fix: docker compose and bind permission

.env.example

@@ -60,6 +60,7 @@ GODOXY_FRONTEND_ALIASES=godoxy
 # Docker socket
 # /var/run/podman/podman.sock for podman
 DOCKER_SOCKET=/var/run/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375
 
 # Debug mode
 GODOXY_DEBUG=false

Dockerfile

@@ -4,7 +4,7 @@ HEALTHCHECK NONE
 
 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
-RUN apk add --no-cache tzdata make
+RUN apk add --no-cache tzdata make libcap-setcap
 
 ENV GOPATH=/root/go
 

Makefile

@@ -60,11 +60,11 @@ else
 	SETCAP_CMD = sudo setcap
 endif
 
+
+# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
 ifeq ($(docker), 1)
-	POST_BUILD = mkdir -p /app && mv ${BIN_PATH} /app/run
-else
-	# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
-	POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH}
+	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
 endif
 
 .PHONY: debug

compose.example.yml

@@ -18,7 +18,7 @@ services:
     tmpfs:
       - /run
     ports:
-      - 127.0.0.1:2375:2375
+      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:2375"]
       interval: 1m30s
@@ -32,6 +32,7 @@ services:
     network_mode: host # do not change this
     env_file: .env
     user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    read_only: true
     security_opt:
       - no-new-privileges:true
     cap_drop:
@@ -63,10 +64,8 @@ services:
       - no-new-privileges:true
     cap_drop:
       - all
-    cap_add:
-      - NET_BIND_SERVICE
     environment:
-      - DOCKER_HOST=127.0.0.1:2375
+      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1}:2375
     volumes:
       - ./config:/app/config
       - ./logs:/app/logs