
Document CetusGuard as a Docker socket proxy solution #14806

Merged
merged 2 commits into from
Apr 18, 2023

Conversation

@hectorm (Contributor) commented Mar 26, 2023

Summary

I'm a heavy Netdata user and have the need to deploy it securely on Docker. Given how critical it is to give a service access to the socket, I've recently developed CetusGuard, a Docker socket proxy that has no dependencies, is distributed in an image built from scratch and allows you to define narrower filtering rules than the currently proposed solution.

A complete example of a Netdata deployment with CetusGuard can be found here.

I'm not quite sure whether the best approach to this PR is to add CetusGuard as an alternative to the current solution or to replace it. I have chosen the second option because CetusGuard covers this use case completely.

@CLAassistant commented Mar 26, 2023

CLA assistant check
All committers have signed the CLA.

@github-actions bot added labels on Mar 26, 2023: area/collectors (Everything related to data collection), area/docs, area/packaging (Packaging and operating systems support), collectors/cgroups

Review comments (outdated, resolved) on: collectors/cgroups.plugin/README.md, packaging/docker/README.md
@cakrit (Contributor) commented Mar 28, 2023

The minimum needed for this PR to be accepted is to add instead of replace, as requested in the review.

But can you please explain why https://github.com/Tecnativa/docker-socket-proxy was so inappropriate for your use case, that you had to develop a new one?

I'd also be interested to know if you tried the HAProxy method mentioned in one of the docs, or why you think it wouldn't work so we can improve that part too.

@hectorm (Contributor, Author) commented Mar 29, 2023

There are several reasons why I did not use that project:

My first thought was to create my own image with HAProxy, but since it was not too complicated a problem to implement from scratch, I decided to develop my own solution to have more flexibility. The main features are:

  • Allows defining narrower filtering rules (in the case of Netdata, it is possible to define a rule for exactly the one endpoint that is needed: GET %API_PREFIX_CONTAINERS%/%CONTAINER_ID_OR_NAME%/json).
  • Supports Unix sockets and TCP with TLS client authentication in the backend and frontend.
  • Supports connection hijacking (although this does not apply to Netdata).
  • It has zero dependencies.
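The difference between a coarse socket-proxy policy and the single-endpoint rule described in the comment above is easiest to see in code. The following Go program is an added illustration written for this page; it is not CetusGuard's code, not part of the PR, and its rule syntax is a hand-expanded stand-in for the %API_PREFIX_CONTAINERS% and %CONTAINER_ID_OR_NAME% placeholders quoted above. It defines two allowlists, a coarse one that opens the whole /containers tree for reads and a narrow one that permits only container inspect, and runs the same requests through both so the exposure difference (container listing, log reads, traversal-style paths) is visible. The upstream handler is a stub; in a real deployment it would be a reverse proxy to the Docker socket.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"regexp"
)

// Rule is one allowlist entry: the HTTP methods it permits and an anchored
// regular expression over the cleaned request path.
type Rule struct {
	Methods map[string]bool
	Path    *regexp.Regexp
}

// apiPrefix matches the optional versioned prefix Docker clients send
// (e.g. "/v1.43"); containerRef matches a container ID or name.
// Both are assumed stand-ins for the placeholders quoted in the PR, not
// CetusGuard's own rule syntax.
const (
	apiPrefix    = `(/v[0-9]+\.[0-9]+)?`
	containerRef = `[A-Za-z0-9][A-Za-z0-9_.-]*`
)

func rule(re string, methods ...string) Rule {
	m := make(map[string]bool, len(methods))
	for _, x := range methods {
		m[x] = true
	}
	return Rule{Methods: m, Path: regexp.MustCompile(`^` + re + `$`)}
}

// CoarseRules stands for a policy that opens the whole /containers tree for
// reads; it also exposes the container listing and every per-container GET.
var CoarseRules = []Rule{
	rule(apiPrefix+`/containers(/.*)?`, "GET", "HEAD"),
}

// NetdataRules is the narrow policy from the PR: only container inspect.
var NetdataRules = []Rule{
	rule(apiPrefix+`/containers/`+containerRef+`/json`, "GET", "HEAD"),
}

// Allowed reports whether the request matches any rule. The path is cleaned
// first so "/containers/x/../json" is judged as "/containers/json".
func Allowed(rules []Rule, method, reqPath string) bool {
	p := path.Clean(reqPath)
	for _, r := range rules {
		if r.Methods[method] && r.Path.MatchString(p) {
			return true
		}
	}
	return false
}

// NewFilter wraps the upstream handler (in a real deployment a reverse proxy to
// the Docker socket) and rejects anything the policy does not explicitly allow.
func NewFilter(rules []Rule, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(rules, r.Method, r.URL.Path) {
			http.Error(w, "denied by socket proxy policy", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// Probe runs one request through the filter against a stub upstream that
// always answers 200, and returns the status the client would see.
func Probe(rules []Rule, method, reqPath string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	NewFilter(rules, upstream).ServeHTTP(rec, httptest.NewRequest(method, reqPath, nil))
	return rec.Code
}

func main() {
	// Constructed sample requests; only the first one is what Netdata needs.
	requests := []struct{ method, path string }{
		{"GET", "/v1.43/containers/netdata/json"}, // container inspect
		{"GET", "/v1.43/containers/json"},         // list every container
		{"GET", "/v1.43/containers/netdata/logs"}, // read container logs
		{"POST", "/v1.43/containers/create"},      // create a container
		{"GET", "/containers/netdata/../json"},    // traversal-style listing
	}
	for _, q := range requests {
		fmt.Printf("%-5s %-40s coarse=%d narrow=%d\n", q.method, q.path,
			Probe(CoarseRules, q.method, q.path), Probe(NetdataRules, q.method, q.path))
	}
}
```

Running it shows both policies passing the inspect call, while only the coarse policy also passes the container listing, the log read and the cleaned traversal path; neither passes the POST. The cleaning step matters because a regular expression anchored on the raw path would otherwise treat "/containers/netdata/../json" as a per-container request.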

@hectorm hectorm requested a review from cakrit April 16, 2023 10:47