
[ACME, Watchdog, DockerAPI] Use only limited Docker API

andryyy 8 years ago
parent
commit
ef9953898c

+ 2 - 4
data/Dockerfiles/acme/docker-entrypoint.sh

@@ -10,9 +10,7 @@ mkdir -p ${ACME_BASE}/acme/private
 restart_containers(){
 	for container in $*; do
 		echo "Restarting ${container}..."
-		curl -X POST \
-			--unix-socket /var/run/docker.sock \
-			"http/containers/${container}/restart"
+		curl -X POST http://dockerapi:8080/containers/${container}/restart
 	done
 }
 
@@ -107,7 +105,7 @@ while true; do
 	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
 	IPV4=$(get_ipv4)
 	# Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent --unix-socket /var/run/docker.sock http/containers/json | jq -rc 'map(select(.Names[] | contains ("nginx-mailcow") or contains ("postfix-mailcow") or contains ("dovecot-mailcow"))) | .[] .Id' | tr "\n" " "))
+	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
 
 	while read domain; do
 		SQL_DOMAIN_ARR+=("${domain}")
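Review bot: The jq `select( .name | contains(...))` on the new CONTAINERS_RESTART line does substring matching on the compose service label, so any service whose name merely contains `nginx-mailcow`, `postfix-mailcow` or `dovecot-mailcow` would be restarted as well, and a container without that label yields `.name == null`, on which `contains` raises a jq error rather than being skipped. Exact matching with a null fallback, in a single jq pass, avoids both: `jq -r '.[] | select((.Config.Labels["com.docker.compose.service"] // "") as $n | $n == "nginx-mailcow" or $n == "postfix-mailcow" or $n == "dovecot-mailcow") | .Id'`. The same `contains` lookup appears in watchdog.sh, in get_container_ip and in the restart loop, where it is matched against `${1}` and `${com_pipe_answer}`. In restart_containers (first hunk), the new `curl -X POST` line has no `--silent --fail` and its status is not checked, so a failed restart goes unnoticed, and `${container}` should be quoted inside the URL.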

+ 8 - 0
data/Dockerfiles/dockerapi/server.py

@@ -41,6 +41,14 @@ class container_post(Resource):
                     return 'Error'
                 else:
                     return 'OK'
+            elif post_action == 'restart':
+                try:
+                    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                        container.restart()
+                except:
+                    return 'Error'
+                else:
+                    return 'OK'
             else:
                 return jsonify(message='Invalid action')
         else:
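Review bot: The new `restart` branch returns 'OK' even when `containers.list(all=True, filters={"id": container_id})` matches nothing, because an empty loop still falls through to the `else:`, so callers in acme and watchdog.sh are told the restart happened when it did not. The bare `except:` also catches `SystemExit`/`KeyboardInterrupt` and drops the exception text, so a failing restart surfaces only as 'Error' with nothing in the logs; `except Exception` with a log line keeps the diagnostic. As far as I recall the Docker `id` filter matches on prefix, so a short id could restart more than one container; `docker_client.containers.get(container_id)`, which fails on ambiguity, is the stricter lookup — confirm against the docker SDK version in use. The hunk shows no check on which container may be restarted; if there is none elsewhere in the service, limiting the lookup to containers carrying the mailcow compose label would bound what a caller on the network can restart. The enclosing `container_post` class and its `post` method start outside the hunk.
```python
            elif post_action == 'restart':
                try:
                    matches = docker_client.containers.list(all=True, filters={"id": container_id})
                    if not matches:
                        return 'Error'
                    for container in matches:
                        container.restart()
                except Exception:
                    return 'Error'
                else:
                    return 'OK'
            # … unchanged: 'Invalid action' fallback …
```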

+ 4 - 4
data/Dockerfiles/watchdog/watchdog.sh

@@ -65,8 +65,8 @@ get_container_ip() {
   LOOP_C=1
   until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
-    CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
+    CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
     LOOP_C=$((LOOP_C + 1))
   done
   [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
@@ -366,11 +366,11 @@ while true; do
   if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
     kill -STOP ${BACKGROUND_TASKS[*]}
     sleep 3
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${com_pipe_answer}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
       log_to_redis "Sending restart command to ${CONTAINER_ID}..."
       echo "Sending restart command to ${CONTAINER_ID}..."
-      curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
+      curl --silent -XPOST http://dockerapi:8080/containers/${CONTAINER_ID}/restart
     fi
     echo "Wait for restarted container to settle and continue watching..."
     sleep 30s
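Review bot: The container lookup in the restart loop dropped the `?all=1` that the removed line carried, so `/containers/json` now lists only running containers; an exited `*-mailcow` container — the case this loop exists to recover from — yields an empty `CONTAINER_ID` and the restart is silently skipped because `if [[ ! -z ${CONTAINER_ID} ]]` simply falls through. If the dockerapi GET handler passes the query through (it is not part of this commit), restore it as `http://dockerapi:8080/containers/json?all=1`; the same drop is in get_container_ip, where it matters less since a stopped container has no IP. The new `curl --silent -XPOST` line discards the reply, and server.py's restart branch returns the plain string `Error` (an HTTP 200 in Flask), so neither `--fail` nor the exit status would reveal a failed restart; check the body instead: `RESP=$(curl --silent -XPOST "http://dockerapi:8080/containers/${CONTAINER_ID}/restart")` followed by `[[ ${RESP} == "OK" ]] || log_to_redis "Restart of ${CONTAINER_ID} failed: ${RESP}"`. The surrounding `while true` loop starts and ends outside the hunk.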

+ 2 - 4
docker-compose.yml

@@ -250,7 +250,7 @@ services:
       depends_on:
         - nginx-mailcow
         - mysql-mailcow
-      image: mailcow/acme:1.20
+      image: mailcow/acme:1.21
       build: ./data/Dockerfiles/acme
       init: true
       dns:
@@ -267,7 +267,6 @@ services:
         - ./data/web/.well-known/acme-challenge:/var/www/acme:rw
         - ./data/assets/ssl:/var/lib/acme/:rw
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
-        - /var/run/docker.sock:/var/run/docker.sock:ro
       restart: always
       networks:
         mailcow-network:
@@ -296,11 +295,10 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.4
+      image: mailcow/watchdog:1.5
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
         - vmail-vol-1:/vmail:ro
       restart: always
       environment: