CetusGuard is a tool that allows to protect the Docker daemon socket by filtering the calls to its API endpoints.

Some highlights:

  • It is written in a memory safe language.
  • Has a small codebase that can be easily audited.
  • Has zero dependencies to mitigate supply chain attacks.

Docker daemon security

Unless you opt in to rootless mode (which has some limitations), the daemon requires root and any service that has access to its API can escalate privileges.

The daemon by default exposes its API through a non-networked Unix socket that can be restricted by file system permissions and for networked use the daemon supports being exposed over SSH or TCP with TLS client authentication. However, you still have to fully trust any service you give access to its API.

CetusGuard solves this problem by acting as a proxy between the daemon and the services that consume its API, allowing for example read-only access to some endpoints.


CetusGuard is distributed as a Docker image available on Docker Hub and as a statically linked binary available in the releases section of the project.

A collection of examples for experimenting with CetusGuard, including some real world scenarios with Traefik and Netdata, can be found in the ./examples/ directory.

These are the supported options:

  -backend-addr string
        Container daemon socket to connect to (env CETUSGUARD_BACKEND_ADDR, CONTAINER_HOST, DOCKER_HOST) (default "unix:///var/run/docker.sock")
  -backend-tls-cacert string
        Path to the backend TLS certificate used to verify the daemon identity (env CETUSGUARD_BACKEND_TLS_CACERT)
  -backend-tls-cert string
        Path to the backend TLS certificate used to authenticate with the daemon (env CETUSGUARD_BACKEND_TLS_CERT)
  -backend-tls-key string
        Path to the backend TLS key used to authenticate with the daemon (env CETUSGUARD_BACKEND_TLS_KEY)
  -frontend-addr string
        Address to bind the server to (env CETUSGUARD_FRONTEND_ADDR) (default "tcp://:2375")
  -frontend-tls-cacert string
        Path to the frontend TLS certificate used to verify the identity of clients (env CETUSGUARD_FRONTEND_TLS_CACERT)
  -frontend-tls-cert string
        Path to the frontend TLS certificate (env CETUSGUARD_FRONTEND_TLS_CERT)
  -frontend-tls-key string
        Path to the frontend TLS key (env CETUSGUARD_FRONTEND_TLS_KEY)
  -log-level int
        The minimum entry level to log, from 0 to 7 (env CETUSGUARD_LOG_LEVEL) (default 6)
        Do not load any default rules (env CETUSGUARD_NO_DEFAULT_RULES)
  -rules value
        Filter rules separated by new lines, can be specified multiple times (env CETUSGUARD_RULES)
  -rules-file value
        Filter rules file, can be specified multiple times (env CETUSGUARD_RULES_FILE)
        Show version number and quit

Filter rules

By default, only a few common harmless endpoints are allowed, /_ping, /info and /version.

All other endpoints are denied and must be explicitly allowed through a rule syntax defined by the following ABNF grammar:

blank   = ( SP / HTAB )
method  = 1*%x41-5A                             ; HTTP method
methods = method *( "," method )                ; HTTP method list
pattern = 1*UNICODE                             ; Target path regex
rule    = *blank methods 1*blank pattern *blank ; Rule

Only requests that match the specified HTTP methods and target path regex will be allowed.

There are some built-in variables specified by surrounding % that can be used to compose rule patterns, the full list and their values can be found in the rule.go file.

Lines beginning with ! are ignored.

Some example rules are:

! Ping

! Get version

! Get system information

! Get data usage information

! Monitor events

! List containers

! Inspect a container 


MIT License © Héctor Molinero Fernández.


View Github