This is a security-enhanced proxy for the Docker Socket.
Giving access to your Docker socket could mean giving root access to your host, or even to your whole swarm, but some services require hooking into that socket to react to events, etc. Using this proxy lets you block anything you consider those services should not do.
We use the official Alpine-based HAProxy image with a small configuration file. It blocks access to the Docker socket API according to the environment variables you set. It returns an HTTP 403 Forbidden status for those dangerous requests that should never happen.
Run the API proxy (the --privileged flag is required here because it connects to the Docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise):
$ docker container run \
-d --privileged \
--name dockerproxy \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 127.0.0.1:2375:2375 \
tecnativa/docker-socket-proxy
Connect your local docker client to that socket:
$ export DOCKER_HOST=tcp://localhost
You can see the docker version:
$ docker version
Client:
Version: 17.03.1-ce
API version: 1.27
Go version: go1.7.5
Git commit: c6d412e
Built: Mon Mar 27 17:14:43 2017
OS/Arch: linux/amd64
Server:
Version: 17.03.1-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: c6d412e
Built: Mon Mar 27 17:14:43 2017
OS/Arch: linux/amd64
Experimental: false
You cannot see running containers:
$ docker container ls
Error response from daemon: <html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
The same will happen to any containers that use this proxy’s 2375 port to access the Docker socket API.
You grant and revoke access to certain features of the Docker API through environment variables. Normally the variables match the URL prefix (e.g. AUTH blocks access to the /auth/* parts of the API, etc.).
Possible values for these variables:
0 to revoke access.
1 to grant access.

These API sections are mostly harmless and almost required for any service that uses the API, so they are granted by default:
EVENTS
PING
VERSION

These API sections are considered security-critical, and thus access is revoked by default. Use maximum caution when enabling these:
AUTH
SECRETS
POST: When disabled, only GET and HEAD operations are allowed, meaning any section of the API is read-only.

You will possibly need to grant access to some of these API sections, which are not so extremely critical but can expose some information that your service does not need:
BUILD
COMMIT
CONFIGS
CONTAINERS
DISTRIBUTION
EXEC
IMAGES
INFO
NETWORKS
NODES
PLUGINS
SERVICES
SESSION
SWARM
SYSTEM
TASKS
VOLUMES
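To make the rules above concrete, here is an added example that is not the project's haproxy.cfg and not code from the repository: a small Python policy model that evaluates a request's method and path against the environment variables the way the README describes them (the granted-by-default sections, the revoked-by-default ones, and the POST switch that keeps everything read-only when disabled). It also reproduces the walkthrough earlier on the page, where docker version is forwarded and docker container ls is answered with 403 under the defaults. Three things are assumptions of this model rather than statements on the page: the optional API version prefix (/v1.27/...) is stripped before matching, PING guards Docker's /_ping endpoint, and a path whose first segment matches no listed section is denied. All sample environments and paths are constructed for the example.

```python
"""Policy model of docker-socket-proxy's documented access rules.

Added example: this is NOT the project's haproxy.cfg and not code from the
repository. It mirrors the README's rules so you can check, offline, what a
given set of environment variables would let through before you expose the
socket. Assumptions not stated on the page are marked below.
"""
import re
from typing import Mapping, Optional

# README: granted by default because almost every API client needs them.
DEFAULT_GRANTED = frozenset({"EVENTS", "PING", "VERSION"})

# README: security-critical, revoked by default. POST is handled separately
# because it is a method switch, not a URL section.
CRITICAL = frozenset({"AUTH", "SECRETS"})

# README: "not so extremely critical" sections, still revoked by default.
OPTIONAL = frozenset({
    "BUILD", "COMMIT", "CONFIGS", "CONTAINERS", "DISTRIBUTION", "EXEC",
    "IMAGES", "INFO", "NETWORKS", "NODES", "PLUGINS", "SERVICES", "SESSION",
    "SWARM", "SYSTEM", "TASKS", "VOLUMES",
})

SECTIONS = DEFAULT_GRANTED | CRITICAL | OPTIONAL
READ_ONLY_METHODS = frozenset({"GET", "HEAD"})

# Assumption: Docker clients prefix calls with an API version (/v1.27/...),
# which this model ignores when matching the section.
_VERSION_PREFIX = re.compile(r"^/v\d+(?:\.\d+)*")


def is_granted(name: str, env: Mapping[str, str]) -> bool:
    """'1' grants, any other value revokes; unset falls back to README defaults."""
    value = env.get(name)
    if value is None:
        return name in DEFAULT_GRANTED
    return value.strip() == "1"


def section_of(path: str) -> Optional[str]:
    """Map a request path to the section name that guards it.

    /v1.27/containers/json?all=1 -> CONTAINERS
    /_ping                       -> PING   (assumption: Docker's ping path)
    unknown first segment        -> None   (assumption: denied)
    """
    path = _VERSION_PREFIX.sub("", path)
    first = path.lstrip("/").split("?", 1)[0].split("/", 1)[0]
    name = first.upper()
    if name == "_PING":
        name = "PING"
    return name if name in SECTIONS else None


def decide(method: str, path: str, env: Optional[Mapping[str, str]] = None) -> int:
    """Return 200 if the proxy would forward the request, 403 if it blocks it.

    Order follows the README: with POST revoked only GET/HEAD survive, then
    the URL section itself must be granted; anything unrecognised is refused.
    """
    env = env or {}
    if method.upper() not in READ_ONLY_METHODS and not is_granted("POST", env):
        return 403
    section = section_of(path)
    if section is None or not is_granted(section, env):
        return 403
    return 200


def audit(env: Mapping[str, str]) -> list:
    """List every section the environment opens, so a reviewer sees the
    effective API surface at a glance (POST appended when writes are allowed)."""
    opened = sorted(s for s in SECTIONS if is_granted(s, env))
    if is_granted("POST", env):
        opened.append("POST (write methods allowed)")
    return opened


if __name__ == "__main__":
    # Constructed walkthrough matching the README: defaults only.
    defaults: dict = {}
    print("docker version      ->", decide("GET", "/v1.27/version", defaults))
    print("docker container ls ->", decide("GET", "/v1.27/containers/json", defaults))
    # Constructed environment for a helper that only watches containers:
    # CONTAINERS opened, POST left at its default so the API stays read-only.
    readonly = {"CONTAINERS": "1"}
    print("list with CONTAINERS=1 ->", decide("GET", "/v1.27/containers/json", readonly))
    print("create with POST unset ->", decide("POST", "/v1.27/containers/create", readonly))
    print("effective surface      ->", audit(readonly))
```

The audit function is the part worth keeping around: before you hand a container the proxy's port, print the opened sections for the environment you intend to pass and confirm that POST is absent unless the service genuinely needs to write.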
All the dependencies you need to develop this project (apart from Docker itself) are managed with poetry.
To set up your development environment, run:
poetry install
To run the tests locally, add --prebuild to autobuild the image before testing:
poetry run pytest --prebuild
By default, the image that the tests use (and optionally prebuild) is named docker-socket-proxy:local. If you prefer, you can build it separately before testing, and remove the --prebuild flag, to run the tests with that image you built:
docker image build -t docker-socket-proxy:local .
poetry run pytest
If you want to use a different image, export the DOCKER_IMAGE_NAME env variable with the name you want:
# To build it automatically
env DOCKER_IMAGE_NAME=my_custom_image poetry run pytest --prebuild
# To prebuild it separately
docker image build -t my_custom_image .
env DOCKER_IMAGE_NAME=my_custom_image poetry run pytest
You can set the logging level, i.e. the severity level of the messages to be logged, with the environment variable LOG_LEVEL. The default value is info. Possible values are: debug, info, notice, warning, err, crit, alert and emerg.
Right now, the only supported tag in our container images is :latest. Any other tag you find in our Docker Hub image is deprecated.
We recommend using GitHub Container Registry instead.
Please send any issues to the issue tracker. For other kinds of feedback, you can use our forum.