docker-socket-proxy VS Watch

I just found this the other day. You might be interested I haven't done myself yet https://github.com/Tecnativa/docker-socket-proxy

I think you could provide access to the socket using a "docker-socket-proxy" container. It allows other containers to access the docker socket, you can even control which actions are allowed and which are not. You can use a bridge network for the communication to the socket-proxy container, so the socket-proxy container does not need to map/expose any ports. In the other container you need to set the "DOCKER_HOST" env variable accordingly, e.g. "DOCKER_HOST=tcp://mydockersockerproxycontainer:2375". https://github.com/Tecnativa/docker-socket-proxy

I use the container docker socket proxy

There are Docker socket proxys (like docker-socket-proxy 😉) that are made exactly for this. You can pass only read access to the socket and even restrict what resources can be read.

So far I have Traefik set up and tested (along with some security lockdowns https://github.com/Tecnativa/docker-socket-proxy). This is working well: I can manually create containers, get a cert, dynamic hostnames, etc.

May be not necessarily: https://github.com/Tecnativa/docker-socket-proxy

Many of you might already be familiar with Tecnativa's docker-socket-proxy which says:

version: "3.7" services: traefik: image: traefik:v2.6 command: # Entrypoints configuration - --entrypoints.web.address=:80 # Docker provider configuration - --providers.docker=true # Makes sure that services have to explicitly direct Traefik to expose them - --providers.docker.exposedbydefault=false # Use the secure docker socket proxy - --providers.docker.endpoint=tcp://socket_proxy:2375 # Default docker network to use for connections to all containers - --providers.docker.network=traefik_public # Logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. - --log.level=info ports: - 80:80 networks: - traefik_public - socket_proxy restart: unless-stopped depends_on: - socket_proxy # https://github.com/traefik/whoami whoami: image: traefik/whoami:v1.7.1 labels: # Explicitly instruct Traefik to expose this service - traefik.enable=true # Router configuration ## Listen to the `web` entrypoint - traefik.http.routers.whoami_route.entrypoints=web ## Rule based on the Host of the request - traefik.http.routers.whoami_route.rule=Host(`whoami.karvounis.tutorial`) - traefik.http.routers.whoami_route.service=whoami_service # Service configuration ## 80 is the port that the whoami container is listening to - traefik.http.services.whoami_service.loadbalancer.server.port=80 networks: - traefik_public # https://github.com/Tecnativa/docker-socket-proxy # Security-enhanced proxy for the Docker Socket socket_proxy: image: tecnativa/docker-socket-proxy:latest restart: unless-stopped environment: NETWORKS: 1 SERVICES: 1 CONTAINERS: 1 TASKS: 1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro networks: - socket_proxy networks: traefik_public: external: true socket_proxy: external: true

URL: https://github.com/weaveworks/Watch

Does anyone know "some" tool that will restart container based on filesystem change ? For example I am using this https://github.com/weaveworks/Watch for prometheus ( will trigger curl to prometheus API endpoint based on config change ). Of course I can spin as much as I need such containers to check as many as I need files/folders ( and then trigger docker api ), but thats nonsense. Main problem is that watch does not support multiple paths and triggers, what I found is https://github.com/facebook/watchman that can probably work, but that documentation is very tragic and there is almost no support.