Running traefik as non-root in a container?

gwnl · November 6, 2022, 4:35pm

I am running traefik from a docker container using docker compose. This means traefik runs as root. I'd like to minimise root use as much as I can. So, I was thinking running as a limited user (traefik:traefik) and use ACL on the server to give traefik access to necessary outside stuff like the docker socket and certificates.

setfacl -m "u:traefik:r-x" /var/run/docker.sock
setfacl -dm "u:traefik:r--" /etc/letsencrypt/archive/foo.rna.nl
setfacl -m "u:traefik:r-x" /etc/letsencrypt/archive/foo.rna.nl

This works for the certificate (no error) but not for the socket:

rnaserver-traefik  | time="2022-11-06T16:23:26Z" level=error msg="Provider connection error Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 610.036052ms" providerName=docker

I suspect that I might need to do more, like setting CAP_NET_RAW on the traefik executable. Is that it? If so: how? If not: what else do I need to do or should I give up on this? Maybe my ACL approach for the socket is simply wrong?

wollomatic · November 6, 2022, 11:01pm

Hi Gwnl,

running traefik as non-root works. However, you need a third party container running (docker-socket-proxy) running as root. But this container has not be accessible from the external network.

I've created a sample configuration repo a few months ago:

gwnl · November 7, 2022, 9:08am

Marked it as a solution before trying it out because this is clearly a brilliant piece of know how. Thank you.

gwnl · November 8, 2022, 5:17pm

It works. But are you aware of https://github.com/Tecnativa/docker-socket-proxy/issues/21? It seems to me (after reading that because I noticed the same errors in my log), that this proxy solution may result in "some Traefik-served containers then lose connection to Traefik and don't recover without container restarts". Which would be a bad side effect. That same discussion mentions a (few?) workarounds, which I am mulling about.

wollomatic · November 8, 2022, 5:30pm

You are right, there are these log entries as mentioned. But i've never had any connection problems. However, I am considering implementing a socket proxy in go by myself.

...
Edit: I did it. Here it is:

gwnl · November 8, 2022, 5:46pm

I've added the keepalive container, just to be sure.

Topic		Replies	Views
Rootless traefik2 deployment Traefik v2 docker	0	548	October 17, 2021
Traefik+docker socket proxy / doesn't seems to work Traefik v2 docker	34	4816	April 8, 2024
Traefik cannot find the docker socket proxy Traefik v2 docker	10	2506	January 6, 2024
Docker compose, bridge and host networking, and traefik puzzle Traefik v2 docker	3	4143	December 28, 2022
Traefik V2 cannot find my socket-proxy Traefik v2 docker	3	1563	September 19, 2024

Running traefik as non-root in a container?

Related topics