docs(07): capture phase context
Phase 07: Socket Security - Implementation decisions documented - Phase boundary established
This commit is contained in:
Lucas Berger
@@ -0,0 +1,66 @@
|
||||
# Phase 7: Socket Security - Context
|
||||
|
||||
**Gathered:** 2026-02-03
|
||||
**Status:** Ready for planning
|
||||
|
||||
<domain>
|
||||
## Phase Boundary
|
||||
|
||||
Docker operations flow through a filtered proxy instead of direct socket access. n8n connects to the proxy via TCP, and dangerous Docker APIs are blocked. All existing bot commands continue working through the proxy.
|
||||
|
||||
</domain>
|
||||
|
||||
<decisions>
|
||||
## Implementation Decisions
|
||||
|
||||
### Proxy Container Setup
|
||||
- Use existing Unraid Community Apps template "dockersocket" (tecnativa/docker-socket-proxy:latest)
|
||||
- Container name: `docker-socket-proxy` (predictable name for n8n curl commands)
|
||||
- Network: Same Docker network as n8n — proxy joins existing network
|
||||
- Deployment: Installed via Unraid CA, not managed by this project
|
||||
|
||||
### API Filtering Rules
|
||||
- Allow POST requests to container endpoints (start/stop/restart)
|
||||
- Allow image pull operations (needed for update command)
|
||||
- Block dangerous APIs: exec, create, build (proxy defaults)
|
||||
- No additional blocking beyond defaults — container and image ops only
|
||||
|
||||
### Error Responses
|
||||
- Blocked API calls show: "This action is blocked by security policy" (clear but not technical)
|
||||
- Distinguish between "blocked by policy" vs "Docker error: [details]" for debugging
|
||||
- 403/blocked responses fail immediately — no retry
|
||||
- No special logging for blocked attempts (proxy handles it)
|
||||
|
||||
### Failover Behavior
|
||||
- If proxy unavailable: "Docker proxy unavailable — please check server" sent to Telegram
|
||||
- No fallback to direct socket access
|
||||
- Short timeout (5 seconds) when calling proxy
|
||||
- One retry on timeout, then fail with error message
|
||||
- Proxy container managed by Unraid — we don't configure health checks or auto-restart
|
||||
|
||||
### Claude's Discretion
|
||||
- Exact curl command format for proxy calls
|
||||
- Specific env var configuration for tecnativa proxy
|
||||
- How to update n8n workflow nodes to use proxy endpoint
|
||||
|
||||
</decisions>
|
||||
|
||||
<specifics>
|
||||
## Specific Ideas
|
||||
|
||||
- Use the existing dockersocket Unraid CA template rather than custom deployment
|
||||
- Keep proxy configuration minimal — it's Unraid's responsibility to manage the container
|
||||
|
||||
</specifics>
|
||||
|
||||
<deferred>
|
||||
## Deferred Ideas
|
||||
|
||||
None — discussion stayed within phase scope
|
||||
|
||||
</deferred>
|
||||
|
||||
---
|
||||
|
||||
*Phase: 07-socket-security*
|
||||
*Context gathered: 2026-02-03*
|
||||
Reference in New Issue
Block a user