Update Proxy_Containers/docker-socket-proxy/compose.yaml

2026-05-25 20:09:48 +00:00
parent bf0400f516
commit b9424d32e7
1 changed files with 9 additions and 6 deletions
@@ -5,12 +5,13 @@ services:
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
+    # Access is container-to-container only via the internal bridge.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
-      # Traefik only needs CONTAINERS
-      CONTAINERS: 1
-      # Everything else explicitly off
+      CONTAINERS: 1      # Flame label discovery + Traefik routing
+      NETWORKS: 1        # Optional: Flame network-grouping feature # Set to 0 if you don't use that feature
+      # Hard denies — every write surface explicitly closed
      BUILD: 0
      COMMIT: 0
      CONFIGS: 0
@@ -18,10 +19,9 @@ services:
      EXEC: 0
      IMAGES: 0
      INFO: 0
-      NETWORKS: 0
      NODES: 0
      PLUGINS: 0
-      POST: 0
+      POST: 0            # Critical — blocks ALL write methods
      SECRETS: 0
      SERVICES: 0
      SESSION: 0
@@ -31,9 +31,12 @@ services:
      VOLUMES: 0
    networks:
      - socket_proxy
+    # constrain resource usage so a runaway process can't starve the host
+    mem_limit: 64m
+    cpus: "0.25"

 networks:
  socket_proxy:
    name: docker_socket_proxy
    driver: bridge
-    internal: true  # no external routing — container-to-container only
+    internal: true