From a9cbb890ecf80d765f0a8fd03a20ec150a54fe28 Mon Sep 17 00:00:00 2001
From: Bret Fisher
Date: Wed, 12 Dec 2018 04:25:23 -0500
Subject: [PATCH] =?UTF-8?q?more=20docker=20socket=20security=20?= =?UTF-8?q?=F0=9F=94=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 stack-proxy-global.yml | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/stack-proxy-global.yml b/stack-proxy-global.yml
index e6cf005..3c18a6a 100644
--- a/stack-proxy-global.yml
+++ b/stack-proxy-global.yml
@@ -5,7 +5,7 @@
 # - runs traefik on host NIC directly, to improve performance
 # and capture client IP's
 # - uses consul to store static config for startup
-# - uses socat to allow offloading traefik to worker nodes
+# - uses haproxy to allow offloading traefik to worker nodes
 # - store consul data in a volume on cloud storage with rexray
 # TODO improvements
@@ -20,7 +20,7 @@ services:
 traefik-init:
 image: traefik:1.7-alpine
 networks:
- - traefik-private
+ - traefik-consul
 command:
 # Use your favourite settings here, but add:
 - storeconfig
@@ -58,7 +58,8 @@ services:
 image: traefik:1.7-alpine
 networks:
 - proxy
- - traefik-private
+ - traefik-consul
+ - traefik-docker
 ports:
 - target: 80
 published: 80
@@ -88,7 +89,7 @@ services:
 image: consul
 command: agent -server -bootstrap-expect=1
 networks:
- - traefik-private
+ - traefik-consul
 volumes:
 - consul:/consul/data
 environment:
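Review bot: In the `@@ -58,7 +58,8 @@` hunk the traefik service now joins three networks with no explanation of why the old `traefik-private` was split, which is the actual security change here (consul and the docker socket proxy no longer share a segment, so only traefik can reach the proxy). A reader of the rendered stack file will not see this commit message, so I'd annotate the new entries inline: `- traefik-consul  # static config only; consul lives here` and `- traefik-docker  # only route to dockersocket; nothing else joins this network`. The same split appears in the `@@ -20,7 +20,7 @@` and `@@ -88,7 +89,7 @@` hunks, where a one-line comment on the first occurrence would suffice. The traefik service definition continues beyond the hunk.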
@@ -97,21 +98,20 @@ services:
 - CONSUL_CLIENT_INTERFACE=eth0
 deploy:
 replicas: 1
- networks:
- - traefik-private
 logging:
 options:
 max-size: "500k"
-# this socat proxy allows us to move traefik to worker nodes
+# this custom haproxy allows us to move traefik to worker nodes
 # while this container listens on managers and only allows
-# traefik to connect
+# traefik to connect, read-only, to limited docker api calls
+# https://github.com/Tecnativa/docker-socket-proxy
 dockersocket:
 image: tecnativa/docker-socket-proxy
 networks:
- - traefik-docker
 volumes:
- - /var/run/docker.sock:/var/run/docker.sock
+ - /var/run/docker.sock:/var/run/docker.sock:ro
 environment:
 CONTAINERS: 1
 NETWORKS: 1
@@ -136,7 +136,13 @@ networks:
 proxy:
 driver: overlay
 name: proxy
- traefik-private:
+ traefik-consul:
+ driver: overlay
+ driver_opts:
+ encrypted: 'true'
+ # since we're passing SSL certs over TCP, lets IPSec
+ traefik-docker:
 driver: overlay
 driver_opts:
- encrypted: true # since we're passing SSL certs and docker socket stuff over TCP, lets IPSec
+ encrypted: 'true'
+ # since we're passing docker socket stuff over TCP, lets IPSec
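Review bot: The `:ro` on the new `/var/run/docker.sock:/var/run/docker.sock:ro` mount does not make the Docker API read-only; a read-only bind mount only blocks file operations on the mount, while connecting to the socket and sending any request still works, so the rewritten comment `# traefik to connect, read-only, to limited docker api calls` credits the wrong mechanism. What actually limits the calls is the proxy's allow-list in `environment:` (`CONTAINERS: 1`, `NETWORKS: 1`, plus, if I recall the image correctly, its default of rejecting non-GET requests — worth confirming against the linked README). I'd reword to `# traefik to connect through a proxy that forwards only an allow-listed, read-only subset of the docker api (see environment below)` and keep `:ro` as defense in depth. The dockersocket `environment:` list continues past the end of the hunk.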
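Review bot: In the `@@ -136,7 +136,13 @@` hunk the two `encrypted: 'true'` driver_opts only protect the overlay data plane between swarm nodes, and they depend on the nodes allowing IP protocol 50 (ESP) to each other, which nothing in this file records; a blocked ESP path shows up as silent loss of connectivity on exactly these two networks, so I'd state the requirement once, e.g. `# IPsec between nodes; requires ESP (IP proto 50) open in node firewalls`. The explanatory comments would also read better above the `encrypted:` key they describe rather than trailing it, matching the style of the header comment block in the same file. Traffic on `proxy` remains unencrypted, which is reasonable for the public entry network but worth a one-line comment next to `name: proxy` so the asymmetry reads as deliberate.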