Harden Traefik security by accessing the Docker API through docker-socket-proxy

With these changes, we: - install https://github.com/Tecnativa/docker-socket-proxy via the https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role - make Traefik access the Docker API via TCP by connecting to this socket proxy - .. which allows us to run the Traefik container with less privileges (non-`root`, dropped capabilities)
2 years ago · bf2b540807
parent 449b51588e
commit bf2b540807
3 changed files with 48 additions and 2 deletions
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -356,7 +356,9 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
    +
-    ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
+    ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
+    +
+    ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
    +
    ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
  }}
@ -3821,6 +3823,31 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese
 ######################################################################


+########################################################################
+#                                                                      #
+# com.devture.ansible.role.container_socket_proxy                      #
+#                                                                      #
+########################################################################
+
+devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
+
+devture_container_socket_proxy_identifier: matrix-container-socket-proxy
+
+devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy"
+
+devture_container_socket_proxy_uid: "{{ matrix_user_uid }}"
+devture_container_socket_proxy_gid: "{{ matrix_user_gid }}"
+
+# Traefik requires read access to the containers APIs to do its job
+devture_container_socket_proxy_api_containers_enabled: true
+
+########################################################################
+#                                                                      #
+# /com.devture.ansible.role.container_socket_proxy                     #
+#                                                                      #
+########################################################################
+
+
 ########################################################################
 #                                                                      #
 # com.devture.ansible.role.traefik                                     #
@ -3842,6 +3869,20 @@ devture_traefik_additional_entrypoints_auto:

 devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

+devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
+
+devture_traefik_container_additional_networks: |
+  {{
+    ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
+  }}
+
+devture_traefik_systemd_required_services_list: |
+  {{
+    (['docker.service'])
+    +
+    ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
+  }}
+
 ########################################################################
 #                                                                      #
 # /com.devture.ansible.role.traefik                                    #
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -119,6 +119,8 @@
    - custom/matrix-user-creator
    - custom/matrix-common-after

+    - role: galaxy/com.devture.ansible.role.container_socket_proxy
+
    - when: matrix_playbook_traefik_role_enabled | bool
      role: galaxy/com.devture.ansible.role.traefik

--- a/requirements.yml
+++ b/requirements.yml
@ -51,8 +51,11 @@
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
  version: v1.8.18-2

+- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
+  version: v0.1.1-0
+
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.9.8-0
+  version: v2.9.8-1

 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0