I am running traefik from a docker container using docker compose. This means traefik runs as root. I'd like to minimise root use as much as I can. So, I was thinking of running it as a limited user (traefik:traefik) and using ACLs on the server to give traefik access to the necessary outside stuff like the docker socket and certificates.
This works for the certificate (no error) but not for the socket:
rnaserver-traefik | time="2022-11-06T16:23:26Z" level=error msg="Provider connection error Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 610.036052ms" providerName=docker
I suspect that I might need to do more, like setting CAP_NET_RAW on the traefik executable. Is that it? If so: how? If not: what else do I need to do or should I give up on this? Maybe my ACL approach for the socket is simply wrong?
Running traefik as non-root works. However, you need a third-party container (docker-socket-proxy) running as root. But this container must not be accessible from the external network.
I've created a sample configuration repo a few months ago:
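The wiring the answer above describes, written out as an added docker compose example (this is not the poster's sample repo and not Traefik's or docker-socket-proxy's own configuration). It assumes the traefik user has uid/gid 1000 on the host and that `./certs` is the certificate directory the question refers to; the image tags and the high container ports are choices made here. Only the socket proxy opens `/var/run/docker.sock`, and it is reachable only on an `internal: true` network, so nothing outside the host can talk to the Docker API through it. Traefik runs as the unprivileged user and receives a read-only, allowlisted view of the API. Because an unprivileged process cannot bind ports below 1024 without `CAP_NET_BIND_SERVICE`, the entrypoints listen on 8080/8443 inside the container and the host publishes 80/443 onto them; `CAP_NET_RAW` is not involved in either the socket or the port question.

```yaml
# Added example: Traefik as an unprivileged user behind a root-run,
# read-only Docker socket proxy on an internal-only network.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy   # pin a tag in production
    # This is the only container that touches the real socket, hence the
    # only one that still runs as root.
    environment:
      # Read-only allowlist: the Traefik docker provider needs nothing else.
      CONTAINERS: 1
      NETWORKS: 1
      EVENTS: 1
      VERSION: 1
      PING: 1
      POST: 0        # default; denies create/start/exec/delete
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy # never publish port 2375 on the host
    restart: unless-stopped

  traefik:
    image: traefik:v2.9   # assumed version; pin to the one you run
    user: "1000:1000"     # assumed uid:gid of the host traefik user
    security_opt:
      - no-new-privileges:true
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375
      - --providers.docker.exposedbydefault=false
      # Unprivileged process: bind high ports, let Docker map 80/443 to them.
      - --entrypoints.web.address=:8080
      - --entrypoints.websecure.address=:8443
    ports:
      - "80:8080"
      - "443:8443"
    volumes:
      # Assumed path; the directory must be readable by uid 1000 (chown or ACL).
      - ./certs:/certs:ro
    networks:
      - socket-proxy   # only to reach the proxy
      - web            # the network your routed containers join
    depends_on:
      - docker-socket-proxy
    restart: unless-stopped

networks:
  socket-proxy:
    internal: true   # no external route; only traefik and the proxy are on it
  web:
```

A quick check that the separation holds: `docker compose exec traefik id` should report uid 1000, and `docker compose port docker-socket-proxy 2375` should print nothing because the proxy port is never published. If you later need write access (for example for Swarm services), widen the proxy's allowlist deliberately rather than mounting the socket into Traefik again.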
It works. But are you aware of https://github.com/Tecnativa/docker-socket-proxy/issues/21? It seems to me (after reading that, because I noticed the same errors in my log) that this proxy solution may result in "some Traefik-served containers then lose connection to Traefik and don't recover without container restarts". Which would be a bad side effect. That same discussion mentions a (few?) workarounds, which I am mulling over.
You are right, there are these log entries as mentioned. But I've never had any connection problems. However, I am considering implementing a socket proxy in Go by myself.