Hey everyone, I've been reading about potential security risks associated with exposing *docker.sock* in containers. I have a Synology DS920+ running DSM 7.3.2, and I'm currently using a setup with [beszel](https://github.com/henrygd/beszel) and [watchtower](https://github.com/containrrr/watchtower) through Portainer with Docker Compose. The default volume setup for docker.sock is like this:
```yaml
volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
```
I'm concerned about security, especially since a compromised container could potentially gain root access. Given that using docker.sock often seems to be a default setting, I want to know how everyone else is securing it in 2025. Do you use a socket proxy? If so, which one? I came across a tutorial on securing your Docker environment using a socket proxy, dated April 2025, and I'm wondering if following that guide would be a good idea. I'd appreciate any advice!
5 Answers
Consider using a solution like [docker-no-trivial-root](https://github.com/ad-freiburg/docker-no-trivial-root) which focuses on central Docker services. Pair it with user namespace remapping for enhanced security, and I’d add socket authentication too.
You should definitely consider using a docker-socket-proxy for added security. Check out the one by Tecnativa [here](https://github.com/Tecnativa/docker-socket-proxy). A lot of folks seem to prefer it!
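Below is an added Compose example (not from the original thread, and not the proxy project's own documentation) showing how the Tecnativa proxy is typically wired in: the proxy is the only container that mounts the socket, it sits on an internal-only network with no published port, and the monitoring agent talks to it over TCP via `DOCKER_HOST`. The agent image name, its environment variables, and its ability to honour `DOCKER_HOST` are assumptions about beszel; the `CONTAINERS`, `INFO`, `POST`, `EXEC` and other flags are the proxy's per-endpoint allow switches (1 = allow, 0 = deny, default 0).

```yaml
# Added example: Docker socket proxy in front of a monitoring agent.
# Only the proxy touches docker.sock; every other container sees
# a filtered HTTP endpoint instead of the raw socket.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: socket-proxy
    restart: unless-stopped
    environment:
      # Read-only endpoints a monitoring agent needs (list + stats)
      CONTAINERS: 1
      INFO: 1
      # Everything below stays denied; listed explicitly for review
      POST: 0      # no create/start/stop/remove of anything
      EXEC: 0      # no 'docker exec' into containers
      IMAGES: 0
      VOLUMES: 0
      NETWORKS: 0
      BUILD: 0
      SWARM: 0
      SYSTEM: 0
    volumes:
      # :ro only affects the filesystem bind; the proxy's allow-list
      # is what actually limits which API calls reach the daemon
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy-net
    # Deliberately no "ports:" entry: the proxy is never reachable
    # from the host or the LAN, only from this internal network.

  beszel-agent:
    # Assumed image name and variables; check beszel's own docs
    image: henrygd/beszel-agent
    container_name: beszel-agent
    restart: unless-stopped
    environment:
      # Assumption: the agent's Docker client honours DOCKER_HOST
      DOCKER_HOST: tcp://socket-proxy:2375   # proxy's default port
      LISTEN: "45876"
      KEY: "<your-beszel-public-key>"        # placeholder
    depends_on:
      - socket-proxy
    networks:
      - socket-proxy-net

networks:
  socket-proxy-net:
    # internal: no default route, so even a compromised agent
    # cannot reach outward through this network
    internal: true
```

One design note: a tool that updates containers (watchtower in the question) needs `POST: 1` and `IMAGES: 1` to pull images and recreate containers, which hands back most of what the proxy was meant to withhold. If you keep such a tool, give it its own proxy instance with only those extra switches enabled rather than widening the one the read-only agent uses, and weigh that against the advice later in this thread to drop auto-updaters for important services.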
Just a note, using the `:ro` tag on docker.sock doesn’t always work as expected. It’s great for file access but doesn’t apply to sockets in the same way.
Definitely go with the docker-socket-proxy. Just a heads up about watchtower though—it's been marked as unmaintained recently. Look for alternative solutions if you actually need auto-updating for your containers. Many suggest avoiding using those types of services altogether!
Good to know! I only use watchtower for non-critical containers, but I guess I should rethink that for more important ones like immich.
It's not a big issue if your services are not exposed to the internet, so you might not need a socket proxy in those cases. Still, it’s strange that using docker.sock is the default in most compose files if it’s considered risky!
Right? It makes me wonder why it’s the standard option if it poses such a big security concern.

There's also another one worth looking at: [11notes/docker-socket-proxy](https://github.com/11notes/docker-socket-proxy). But you're probably right that Tecnativa's is more popular.