luckberg/unraid-docker-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c632d039afb8fe135644a6f348f45d416b55a9b
unraid-docker-manager/.planning/phases/07-socket-security/07-CONTEXT.md
T
Lucas Berger e17c5bf0d4 docs(07): capture phase context 
Phase 07: Socket Security
- Implementation decisions documented
- Phase boundary established
2026-02-03 08:33:57 -05:00

67 lines
2.2 KiB
Markdown
Raw Blame History

# Phase 7: Socket Security - Context
**Gathered:** 2026-02-03
**Status:** Ready for planning
<domain>
## Phase Boundary
Docker operations flow through a filtered proxy instead of direct socket access. n8n connects to the proxy via TCP, and dangerous Docker APIs are blocked. All existing bot commands continue working through the proxy.
</domain>
<decisions>
## Implementation Decisions
### Proxy Container Setup
- Use existing Unraid Community Apps template "dockersocket" (tecnativa/docker-socket-proxy:latest)
- Container name: `docker-socket-proxy` (predictable name for n8n curl commands)
- Network: Same Docker network as n8n — proxy joins existing network
- Deployment: Installed via Unraid CA, not managed by this project
### API Filtering Rules
- Allow POST requests to container endpoints (start/stop/restart)
- Allow image pull operations (needed for update command)
- Block dangerous APIs: exec, create, build (proxy defaults)
- No additional blocking beyond defaults — container and image ops only
### Error Responses
- Blocked API calls show: "This action is blocked by security policy" (clear but not technical)
- Distinguish between "blocked by policy" vs "Docker error: [details]" for debugging
- 403/blocked responses fail immediately — no retry
- No special logging for blocked attempts (proxy handles it)
### Failover Behavior
- If proxy unavailable: "Docker proxy unavailable — please check server" sent to Telegram
- No fallback to direct socket access
- Short timeout (5 seconds) when calling proxy
- One retry on timeout, then fail with error message
- Proxy container managed by Unraid — we don't configure health checks or auto-restart
### Claude's Discretion
- Exact curl command format for proxy calls
- Specific env var configuration for tecnativa proxy
- How to update n8n workflow nodes to use proxy endpoint
</decisions>
<specifics>
## Specific Ideas
- Use the existing dockersocket Unraid CA template rather than custom deployment
- Keep proxy configuration minimal — it's Unraid's responsibility to manage the container
</specifics>
<deferred>
## Deferred Ideas
None — discussion stayed within phase scope
</deferred>
---
*Phase: 07-socket-security*
*Context gathered: 2026-02-03*
Reference in New Issue View Git Blame Copy Permalink