# Mapping Docker Unix socket to HA container


dense locust

Just looking for a quick sanity check: is it much of a security risk to map /var/run/docker.sock as a volume so that I can issue Docker API commands via HA? I just set this up and am now thinking back about whether it was a good idea.

jade moss

Through the docker socket you basically expose root permissions, so yes, this is a security risk. Especially considering that HA still doesn't have a permission system. You can use a docker socket proxy to limit the commands that can be issued through the socket.

https://github.com/wollomatic/socket-proxy


Secure-by-design and flexible Unix socket proxy. Built in memory-safe Go with zero dependencies, no shell or interpreter required in containers. A modern alternative to tecnativa/docker-socket-prox...

dense locust

Thanks, this looks like a great way to limit the risk. I will try this out.

dense locust

This worked out great, thanks for the suggestion!

jade moss

If you stack that on top of socket-proxy (it is designed to be used WITH socket-proxy, not alone), you can also define which containers to expose and whether you want to expose ENV vars (which of course often hold secrets and are not required for all tools that need/want access to the Docker socket).
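To make concrete what the two replies above mean by "limit the commands" and "not expose ENV vars", here is the policy core of a Docker-socket proxy as an added example. It is not code from this thread and not the code of wollomatic/socket-proxy or the tool referred to in the last reply; the rule set, function names and sample requests are hypothetical and constructed for illustration. The point it shows is deny-by-default: only explicitly listed method/path pairs are forwarded, so the calls that turn the socket into root on the host (creating, starting or exec'ing into containers) never reach the daemon, and a response filter empties `Config.Env` in inspect output before it goes back to the client.

```python
"""Added example, not from the thread and not from wollomatic/socket-proxy.
Policy core of a Docker-socket allowlist proxy: deny-by-default request
matching plus scrubbing of environment variables from inspect responses.
Rule set and sample requests are constructed for illustration."""
import json
import re
from typing import Dict, List, Tuple

# Allowlist: HTTP method -> anchored path regexes (API version prefix and
# query string are stripped before matching). Anything not listed is
# denied, so a new or unknown endpoint is "no" until someone adds it.
# Hypothetical rule set: enough to list/inspect containers and read logs,
# but nothing that creates, starts, stops, execs into or deletes anything.
HA_RULES: Dict[str, List[str]] = {
    "GET": [
        r"/_ping",
        r"/version",
        r"/info",
        r"/containers/json",
        r"/containers/[^/]+/json",
        r"/containers/[^/]+/logs",
    ],
    "HEAD": [r"/_ping"],
}

_VERSION_PREFIX = re.compile(r"^/v\d+(\.\d+)?")


def normalize_path(path: str) -> str:
    """Drop the query string and an optional /v1.xx API version prefix."""
    path = path.split("?", 1)[0]
    return _VERSION_PREFIX.sub("", path)


def is_allowed(method: str, path: str, rules: Dict[str, List[str]] = HA_RULES) -> bool:
    """True only if method+path fully match an explicit rule; else False."""
    norm = normalize_path(path)
    for pattern in rules.get(method.upper(), []):
        if re.fullmatch(pattern, norm):
            return True
    return False


def parse_request_line(raw: bytes) -> Tuple[str, str]:
    """Extract (method, request-target) from the first line of an HTTP request."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1]


def decide(raw_request: bytes) -> bool:
    """Decision for one raw request; malformed input is denied, not errored."""
    try:
        method, target = parse_request_line(raw_request)
    except ValueError:
        return False
    return is_allowed(method, target)


def scrub_env(inspect_body: dict) -> dict:
    """Return a copy of a /containers/{id}/json body with Config.Env emptied.

    Env often carries API tokens and passwords; a client that only needs
    container names and state has no business seeing them.
    """
    cleaned = json.loads(json.dumps(inspect_body))  # deep copy, input untouched
    cfg = cleaned.get("Config")
    if isinstance(cfg, dict) and "Env" in cfg:
        cfg["Env"] = []
    return cleaned


# Constructed sample traffic, roughly what a Docker client would send.
SAMPLE_LIST = b"GET /v1.43/containers/json?all=1 HTTP/1.1\r\nHost: docker\r\n\r\n"
SAMPLE_CREATE = b"POST /v1.43/containers/create HTTP/1.1\r\nHost: docker\r\n\r\n"
SAMPLE_EXEC = b"POST /containers/abc123/exec HTTP/1.1\r\nHost: docker\r\n\r\n"
SAMPLE_INSPECT = {
    "Id": "abc123",
    "State": {"Status": "running"},
    "Config": {"Image": "example/app:1", "Env": ["API_TOKEN=constructed-secret"]},
}

if __name__ == "__main__":
    for req in (SAMPLE_LIST, SAMPLE_CREATE, SAMPLE_EXEC):
        print(req.split(b"\r\n", 1)[0].decode(), "->", "allow" if decide(req) else "deny")
    print(json.dumps(scrub_env(SAMPLE_INSPECT)["Config"]))
```

A real proxy wraps this logic in a listener that accepts client connections on a separate socket or TCP port, forwards only the allowed requests to /var/run/docker.sock (mounted read-only into the proxy container), and rewrites inspect responses on the way back; the linked socket-proxy project is such a listener. The thing to copy from this example is the shape of the policy: the default branch returns deny, rules are anchored full-path matches rather than prefixes, and the proxy is the only container that ever sees the raw socket, so HA only ever talks to the proxy.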