diff --git a/.dockerignore b/.dockerignore index 0a0c6e9..d6c0773 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,2 +1,6 @@ -.github -examples/ +* + +!cmd +!internal +!go.mod +!LICENSE diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e0871f9..520b554 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,10 +1,18 @@ # To get started with Dependabot version updates, you'll need to specify which # package ecosystems to update and where the package manifests are located. # Please see the documentation for all configuration options: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates +# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference version: 2 updates: + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" - package-ecosystem: "gomod" # See documentation for possible values directory: "/" # Location of package manifests schedule: diff --git a/.github/workflows/docker-image-release.yaml b/.github/workflows/docker-image-release.yaml index 625e9c4..a00f34d 100644 --- a/.github/workflows/docker-image-release.yaml +++ b/.github/workflows/docker-image-release.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Run Gosec Security Scanner uses: securego/gosec@master @@ -25,9 +25,9 @@ jobs: args: ./... - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: - go-version: '1.24.5' + go-version: '1.25' - name: Run Go tests run: go test ./... 
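Review bot: The new allowlist never re-includes `go.sum`, so if the module has any non-stdlib dependency the Dockerfile's `COPY . ./` copies `go.mod` without its checksum file and `go build` fails with missing go.sum entries; if the module is stdlib-only this is harmless today but breaks the first time a dependency is added. Add `!go.sum` next to `!go.mod`. The allowlist itself is an improvement, since `.git`, the workflows and the examples no longer reach the build context.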
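Review bot: The new `github-actions` entry will not cover `securego/gosec@master` (visible as context in both workflow files), because Dependabot bumps tag and SHA references but leaves a branch reference as it is, so that action is still fetched from a mutable branch on every run. Pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, which also lets Dependabot open update PRs for it. The same reasoning applies to the new `docker` entry and the Dockerfile base image: a `golang:1.25.1-alpine3.22@sha256:<digest>` pin keeps the build reproducible and Dependabot keeps the digest current.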
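Review bot: `go-version: '1.25'` is a floating minor, so setup-go@v6 resolves whatever 1.25.x is current at run time while the Dockerfile builds with `golang:1.25.1-alpine3.22`; the tests and the shipped binary can therefore run on different patch releases. Prefer `go-version-file: go.mod` as the single source of truth, or pin the same patch with `go-version: '1.25.1'`. The identical change is in docker-image-testing.yaml hunk @@ -26,17 +26,17 @@. The job this step belongs to starts outside the hunk.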
@@ -37,9 +37,9 @@ jobs: run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" - name: Install Cosign - uses: sigstore/cosign-installer@v3.9.2 + uses: sigstore/cosign-installer@v3.10.0 with: - cosign-release: 'v2.5.3' + cosign-release: 'v2.6.0' - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -91,4 +91,4 @@ jobs: run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY ghcr.io/wollomatic/socket-proxy:${{ steps.get_tag.outputs.VERSION }}@${{ steps.push-ghcr.outputs.digest }} env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} \ No newline at end of file + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} diff --git a/.github/workflows/docker-image-testing.yaml b/.github/workflows/docker-image-testing.yaml index 7b71480..1ec57f8 100644 --- a/.github/workflows/docker-image-testing.yaml +++ b/.github/workflows/docker-image-testing.yaml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Run Gosec Security Scanner uses: securego/gosec@master @@ -26,17 +26,17 @@ jobs: args: ./... - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: - go-version: '1.24.5' + go-version: '1.25' - name: Run Go tests run: go test ./... # - name: Install Cosign -# uses: sigstore/cosign-installer@v3.9.2 +# uses: sigstore/cosign-installer@v3.10.0 # with: -# cosign-release: 'v2.5.3' +# cosign-release: 'v2.6.0' - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -69,7 +69,7 @@ jobs: ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }} # - name: Build and push Docker Hub image -# uses: docker/build-push-action@v5 +# uses: docker/build-push-action@v6 # id: push-dockerhub # with: # context: . 
@@ -87,7 +87,7 @@ jobs: # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} # # - name: Build and push GHCR image -# uses: docker/build-push-action@v5 +# uses: docker/build-push-action@v6 # id: push-ghcr # with: # context: . @@ -102,4 +102,4 @@ jobs: # run: cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }}@${{ steps.push-ghcr.outputs.digest }} # env: # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} -# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} \ No newline at end of file +# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} diff --git a/Dockerfile b/Dockerfile index 8449c24..78f3032 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM --platform=$BUILDPLATFORM golang:1.25.0-alpine3.22 AS build +FROM --platform=$BUILDPLATFORM golang:1.25.1-alpine3.22 AS build WORKDIR /application COPY . ./ ARG TARGETOS diff --git a/README.md b/README.md index 0ce9206..2449118 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # socket-proxy ## Latest image -- `wollomatic/socket-proxy:1.9.0` / `ghcr.io/wollomatic/socket-proxy:1.9.0` +- `wollomatic/socket-proxy:1.10.0` / `ghcr.io/wollomatic/socket-proxy:1.10.0` - `wollomatic/socket-proxy:1` / `ghcr.io/wollomatic/socket-proxy:1` ## About 
@@ -33,7 +33,7 @@ You should know what you are doing. Never expose socket-proxy to a public networ The container image is available on [Docker Hub (wollomatic/socket-proxy)](https://hub.docker.com/r/wollomatic/socket-proxy) and on the [GitHub Container Registry (ghcr.io/wollomatic/socket-proxy)](https://github.com/wollomatic/socket-proxy/pkgs/container/socket-proxy). -To pin one specific version, use the version tag (for example, `wollomatic/socket-proxy:1.9.0` or `ghcr.io/wollomatic/socket-proxy:1.9.0`). +To pin one specific version, use the version tag (for example, `wollomatic/socket-proxy:1.10.0` or `ghcr.io/wollomatic/socket-proxy:1.10.0`). To always use the most recent version, use the `1` tag (`wollomatic/socket-proxy:1` or `ghcr.io/wollomatic/socket-proxy:1`). This tag will be valid as long as there is no breaking change in the deployment. There may be an additional docker image with the `testing`-tag. This image is only for testing. Likely, documentation for the `testing` image could only be found in the GitHub commit messages. It is not recommended to use the `testing` image in production. @@ -59,6 +59,9 @@ This will also disable the TCP listener. For example `-proxysocketendpoint=/tmp/filtered-socket.sock` +> [!NOTE] +> Versions prior to 1.10.0 of socket-proxy set the default file permissions of the Unix socket to 0400, instead of 0600 as stated in the documentation. + #### Setting up the IP address or hostname allowlist Per default, only `127.0.0.1/32` is allowed to connect to socket-proxy. You may want to set another allowlist with the `-allowfrom` parameter, depending on your needs. 
@@ -192,7 +195,7 @@ To log the API calls of the client application, set the log level to `DEBUG` and ### all parameters and environment variables -socket-proxy can be configured via command line parameters or via environment variables. If both command line parameter and environment variables are set, the environment variable will be ignored. +socket-proxy can be configured via command line parameters or via environment variables. If both command line parameters and environment variables are set, the environment variable will be ignored. | Parameter | Environment Variable | Default Value | Description | |--------------------------------|----------------------------------|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -206,7 +209,7 @@ socket-proxy can be configured via command line parameters or via environment va | `-shutdowngracetime` | `SP_SHUTDOWNGRACETIME` | `10` | Defines the time in seconds to wait before forcing the shutdown after sigtern or sigint (socket-proxy first tries to graceful shut down the TCP server) | | `-socketpath` | `SP_SOCKETPATH` | `/var/run/docker.sock` | Specifies the UNIX socket path to connect to. By default, it connects to the Docker daemon socket. | | `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. | -| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) | +| `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availability every x seconds (disable checks, if not set or value is 0) | | `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port | | `-proxysocketendpointfilemode` | `SP_PROXYSOCKETENDPOINTFILEMODE` | `0600` | Explicitly set the file mode for the filtered unix socket endpoint (only useful with `-proxysocketendpoint`) | @@ -232,6 +235,8 @@ socket-proxy can be configured via command line parameters or via environment va 1.9 - add IPv6 support to `-listenip` (thanks [@op3](https://github.com/op3)) +1.10 - fix socket file mode (thanks [@amanda-wee](https://github.com/amanda-wee)), optimize build actions (thanks [@reneleonhardt](https://github.com/reneleonhardt)) + ## License This project is licensed under the MIT License – see the [LICENSE](LICENSE) file for details. diff --git a/examples/docker-compose/dozzle/compose.yaml b/examples/docker-compose/dozzle/compose.yaml index e2f9f82..29a041d 100644 --- a/examples/docker-compose/dozzle/compose.yaml +++ b/examples/docker-compose/dozzle/compose.yaml 
@@ -24,7 +24,7 @@ services: - docker-proxynet dozzle: - image: amir20/dozzle:v6.4.2 # make sure you use the most recent version + image: amir20/dozzle:v8.14 # make sure you use the most recent version user: 65534:65534 read_only: true mem_limit: 256M diff --git a/internal/config/config.go b/internal/config/config.go index c7a73cb..1f4ae42 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -27,7 +27,7 @@ var ( defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable) defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only) defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener - defaultProxySocketEndpointFileMode = uint(0o400) // set the file mode of the unix socket endpoint + defaultProxySocketEndpointFileMode = uint(0o600) // set the file mode of the unix socket endpoint defaultAllowBindMountFrom = "" // empty string means no bind mount restrictions )
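Review bot: The comment on `defaultProxySocketEndpointFileMode` should record what the new value means and why it changed, since the README in this commit documents that releases before 1.10.0 used 0400 instead of the documented 0600: `// file mode of the unix socket endpoint: owner read/write only (0o600), the documented default; releases before 1.10.0 wrongly used 0o400`. A test asserting this default would stop a silent regression, if one does not already exist elsewhere. The enclosing `var (` block starts and ends outside the hunk.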