luckberg/unraid-docker-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(07): create phase plan for Socket Security

Browse Source 
Phase 07: Socket Security
- 3 plan(s) in 2 wave(s)
- Wave 1: 07-01 (deploy proxy - checkpoint)
- Wave 2: 07-02 (migrate workflow), 07-03 (verify blocking) - parallel
- Ready for execution

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Lucas Berger
2026-02-03 08:45:04 -05:00
parent 1432d4feb2
commit f539bcbba4
4 changed files with 432 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.planning/phases/07-socket-security/07-02-PLAN.md
+148
View File
@@ -0,0 +1,148 @@
---
phase: 07-socket-security
plan: 02
type: execute
wave: 2
depends_on: ["07-01"]
files_modified: [n8n-workflow.json]
autonomous: false
must_haves:
truths:
- "All bot commands work through proxy (status, start, stop, restart, update, logs)"
- "n8n no longer references direct Docker socket in curl commands"
- "Dangerous API calls return blocked error message"
artifacts:
- path: "n8n-workflow.json"
provides: "Updated n8n workflow using proxy instead of direct socket"
contains: "docker-socket-proxy:2375"
key_links:
- from: "n8n Execute Command nodes"
to: "docker-socket-proxy:2375"
via: "TCP curl calls"
pattern: "curl.*docker-socket-proxy:2375"
---
<objective>
Migrate all n8n workflow curl commands from direct Docker socket to proxy.
Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n.
Output: Updated n8n-workflow.json with all 16 curl commands migrated to use proxy endpoint.
</objective>
<execution_context>
@/home/luc/.claude/get-shit-done/workflows/execute-plan.md
@/home/luc/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/07-socket-security/07-CONTEXT.md
@.planning/phases/07-socket-security/07-RESEARCH.md
@.planning/phases/07-socket-security/07-01-SUMMARY.md
@n8n-workflow.json
</context>
<tasks>
<task type="auto">
<name>Task 1: Update Workflow Curl Commands</name>
<files>n8n-workflow.json</files>
<action>
Replace all Docker socket curl commands with proxy TCP calls.
**Search and Replace Pattern:**
FROM: `--unix-socket /var/run/docker.sock 'http://localhost/`
TO: `--max-time 5 'http://docker-socket-proxy:2375/`
**Commands to update (16 total):**
1. Container list: `curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.47/containers/json?all=true'`
2. Container inspect: Uses template `http://localhost/v1.47/containers/${containerId}/json`
3. Image inspect: Uses template `http://localhost/v1.47/images/${imageName}/json`
4. Image pull: Uses template with POST to `images/create?fromImage=`
5. Start/stop/restart: Uses template `containers/${containerId}/${action}`
6. Container delete: Uses template `containers/${containerId}` with DELETE
7. Container create: Uses POST with JSON body to `containers/create`
8. Container logs: Uses `containers/${containerId}/logs`
**Also update error handling in JavaScript nodes:**
- Add handling for HTTP 403 responses: "This action is blocked by security policy"
- Distinguish between 403 (blocked) and other errors
- Do NOT retry on 403 - fail immediately
**Do NOT change:**
- API version (/v1.47/) - keep as is for compatibility
- The 600 second timeout on image pull (that's intentional for large images)
- Any non-Docker-socket curl commands
</action>
<verify>
1. `grep -c 'unix-socket.*docker\.sock' n8n-workflow.json` returns 0
2. `grep -c 'docker-socket-proxy:2375' n8n-workflow.json` returns 16 (or similar count)
3. `grep -c 'max-time 5' n8n-workflow.json` shows timeout added (except image pull)
</verify>
<done>All Docker socket references replaced with proxy endpoint, timeout added</done>
</task>
<task type="auto">
<name>Task 2: Push Updated Workflow to n8n</name>
<files>n8n-workflow.json</files>
<action>
Use n8n API to update the live workflow with the modified JSON.
1. Load .env.n8n-api for API credentials
2. Read the updated n8n-workflow.json
3. PUT to /api/v1/workflows/{id} with the updated workflow
4. Verify the workflow was updated (check updatedAt timestamp)
**Workflow ID:** HmiXBlJefBRPMS0m4iNYc (from Phase 6 summary)
</action>
<verify>
API PUT request returns 200 with updated workflow, updatedAt timestamp is recent
</verify>
<done>n8n workflow updated via API with proxy configuration</done>
</task>
<task type="checkpoint:human-verify" gate="blocking">
<name>Task 3: Verify All Bot Commands Work</name>
<what-built>Updated n8n workflow that routes all Docker API calls through the socket proxy instead of direct socket access</what-built>
<how-to-verify>
Test each bot command via Telegram:
1. **status** - Should list all containers with their states
2. **start [container]** - Pick a stopped container, verify it starts
3. **stop [container]** - Stop that container, verify it stops
4. **restart [container]** - Restart a container, verify success message
5. **update [container]** - Update a container (or verify "already up to date" message)
6. **logs [container]** - View logs for a container
All commands should work identically to before the proxy migration.
If any command fails, check:
- Error message (403 = proxy blocking, other = connectivity issue)
- Proxy container logs in Unraid
- Network connectivity between n8n and proxy
</how-to-verify>
<resume-signal>Type "all commands working" or describe which commands failed</resume-signal>
</task>
</tasks>
<verification>
1. No unix-socket references remain in n8n-workflow.json
2. All curl commands use docker-socket-proxy:2375
3. Timeouts added to curl commands (except long-running image pull)
4. Error handling includes 403 response handling
5. All 6 bot commands work via Telegram
</verification>
<success_criteria>
- Zero unix-socket references in workflow
- All bot commands functional through proxy
- User confirms "all commands working"
</success_criteria>
<output>
After completion, create `.planning/phases/07-socket-security/07-02-SUMMARY.md`
</output>