mirror of https://github.com/Tecnativa/docker-socket-proxy synced 2025-07-04 14:22:36 +00:00

Refactored docker-entrypoint.sh to add docker group

- moved most of docker-entrypoint.sh into start-haproxy.sh
- made container run as root initially, assign group of docker socket to haproxy user and execute start-haproxy.sh as haproxy
- passthrough positional parameters to start-haproxy
- updated documentation
Niklas Teichmann 2025-07-02 13:22:49 +02:00
parent c6e73c04e2
commit a1f3a9e38f
4 changed files with 40 additions and 32 deletions


@ -32,4 +32,6 @@ ENV ALLOW_RESTARTS=0 \
VERSION=1 \ VERSION=1 \
VOLUMES=0 VOLUMES=0
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
COPY start-haproxy.sh /usr/local/bin/
USER root
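Review bot: The trailing `USER root` has no comment explaining why the image default changes to root, and it means the only thing separating HAProxy from root is the `su` call in docker-entrypoint.sh. Add a comment above it stating that root is needed only so the entrypoint can run `adduser` before dropping to `haproxy`, since anyone who overrides the entrypoint or uses `docker exec` now lands as root in a container that has the Docker socket mounted.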


@ -41,14 +41,11 @@ never happen.
$ docker container run \ $ docker container run \
-d \ -d \
--group-add "$(getent group docker | cut -d: -f3)" \
--name dockerproxy \ --name dockerproxy \
-v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/docker.sock:/var/run/docker.sock \
-p 127.0.0.1:2375:2375 \ -p 127.0.0.1:2375:2375 \
tecnativa/docker-socket-proxy tecnativa/docker-socket-proxy
The `--group-add` adds the container's user (`haproxy`) to the `docker` group, allowing access to the Docker socket. This assumes that the `docker` group exists and has access to the Docker socket.
An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked. An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked.
2. Connect your local docker client to that socket: 2. Connect your local docker client to that socket:
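Review bot: Missing documentation where the `--group-add` line and its explanatory paragraph are removed: nothing replaces them, so the README no longer says how the container gets access to the socket. Add a sentence here stating that the container now starts as root, adds `haproxy` to the group that owns the socket, and then drops to `haproxy`, and note that passing `--user` prevents that setup step from running.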


@ -1,32 +1,9 @@
#!/bin/sh #!/bin/sh
set -e set -e
# Normalize the input for DISABLE_IPV6 to lowercase # add haproxy user to group of docker socket
DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]') DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")
adduser haproxy "$DOCKER_GROUP"
# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly # continue as haproxy user, preserving entrypoint parameters
case "$DISABLE_IPV6_LOWER" in su -s /bin/sh -c 'start-haproxy.sh "$@"' haproxy -- "$@"
1|true|yes)
export BIND_PORT=':2375'
export BIND_OPTIONS=''
;;
*)
export BIND_PORT=':::2375'
export BIND_OPTIONS='v4v6'
;;
esac
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- haproxy "$@"
fi
if [ "$1" = 'haproxy' ]; then
shift # "haproxy"
# if the user wants "haproxy", let's add a couple useful flags
# -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
# -db -- disables background mode
set -- haproxy -W -db "$@"
fi
exec "$@"
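Review bot: `DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")` resolves a group name, but a bind-mounted socket carries the host's numeric GID, which often has no entry in the container's /etc/group; stat then prints UNKNOWN, `adduser haproxy "$DOCKER_GROUP"` fails, and `set -e` aborts startup. Read the numeric id with `%g`, create a group with that GID when none exists, and only then add `haproxy` to it. Two smaller points on the same lines: if the socket's group is `root`, this adds `haproxy` to GID 0, which deserves an explicit decision or a warning; and the final `su` line is not prefixed with `exec`, so the root entrypoint shell stays around as the parent of HAProxy, whereas the old script ended in `exec "$@"`.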

start-haproxy.sh Executable file

@ -0,0 +1,32 @@
#!/bin/sh
set -e
# Normalize the input for DISABLE_IPV6 to lowercase
DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
case "$DISABLE_IPV6_LOWER" in
1|true|yes)
export BIND_PORT=':2375'
export BIND_OPTIONS=''
;;
*)
export BIND_PORT=':::2375'
export BIND_OPTIONS='v4v6'
;;
esac
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- haproxy "$@"
fi
if [ "$1" = 'haproxy' ]; then
shift # "haproxy"
# if the user wants "haproxy", let's add a couple useful flags
# -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
# -db -- disables background mode
set -- haproxy -W -db "$@"
fi
exec "$@"
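Review bot: Nothing at the top of this new script checks which user is running it, and with `USER root` now the image default, invoking start-haproxy.sh directly (for example as an overridden entrypoint) reaches the final `exec "$@"` and starts HAProxy as root. A guard right after `set -e` that exits when `id -u` returns 0 would keep the privilege drop enforced, and a header comment saying the script is meant to be called by docker-entrypoint.sh as the `haproxy` user would document the split.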