Sockguard

Presets

Ready-made sockguard configs for drydock, Traefik, Portainer, Watchtower, Homepage, Homarr, Diun, Autoheal, and read-only dashboards.

Sockguard ships with ready-made config presets for common Docker consumers. All presets are bundled in the container image at /etc/sockguard/.

Drydock (drydock.yaml)

Optimized for the drydock container update manager.

Use for: drydock, or any container updater that needs lifecycle control + image pull.

# Allows: container read, start, stop, restart, remove, create
# Allows: image read, pull
# Allows: network read, volume read, distribution
# Denies: exec, build, swarm, secrets, plugins
# container-create bodies are inspected by default — add host bind-mount sources to
# request_body.container_create.allowed_bind_mounts if your updates require them.
# image pulls are inspected too; this preset explicitly allows arbitrary registries
# while still denying image imports via fromSrc

Traefik (traefik.yaml)

Minimal read-only access for the Traefik reverse proxy.

Use for: Traefik, nginx-proxy, or any reverse proxy that discovers backends through a Docker provider.

# Allows: GET on containers, networks, services, tasks, events, ping, version
# Denies: everything else

Portainer (portainer.yaml)

Full Docker API access for the Portainer management UI.

Use for: Portainer with full management capabilities. Prefer readonly.yaml (below) if you only need Portainer to browse state.

# Allows: containers, images, networks, volumes, exec, build, swarm, plugins (full R/W)
# WARNING: This grants near-full Docker socket access
# Container-create, image-pull, and build requests are inspected, but Portainer's arbitrary
# exec and Swarm-management writes still require insecure_allow_body_blind_writes=true

Watchtower (watchtower.yaml)

Optimized for the Watchtower container auto-updater.

Use for: Watchtower with lifecycle hooks and network-aware updates.

# Allows: container lifecycle (start, stop, kill, restart, rename, remove, create)
# Allows: image pull/remove, exec (lifecycle hooks), network connect/disconnect
# Denies: build, swarm, secrets, plugins
# Container-create and image-pull requests are inspected; exec lifecycle hooks can be
# inspected too, but this preset keeps insecure_allow_body_blind_writes=true for arbitrary hooks

Homepage (homepage.yaml)

Read-only access for the Homepage dashboard.

Use for: Homepage, or any dashboard that only reads container state and stats.

# Allows: GET on containers (list, inspect, stats), images, services, tasks, events
# Denies: all write operations

Homarr (homarr.yaml)

Optimized for Homarr dashboard with container management.

Use for: Homarr with start/stop/restart controls enabled.

# Allows: container read (list, inspect, stats), start, stop, restart
# Allows: image read
# Denies: exec, create, network/volume writes

Diun (diun.yaml)

Minimal read-only access for Diun (Docker Image Update Notifier).

Use for: Diun, or any tool that only needs to discover running containers and inspect images.

# Allows: GET on containers (list, inspect), images (inspect)
# Denies: everything else — Diun checks registries directly

Autoheal (autoheal.yaml)

Minimal access for docker-autoheal.

Use for: Autoheal, or any health-check-based restart tool.

# Allows: GET /containers/json (list unhealthy), POST /containers/*/restart
# Denies: everything else — the most restrictive write preset
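The preset headers above describe two distinct controls: anchored method/path rules that deny by default (autoheal is the tightest example), and inspection of container-create bodies against request_body.container_create.allowed_bind_mounts (the drydock header). The following is an added illustration of what those checks must catch; it is not sockguard's code, and its rule tables are a paraphrase of the autoheal and drydock headers rather than the real preset files. It exercises the cases a practitioner should expect a socket proxy to reject: an unversioned and a versioned path, a dot-segment path, a create body that binds / with Privileged=true, and a bind source that traverses out of an allowed directory. All request bodies are constructed for the example.

```python
"""Hypothetical request filter illustrating the allow/deny semantics in the preset
headers (not sockguard's implementation). Rules are anchored regexes matched against
the normalized request path; container-create bodies are inspected separately."""
import json
import posixpath
import re

# Docker clients usually prefix paths with the API version, e.g. /v1.45/containers/json.
_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+(?=/)")


def normalize_path(raw_path):
    """Drop the query string and version prefix; refuse empty or dot segments outright."""
    path = raw_path.split("?", 1)[0]
    if not path.startswith("/"):
        return None
    path = _VERSION_PREFIX.sub("", path)
    segments = path.split("/")[1:]
    if any(seg in ("", ".", "..") for seg in segments):
        return None          # never normalize traversal away; reject it
    return path


def _bind_sources(spec):
    """Yield host paths from both HostConfig.Binds and HostConfig.Mounts (Type=bind)."""
    host = spec.get("HostConfig") or {}
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):          # anything else is a named volume
            yield src
    for mount in host.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")


def inspect_container_create(body, allowed_bind_sources):
    """Return a denial reason, or None if the create body is acceptable."""
    try:
        spec = json.loads(body)
    except ValueError:
        return "body is not valid JSON"
    host = spec.get("HostConfig") or {}
    if host.get("Privileged"):
        return "Privileged=true is not allowed"
    allowed = [posixpath.normpath(a) for a in allowed_bind_sources]
    for src in _bind_sources(spec):
        clean = posixpath.normpath(src)  # /srv/app/../var/run/x -> /var/run/x
        if not any(clean == a or clean.startswith(a.rstrip("/") + "/") for a in allowed):
            return "bind-mount source %r is not under an allowed path" % src
    return None


def evaluate(rules, method, raw_path, body=b"{}", allowed_bind_sources=()):
    """Deny by default; the first matching (method, pattern) rule allows the request."""
    path = normalize_path(raw_path)
    if path is None:
        return False, "malformed path rejected before rule matching"
    for rule_method, pattern in rules:
        if rule_method == method and pattern.fullmatch(path):
            if method == "POST" and path == "/containers/create":
                reason = inspect_container_create(body, allowed_bind_sources)
                if reason:
                    return False, reason
            return True, "matched %s %s" % (rule_method, pattern.pattern)
    return False, "no rule matched (deny by default)"


def _rules(*pairs):
    return [(m, re.compile(p)) for m, p in pairs]


# Paraphrase of the autoheal header: list containers, restart one, nothing else.
AUTOHEAL_RULES = _rules(("GET", r"/containers/json"),
                        ("POST", r"/containers/[^/]+/restart"))

# Subset of the drydock header: container read/lifecycle/create and image pull, no exec.
UPDATER_RULES = _rules(("GET", r"/containers/.*"),
                       ("POST", r"/containers/[^/]+/(start|stop|restart)"),
                       ("DELETE", r"/containers/[^/]+"),
                       ("POST", r"/containers/create"),
                       ("POST", r"/images/create"))

# Constructed request bodies (not captured from any real client).
ESCAPE_BODY = json.dumps({"Image": "alpine", "HostConfig": {
    "Binds": ["/:/host"], "Privileged": True}}).encode()
TRAVERSAL_BODY = json.dumps({"Image": "alpine", "HostConfig": {
    "Binds": ["/srv/app/../var/run/docker.sock:/sock"]}}).encode()
OK_BODY = json.dumps({"Image": "alpine", "HostConfig": {"Mounts": [
    {"Type": "bind", "Source": "/srv/app/data", "Target": "/data"}]}}).encode()

if __name__ == "__main__":
    print(evaluate(AUTOHEAL_RULES, "GET", "/v1.45/containers/json?all=1"))
    print(evaluate(AUTOHEAL_RULES, "POST", "/containers/abc123/exec"))
    print(evaluate(AUTOHEAL_RULES, "GET", "/containers/abc/restart/../../json"))
    print(evaluate(UPDATER_RULES, "POST", "/containers/create", ESCAPE_BODY, ["/srv/app"]))
    print(evaluate(UPDATER_RULES, "POST", "/containers/create", TRAVERSAL_BODY, ["/srv/app"]))
    print(evaluate(UPDATER_RULES, "POST", "/containers/create", OK_BODY, ["/srv/app"]))
```

Two caveats carry over to any real proxy. The filter only sees the path string and JSON the client sent, so a bind source under an allowed directory can still be a symlink on the host pointing elsewhere; the proxy cannot resolve host symlinks, and the allowed list should name directories that are not writable by the containers it serves. And because Mounts and Binds are two spellings of the same privilege, a body check that only reads one of them is bypassable with the other.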

Read-Only (readonly.yaml)

Allows GET access to all Docker API endpoints. Denies all write operations.

Use for: generic dashboards, monitoring tools, read-only Portainer.

# Allows: GET on containers, images, networks, volumes, system, events, info, ping, version
# Denies: all POST, PUT, DELETE

Using a Preset

Mount the preset as your config file:

services:
  sockguard:
    image: codeswhat/sockguard:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Consumers mount this volume instead of docker.sock and point their
      # Docker client at the proxy socket sockguard creates under /var/run/sockguard.
      - sockguard-socket:/var/run/sockguard
    command: ["serve", "-c", "/etc/sockguard/drydock.yaml"]

# The named volume must be declared at top level or compose refuses to start the stack.
volumes:
  sockguard-socket:

Swap the filename for any of the other presets bundled at /etc/sockguard/. Note that :ro on the docker.sock mount only blocks filesystem writes to the socket inode; connecting to the socket and sending API requests still works, so it is not a security boundary. The preset is what limits which requests reach the daemon, which is why the consumer must be given only the sockguard-socket volume and never docker.sock itself.
