Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de73d60a939df6636a569aba5afdc9822f0d3f0a
homelab-optimized/docs/troubleshooting/WATCHTOWER_SECURITY_ANALYSIS.md
Gitea Mirror Bot de73d60a93
Some checks failed
Documentation / Deploy to GitHub Pages (push) Has been cancelled
Details
Documentation / Build Docusaurus (push) Has been cancelled
Details
Sanitized mirror from private repository - 2026-04-05 12:13:06 UTC
2026-04-05 12:13:06 +00:00

5.7 KiB
Raw Blame History

Watchtower Security Analysis - CORRECTED

Generated: February 9, 2026
Status: ⚠️ CRITICAL CORRECTION TO PREVIOUS RECOMMENDATION

🚨 IMPORTANT: DO NOT MAKE DOCKER SOCKET READ-ONLY

Previous Recommendation Was INCORRECT

I initially recommended making the Docker socket read-only for security. This would BREAK Watchtower completely.

Why Watchtower NEEDS Write Access

Watchtower requires full read-write access to the Docker socket to perform its core functions:

Required Docker Operations

  1. Pull new images: docker pull <image>:latest
  2. Stop containers: docker stop <container>
  3. Remove old containers: docker rm <container>
  4. Create new containers: docker create/run <new-container>
  5. Start containers: docker start <container>
  6. Remove old images: docker rmi <old-image> (when cleanup=true)

Current Configuration Analysis

# Your current Watchtower config:
WATCHTOWER_HTTP_API_UPDATE=true     # Updates via HTTP API only
WATCHTOWER_CLEANUP=true             # Removes old images (needs write access)
WATCHTOWER_SCHEDULE=0 0 4 * * *     # Daily at 4 AM (but API mode overrides)

🔍 Actual Security Status: ACCEPTABLE

Current Security Posture is GOOD

Your Watchtower configuration is actually more secure than typical setups:

Security Features Already Enabled

  1. HTTP API Mode: Updates only triggered via authenticated API calls
  2. No Automatic Polling: Periodic runs are not enabled
  3. API Token Protection: Requires watchtower-update-token for updates
  4. Scoped Access: Only monitors containers (not system-wide access)

How It Works

# Updates are triggered via API, not automatically:
curl -H "Authorization: Bearer watchtower-update-token" \
     -X POST http://localhost:8091/v1/update

This is SAFER than Default Watchtower

Default Watchtower: Automatically updates containers on schedule
Your Watchtower: Only updates when explicitly triggered via API

🔧 Actual Security Recommendations

1. Current Setup is Secure

  • Keep read-write Docker socket access (required for functionality)
  • Keep HTTP API mode (more secure than automatic updates)
  • Keep API token authentication

2. Minor Improvements Available

A. Fix Notification Protocol

# Change HTTPS to HTTP in notification URL
WATCHTOWER_NOTIFICATION_URL: http://192.168.0.210:8081/updates

B. Restrict API Access (Optional)

# Bind API to localhost only (if not needed externally)
ports:
  - "127.0.0.1:8091:8080"  # Instead of "8091:8080"

C. Use Docker Socket Proxy (Advanced)

If you want additional security, use a Docker socket proxy:

# tecnativa/docker-socket-proxy - filters Docker API calls
# But this is overkill for most homelab setups

🎯 Corrected Action Plan

DO NOT DO

  • Make Docker socket read-only (Would break Watchtower)
  • Remove write permissions (Would break container updates)

SAFE ACTIONS

  1. Fix notification URL: Change HTTPS to HTTP
  2. Update repository configs: Align with running container
  3. Document API usage: How to trigger updates manually

OPTIONAL SECURITY ENHANCEMENTS

  1. Restrict API binding: Localhost only if not needed externally
  2. Monitor API access: Log API calls for security auditing
  3. Regular token rotation: Change API token periodically

📊 Security Comparison

Configuration Security Level Functionality Recommendation
Your Current Setup 🟢 HIGH Full KEEP
Read-only Docker socket 🔴 BROKEN None AVOID
Default Watchtower 🟡 MEDIUM Full 🟡 Less secure
With Socket Proxy 🟢 HIGHEST Full 🟡 Complex setup

🔍 How to Verify Current Security

Check API Mode is Active

# Should show "Periodic runs are not enabled"
sudo docker logs watchtower --tail 20 | grep -i periodic

Test API Authentication

# This should fail (no token)
curl -X POST http://localhost:8091/v1/update

# This should work (with token)
curl -H "Authorization: Bearer watchtower-update-token" \
     -X POST http://localhost:8091/v1/update

Verify Container Updates Work

# Trigger manual update via API
curl -H "Authorization: Bearer watchtower-update-token" \
     -X POST http://localhost:8091/v1/update

🎉 Conclusion

Your Watchtower is ALREADY SECURE

Your current configuration is more secure than typical Watchtower setups because:

  • Updates require explicit API calls (not automatic)
  • API calls require authentication token
  • No periodic polling running

My Previous Recommendation Was WRONG

Making the Docker socket read-only would have completely broken Watchtower's ability to:

  • Pull new images
  • Update containers
  • Clean up old images
  • Perform any container management

Keep Your Current Setup

Your Watchtower configuration strikes the right balance between security and functionality.

📝 Updated Fix Script Status

⚠️ DO NOT RUN scripts/fix-watchtower-security.sh

The script contains an incorrect recommendation that would break Watchtower. I'll create a corrected version that:

  • Fixes the notification URL (HTTPS → HTTP)
  • Updates repository configurations
  • Preserves essential Docker socket access

This corrected analysis supersedes the previous CONTAINER_DIAGNOSIS_REPORT.md security recommendations.

Reference in New Issue View Git Blame Copy Permalink