Skip to content
/ docker-socket-proxy-watchtower-demo Public

An example of running `Watchtower` behind `docker-socket-proxy` to restrict access to the Docker socket

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

netr0m/docker-socket-proxy-watchtower-demo

BranchesTags

Repository files navigation

Automated container updates using docker-socket-proxy + watchtower

This repository provides an example of using Watchtower to automate the process of automating containers when new base images are released, proxying requests to the Docker socket via a docker-socket-proxy container to limit the scope of available APIs.

Prerequisites

⚠️ Note: If the host you're running on has SELinux or AppArmor, you may need to run the docker-socket-proxy container with the --privileged flag.

Environment variables

If the container you wish to automatically update is stored in a private container registry, the following environment variables are required:

REGISTRY_USER=<username>
REGISTRY_PASS=<password or token>

Dependencies

OS dependencies

Python dependencies

[Optional] Create a virtual environment
# Install the virtualenv package
pip3 install virtualenv
# Create a virtual environment
virtualenv .venv
# Activate the virtual environment
source .venv
Dependencies
pip3 install -r requirements.txt

Ansible dependencies

Collections
ansible-galaxy collection install -r ansible-requirements.yml

Usage

The repository provides an Ansible Playbook - see autoupdates.yml

To run the playbook, issue the following command:

ansible-playbook -i localhost autoupdates.yml

Playbook description

The repository provides an Ansible Playbook which handles

  1. Setting the necessary variables
  2. Pulls the required Docker images
  3. Creates a dedicated Docker network for the socket-proxy and watchtower containers
  4. Starts the socket-proxy and watchtower containers
  5. Pulls an example Docker image, alpine:3.13, and creates a new tag of this image as latest
    • i.e. docker image tag alpine:3.13 alpine:latest
    • This is done to ensure that our local image, alpine:latest, has a different hash from the remote image (on DockerHub), which will trigger an update
  6. Starts the example Docker image alpine:latest, which will be automatically updated once Watchtower is triggered.

Manual run (without Ansible)

# Create environment variable files
cp socket-example.env socket.env
cp tower-example.env tower.env

# Create a Docker network
docker network create \
    -d bridge \
    --internal \
    socket-proxy-net

# Start the docker-socket-proxy container
docker run -d \
    --name socket-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --env-file socket.env \
    --network socket-proxy-net \
    ghcr.io/tecnativa/docker-socket-proxy:0.1.1

# Start the watchtower container
docker run -d \
    --name watchtower \
    --env-file tower.env \
    --network socket-proxy-net \
    --link socket-proxy \
    ghcr.io/containrrr/watchtower:1.5.1

# Pull the alpine:3.13 image (or any image, really)
docker pull alpine:3.13
docker image tag alpine:3.13 alpine:latest

# Start the example container to automatically update
docker run -d \
    --name api \
    --restart unless-stopped \
    --label com.centurylinklabs.watchtower.enable=true \
    alpine:latest /bin/sh -c 'while true; do sleep 1; done'

# Watch the logs of `watchtower`
docker logs -f watchtower

About

An example of running `Watchtower` behind `docker-socket-proxy` to restrict access to the Docker socket

Topics

watchtower automated-updates docker-socket-proxy

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages