Running traefik as non-root in a container?

I am running traefik from a docker container using docker compose. This means traefik runs as root. I'd like to minimise root use as much as I can. So, I was thinking of running it as a limited user (traefik:traefik) and using ACLs on the server to give traefik access to the necessary outside stuff like the docker socket and certificates.

setfacl -m "u:traefik:r-x" /var/run/docker.sock
setfacl -dm "u:traefik:r--" /etc/letsencrypt/archive/foo.rna.nl
setfacl -m "u:traefik:r-x" /etc/letsencrypt/archive/foo.rna.nl

This works for the certificate (no error) but not for the socket:

rnaserver-traefik  | time="2022-11-06T16:23:26Z" level=error msg="Provider connection error Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 610.036052ms" providerName=docker

I suspect that I might need to do more, like setting CAP_NET_RAW on the traefik executable. Is that it? If so: how? If not: what else do I need to do or should I give up on this? Maybe my ACL approach for the socket is simply wrong?

Hi Gwnl,

Running traefik as non-root works. However, you need a third-party container (docker-socket-proxy) running as root. But this container must not be accessible from the external network.

I created a sample configuration repo a few months ago:

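The setup described in the answer above (Traefik as a non-root user, a root-run docker-socket-proxy that is reachable only on an internal Docker network), written out as an added compose example; this is not the answerer's repo, and the image tags, the uid/gid 1000 and the port numbers are assumptions.

```yaml
# Added example: Traefik runs unprivileged and never touches the socket itself;
# only the socket proxy does, and it has no published port and sits on an
# internal-only network, so it cannot be reached from outside the host.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumption: current tag is acceptable
    restart: unless-stopped
    environment:
      CONTAINERS: 1      # the only API section Traefik's docker provider needs
      # POST, EXEC, VOLUMES, IMAGES, ... keep their default of 0 (denied)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - socket           # internal network, no 'ports:' entry at all

  traefik:
    image: traefik:v2.9  # assumption: any 2.x release works the same way
    restart: unless-stopped
    user: "1000:1000"    # assumption: uid/gid of the 'traefik' user on the host
    read_only: true
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entrypoints.websecure.address=:8443   # unprivileged port, no extra capability needed
    ports:
      - "443:8443"       # the host maps the privileged port to the unprivileged one
    depends_on:
      - socket-proxy
    networks:
      - socket           # to reach the proxy
      - proxy            # the network your routed containers join

networks:
  socket:
    internal: true       # no route to the outside world from this network
  proxy: {}
```

Independently of the proxy, connecting to a Unix domain socket requires write permission on the socket file, so an ACL of `r-x` as in the question cannot succeed on its own; the proxy avoids granting the Traefik container any access to the socket file at all.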

Marked it as a solution before trying it out because this is clearly a brilliant piece of know how. Thank you.


It works. But are you aware of https://github.com/Tecnativa/docker-socket-proxy/issues/21? It seems to me (after reading that because I noticed the same errors in my log), that this proxy solution may result in "some Traefik-served containers then lose connection to Traefik and don't recover without container restarts". Which would be a bad side effect. That same discussion mentions a (few?) workarounds, which I am mulling about.

You are right, there are these log entries as mentioned. But I've never had any connection problems. However, I am considering implementing a socket proxy in Go by myself.

...
Edit: I did it. Here it is:

I've added the keepalive container, just to be sure.
