mirror of https://github.com/Tecnativa/docker-socket-proxy (synced 2024-12-22 06:38:07 +00:00)
Apply autoprettier
parent 7bd86a5425
commit 0206be67e5
8
.github/workflows/test.yaml
vendored
@ -32,12 +32,12 @@ jobs:
|
||||
- name: Install python
|
||||
uses: actions/setup-python@v1
|
||||
with:
|
||||
python-version: '3.9'
|
||||
python-version: "3.9"
|
||||
- name: Generate cache key CACHE
|
||||
run:
|
||||
echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }}
|
||||
$(python -VV | sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }}
|
||||
${{ hashFiles('poetry.lock') }}" >> $GITHUB_ENV
|
||||
echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }} $(python -VV |
|
||||
sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }} ${{
|
||||
hashFiles('poetry.lock') }}" >> $GITHUB_ENV
|
||||
- uses: actions/cache@v2
|
||||
with:
|
||||
path: |
|
||||
|
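Review bot: The re-wrapped `run:` command for the cache key now breaks inside the `${{ hashFiles('poetry.lock') }}` expression and in the middle of the `python -VV | sha256sum` pipeline. Because `run:` is a plain multi-line scalar, YAML folds those line breaks into spaces and the command should stay equivalent, but the result is harder to read and easy to break in a later edit. Consider a `run: >-` folded block scalar with each `${{ ... }}` expression kept whole on one line, or exclude this step from the formatter.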
73
README.md
@ -11,36 +11,36 @@ This is a security-enhanced proxy for the Docker Socket.
|
||||
|
||||
## Why?
|
||||
|
||||
Giving access to your Docker socket could mean giving root access to your host,
|
||||
or even to your whole swarm, but some services require hooking into that socket
|
||||
to react to events, etc. Using this proxy lets you block anything you consider
|
||||
those services should not do.
|
||||
Giving access to your Docker socket could mean giving root access to your host, or even
|
||||
to your whole swarm, but some services require hooking into that socket to react to
|
||||
events, etc. Using this proxy lets you block anything you consider those services should
|
||||
not do.
|
||||
|
||||
## How?
|
||||
|
||||
We use the official [Alpine][]-based [HAProxy][] image with a small
|
||||
configuration file.
|
||||
We use the official [Alpine][]-based [HAProxy][] image with a small configuration file.
|
||||
|
||||
It blocks access to the Docker socket API according to the environment
|
||||
variables you set. It returns a `HTTP 403 Forbidden` status for those dangerous
|
||||
requests that should never happen.
|
||||
It blocks access to the Docker socket API according to the environment variables you
|
||||
set. It returns a `HTTP 403 Forbidden` status for those dangerous requests that should
|
||||
never happen.
|
||||
|
||||
## Security recommendations
|
||||
|
||||
- Never expose this container's port to a public network. Only to a Docker
|
||||
networks where only reside the proxy itself and the service that uses it.
|
||||
- Revoke access to any API section that you consider your service should not
|
||||
need.
|
||||
- This image does not include TLS support, just plain HTTP proxy to the host
|
||||
Docker Unix socket (which is not TLS protected even if you configured your
|
||||
host for TLS protection). This is by design because you are supposed to
|
||||
restrict access to it through Docker's built-in firewall.
|
||||
- [Read the docs](#suppported-api-versions) for the API version you are using,
|
||||
and **know what you are doing**.
|
||||
- Never expose this container's port to a public network. Only to a Docker networks
|
||||
where only reside the proxy itself and the service that uses it.
|
||||
- Revoke access to any API section that you consider your service should not need.
|
||||
- This image does not include TLS support, just plain HTTP proxy to the host Docker
|
||||
Unix socket (which is not TLS protected even if you configured your host for TLS
|
||||
protection). This is by design because you are supposed to restrict access to it
|
||||
through Docker's built-in firewall.
|
||||
- [Read the docs](#suppported-api-versions) for the API version you are using, and
|
||||
**know what you are doing**.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Run the API proxy (`--privileged` flag is required here because it connects with the docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise):
|
||||
1. Run the API proxy (`--privileged` flag is required here because it connects with the
|
||||
docker socket, which is a privileged connection in some SELinux/AppArmor contexts
|
||||
and would get locked otherwise):
|
||||
|
||||
$ docker container run \
|
||||
-d --privileged \
|
||||
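Review bot: The re-wrapped security recommendations keep the link target `#suppported-api-versions` (three p's); check that it matches the generated anchor of the heading it points to, otherwise the "Read the docs" link goes nowhere. While these lines are being touched, the first bullet's "Only to a Docker networks where only reside the proxy itself" could be reworded, for example "Only expose it to a Docker network shared by the proxy and the service that uses it".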
@ -80,16 +80,16 @@ requests that should never happen.
|
||||
Request forbidden by administrative rules.
|
||||
</body></html>
|
||||
|
||||
The same will happen to any containers that use this proxy's `2375` port to
|
||||
access the Docker socket API.
|
||||
The same will happen to any containers that use this proxy's `2375` port to access the
|
||||
Docker socket API.
|
||||
|
||||
## Grant or revoke access to certain API sections
|
||||
|
||||
You grant and revoke access to certain features of the Docker API through
|
||||
environment variables.
|
||||
You grant and revoke access to certain features of the Docker API through environment
|
||||
variables.
|
||||
|
||||
Normally the variables match the URL prefix (i.e. `AUTH` blocks access to
|
||||
`/auth/*` parts of the API, etc.).
|
||||
Normally the variables match the URL prefix (i.e. `AUTH` blocks access to `/auth/*`
|
||||
parts of the API, etc.).
|
||||
|
||||
Possible values for these variables:
|
||||
|
||||
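Review bot: The re-flowed sentence "`AUTH` blocks access to `/auth/*`" sits right after a paragraph saying the variables "grant and revoke" access, so a reader cannot tell whether setting `AUTH` opens or closes that section. Reword it to say the variable controls access to the matching URL prefix and leave the direction to the "Possible values" list. "i.e." introduces an example here and should be "e.g.".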
@ -98,8 +98,8 @@ Possible values for these variables:
|
||||
|
||||
### Access granted by default
|
||||
|
||||
These API sections are mostly harmless and almost required for any service that
|
||||
uses the API, so they are granted by default.
|
||||
These API sections are mostly harmless and almost required for any service that uses the
|
||||
API, so they are granted by default.
|
||||
|
||||
- `EVENTS`
|
||||
- `PING`
|
||||
@ -109,19 +109,18 @@ uses the API, so they are granted by default.
|
||||
|
||||
#### Security-critical
|
||||
|
||||
These API sections are considered security-critical, and thus access is revoked
|
||||
by default. Maximum caution when enabling these.
|
||||
These API sections are considered security-critical, and thus access is revoked by
|
||||
default. Maximum caution when enabling these.
|
||||
|
||||
- `AUTH`
|
||||
- `SECRETS`
|
||||
- `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning
|
||||
any section of the API is read-only.
|
||||
- `POST`: When disabled, only `GET` and `HEAD` operations are allowed, meaning any
|
||||
section of the API is read-only.
|
||||
|
||||
#### Not always needed
|
||||
|
||||
You will possibly need to grant access to some of these API sections, which are
|
||||
not so extremely critical but can expose some information that your service
|
||||
does not need.
|
||||
You will possibly need to grant access to some of these API sections, which are not so
|
||||
extremely critical but can expose some information that your service does not need.
|
||||
|
||||
- `BUILD`
|
||||
- `COMMIT`
|
||||
@ -159,6 +158,6 @@ You can set the logging level or severity level of the messages to be logged wit
|
||||
|
||||
Please send any feedback (issues, questions) to the [issue tracker][].
|
||||
|
||||
[Alpine]: https://alpinelinux.org/
|
||||
[HAProxy]: http://www.haproxy.org/
|
||||
[alpine]: https://alpinelinux.org/
|
||||
[haproxy]: http://www.haproxy.org/
|
||||
[issue tracker]: https://github.com/Tecnativa/docker-socket-proxy/issues
|
||||
|
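Review bot: The `[haproxy]` reference still points at `http://www.haproxy.org/`; since the definition line is being rewritten anyway, switch it to `https://`. Lowercasing the labels is safe because Markdown reference labels match case-insensitively, so `[Alpine][]` and `[HAProxy][]` in the body still resolve.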
@ -1,10 +1,7 @@
|
||||
|
||||
import pytest
|
||||
import logging
|
||||
|
||||
from plumbum import ProcessExecutionError, local
|
||||
from plumbum import ProcessExecutionError
|
||||
from plumbum.cmd import docker
|
||||
from plumbum.machines.local import LocalCommand
|
||||
|
||||
logger = logging.getLogger()
|
||||
|
||||
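Review bot: The import block in this hunk loses `import pytest`, `local` and `LocalCommand` (the header goes from 10 lines to 7), which is unused-import removal rather than formatting; the commit message "Apply autoprettier" should say so, so that a reader scanning history does not assume the commit is whitespace-only. Separately, `logging.getLogger()` returns the root logger; `logging.getLogger(__name__)` keeps the test's messages attributable.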
@ -13,18 +10,19 @@ SOCKET_PROXY = "127.0.0.1:2375"
|
||||
|
||||
|
||||
def _start_proxy(
|
||||
container_name=CONTAINER_NAME,
|
||||
socket_proxy=SOCKET_PROXY,
|
||||
extra_args=None
|
||||
container_name=CONTAINER_NAME, socket_proxy=SOCKET_PROXY, extra_args=None
|
||||
):
|
||||
logger.info(f"Starting {container_name} with args: {extra_args}...")
|
||||
docker(
|
||||
"run",
|
||||
"-d",
|
||||
"--name", container_name,
|
||||
"--name",
|
||||
container_name,
|
||||
"--privileged",
|
||||
"-v", "/var/run/docker.sock:/var/run/docker.sock",
|
||||
"-p", f"{socket_proxy}:2375",
|
||||
"-v",
|
||||
"/var/run/docker.sock:/var/run/docker.sock",
|
||||
"-p",
|
||||
f"{socket_proxy}:2375",
|
||||
extra_args,
|
||||
"tecnativa/docker-socket-proxy",
|
||||
)
|
||||
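Review bot: In `_start_proxy`, `extra_args` defaults to `None` and is then passed straight through as a positional argument to `docker(...)`, so a call that relies on the default hands `None` to the command between the `-p` value and the image name. Default it to an empty sequence or normalise it inside the function (`extra_args = extra_args or []`) before building the call.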
@ -86,7 +84,6 @@ def test_default_permissions():
|
||||
_check_permission("forbidden", ["build", "."])
|
||||
_check_permission("forbidden", ["swarm", "init"])
|
||||
finally:
|
||||
pass
|
||||
_stop_and_delete_proxy()
|
||||
|
||||
|
||||
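Review bot: The `finally:` block that calls `_stop_and_delete_proxy()` is repeated in `test_default_permissions` here and again in `test_container_permissions`, `test_post_permissions` and `test_network_post_permissions` in the hunks that follow. A single pytest fixture that starts the proxy, yields and then stops it would guarantee cleanup in one place; note that this needs the `import pytest` line back. The dropped `pass` ahead of the call is a harmless removal.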
@ -100,7 +97,6 @@ def test_container_permissions():
|
||||
_check_permission("forbidden", ["rm", "-f", CONTAINER_NAME])
|
||||
_check_permission("forbidden", ["restart", CONTAINER_NAME])
|
||||
finally:
|
||||
pass
|
||||
_stop_and_delete_proxy()
|
||||
|
||||
|
||||
@ -112,7 +108,6 @@ def test_post_permissions():
|
||||
_check_permission("forbidden", ["run", "--rm", "alpine"])
|
||||
_check_permission("forbidden", ["network", "create", "foobar"])
|
||||
finally:
|
||||
pass
|
||||
_stop_and_delete_proxy()
|
||||
|
||||
|
||||
@ -123,5 +118,4 @@ def test_network_post_permissions():
|
||||
_check_permission("allowed", ["network", "create", "foo"])
|
||||
_check_permission("allowed", ["network", "rm", "foo"])
|
||||
finally:
|
||||
pass
|
||||
_stop_and_delete_proxy()
|