luckberg/unraid-docker-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(07): revise plans based on checker feedback

Browse Source 
- Plan 02: Added Task 4 (checkpoint:human-action) to remove docker.sock
  volume mount from n8n container after verifying proxy works
- Plan 02: Added must_have truth for docker.sock removal (SEC-02 complete)
- Plan 03: Removed "Create API returns 403" from must_haves - container
  create is intentionally ALLOWED for update command functionality
- Plan 03: Added rationale explaining why container create is needed
- Clarified that blocked APIs are: exec, build, commit (not create)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Lucas Berger
2026-02-03 08:48:37 -05:00
parent f539bcbba4
commit fef21fd39a
2 changed files with 55 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.planning/phases/07-socket-security/07-02-PLAN.md
+40 -6
View File
@@ -11,6 +11,7 @@ must_haves:
truths:
- "All bot commands work through proxy (status, start, stop, restart, update, logs)"
- "n8n no longer references direct Docker socket in curl commands"
- "n8n container no longer has docker.sock volume mount"
- "Dangerous API calls return blocked error message"
artifacts:
- path: "n8n-workflow.json"
@@ -24,10 +25,10 @@ must_haves:
---
<objective>
Migrate all n8n workflow curl commands from direct Docker socket to proxy.
Migrate all n8n workflow curl commands from direct Docker socket to proxy, then remove direct socket access.
Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n.
Output: Updated n8n-workflow.json with all 16 curl commands migrated to use proxy endpoint.
Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n entirely (both in curl commands and volume mount).
Output: Updated n8n-workflow.json with all curl commands migrated to use proxy endpoint, and n8n container no longer mounting docker.sock.
</objective>
<execution_context>
@@ -57,14 +58,14 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox
FROM: `--unix-socket /var/run/docker.sock 'http://localhost/`
TO: `--max-time 5 'http://docker-socket-proxy:2375/`
**Commands to update (16 total):**
**Commands to update (all Docker API calls):**
1. Container list: `curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.47/containers/json?all=true'`
2. Container inspect: Uses template `http://localhost/v1.47/containers/${containerId}/json`
3. Image inspect: Uses template `http://localhost/v1.47/images/${imageName}/json`
4. Image pull: Uses template with POST to `images/create?fromImage=`
5. Start/stop/restart: Uses template `containers/${containerId}/${action}`
6. Container delete: Uses template `containers/${containerId}` with DELETE
7. Container create: Uses POST with JSON body to `containers/create`
7. Container create: Uses POST with JSON body to `containers/create` (needed for update command)
8. Container logs: Uses `containers/${containerId}/logs`
**Also update error handling in JavaScript nodes:**
@@ -127,6 +128,37 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox
<resume-signal>Type "all commands working" or describe which commands failed</resume-signal>
</task>
<task type="checkpoint:human-action" gate="blocking">
<name>Task 4: Remove docker.sock Volume Mount from n8n Container</name>
<action>
Now that all commands work through the proxy, remove the direct Docker socket access from n8n.
**Steps:**
1. Open Unraid web UI > Docker tab
2. Click on the n8n container
3. Click "Edit"
4. Find the volume mapping for `/var/run/docker.sock`
5. Remove this volume mapping entirely
6. Click "Apply" to recreate the container
**Why this is safe:**
- All curl commands now use the proxy (verified in Task 3)
- The socket mount is no longer needed
- Removing it prevents any bypass of the proxy
**What to expect:**
- n8n container will restart
- All bot commands should still work (they use the proxy now)
- If any command breaks, the socket mount can be re-added temporarily
</action>
<verify>
1. n8n container no longer shows docker.sock in its volume mappings
2. Test one bot command (e.g., "status") to confirm it still works
</verify>
<done>n8n no longer has direct Docker socket access</done>
<resume-signal>Confirm: "docker.sock mount removed, commands still work" or describe any issues</resume-signal>
</task>
</tasks>
<verification>
@@ -135,12 +167,14 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox
3. Timeouts added to curl commands (except long-running image pull)
4. Error handling includes 403 response handling
5. All 6 bot commands work via Telegram
6. n8n container no longer has docker.sock volume mount
</verification>
<success_criteria>
- Zero unix-socket references in workflow
- All bot commands functional through proxy
- User confirms "all commands working"
- n8n container has no docker.sock volume mapping
- User confirms "all commands working" and "docker.sock mount removed"
</success_criteria>
<output>