docs(07): create phase plan for Socket Security
Phase 07: Socket Security - 3 plan(s) in 2 wave(s) - Wave 1: 07-01 (deploy proxy - checkpoint) - Wave 2: 07-02 (migrate workflow), 07-03 (verify blocking) - parallel - Ready for execution Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -0,0 +1,139 @@
---
phase: 07-socket-security
plan: 01
type: execute
wave: 1
depends_on: []
files_modified: []
autonomous: false

user_setup:
- service: docker-socket-proxy
why: "Filtered Docker API access for n8n"
dashboard_config:
- task: "Install docker-socket-proxy from Unraid Community Apps"
location: "Unraid Apps tab > Search 'dockersocket'"
- task: "Configure environment variables"
location: "Container settings"
- task: "Add proxy to n8n's Docker network"
location: "Container network settings"

must_haves:
truths:
- "docker-socket-proxy container is running"
- "Proxy is on same Docker network as n8n"
- "Proxy has Docker socket mounted"
artifacts:
- path: "docker-socket-proxy container"
provides: "HAProxy-based Docker API filtering"
contains: "CONTAINERS=1, IMAGES=1, POST=1, ALLOW_START=1, ALLOW_STOP=1, ALLOW_RESTARTS=1"
key_links:
- from: "n8n container"
to: "docker-socket-proxy:2375"
via: "Docker network DNS"
pattern: "same custom bridge network"
---

<objective>
Deploy docker-socket-proxy container via Unraid Community Apps.

Purpose: Establish the proxy infrastructure that n8n will connect to instead of direct Docker socket access. This is the foundation that Plan 02 will wire up.
Output: Running docker-socket-proxy container with correct environment variables and network configuration.
</objective>

<execution_context>
@/home/luc/.claude/get-shit-done/workflows/execute-plan.md
@/home/luc/.claude/get-shit-done/templates/summary.md
</execution_context>

<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/07-socket-security/07-CONTEXT.md
@.planning/phases/07-socket-security/07-RESEARCH.md
</context>

<tasks>

<task type="checkpoint:human-action" gate="blocking">
<name>Task 1: Install and Configure docker-socket-proxy</name>
<action>
User must install docker-socket-proxy via Unraid Community Apps UI.

**Steps:**
1. Open Unraid web UI > Apps tab
2. Search for "dockersocket" (tecnativa/docker-socket-proxy template)
3. Click Install
4. Configure the following settings:

**Container Name:** docker-socket-proxy

**Environment Variables (enable these):**
- CONTAINERS=1 (enable /containers/* endpoints)
- IMAGES=1 (enable /images/* endpoints - needed for update command)
- POST=1 (enable POST/PUT/DELETE operations)
- ALLOW_START=1 (enable start action)
- ALLOW_STOP=1 (enable stop action)
- ALLOW_RESTARTS=1 (enable restart action)

**Keep defaults (already 0/disabled):**
- BUILD=0
- COMMIT=0
- EXEC=0
- SECRETS=0
- AUTH=0

**Network Configuration:**
- Find n8n's custom network name (check n8n container settings)
- Add docker-socket-proxy to that same network

5. Click Apply to create the container
6. Verify container is running (green status)
</action>
<verify>
Provide the following information to continue:
1. Container name (should be "docker-socket-proxy")
2. Docker network name that both n8n and proxy are on
3. Confirm container is running
</verify>
<done>docker-socket-proxy container is running on same network as n8n</done>
<resume-signal>Provide: container name, network name, and confirm running status</resume-signal>
</task>

<task type="auto">
<name>Task 2: Verify Proxy Connectivity</name>
<files>None (verification only)</files>
<action>
Using the n8n API, test that the proxy is reachable from n8n's perspective.

1. Use n8n API to get workflow and find an Execute Command node
2. Test proxy connectivity by checking if n8n can resolve docker-socket-proxy hostname
3. Make a test API call through the proxy to list containers

If proxy is not reachable, the network configuration needs adjustment.
</action>
<verify>
Run curl from n8n to proxy: `curl -s 'http://docker-socket-proxy:2375/v1.47/containers/json?all=true'` should return container list JSON
</verify>
<done>n8n can reach docker-socket-proxy:2375 and receive valid Docker API responses</done>
</task>

</tasks>

<verification>
1. docker-socket-proxy container is running in Unraid
2. Container has correct environment variables (CONTAINERS=1, IMAGES=1, POST=1, ALLOW_START=1, ALLOW_STOP=1, ALLOW_RESTARTS=1)
3. Proxy is on the same Docker network as n8n
4. n8n can reach docker-socket-proxy:2375
</verification>

<success_criteria>
- docker-socket-proxy container running with correct config
- n8n and proxy share a Docker network
- Test curl from n8n to proxy returns container list
</success_criteria>

<output>
After completion, create `.planning/phases/07-socket-security/07-01-SUMMARY.md`
</output>
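Review bot: the environment variable set in Task 1 exposes far more than the start/stop/restart actions the plan names, and the "Filtered Docker API access" wording in user_setup and the artifacts section should state the real surface. By the plan's own descriptions, CONTAINERS=1 enables every /containers/* endpoint and POST=1 enables POST/PUT/DELETE, so with both set the proxy also passes container create, remove, kill and update calls (and, with IMAGES=1, image pull and delete); ALLOW_START/ALLOW_STOP/ALLOW_RESTARTS add allow rules for those specific paths but do not narrow what CONTAINERS=1 plus POST=1 already permits, and they are only meaningful because POST=1 is on. Suggest recording that residual risk explicitly (07-CONTEXT.md or the SUMMARY this plan produces), adding a truth to must_haves for the expected deny behaviour, and pairing the positive curl in Task 2's verify with a negative check, e.g. a request to an endpoint the plan keeps disabled such as /build returning 403, so that Wave 2's 07-03 "verify blocking" has a baseline from this plan rather than only a reachability result. Minor: the hard-coded /v1.47 in the verify curl will be rejected by an older engine with a "client version too new" error; `/version` first, or omitting the version prefix, avoids a false negative on network connectivity.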