From bf2b54080789f7e82eeeb118f1ddccbc7ffffb83 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 6 Mar 2023 09:08:04 +0200
Subject: [PATCH] Harden Traefik security by accessing the Docker API through docker-socket-proxy

With these changes, we:
- install https://github.com/Tecnativa/docker-socket-proxy via the https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role
- make Traefik access the Docker API via TCP by connecting to this socket proxy
- .. which allows us to run the Traefik container with less privileges (non-`root`, dropped capabilities)
---
 group_vars/matrix_servers | 43 ++++++++++++++++++++++++++++++++++++++-
 playbooks/matrix.yml | 2 ++
 requirements.yml | 5 ++++-
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 0a3ff00b..d4bcd027 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -356,7 +356,9 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
 +
- ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
+ ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
+ +
+ ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
 +
 ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
 }}
@@ -3821,6 +3823,31 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese ###################################################################### +######################################################################## +# # +# com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + +devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_container_socket_proxy_identifier: matrix-container-socket-proxy + +devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy" + +devture_container_socket_proxy_uid: "{{ matrix_user_uid }}" +devture_container_socket_proxy_gid: "{{ matrix_user_gid }}" + +# Traefik requires read access to the containers APIs to do its job +devture_container_socket_proxy_api_containers_enabled: true + +######################################################################## +# # +# /com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + + ######################################################################## # # # com.devture.ansible.role.traefik # 
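Review bot: `devture_container_socket_proxy_api_containers_enabled: true` hands Traefik read access to the whole `/containers` API surface, not just the container listing it needs — assuming this maps onto docker-socket-proxy's `CONTAINERS=1` knob, that includes `GET /containers/{id}/json` (the environment variables of every container, i.e. the playbook's database and bridge secrets) and `GET /containers/{id}/archive` (arbitrary files from any container's filesystem). The one-line comment above it understates this; I would replace it with `# Traefik needs read access to the containers API. NOTE: this is not a narrow grant - via the proxy a compromised Traefik can still inspect (env vars) and read files (archive) from every container; write methods (POST/exec) must stay denied.` This is still a clear improvement over mounting the socket, but the threat model should state that a Traefik RCE remains full read access to every container on the host. Confirm against the role's defaults that the proxy leaves POST/DELETE and the exec endpoints disabled.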
@@ -3842,6 +3869,20 @@ devture_traefik_additional_entrypoints_auto: devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" +devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" + +devture_traefik_container_additional_networks: | + {{ + ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else []) + }} + +devture_traefik_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else []) + }} + ######################################################################## # # # /com.devture.ansible.role.traefik #
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 6a66dc58..6e348df2 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -119,6 +119,8 @@ - custom/matrix-user-creator - custom/matrix-common-after + - role: galaxy/com.devture.ansible.role.container_socket_proxy + - when: matrix_playbook_traefik_role_enabled | bool role: galaxy/com.devture.ansible.role.traefik
diff --git a/requirements.yml b/requirements.yml
index 158b4fde..ad1f5eac 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -51,8 +51,11 @@ - src: git+https://gitlab.com/etke.cc/roles/etherpad.git version: v1.8.18-2 +- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git + version: v0.1.1-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.8-0 + version: v2.9.8-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0
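Review bot: `devture_traefik_config_providers_docker_endpoint` silently falls back to `unix:///var/run/docker.sock` whenever `devture_container_socket_proxy_enabled` is false, and that flag is derived from `matrix_playbook_reverse_proxy_type` while the Traefik role is gated on `matrix_playbook_traefik_role_enabled` — if `devture_traefik_enabled` can be true under any other reverse-proxy type (not visible here), Traefik quietly regains root-equivalent socket access without any of the hardening this commit describes. Either derive both flags from the same condition, or make the downgrade loud with a comment such as `# NOTE: the unix-socket fallback re-grants Docker-socket (root-equivalent) access to Traefik; keep devture_container_socket_proxy_enabled in sync with devture_traefik_enabled.` Also worth a comment on `devture_traefik_container_additional_networks` that the proxy network is the trust boundary for an unauthenticated, plaintext TCP endpoint — only Traefik should ever be attached to it (presumably the role creates it as a dedicated network; confirm).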
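Review bot: The new `galaxy/com.devture.ansible.role.container_socket_proxy` entry has no `when:` guard, unlike the Traefik role directly below it, so it executes on every host and relies on the role itself honouring `devture_container_socket_proxy_enabled`. If the role does not self-gate (not visible here), hosts using another reverse proxy still get a container fronting the Docker socket. Guarding it the same way, `- when: devture_container_socket_proxy_enabled | bool` followed by `  role: galaxy/com.devture.ansible.role.container_socket_proxy`, would make the intent explicit and consistent; if it is deliberately unguarded so the role can uninstall itself when disabled, a one-line comment saying so would spare the next reader the question.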
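Review bot: Both new pins are git tags (`v0.1.1-0`, `v2.9.8-1`), and a tag on a third-party repository can be moved or re-pushed, which is a weak integrity guarantee for a role that will be handed the Docker socket. `ansible-galaxy` accepts a commit SHA in `version:`, so pinning to a hash (or recording the expected hash next to the tag) would give reproducible installs and tamper evidence. This follows the file's existing convention, so treat it as a repo-wide supply-chain hardening item rather than a blocker for this change.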