### Complete Execution Trace Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

Illustrates a full trace of the entrypoint script's execution from container start to HAProxy running, including environment variable processing and command execution.

```shell
1. Docker starts container with DISABLE_IPV6=true CONTAINERS=1

2. Entry point script executes as PID 1:
   set -e                                   # Enable exit on error
   ulimit -n 10000                          # Raise FD limit
   DISABLE_IPV6_LOWER=$(echo "true" | tr '[:upper:]' '[:lower:]')
                                            # DISABLE_IPV6_LOWER="true"
   case "true" in
     1|true|yes) BIND_CONFIG=":2375" ;;     # Matches!
   esac                                     # BIND_CONFIG=":2375"
   sed "s|\${BIND_CONFIG}|:2375|g" \
     /usr/local/etc/haproxy/haproxy.cfg.template > /tmp/haproxy.cfg
                                            # Generates /tmp/haproxy.cfg with bind :2375
   # First arg was not set, so no prepend   # $1 is empty string
   # No "haproxy" command, so no flag enhancement

3. exec "$@"                                # Executes: haproxy (Docker CMD default)

4. HAProxy starts from /tmp/haproxy.cfg, listening on :2375
```

--------------------------------

### HAProxy Example: Container START Operation

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

An example HAProxy rule that allows starting a container if the path matches the specific start endpoint and the ALLOW_START environment variable is truthy.

```haproxy
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
```

--------------------------------

### Container State Control - Start

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Start a stopped container. Requires ALLOW_START=1 and POST=1.

```APIDOC
## POST /containers/{id}/start

### Description
Start a stopped container.

### Method
POST

### Endpoint
/containers/{id}/start
```

--------------------------------

### Install Development Dependencies with Poetry

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/README.md

Install all necessary development dependencies for the project using poetry. Ensure Docker is installed separately.

```shell
poetry install
```

--------------------------------

### Start Fresh Docker Socket Proxy Instance

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Run a new instance of the docker-socket-proxy with specific environment variables and port mappings. This is used after cleanup or for a fresh start.

```bash
docker run -d --privileged \
  --name docker-proxy \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Run docker-socket-proxy Container

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Example command to run the docker-socket-proxy container with the necessary volume mount and port mapping.

```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Start HAProxy with Flags

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/architecture.md

Starts HAProxy in master-worker mode (-W) and in the foreground (-db) for containerized environments.

```bash
set -- haproxy -W -db "$@"
```

--------------------------------

### HAProxy Log Format Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Example of a HAProxy log entry, showing client information, request details, and timing.
```log
2024-05-15 10:30:45 localhost haproxy[1]: 192.168.1.100:54321 - - [15/May/2024:10:30:45 +0000] "GET /v1.40/containers HTTP/1.1" 403 197 "..." "docker/24.0.0" 0 0 0 0 -- -- -- -- -- 0 0 0 0 0 0
```

--------------------------------

### Troubleshooting 403 Error: POST Request Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Example curl command for a POST request that might be denied due to method restrictions.

```bash
# Request
curl -X POST http://localhost:2375/containers/create
```

--------------------------------

### Test Proxy Connectivity After Startup

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Commands to test connectivity to the proxy after it has started, including checking logs and using curl.

```bash
# Wait a moment for startup
sleep 1

# Test connectivity
docker logs <container>
curl -v http://localhost:2375/_ping
```

--------------------------------

### Docker Compose Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

A sample Docker Compose configuration for setting up the docker-socket-proxy service. It includes volume mounts, port mappings, and environment variables.

```yaml
services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "127.0.0.1:2375:2375"
    environment:
      CONTAINERS: "1"
      POST: "1"
      ALLOW_START: "1"
```

--------------------------------

### Minimal Proxy Setup

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Run a minimal docker-socket-proxy that only allows events and health checks. Defaults to PING=1, VERSION=1, EVENTS=1.
```bash
docker run -d --privileged \
  --name docker-proxy \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Multiple Proxy Instances for Different Permissions

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Run separate proxy instances to provide distinct permission levels for different clients. This example shows how to set up a read-only proxy and a write-access proxy.

```bash
# Proxy 1: Read-only (port 2375)
docker run -d --privileged \
  --name docker-proxy-readonly \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  -e INFO=1 \
  -e EVENTS=1 \
  tecnativa/docker-socket-proxy

# Proxy 2: Write access (port 2376)
docker run -d --privileged \
  --name docker-proxy-write \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2376:2375 \
  -e CONTAINERS=1 \
  -e ALLOW_START=1 \
  -e ALLOW_STOP=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy

# Client usage
export DOCKER_HOST=tcp://localhost:2375  # Read-only
docker ps                                # Works

export DOCKER_HOST=tcp://localhost:2376  # Write access
docker start <container>                 # Works
```

--------------------------------

### Example Allow Rule for CONTAINERS Endpoint

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

An example of an endpoint-specific allow rule for the /containers path. It requires the CONTAINERS environment variable to be truthy and matches various path formats, including subpaths and case-insensitive variations.
```haproxy
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
```

--------------------------------

### Permission Hierarchy Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

Shows the hierarchical structure of permissions, including prerequisites for container management operations.

```text
Container Management
├─ Read: CONTAINERS=1 (GET/HEAD only)
│  ├─ List containers
│  ├─ Inspect container
│  ├─ View logs
│  └─ View stats
│
├─ Write: CONTAINERS=1 + POST=1
│  ├─ Create container
│  ├─ Attach to container
│  └─ Other modifications
│
└─ Specific Operations (CONTAINERS not required)
   ├─ ALLOW_START:    POST /containers/{id}/start
   ├─ ALLOW_STOP:     POST /containers/{id}/stop
   ├─ ALLOW_RESTARTS: POST /containers/{id}/restart|stop|kill
   ├─ ALLOW_PAUSE:    POST /containers/{id}/pause
   └─ ALLOW_UNPAUSE:  POST /containers/{id}/unpause
```

--------------------------------

### HAProxy Rule Example: Allow Upload Endpoint

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Example rule to allow access to a '/upload' endpoint if the UPLOAD environment variable is set.

```haproxy
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/upload } { env(UPLOAD) -m bool }
```

--------------------------------

### Frontend Declaration Example

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Defines the main proxy interface, including bind address, rules, and default backend routing.

```haproxy
frontend dockerfrontend
    bind ${BIND_CONFIG}
    ...rules...
    default_backend dockerbackend
    use_backend docker-events if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events }
```

--------------------------------

### Docker Compose Example for Proxy Connectivity

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

This Docker Compose configuration shows how to set up a service to connect to the proxy. Ensure the proxy port is accessible from the container network.

```yaml
services:
  app:
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375

  docker-proxy:
    ports:
      - "127.0.0.1:2375:2375"  # Only accessible from host
```

--------------------------------

### Docker Entrypoint Script Execution Flow

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/architecture.md

The main shell script for docker-socket-proxy, responsible for setting up the HAProxy configuration and starting the proxy.

```bash
#!/bin/sh
set -e  # Exit on any error

# Step 1: Raise file descriptor limit for HAProxy v3
ulimit -n 10000 2>/dev/null || true

# Step 2: Determine bind configuration from DISABLE_IPV6
if [ -z "$BIND_CONFIG" ]; then
  DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
  case "$DISABLE_IPV6_LOWER" in
    1|true|yes)
      BIND_CONFIG=":2375"  # IPv4 only
      ;;
    *)
      BIND_CONFIG="[::]:2375 v4v6"  # Dual-stack
      ;;
  esac
fi

# Step 3: Generate HAProxy config from template via sed substitution
sed "s|\${BIND_CONFIG}|$BIND_CONFIG|g" \
  /usr/local/etc/haproxy/haproxy.cfg.template > /tmp/haproxy.cfg

# Step 4: Handle command execution
# If first argument starts with -, add "haproxy" as the command
if [ "${1#-}" != "$1" ]; then
  set -- haproxy "$@"
fi

# Step 5: If command is "haproxy", enhance with flags
if [ "$1" = 'haproxy' ]; then
  shift
  # -W: master-worker mode (allows graceful reload via SIGUSR2)
  # -db: disables background mode (foreground execution)
  set -- haproxy -W -db "$@"
fi

# Step 6: Execute final command
exec "$@"
```

--------------------------------

### Docker Compose Setup for Proxy

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Configure docker-socket-proxy using Docker Compose. Allows container listing and start/stop operations, and sets the log level to info.

```yaml
version: '3.8'

services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: docker-proxy
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "127.0.0.1:2375:2375"
    environment:
      CONTAINERS: "1"
      POST: "1"
      ALLOW_START: "1"
      ALLOW_STOP: "1"
      LOG_LEVEL: "info"
    networks:
      - proxy-net
    restart: unless-stopped

networks:
  proxy-net:
    driver: bridge
```

--------------------------------

### HAProxy Example: IMAGES Endpoint

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

An example HAProxy rule that allows access to the IMAGES endpoint if the path matches and the IMAGES environment variable is truthy.

```haproxy
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
```

--------------------------------

### Test Proxy Functionality with Curl and Docker

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

These examples demonstrate how to test the docker-socket-proxy's functionality from different environments: directly from the host, from within a Docker container, and from a container on the same network.
```bash
# From host
curl -v http://localhost:2375/_ping

# From container
docker run --rm \
  -e DOCKER_HOST=tcp://docker-proxy:2375 \
  docker:latest \
  docker version

# From same network
docker run --rm \
  --network proxy-network \
  curlimages/curl:latest \
  curl http://docker-proxy:2375/_ping
```

--------------------------------

### Python Client for Read-Only Monitoring

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Example Python code using the docker SDK to interact with a read-only docker-socket-proxy. Demonstrates listing containers and attempting to run a new one.

```python
import docker

client = docker.DockerClient(base_url='tcp://localhost:2375')

# This works
containers = client.containers.list()
for container in containers:
    print(f"{container.name}: {container.status}")

# This fails with 403
try:
    client.containers.run('alpine', 'echo hello')
except docker.errors.APIError as e:
    print(f"Error: {e}")  # 403 Client Error
```

--------------------------------

### Allow Container Management Docker Run

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/configuration.md

Enables container lifecycle operations like starting and stopping by setting `CONTAINERS`, `ALLOW_START`, `ALLOW_STOP`, and `POST` to 1. Other management operations remain restricted.

```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  -e ALLOW_START=1 \
  -e ALLOW_STOP=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### HAProxy Rule Example: General Endpoint Rule

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

A general rule for '/containers' paths that checks an environment variable.

```haproxy
http-request allow if ... /containers } { env(CONTAINERS) -m bool }
```

--------------------------------

### Bash Script for Container Lifecycle Management

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

A bash script demonstrating container lifecycle management through docker-socket-proxy. Includes functions for checking container existence, starting, and restarting.

```bash
#!/bin/bash

export DOCKER_HOST=tcp://localhost:2375

# Health check
check_container() {
    local container_id=$1
    if docker inspect "$container_id" >/dev/null 2>&1; then
        echo "Container $container_id exists"
        return 0
    else
        echo "Container not found"
        return 1
    fi
}

# Start if stopped
start_container() {
    local container_id=$1
    docker start "$container_id"
    echo "Started $container_id"
}

# Graceful restart
restart_container() {
    local container_id=$1
    docker stop "$container_id"
    sleep 2
    docker start "$container_id"
    echo "Restarted $container_id"
}
```

--------------------------------

### HAProxy Rule Example: Specific Container Operations

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

An example of a specific rule for container operations, requiring an environment variable to be set.

```haproxy
http-request allow if ... /containers/.../start } { env(ALLOW_START) -m bool }
```

--------------------------------

### Permitted Operations in Restricted Environment

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Examples of Docker operations that are permitted and will work correctly in the restricted development environment configuration.
```bash
# These work
docker ps
docker images
docker run
docker exec
docker logs
docker inspect
docker stats
docker network ls
docker network create
docker network connect
docker volume ls
docker volume create
```

--------------------------------

### Node.js Client for Read-Only Monitoring

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Example Node.js code using the dockerode library to interact with a read-only docker-socket-proxy. Demonstrates listing containers and attempting to pull an image.

```javascript
const Docker = require('dockerode');
const docker = new Docker({ host: 'localhost', port: 2375 });

// This works
docker.listContainers((err, containers) => {
  if (err) return console.error(err);
  containers.forEach(container => {
    console.log(`${container.Names[0]}: ${container.Status}`);
  });
});

// This fails with 403
docker.pull('alpine', (err, stream) => {
  if (err) console.error(err);  // 403 error
});
```

--------------------------------

### CI/CD Pipeline with Docker Compose for Image Building

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

A Docker Compose setup where an 'image-builder' service uses the 'docker-proxy' to build and push Docker images. The proxy is configured to only allow image-related operations.

```yaml
version: '3.8'

services:
  image-builder:
    image: docker:latest
    volumes:
      # Mounting the raw socket here lets the builder bypass the proxy entirely;
      # drop this mount if DOCKER_HOST below is meant to be its only path to Docker
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375
    depends_on:
      - docker-proxy
    command: |
      sh -c "
        docker login -u $$REGISTRY_USER -p $$REGISTRY_PASSWORD
        docker build -t myregistry/myapp:latest .
        docker push myregistry/myapp:latest
      "
    env_file:
      - .env

  docker-proxy:
    image: tecnativa/docker-socket-proxy
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      IMAGES: "1"
      BUILD: "1"
      POST: "1"

networks:
  default: {}
```

--------------------------------

### Custom Docker Socket (balenaOS) Docker Run

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/configuration.md

Routes traffic through the balenaOS engine socket by specifying the custom socket path in `SOCKET_PATH`. This example also enables container queries.

```bash
docker run -d --privileged \
  -v /var/run/balena-engine.sock:/var/run/balena-engine.sock \
  -p 127.0.0.1:2375:2375 \
  -e SOCKET_PATH=/var/run/balena-engine.sock \
  -e CONTAINERS=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Multi-Service Setup with Docker Compose

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Configure multiple services with varying permission levels using Docker Compose. The central proxy service exposes the Docker socket, while other services connect to it with specific access controls.
```yaml
version: '3.8'

services:
  # Central proxy
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: docker-proxy
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "127.0.0.1:2375:2375"
    environment:
      LOG_LEVEL: "warning"
    restart: unless-stopped

  # Monitoring service (read-only)
  prometheus:
    image: prom/prometheus:latest
    depends_on:
      - docker-proxy
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    # Only needs CONTAINERS=1, POST=0 (read-only)

  # Orchestration service (lifecycle management)
  nomad:
    image: hashicorp/nomad:latest
    depends_on:
      - docker-proxy
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375
    # Expects ALLOW_START=1, ALLOW_STOP=1, CONTAINERS=1, POST=1
    # Managed separately with different port or proxy instance

  # Log aggregation (read-only)
  logstash:
    image: docker.elastic.co/logstash/logstash:latest
    depends_on:
      - docker-proxy
    environment:
      DOCKER_HOST: tcp://docker-proxy:2375
    # Only needs CONTAINERS=1, EVENTS=1, POST=0 (read-only)
```

--------------------------------

### Container Orchestration Configuration

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

This configuration allows managing the container lifecycle (start, stop, restart) without granting access to other resources like image management or network/volume management. It requires POST requests to be enabled.

```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e ALLOW_START=1 \
  -e ALLOW_STOP=1 \
  -e ALLOW_RESTARTS=1 \
  -e CONTAINERS=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Container Lifecycle Management Configuration

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/README.md

This configuration enables the management of container lifecycles, allowing users to start, stop, and restart containers. It explicitly denies operations like creating or removing containers, and managing images.

```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e ALLOW_START=1 \
  -e ALLOW_STOP=1 \
  -e ALLOW_RESTARTS=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Permitted Swarm Management Commands via Proxy

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Examples of Docker commands allowed when the proxy is configured for Swarm management. These commands focus on cluster orchestration, services, and configurations, but not on image or container operations.

```bash
export DOCKER_HOST=tcp://localhost:2375

# Swarm management
docker swarm init
docker node ls
docker service create ...
docker service update ...
docker config create ...

# Network management
docker network create
docker network connect ...

# These fail (403)
docker pull image          # Image access
docker run container       # Container access
docker secret create ...   # Secrets not enabled
```

--------------------------------

### Restart Docker Container with Python

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

A Python script to gracefully stop and start a specified Docker container using the Docker SDK. Ensure the Docker client is configured to connect to the proxy.
```python
#!/usr/bin/env python3
import docker
import time

client = docker.DockerClient(base_url='tcp://localhost:2375')


def restart_container(name):
    """Gracefully restart a container."""
    try:
        container = client.containers.get(name)
        print(f"Stopping {name}...")
        container.stop(timeout=10)
        time.sleep(2)
        print(f"Starting {name}...")
        container.start()
        print(f"Restarted {name}")
    except docker.errors.NotFound:
        print(f"Container {name} not found")


if __name__ == '__main__':
    restart_container('myapp')
```

--------------------------------

### Image Management Configuration

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

Configure the proxy to manage Docker images (list, inspect, pull, push, build, remove) without allowing container or cluster operations. This setup requires the POST method to be enabled.

```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e IMAGES=1 \
  -e BUILD=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Allow Container Lifecycle Operations

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

These rules allow specific container lifecycle operations (start, stop, restart, kill, pause, unpause) if the corresponding environment variable is set and the path matches the pattern. They require the POST=1 flag and the specific ALLOW_* flag, but not necessarily the CONTAINERS flag.
```haproxy
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/pause } { env(ALLOW_PAUSE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/unpause } { env(ALLOW_UNPAUSE) -m bool }
```

--------------------------------

### Info Endpoint

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Returns detailed system information including server configuration. Requires the INFO=1 environment variable.

```APIDOC
## Info Endpoint

### Description
Returns detailed system information including server configuration.

### Requires
`INFO=1`

### Endpoints

#### Get comprehensive Docker daemon info
* **Method**: GET
* **Endpoint**: `/info`
* **Description**: Get comprehensive Docker daemon info (server version, OS, kernel, storage driver, cgroup driver, number of containers/images, etc.).

#### Alias for /info
* **Method**: GET
* **Endpoint**: `/system/info`
```

--------------------------------

### Docker Socket Proxy Container Startup

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/architecture.md

Command to run the Docker Socket Proxy container. It mounts the Docker socket, exposes the proxy port, and sets initial environment variables.
```bash
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  tecnativa/docker-socket-proxy
```

--------------------------------

### Troubleshoot Permission Denied Errors

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Basic troubleshooting step to ensure the docker-proxy container is running and accessible.

```bash
# 1. Verify proxy is running
docker ps | grep proxy
```

--------------------------------

### Execution Endpoints

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Endpoints for executing commands within running containers, including creating, starting, resizing, and inspecting execution sessions.

```APIDOC
## POST /exec/{id}/create

### Description
Create an exec session in a container.

### Method
POST

### Endpoint
/exec/{id}/create

## POST /exec/{id}/start

### Description
Start an exec session.

### Method
POST

### Endpoint
/exec/{id}/start

## POST /exec/{id}/resize

### Description
Resize the TTY for an exec session.

### Method
POST

### Endpoint
/exec/{id}/resize

## GET /exec/{id}/json

### Description
Inspect an exec session.

### Method
GET

### Endpoint
/exec/{id}/json
```

--------------------------------

### Build Docker Image and Run Tests

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/README.md

Build the Docker image separately before running tests. This allows you to use a pre-built image without the --prebuild flag.

```shell
docker image build -t docker-socket-proxy:local .
```

```shell
poetry run pytest
```

--------------------------------

### Execute HAProxy with Enhanced Flags

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

The entrypoint script enhances the flags passed to HAProxy, such as prepending 'haproxy' and adding options like -W and -db.
```bash
# -c only validates the configuration and exits; omit it to actually serve traffic
exec haproxy -W -db -f /tmp/haproxy.cfg -c
```

--------------------------------

### Denied Operations in Restricted Environment

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Examples of Docker operations that will fail with a 403 Forbidden error in the restricted development environment configuration.

```bash
# These fail (403)
docker system prune           # Risky
docker rm                     # Requires explicit action
docker rmi                    # Requires explicit action
docker network rm             # Requires explicit action
docker volume rm              # Requires explicit action
docker swarm init             # Cluster changes
docker secret create ...      # Secrets
docker config create ...      # Configs
docker service create ...     # Swarm services
docker build                  # Might be restricted
docker pull (private images)  # Auth needed (AUTH=0)
```

--------------------------------

### Inspect Docker Network for Containers

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

If using a custom Docker network for the proxy, inspect it to see which containers are connected. This is useful for verifying the network setup.

```bash
docker network inspect proxy-net | jq '.[0].Containers'
```

--------------------------------

### Generate HAProxy Configuration from Template

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

Replaces the ${BIND_CONFIG} placeholder in the HAProxy template file with the determined bind configuration and writes the result to a temporary configuration file.
```sh
sed "s|\${BIND_CONFIG}|$BIND_CONFIG|g" \
  /usr/local/etc/haproxy/haproxy.cfg.template > /tmp/haproxy.cfg
```

--------------------------------

### Update Proxy Environment for Permissions

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Example of updating the docker-socket-proxy environment variables to grant the necessary permissions for operations like listing containers or performing POST requests.

```bash
# 1. Identify the required permission
curl -v http://localhost:2375/containers/json
# Returns 403? Check CONTAINERS=1

# 2. Update proxy environment
docker stop <container>
docker run -d --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 127.0.0.1:2375:2375 \
  -e CONTAINERS=1 \
  -e POST=1 \
  tecnativa/docker-socket-proxy

# 3. Verify permission works
docker ps
```

--------------------------------

### Build Custom Test Image to Verify Script Behavior

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

This command runs a temporary Alpine Linux container to test the docker-entrypoint.sh script's execution flow without actually running HAProxy.

```bash
docker run --rm -v /workspace/home/docker-socket-proxy:/src \
  alpine:latest sh -c "
    . /src/docker-entrypoint.sh
    # Script runs but halts before exec
  "
```

--------------------------------

### Path Parameter Matching

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Explains the naming patterns supported for container and resource IDs in paths.

```APIDOC
## Path Parameter Matching

### Description
Explains the naming patterns supported for container and resource IDs in paths.

### Supported Naming Patterns
* **Container IDs**: Full 64-character SHA256 hash or 12+ character short hash
* **Container Names**: Alphanumeric with underscores, periods, and hyphens: `[a-zA-Z0-9_.-]+`
* **Resource Names**: Same pattern as container names

### Example Valid Paths
* `/containers/myapp/logs` (by name)
* `/containers/abc123def456/logs` (by short ID)
* `/containers/abc123def456789abc123def456789abc123def456789abc123def456789/logs` (by full ID)
* `/v1.40/containers/myapp/logs` (with API version)
```

--------------------------------

### Permitted Image Management Commands via Proxy

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Examples of Docker commands that are permitted when the proxy is configured for image management. These commands interact with images but not with running containers or networks.

```bash
export DOCKER_HOST=tcp://localhost:2375

# These work
docker images                 # List
docker pull ubuntu:22.04      # Pull
docker push myregistry/image  # Push
docker build -t myimage .     # Build
docker rmi myimage            # Remove image
docker inspect myimage        # Inspect
docker tag image newname      # Tag

# These fail (403)
docker run image              # Create/run container
docker ps                     # List containers
docker network ls             # Manage networks
docker volume ls              # Manage volumes
```

--------------------------------

### Minimum Permissions (Read-Only) Docker Run

Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/configuration.md

Launches the proxy with default settings, enabling read-only access to the PING, EVENTS, and VERSION endpoints. POST is disabled, enforcing read-only API access.
```bash
docker run -d --privileged \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Check Docker Socket Proxy Logs for Errors
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Examine the initial logs of the docker-socket-proxy container to identify startup errors such as a bad generated configuration or a missing socket mount. `<container-name>` is the name or ID of the proxy container.

```bash
docker logs <container-name> | head -20
```

--------------------------------

### Verify Port Binding from Host
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Use `netstat` on the host to confirm that the published port (2375 in the examples) is listening. Because the examples publish on 127.0.0.1, the listener should appear as 127.0.0.1:2375, not 0.0.0.0:2375.

```bash
netstat -tlnp | grep 2375
# equivalent on hosts that ship iproute2 instead of net-tools:
ss -tlnp | grep 2375
```

--------------------------------

### Global HTTP Method Check Rule
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Denies any request that is not a GET unless the POST environment variable is true (HAProxy's predefined `METH_GET` ACL also matches HEAD). It is the primary security gate that keeps the API read-only when POST=0. Note that it is a method check, not a POST-only check: with POST=1, PUT and DELETE requests pass it as well and are then subject only to the per-endpoint rules.

```haproxy
http-request deny unless METH_GET || { env(POST) -m bool }
```

--------------------------------

### Debug Unexpected Request Denials
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

Use these commands to inspect the environment variables and logs of the proxy container when requests are unexpectedly denied. Look for missing or incorrectly set variables such as POST or the granular ALLOW_* flags.
```bash
# Check current environment variables (<container-name> is the proxy container)
docker inspect <container-name> | grep -E 'CONTAINERS|POST|ALLOW'

# Check logs for denied requests
docker logs <container-name> | grep "403"
```

--------------------------------

### Permitted Commands for Read-Only Monitoring
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Demonstrates which commands work and which fail with a read-only monitoring configuration of docker-socket-proxy (container and event access enabled, POST disabled). `<container>` stands for a container name or ID.

```bash
export DOCKER_HOST=tcp://localhost:2375

# These work (GET requests)
docker ps
docker ps -a
docker inspect <container>
docker logs <container>
docker stats
docker info
docker events
docker version

# These fail (403): each sends a non-GET request, which POST=0 denies
docker run alpine
docker exec <container> ls
docker stop <container>
docker rm <container>
```

--------------------------------

### Get Complete Proxy Status with Docker Inspect
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

This command retrieves detailed information about the running docker-socket-proxy container in one jq query: its name, running status, environment variables, port bindings, and mounts.

```bash
# All in one diagnostic output (<container-name> is the proxy container)
docker inspect <container-name> | jq '{
    Name: .[0].Name,
    Running: .[0].State.Running,
    Env: .[0].Config.Env,
    PortBindings: .[0].HostConfig.PortBindings,
    Mounts: .[0].Mounts
}'
```

--------------------------------

### Container Lifecycle Management Proxy Configuration
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Configure docker-socket-proxy to manage container lifecycle operations such as start, stop, restart, pause and unpause. Note that allow rules only ever add access: the ALLOW_* flags take nothing away from what CONTAINERS=1 together with POST=1 already grants under /containers (the endpoint reference on this page lists container creation as requiring POST=1, not a dedicated flag). If the goal is lifecycle control without creation or removal, keep POST=1 and the ALLOW_* flags but leave CONTAINERS at 0, accepting that read endpoints such as listing containers are then denied too.

```bash
docker run -d --privileged \
    --name docker-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    -e ALLOW_START=1 \
    -e ALLOW_STOP=1 \
    -e ALLOW_RESTARTS=1 \
    -e ALLOW_PAUSE=1 \
    -e ALLOW_UNPAUSE=1 \
    -e POST=1 \
    -e CONTAINERS=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Identify Bottlenecks: Proxy vs. Docker Daemon
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Compare the response time of a request made through the proxy with the same request made directly against the Docker socket, to determine whether the proxy is the source of a performance problem. The direct call must actually bypass the proxy: a plain `docker ps` with DOCKER_HOST pointing at tcp://localhost:2375 would go through it again.

```bash
# Through the proxy
time curl -s http://localhost:2375/containers/json > /dev/null
# Same request directly on the daemon socket, bypassing the proxy
time curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json > /dev/null

# If both take about the same time, proxy overhead is small
# If the proxied request is noticeably slower, check:
#   1. Network latency (use localhost if on the same host)
#   2. Proxy CPU/memory (docker stats on the proxy container)
#   3. Docker daemon load (docker stats across containers, host CPU)
```

--------------------------------

### Generate HAProxy Configuration
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/architecture.md

Uses sed to replace the `${BIND_CONFIG}` placeholder in the HAProxy configuration template with the bind configuration determined from DISABLE_IPV6. Inside double quotes a single backslash is what keeps the `$` literal for sed; a doubled form such as `\\\\${BIND_CONFIG}` would expand the variable inside the pattern and leave a literal backslash in front of it, so the placeholder would never be replaced.

```bash
sed "s|\${BIND_CONFIG}|$BIND_CONFIG|g" \
    /usr/local/etc/haproxy/haproxy.cfg.template > /tmp/haproxy.cfg
```

--------------------------------

### Prepend HAProxy Command if Flag Detected
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

If the first argument looks like an HAProxy flag (starts with '-'), prepend 'haproxy' to the argument list, so that arguments given after the image name such as `-f /some.cfg` are interpreted as an HAProxy invocation. `${1#-}` strips one leading dash; if the result differs from `$1`, the argument began with a dash.

```shell
if [ "${1#-}" != "$1" ]; then
    set -- haproxy "$@"
fi
```

--------------------------------

### Allow Container Queries Docker Run
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/configuration.md

Enables access to the `/containers` endpoints for read operations by setting the `CONTAINERS` environment variable to 1. POST remains disabled, so only GET requests reach those endpoints.
```bash
docker run -d --privileged \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    -e CONTAINERS=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Inspect Docker Network Details
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Examine the details of a Docker network, including its name, driver, and whether IPv6 is enabled. This helps in understanding the network configuration the proxy is attached to.

```bash
docker network inspect proxy-net | jq '.[0] | {Name, Driver, EnableIPv6}'
```

--------------------------------

### Container Creation
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Create a new container from an image. Requires POST=1.

```APIDOC
## POST /containers/create

### Description
Create a new container from an image.

### Method
POST

### Endpoint
/containers/create
```

--------------------------------

### Run Docker Socket Proxy in HAProxy Configuration-Check Mode
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

Arguments after the image name are passed to the entrypoint, which prepends `haproxy -W -db` because the first one starts with a dash. With `-c`, HAProxy only parses the given configuration and exits, so this validates the generated /tmp/haproxy.cfg (or one mounted at that path) without actually starting the proxy.

```bash
docker run -v /var/run/docker.sock:/var/run/docker.sock \
    tecnativa/docker-socket-proxy \
    -f /tmp/haproxy.cfg -c
```

--------------------------------

### Set Default Environment Variable in Custom Dockerfile
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

This example shows how to set a default value for an environment variable in a custom Dockerfile, so that a flag such as MY_CONTAINER defaults to disabled (0) unless explicitly overridden at container runtime.
```dockerfile
ENV MY_CONTAINER=0
```

--------------------------------

### Forbidden Response Example
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/access-control-model.md

When a request is denied by the Docker Socket Proxy's access control rules, HAProxy returns a standard HTTP 403 Forbidden response with its generic HTML error body. The body does not say which rule or flag caused the denial, so the diagnosis has to come from the proxy's environment and logs.

```http
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 197

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
```

--------------------------------

### Test Docker Entrypoint Script Locally
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

Run docker-entrypoint.sh directly with bash in trace mode to follow its execution step by step. Keep in mind that the script ends in `exec "$@"`, so pass no arguments unless you want it to start HAProxy, and that its sed step expects the template at /usr/local/etc/haproxy/haproxy.cfg.template.

```bash
bash -x docker-entrypoint.sh
```

--------------------------------

### Enable HAProxy Debug Logging
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/haproxy-frontend.md

Command to run the docker-socket-proxy with debug logging enabled for troubleshooting (add the socket mount and port mapping from the other examples for a usable instance).

```bash
# Enable HAProxy debug logging
docker run -e LOG_LEVEL=debug tecnativa/docker-socket-proxy
```

--------------------------------

### Podman Integration with Custom Socket Path
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Configure the proxy to work with Podman by setting the `SOCKET_PATH` environment variable to the Podman socket path and mounting that same path into the container. This lets the proxy front Podman's Docker-compatible API.

```bash
docker run -d --privileged \
    --name podman-proxy \
    -v /run/podman/podman.sock:/run/podman/podman.sock \
    -p 127.0.0.1:2375:2375 \
    -e SOCKET_PATH=/run/podman/podman.sock \
    -e CONTAINERS=1 \
    -e IMAGES=1 \
    -e POST=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### balenaOS Integration with Custom Socket Path
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Integrate the proxy with balenaOS by pointing `SOCKET_PATH` at the balena-engine socket instead of the default Docker socket; the same path must also be mounted into the container.
```bash
docker run -d --privileged \
    --name docker-proxy \
    -v /var/run/balena-engine.sock:/var/run/balena-engine.sock \
    -p 127.0.0.1:2375:2375 \
    -e SOCKET_PATH=/var/run/balena-engine.sock \
    -e CONTAINERS=1 \
    -e IMAGES=1 \
    -e POST=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Enhance HAProxy Startup Flags
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

If the first argument is exactly 'haproxy', the entrypoint rewrites the argument list to add '-W' (master-worker mode, which allows a reload via SIGUSR2 to the master) and '-db' (disable background mode, so HAProxy stays in the foreground as PID 1). Both matter in a container: an HAProxy that daemonized would leave PID 1 and end the container.

```shell
if [ "$1" = 'haproxy' ]; then
    shift   # Remove "haproxy" from args
    set -- haproxy -W -db "$@"
fi
```

--------------------------------

### Verify Docker Version via Proxy
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/README.md

Once DOCKER_HOST points at the proxy, verify the connection by checking the Docker version. A successful answer shows that the proxy is reachable and that the VERSION endpoint is enabled.

```bash
docker version
```

--------------------------------

### Listen to Docker Events with Python
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

A Python script that connects to the Docker proxy with the docker SDK and continuously prints Docker events in real time. It includes basic error handling for event processing and a graceful shutdown on Ctrl-C.
```python
#!/usr/bin/env python3
import docker

# The proxy needs EVENTS=1 (the default) for /events to be reachable.
client = docker.DockerClient(base_url='tcp://localhost:2375')


def print_event(event):
    """Print formatted event details."""
    event_type = event.get('Type', 'unknown')
    action = event.get('Action', 'unknown')
    actor = event.get('Actor', {})
    actor_id = actor.get('ID', '')[:12]
    print(f"[{event_type}] {action} on {actor_id}")


def watch_events():
    """Watch Docker events in real time."""
    print("Watching Docker events...")
    for event in client.events(decode=True):
        try:
            print_event(event)
        except Exception as e:
            print(f"Error processing event: {e}")


if __name__ == '__main__':
    try:
        watch_events()
    except KeyboardInterrupt:
        print("Stopped watching events")
```

--------------------------------

### Configure Docker Socket Proxy for Event Monitoring
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Run the docker-socket-proxy with the environment variables that enable event streaming and container status monitoring. This configuration allows subscribing to Docker events without write access to the API.

```bash
docker run -d --privileged \
    --name docker-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    -e EVENTS=1 \
    -e CONTAINERS=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Version Endpoint
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Returns Docker version and API version information. Requires the VERSION=1 environment variable.

```APIDOC
## Version Endpoint

### Description
Returns Docker version and API version information.

### Requires
`VERSION=1`

### Endpoints

#### Get Docker daemon and API version information
* **Method**: GET
* **Endpoint**: `/version`
```

--------------------------------

### System Endpoints
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Provide system-level information and operations. Requires the SYSTEM=1 environment variable; the prune operation is a POST and therefore also needs POST=1.
```APIDOC
## System Endpoints

### Description
Provide system-level information and operations.

### Requires
`SYSTEM=1`

### Endpoints

#### Get Docker disk usage breakdown
* **Method**: GET
* **Endpoint**: `/system/df`
* **Description**: Get Docker disk usage breakdown by images, containers, volumes.

#### Remove unused resources
* **Method**: POST
* **Endpoint**: `/system/prune`
* **Description**: Remove unused resources (images, containers, networks, volumes). Also requires POST=1.

#### See events endpoint
* **Method**: GET
* **Endpoint**: `/system/events`
* **Description**: See the `/events` endpoint.
```

--------------------------------

### Build Endpoints
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Endpoint for building Docker images. Requires BUILD=1 and POST=1: the Docker Engine API implements /build only as a POST, so BUILD=1 on its own, with the method gate denying non-GET requests, grants nothing usable.

```APIDOC
## POST /build

### Description
Build Docker images from a Dockerfile. The build context is sent as a tar archive in the request body.

### Method
POST

### Endpoint
/build
```

--------------------------------

### Test Docker Proxy with Minimal Request
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/usage-examples.md

Send a simple `_ping` request to the proxy's exposed port to verify that it is responding (PING is enabled by default). Use `curl -v` for verbose output, which shows the status line and headers of the reply.

```bash
curl -v http://localhost:2375/_ping
```

--------------------------------

### Override File Descriptor Limit with Docker Run
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/api-reference/docker-entrypoint-script.md

The entrypoint raises the file descriptor limit to 10000 at startup. To limit the resources this can consume, set the container's nofile limit with the --ulimit option at startup.

```bash
docker run --ulimit nofile=4096:4096 ...
```

--------------------------------

### Docker Swarm Manager Docker Run
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/configuration.md

Enables Docker Swarm operations, including service and network creation, by setting `SERVICES`, `NETWORKS`, `TASKS`, `SWARM`, and `POST` to 1. This configuration is for Swarm managers.

```bash
docker run -d --privileged \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    -e SERVICES=1 \
    -e NETWORKS=1 \
    -e TASKS=1 \
    -e SWARM=1 \
    -e POST=1 \
    tecnativa/docker-socket-proxy
```

--------------------------------

### Runtime Override of Environment Variable
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/architecture.md

Demonstrates how a default set in the image's Dockerfile is overridden at runtime with `docker run -e`.

```bash
docker run -e CONTAINERS=1 tecnativa/docker-socket-proxy
```

--------------------------------

### Plugin Endpoints
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/endpoints.md

Manage Docker plugins. Requires the PLUGINS=1 environment variable; creating, enabling, disabling, pushing and removing plugins are non-GET requests and therefore also need POST=1.

```APIDOC
## Plugin Endpoints

### Description
Manages Docker plugins.

### Requires
`PLUGINS=1`

### Endpoints

#### List installed plugins
* **Method**: GET
* **Endpoint**: `/plugins`

#### Inspect a plugin by name
* **Method**: GET
* **Endpoint**: `/plugins/{name}`

#### Inspect plugin (alias)
* **Method**: GET
* **Endpoint**: `/plugins/{name}/json`

#### Create a plugin
* **Method**: POST
* **Endpoint**: `/plugins/create`

#### Enable a plugin
* **Method**: POST
* **Endpoint**: `/plugins/{name}/enable`

#### Disable a plugin
* **Method**: POST
* **Endpoint**: `/plugins/{name}/disable`

#### Push a plugin to a registry
* **Method**: POST
* **Endpoint**: `/plugins/{name}/push`

#### Remove a plugin
* **Method**: DELETE
* **Endpoint**: `/plugins/{name}`
```

--------------------------------

### Run Docker Socket Proxy with Restart Policy
Source: https://github.com/tecnativa/docker-socket-proxy/blob/master/_autodocs/troubleshooting-diagnostics.md

Run the docker-socket-proxy container with a restart policy so that it automatically restarts on failure. The second command shows how often Docker has restarted it, which is a quick indicator of a crash loop.

```bash
docker run -d --privileged \
    --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    tecnativa/docker-socket-proxy
```

```bash
# Restart count of the proxy container (<container-name> is its name or ID)
docker inspect <container-name> | jq '.[0].RestartCount'
```
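The access-control model spread across the snippets above (the global method check rule, per-endpoint allow rules such as the container start rule, the path parameter patterns, and the "Debug Unexpected Request Denials" procedure) can be dry-run offline before a proxy is deployed. What follows is an added example written for this page, not the project's haproxy.cfg or any code from its repository: it models the decision order in Python so that a flag set can be checked against the request lines a client will send. The `RULES` table is modelled on the shape of the documented start rule and covers only endpoints this page mentions (the real configuration's regexes may differ in detail), the `flag_enabled`, `decide` and `dry_run` helpers are this example's own, and the reading of `-m bool` on an env() string as "parses to a non-zero integer" is my reading of HAProxy's string-to-integer cast rather than something the page states; all three are marked as assumptions in the code.

```python
#!/usr/bin/env python3
"""Offline model of the docker-socket-proxy request gate (added example).

Reimplements the decision order the documentation describes: the global
method gate, then per-endpoint allow rules keyed on environment flags, then
the final deny that HAProxy answers with 403 Forbidden.  It is not the
project's haproxy.cfg; see the ASSUMPTION comments below.
"""
import re
from urllib.parse import unquote

# ASSUMPTION: patterns are modelled on the documented start rule
# `^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start`; only endpoints the page
# mentions are listed, and the real config's regexes may differ in detail.
VER = r"^(/v[\d.]+)?"
NAME = r"[a-zA-Z0-9_.-]+"
RULES = [
    ("PING",        VER + r"/_ping"),
    ("VERSION",     VER + r"/version"),
    ("EVENTS",      VER + r"/events"),
    ("ALLOW_START", VER + r"/containers/" + NAME + r"/start"),
    ("ALLOW_STOP",  VER + r"/containers/" + NAME + r"/stop"),
    ("CONTAINERS",  VER + r"/containers"),   # prefix match: no trailing $
    ("IMAGES",      VER + r"/images"),
    ("BUILD",       VER + r"/build"),
    ("SYSTEM",      VER + r"/system"),
    ("PLUGINS",     VER + r"/plugins"),
]
# `-m reg -i`: case-insensitive regex search (the rules anchor with ^ themselves)
COMPILED = [(flag, re.compile(rx, re.IGNORECASE)) for flag, rx in RULES]


def flag_enabled(env, name):
    """Model of `env(NAME) -m bool`.

    ASSUMPTION: HAProxy casts the string sample to an integer before the bool
    match, so only a non-zero integer counts as enabled; "true" or "yes" do
    not.  The project's documentation only ever uses 1 and 0.
    """
    try:
        return int(env.get(name, "0")) != 0
    except ValueError:
        return False


def decide(env, method, raw_path):
    """Return (allowed, reason) for one request under one environment."""
    # 1. http-request deny unless METH_GET || { env(POST) -m bool }
    if method.upper() != "GET" and not flag_enabled(env, "POST"):
        return False, "non-GET request and POST is not enabled"
    # 2. path,url_dec: rules see the percent-decoded path without the query string
    path = unquote(raw_path.split("?", 1)[0])
    candidates = []
    for flag, rx in COMPILED:
        if rx.search(path):
            if flag_enabled(env, flag):
                return True, f"allowed by the {flag} rule"
            candidates.append(flag)
    # 3. the trailing http-request deny: HAProxy answers 403 Forbidden
    if candidates:
        return False, "matches a rule but none of these flags is enabled: " + ", ".join(candidates)
    return False, "no rule covers this path"


def dry_run(env, request_lines):
    """Evaluate 'METHOD /path' lines; returns {line: (allowed, reason)}."""
    results = {}
    for line in request_lines:
        method, path = line.split(None, 1)
        results[line] = decide(env, method, path)
    return results


if __name__ == "__main__":
    # Constructed sample: the read-only monitoring flag set from the docs,
    # probed with the kind of requests `docker ps`, `docker logs` and `docker run` send.
    monitoring_env = {"CONTAINERS": "1", "EVENTS": "1", "PING": "1", "VERSION": "1"}
    sample_requests = [
        "GET /v1.43/containers/json?all=1",
        "GET /containers/my%2Dapp/logs",
        "POST /containers/create",
        "POST /containers/myapp/start",
        "GET /plugins",
    ]
    for line, (ok, why) in dry_run(monitoring_env, sample_requests).items():
        print(f"{'ALLOW' if ok else '403  '} {line:<38} {why}")
```

Run it as a script to print the verdict table for the constructed sample, or import `decide()` and feed it the method and path taken from a 403 line in the proxy log. Two things the dry run makes visible that the individual snippets do not: the allow rules are prefix matches that only ever add access, so CONTAINERS=1 together with POST=1 already admits `POST /containers/create`, and under the integer cast modelled here a flag set to `true` instead of `1` reads as disabled, which yields exactly the unexpected 403 the debugging snippet above looks for.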