Hello @all,
I need help after reading a lot of sources on docker/socket-proxy etc. I am relatively new to docker, but also excited and impressed by what docker makes possible. But … we all know about security, because of the docker-daemon. I installed it root-full.
My installation is working with a root-full docker-daemon on a dev-machine. I want to know how to secure my setup (with a root-full daemon). After that, I will also try a root-less setup.
As of now, I have a minor problem.
If I start socket-proxy (with compose.yaml) alone and also start another tool alone (like Portainer/Yacht/dozzle/dockhand/arcane, see below) with its own compose.yaml, none of these tools (I guess a config error) can connect to socket-proxy:2375 on/in the socket-net.
All tools are on the same socket-net.
#-----------------------------
My setup:

```text
Linux linuxsrv 6.12.69+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.69-1 (2026-02-08) x86_64 GNU/Linux
```

#-----------------------------

```text
Client: Docker Engine - Community
 Version:           29.2.1
 API version:       1.53
 Go version:        go1.25.6
 Git commit:        a5c7197
 Built:             Mon Feb 2 17:17:31 2026
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.2.1
  API version:      1.53 (minimum version 1.33)
  Go version:       go1.25.6
  Git commit:       6bc6209
  Built:            Mon Feb 2 17:17:31 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.1
  GitCommit:        dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc:
  Version:          1.3.4
  GitCommit:        v1.3.4-0-gd6d73eb8
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

#-----------------------------

```text
docker-compose version
→ Docker Compose version v5.0.2
```

#-----------------------------
I also have:
#-----------------------------
/etc/profile

```sh
export DOCKER_HOST=tcp://socket-proxy:2375
```

#-----------------------------
/etc/systemd/system/multi-user.target.wants/docker.service

```ini
...
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 --containerd=/run/containerd/containerd.sock
...
```

#-----------------------------
/etc/systemd/system/sockets.target.wants/docker.socket

```ini
...
ListenStream=/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
...
```

#-----------------------------
I installed a regular user:

```text
dockusr:x:1004:1004:usr,docker,-,-,-:/home/dockusr:/bin/bash
```

and try to start the other containers with

```yaml
user: 1004:1004
```

or with

```yaml
environment:
  - PUID=1004
  - PGID=1004
```

Because of the root-full daemon, I installed

```yaml
socket-proxy:
  image: lscr.io/linuxserver/socket-proxy:latest
  # image: tecnativa/docker-socket-proxy
```

(about the same).
With a huuuuuuge, long compose.yaml:
#-------------------------------------------------

```yaml
services:
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    # ...
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # ...
    networks:
      - socket-net
  #-------------------------------------------------
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    depends_on:
      - socket-proxy
    command: -H tcp://socket-proxy:2375
    restart: always
    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375
    volumes:
      #- ./data:/data
      - ./portainer_data:/data
    ports:
      - 9443:9443
    networks:
      - socket-net
  #-------------------------------------------------
  loggifly:
    image: ghcr.io/clemcer/loggifly:latest
    container_name: loggifly
    # ...
    depends_on:
      - socket-proxy
    restart: unless-stopped
    networks:
      - socket-net
  #-------------------------------------------------
  #- Dozzle - Real-time Docker Log Viewer
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    # ...
    depends_on:
      - socket-proxy
    networks:
      # - default
      - socket-net
    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375
  #-------------------------------------------------
  dockhand:
    image: fnsys/dockhand:latest
    container_name: dockhand
    # ...
    depends_on:
      - socket-proxy
    ports:
      - 3005:3000
    volumes:
      - ./dockhand_data:/app/data
      #- /home/opt/stacks/dockhand/data:/app/data
    networks:
      - socket-net
  #-------------------------------------------------
  yacht:
    image: selfhostedpro/yacht
    container_name: yacht
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375
    depends_on:
      - socket-proxy
    networks:
      - socket-net
  #-------------------------------------------------
  arcane:
    image: ghcr.io/getarcaneapp/arcane:latest
    container_name: arcane
    # ...
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # not enabled!
    depends_on:
      - socket-proxy
    networks:
      - socket-net
#-------------------------------------------------
#- @the end
networks:
  socket-net:
    driver: bridge
```

#-------------------------------------------------
works. Yesssssssssss, fine. They all start, no errors.
As you see, all tools depend on socket-proxy and sit on the same network:

```yaml
depends_on:
  - socket-proxy
networks:
  - socket-net
```

All these management tools are working without any headache; loggifly also sends ntfy-messages when starting. Fine.
And now to something completely different (Monty Python).
I tried to cut this huge compose.yaml file into tiny parts, one for socket-proxy alone, and one for each of these tools. Theoretically it should work, because they are sitting on the same network(?), as I read.
The tools should see the (internal) public network

```yaml
networks:
  socket-net:
    driver: bridge
```

and should connect through socket-proxy (DOCKER_HOST: tcp://socket-proxy:2375) somewhat securely to the docker-daemon(?)

```text
docker network ls | grep sock
7cb27bdd70cd   socket-net   bridge   local
```
But it does not work.
As you see here:

```text
2026-03-19 23:08:10,261 - CRITICAL - Could not connect to any docker hosts. Please check your DOCKER_HOST environment variable or mounted docker socket.
2026-03-19 23:08:22,137 - INFO - Trying to connect to docker client on host: tcp://socket-proxy:2375
```
Why?
Where should I put the variable DOCKER_HOST for the environment, some place other than /etc/profile?
Why can't they see each other, what am I missing here?
Where is my fault?
And, do I need (for one docker-host) an agent on it? I think not(?).
Thx for any help in advance.
Below are two compose.yaml files, one for the socket-proxy, the other one for loggifly.
#-------------------------------------------------------------
#- socket-proxy/alone

```yaml
services:
  #------------------------------------------
  # -- socket-proxy
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    # image: tecnativa/docker-socket-proxy
    container_name: socket-proxy
    restart: always
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # ...
    environment:
      - TZ=Europe/Berlin
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      # used for Portainer
      - ALLOW_START=1 # for better security, set to 0
      - ALLOW_STOP=1 # for better security, set to 0
      - ALLOW_RESTARTS=1 # for better security, set to 0
      # Set to 0 by default
      - AUTH=0 # AUTH=1 ?
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0 # CONFIGS=1 ?
      - CONTAINERS=1 # Allow listing and managing containers
      - DELETE=1
      - DISABLE_IPV6=0 # For no IPv6 set to 1
      - DISTRIBUTION=0
      #- EXEC=1 # For terminal access. Disable for better security
      - EXEC=0 # For terminal access. Disable for better security
      - IMAGES=1 # For Portainer
      - INFO=1 # For Portainer
      - LOG_LEVEL=info # Set as you need
      - NETWORKS=1 # Allow listing networks
      - NODES=0 # Allow listing nodes in the swarm
      - PLUGINS=0
      - POST=1 # Needed for Portainer, Traefik (Start/Stop/Create)
      - SECRETS=0 # SECRETS=1 ?
      - SERVICES=1 # Allow listing and managing services, for Portainer
      - SESSION=0
      - SWARM=0 # Allow Swarm Mode
      - SYSTEM=1 # Allow system-level API access (set to 0 to block it)
      - TASKS=1 # Allow listing tasks in the swarm, for Portainer
      - VOLUMES=1 # Allow listing volumes
    # command: -H tcp://socket-proxy:2375
    networks:
      - socket-net
networks:
  socket-net:
    driver: bridge
#- BTW: 1/0 all of them in dev-env, not productive.
```

#-------------------------------------------------------------
#- loggifly/alone (as an example for the other tools, because it is not working, not sending any ntfy-messages at all)

```yaml
services:
  loggifly:
    image: ghcr.io/clemcer/loggifly:latest
    container_name: loggifly
    # It is recommended to set the user so that the container does not run as root
    user: 1004:1004
    read_only: true
    volumes:
      - ./loggifly/config:/config
    environment:
      TZ: Europe/Berlin
      DOCKER_HOST: tcp://socket-proxy:2375
    restart: unless-stopped
    networks:
      - socket-net
networks:
  socket-net:
    driver: bridge
```

#-------------------------------------------------------------
Appreciate any help.
Thx in advance.
ELindemann
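An added example, not part of the post above, showing the usual reason two separate stacks cannot reach each other on "the same" network: Compose creates a network declared in a compose.yaml as `<project>_socket-net`, so the proxy stack and the loggifly stack each get their own bridge and Docker's embedded DNS never sees both containers on one network; declaring the network `external` in both files makes them join a single network created once beforehand. Service and container names, the 1004 user and the environment flags are taken from the post; it assumes the proxy does not need `privileged: true` just to read the mounted socket (check the image's own docs), and it narrows the proxy to the read-only flags a log viewer needs.

```yaml
# Shared network, created once on the host before either stack starts:
#   docker network create socket-net
#
# --- socket-proxy/compose.yaml (started on its own) ---
services:
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    container_name: socket-proxy      # the name that DOCKER_HOST resolves on socket-net
    restart: always
    # privileged: true is omitted here (assumption: not required to read the socket)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=Europe/Berlin
      - CONTAINERS=1   # list containers: what a log viewer needs
      - EVENTS=1
      - PING=1
      - VERSION=1
      - POST=0         # read-only proxy; a stack that must start/stop gets its own proxy with POST=1
      - EXEC=0
    networks:
      - socket-net

networks:
  socket-net:
    external: true     # join the pre-created network instead of creating <project>_socket-net
---
# --- loggifly/compose.yaml (started on its own, from another directory) ---
services:
  loggifly:
    image: ghcr.io/clemcer/loggifly:latest
    container_name: loggifly
    user: 1004:1004
    read_only: true
    environment:
      TZ: Europe/Berlin
      DOCKER_HOST: tcp://socket-proxy:2375   # resolved by Docker's embedded DNS on socket-net
    volumes:
      - ./loggifly/config:/config
    restart: unless-stopped
    networks:
      - socket-net

networks:
  socket-net:
    external: true     # same pre-created network as the proxy stack
```

The `---` only separates the two files in this listing; each goes into its own compose.yaml, and `docker network inspect socket-net` should then list both containers under `Containers`.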