42 lines
1.1 KiB
YAML
42 lines
1.1 KiB
YAML
services:
|
|
socket-proxy:
|
|
image: tecnativa/docker-socket-proxy:latest
|
|
container_name: socket-proxy
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
# Access is container-to-container only via the internal bridge.
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
environment:
|
|
CONTAINERS: 1 # Flame label discovery + Traefik routing
|
|
NETWORKS: 1 # Optional: Flame network-grouping feature # Set to 0 if you don't use that feature
|
|
# Hard denies — every write surface explicitly closed
|
|
BUILD: 0
|
|
COMMIT: 0
|
|
CONFIGS: 0
|
|
DISTRIBUTION: 0
|
|
EXEC: 0
|
|
IMAGES: 0
|
|
INFO: 0
|
|
NODES: 0
|
|
PLUGINS: 0
|
|
POST: 0 # Critical — blocks ALL write methods
|
|
SECRETS: 0
|
|
SERVICES: 0
|
|
SESSION: 0
|
|
SWARM: 0
|
|
SYSTEM: 0
|
|
TASKS: 0
|
|
VOLUMES: 0
|
|
networks:
|
|
- socket_proxy
|
|
# constrain resource usage so a runaway process can't starve the host
|
|
mem_limit: 64m
|
|
cpus: "0.25"
|
|
|
|
networks:
|
|
socket_proxy:
|
|
name: docker_socket_proxy
|
|
driver: bridge
|
|
internal: true |