Context
At the moment, the agent requires read-write access to the Docker socket. Because we bind-mount the socket in the agent's container, we need the uid/gid of the Docker socket to match the user the container is running as (which is node-red, a non-root user, for obvious security reasons).
This means we need to give read-write permissions to all users on the Docker socket:
chmod a+rw /var/run/docker.sock
This is obviously a security risk if other users have access to the host.
Feature Request
Docker can expose the socket in TCP (with or without TLS), see this page for more information.
We could configure the Docker daemon to expose the socket on 127.0.0.1:2376, with (or without) TLS.
Then, we set up the Agent's container to run on the host Docker network and access 127.0.0.1:2376 (optionally with client certificate authentication) instead of /var/run/docker.sock.
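As an added example (not from this issue or the agent project), the daemon-side configuration for the proposed TCP endpoint, with the plaintext variant beside the TLS client-certificate variant, the agent's run command on the host network, and a small pre-flight check. Certificate paths, the image name and the assumption that the agent's Docker client honours the standard DOCKER_HOST/DOCKER_TLS_VERIFY/DOCKER_CERT_PATH variables are all assumptions.

```shell
#!/bin/sh
# Added example: daemon config for the TCP endpoint (weak vs hardened), the agent's run
# command and a coarse pre-flight check. All paths and names below are assumptions.
CERT_DIR=/etc/docker/certs          # assumed: holds ca.pem, server-cert.pem, server-key.pem
CLIENT_CERTS=/srv/agent/certs       # assumed: holds ca.pem, cert.pem, key.pem for the agent
AGENT_IMAGE=agent-image:placeholder # placeholder image name

# Weak: plaintext TCP, no authentication. Every local user and every container on the
# host network can reach 127.0.0.1:2376, which is root-equivalent on the host, so this
# is no better than chmod a+rw on the socket.
weak_daemon_json() {
  cat <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"] }
EOF
}

# Hardened: TLS with mandatory client certificates (tlsverify). Only holders of a
# certificate signed by ca.pem can talk to the daemon, and the Unix socket keeps its
# default root:docker 0660 permissions.
hardened_daemon_json() {
  cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "$CERT_DIR/ca.pem",
  "tlscert": "$CERT_DIR/server-cert.pem",
  "tlskey": "$CERT_DIR/server-key.pem"
}
EOF
}
# Caveat: on distributions whose dockerd systemd unit already passes -H fd://, "hosts"
# in daemon.json conflicts with that flag; put the listener in a systemd drop-in instead.

# Agent container on the host network, pointed at the TCP endpoint through the standard
# Docker client variables (assumed to be honoured by the agent). No socket bind-mount.
agent_run_cmd() {
  printf 'docker run --network host -e DOCKER_HOST=tcp://127.0.0.1:2376 -e DOCKER_TLS_VERIFY=1 -e DOCKER_CERT_PATH=/certs -v %s:/certs:ro %s\n' "$CLIENT_CERTS" "$AGENT_IMAGE"
}

# Coarse pre-flight check on a daemon.json file: fail (non-zero) if it opens a tcp://
# listener without tlsverify. A text match, not a JSON parse, so keep the keys on one line.
check_daemon_json() {
  grep -q '"tcp://' "$1" || return 0        # no TCP listener: nothing to check
  grep -q '"tlsverify": *true' "$1"         # TCP listener present: tlsverify must be on
}
```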