - docker-socket-proxy
+    command: -H ${DOCKER_SOCKET_PROXY_HOST}
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
       - ${PROJECT_ROOT}/monitoring/portainer/data:/data
     networks:
 #      - traefik_reverse_proxy

monitoring/prometheus/docker-compose.yml

@@ -1,6 +1,35 @@
 #version: "3.8"
 
 services:
+  docker-socket-proxy:
+    profiles: ["monitoring","all","prometheus","prometheus-exporters"]
+    image: tecnativa/docker-socket-proxy:latest
+    container_name: docker-socket-proxy
+    restart: unless-stopped
+    environment:
+      LOG_LEVEL: ${DOCKER_SOCKET_PROXY_LOG_LEVEL}
+      DISTRIBUTION: 1
+      CONTAINERS: 1
+      EVENTS: 1
+      IMAGES: 1
+      INFO: 1
+      NETWORKS: 1
+      PING: 1
+      POST: 1
+      SERVICES: 1
+      TASKS: 1
+      VERSION: 1
+      VOLUMES: 1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - monitor
+      - traefik
+
   prometheus:
     profiles: ["monitoring","all","prometheus"]
     image: prom/prometheus:latest
@@ -140,13 +169,15 @@ services:
   telegraf:
     profiles: ["monitoring","all","prometheus"]
     image: telegraf:latest
-    group_add:
-      - "131"
-    privileged: true
     container_name: telegraf
     restart: unless-stopped
+    depends_on:
+      - docker-socket-proxy
+#    cap_drop:
+#      - ALL
+    security_opt:
+      - no-new-privileges:true
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${PROJECT_ROOT}/monitoring/telegraf/telegraf.conf:/etc/telegraf/telegraf.conf:ro
     networks:
 #      - edge
@@ -170,10 +201,12 @@ services:
 #      - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
     environment:
       LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}
+      DOCKER_HOST: ${DOCKER_SOCKET_PROXY_HOST}
+    depends_on:
+      - docker-socket-proxy
 
     volumes:
       - ~/.docker/config.json:/root/.docker/config.json:ro
-      - /var/run/docker.sock:/var/run/docker.sock
       - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
       - ${PROJECT_ROOT}:/compose:ro
 #      - ${PROJECT_ROOT}/default-environment.env:/compose/default-environment.env:ro
@@ -198,6 +231,10 @@ services:
 #    ports:
 #      - "9105:9105"
     restart: unless-stopped
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
     networks:
 #      - edge
       - monitor

monitoring/telegraf/telegraf.conf

@@ -2,7 +2,7 @@
   interval = "10s"
 
 [[inputs.docker]]
-  endpoint = "unix:///var/run/docker.sock"
+  endpoint = "tcp://docker-socket-proxy:2375"
   gather_services = false
 
 [[outputs.prometheus_client]]

monitoring/uptime-kuma/docker-compose.yml

@@ -4,8 +4,11 @@ services:
     image: louislam/uptime-kuma:2.1.1
     container_name: monitor-kuma
     restart: always
+    depends_on:
+      - docker-socket-proxy
+    environment:
+      DOCKER_HOST: ${DOCKER_SOCKET_PROXY_HOST}
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${PROJECT_ROOT}/monitoring/uptime-kuma/data:/app/data
 #    ports:
 #      - 8888:3001