unraid-docker-manager/.planning/phases/07-socket-security/07-02-PLAN.md
Lucas Berger f539bcbba4 docs(07): create phase plan for Socket Security
Phase 07: Socket Security
- 3 plan(s) in 2 wave(s)
- Wave 1: 07-01 (deploy proxy - checkpoint)
- Wave 2: 07-02 (migrate workflow), 07-03 (verify blocking) - parallel
- Ready for execution

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 08:45:04 -05:00


---
phase: 07-socket-security
plan: 02
type: execute
wave: 2
depends_on: [07-01]
files_modified: [n8n-workflow.json]
autonomous: false
must_haves:
  truths:
    - All bot commands work through proxy (status, start, stop, restart, update, logs)
    - n8n no longer references direct Docker socket in curl commands
    - Dangerous API calls return blocked error message
  artifacts:
    - path: n8n-workflow.json
      provides: Updated n8n workflow using proxy instead of direct socket
      contains: docker-socket-proxy:2375
  key_links:
    - from: n8n Execute Command nodes
      to: docker-socket-proxy:2375
      via: TCP curl calls
      pattern: curl.*docker-socket-proxy:2375
---
Migrate all n8n workflow curl commands from direct Docker socket to proxy.

Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n. Output: Updated n8n-workflow.json with all 16 curl commands migrated to use proxy endpoint.

<execution_context> @/home/luc/.claude/get-shit-done/workflows/execute-plan.md @/home/luc/.claude/get-shit-done/templates/summary.md </execution_context>

@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/07-socket-security/07-CONTEXT.md
@.planning/phases/07-socket-security/07-RESEARCH.md
@.planning/phases/07-socket-security/07-01-SUMMARY.md
@n8n-workflow.json

**Task 1: Update Workflow Curl Commands** (n8n-workflow.json)

Replace all Docker socket curl commands with proxy TCP calls.
**Search and Replace Pattern:**
FROM: `--unix-socket /var/run/docker.sock 'http://localhost/`
TO: `--max-time 5 'http://docker-socket-proxy:2375/`

**Commands to update (16 total):**
1. Container list: `curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.47/containers/json?all=true'`
2. Container inspect: Uses template `http://localhost/v1.47/containers/${containerId}/json`
3. Image inspect: Uses template `http://localhost/v1.47/images/${imageName}/json`
4. Image pull: Uses template with POST to `images/create?fromImage=`
5. Start/stop/restart: Uses template `containers/${containerId}/${action}`
6. Container delete: Uses template `containers/${containerId}` with DELETE
7. Container create: Uses POST with JSON body to `containers/create`
8. Container logs: Uses `containers/${containerId}/logs`

**Also update error handling in JavaScript nodes:**
- Add handling for HTTP 403 responses: "This action is blocked by security policy"
- Distinguish between 403 (blocked) and other errors
- Do NOT retry on 403 - fail immediately

**Do NOT change:**
- API version (/v1.47/) - keep as is for compatibility
- The 600 second timeout on image pull (that's intentional for large images)
- Any non-Docker-socket curl commands
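The migration rule and the 403 handling above, worked through in JavaScript as an added example (not code from the plan or the project); the Execute Command node type string and the simplified workflow shape are assumptions, and the sample workflow is constructed:

```javascript
// Added example, not from the plan or the project: rewrite the curl strings in
// n8n Execute Command nodes from the Docker unix socket to docker-socket-proxy,
// then classify proxy responses so a 403 fails immediately with no retry.
const SOCKET = "--unix-socket /var/run/docker.sock 'http://localhost/";
const PROXY = "'http://docker-socket-proxy:2375/";

// Rewrite one curl command. Image pulls keep their existing 600 s timeout,
// so --max-time 5 is only added to the other commands.
function migrateCommand(cmd) {
  if (!cmd.includes(SOCKET)) return cmd; // not a Docker socket call, leave alone
  const prefix = cmd.includes("images/create") ? "" : "--max-time 5 ";
  return cmd.split(SOCKET).join(prefix + PROXY);
}

// Migrate every Execute Command node and return the counts the grep checks expect.
function migrateWorkflow(workflow) {
  let migrated = 0;
  for (const node of workflow.nodes) {
    if (node.type !== "n8n-nodes-base.executeCommand") continue; // assumed type name
    const updated = migrateCommand(node.parameters.command);
    if (updated !== node.parameters.command) migrated++;
    node.parameters.command = updated;
  }
  const text = JSON.stringify(workflow);
  const count = (re) => (text.match(re) || []).length;
  return {
    migrated,
    socketRefs: count(/unix-socket.*?docker\.sock/g), // must end at 0
    proxyRefs: count(/docker-socket-proxy:2375/g),
    timeouts: count(/max-time 5/g),                   // excludes the image pull
  };
}

// Error handling for the JavaScript nodes: a 403 is the proxy enforcing policy
// and must not be retried; anything else is a connectivity or Docker error.
function classifyResponse(httpStatus) {
  if (httpStatus === 403) {
    return { ok: false, blocked: true, message: "This action is blocked by security policy" };
  }
  if (httpStatus >= 200 && httpStatus < 300) return { ok: true, blocked: false, message: "" };
  return { ok: false, blocked: false, message: `Docker API error (HTTP ${httpStatus})` };
}

// Constructed sample: one container list call and one image pull.
const sampleWorkflow = { nodes: [
  { type: "n8n-nodes-base.executeCommand", parameters: { command:
    "curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.47/containers/json?all=true'" } },
  { type: "n8n-nodes-base.executeCommand", parameters: { command:
    "curl -s --max-time 600 -X POST --unix-socket /var/run/docker.sock 'http://localhost/v1.47/images/create?fromImage=nginx'" } },
] };
```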
**Verify:**
1. `grep -c 'unix-socket.*docker\.sock' n8n-workflow.json` returns 0
2. `grep -c 'docker-socket-proxy:2375' n8n-workflow.json` returns 16 (or similar count)
3. `grep -c 'max-time 5' n8n-workflow.json` shows timeout added (except image pull)

**Done:** All Docker socket references replaced with proxy endpoint, timeout added

**Task 2: Push Updated Workflow to n8n** (n8n-workflow.json)

Use n8n API to update the live workflow with the modified JSON.
1. Load .env.n8n-api for API credentials
2. Read the updated n8n-workflow.json
3. PUT to /api/v1/workflows/{id} with the updated workflow
4. Verify the workflow was updated (check updatedAt timestamp)

**Workflow ID:** HmiXBlJefBRPMS0m4iNYc (from Phase 6 summary)
**Verify:** API PUT request returns 200 with updated workflow, updatedAt timestamp is recent

**Done:** n8n workflow updated via API with proxy configuration

**Task 3: Verify All Bot Commands Work**

What was built: Updated n8n workflow that routes all Docker API calls through the socket proxy instead of direct socket access

Test each bot command via Telegram:
1. **status** - Should list all containers with their states
2. **start [container]** - Pick a stopped container, verify it starts
3. **stop [container]** - Stop that container, verify it stops
4. **restart [container]** - Restart a container, verify success message
5. **update [container]** - Update a container (or verify "already up to date" message)
6. **logs [container]** - View logs for a container

All commands should work identically to before the proxy migration.

If any command fails, check:
- Error message (403 = proxy blocking, other = connectivity issue)
- Proxy container logs in Unraid
- Network connectivity between n8n and proxy
Type "all commands working" or describe which commands failed

**Verify:**
1. No unix-socket references remain in n8n-workflow.json
2. All curl commands use docker-socket-proxy:2375
3. Timeouts added to curl commands (except long-running image pull)
4. Error handling includes 403 response handling
5. All 6 bot commands work via Telegram

<success_criteria>

  • Zero unix-socket references in workflow
  • All bot commands functional through proxy
  • User confirms "all commands working"

</success_criteria>

After completion, create `.planning/phases/07-socket-security/07-02-SUMMARY.md`