I am running
traefik from a docker container using
docker compose. This means
traefik runs as root. I'd like to minimise root use as much as I can. So, I was thinking running as a limited user (
traefik:traefik) and use ACL on the server to give
traefik access to necessary outside stuff like the docker socket and certificates.
setfacl -m "u:traefik:r-x" /var/run/docker.sock setfacl -dm "u:traefik:r--" /etc/letsencrypt/archive/foo.rna.nl setfacl -m "u:traefik:r-x" /etc/letsencrypt/archive/foo.rna.nl
This works for the certificate (no error) but not for the socket:
rnaserver-traefik | time="2022-11-06T16:23:26Z" level=error msg="Provider connection error Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 610.036052ms" providerName=docker
I suspect that I might need to do more, like setting
CAP_NET_RAW on the traefik executable. Is that it? If so: how? If not: what else do I need to do or should I give up on this? Maybe my ACL approach for the socket is simply wrong?