From ed1ab31983e4c299617e462b3cae314d4822e4b0 Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 13:02:51 +0100
Subject: [PATCH 1/6] ADD unix-socket
---
 Dockerfile | 1 +
 haproxy.cfg | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 86ac4b4..8b323ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,7 @@ ENV AUTH=0 \
 VERSION=1 \
 VOLUMES=0
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+VOLUME /run/docker-filtered
 # Metadata
 ARG VCS_REF
diff --git a/haproxy.cfg b/haproxy.cfg
index e63785b..d7f5dd0 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -40,7 +40,7 @@ backend dockerbackend
 server dockersocket /var/run/docker.sock
 frontend dockerfrontend
- bind :2375
+ bind :2375,/run/docker-filtered/docker.sock
 http-request deny unless METH_GET || { env(POST) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
From 7734dc691137936cc181c354a28b21a7cfa6aa80 Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 18:19:11 +0100
Subject: [PATCH 2/6] FIX deprecated instruction MAINTAINER
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 8b323ea..d942543 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM haproxy:1.7-alpine
-MAINTAINER Tecnativa
+LABEL maintainer="Tecnativa "
 EXPOSE 2375
 ENV AUTH=0 \
From ccc7b4ca8efabc34f65b90707bbb32a4ee9e168a Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 18:20:15 +0100
Subject: [PATCH 3/6] UPDATE version
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index d942543..c66b1f9 100644
--- a/Dockerfile
+++ b/Dockerfile
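Review bot: The unix socket added to `bind` in frontend dockerfrontend gets whatever permissions the process umask yields, because nothing on the new side sets them, and once `/run/docker-filtered` is exported through the `VOLUME` added in this patch's Dockerfile hunk, anyone on the host who can open that socket gets the same filtered Docker API as the TCP listener. Give the socket its own bind line with explicit permission options (`mode`, plus `user`/`group` where the deployment has them), e.g. `bind :2375` and `bind /run/docker-filtered/docker.sock mode 660`, rather than relying on the umask. The same applies to the `bind /run/docker-filtered/docker.sock` line in frontend docker-disk added by the PATCH 5/6 haproxy.cfg hunk `@@ -53,4 +49,16 @@`. The rest of frontend dockerfrontend continues outside the hunk.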
@@ -28,9 +28,10 @@ VOLUME /run/docker-filtered
 # Metadata
 ARG VCS_REF
 ARG BUILD_DATE
-LABEL org.label-schema.schema-version="1.0" \
+LABEL org.label-schema.schema-version="1.1" \
 org.label-schema.vendor=Tecnativa \
 org.label-schema.license=Apache-2.0 \
 org.label-schema.build-date="$BUILD_DATE" \
 org.label-schema.vcs-ref="$VCS_REF" \
 org.label-schema.vcs-url="https://github.com/Tecnativa/docker-tcp-proxy"
+
From 75c582ca1128b345d675f58b8c5b6acf68a1a651 Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 18:21:19 +0100
Subject: [PATCH 4/6] REMOVE options matching them default value
---
 haproxy.cfg | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/haproxy.cfg b/haproxy.cfg
index d7f5dd0..0470044 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -27,15 +27,6 @@ defaults
 # Allow seamless reloads
 load-server-state-from-file global
- # Use provided example error pages
- errorfile 400 /usr/local/etc/haproxy/errors/400.http
- errorfile 403 /usr/local/etc/haproxy/errors/403.http
- errorfile 408 /usr/local/etc/haproxy/errors/408.http
- errorfile 500 /usr/local/etc/haproxy/errors/500.http
- errorfile 502 /usr/local/etc/haproxy/errors/502.http
- errorfile 503 /usr/local/etc/haproxy/errors/503.http
- errorfile 504 /usr/local/etc/haproxy/errors/504.http
-
 backend dockerbackend
 server dockersocket /var/run/docker.sock
From 536813c6891727c7c8a92b03ea6cf0af86ee23a4 Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 18:23:19 +0100
Subject: [PATCH 5/6] ADD logic for a unix-socket frontend
---
 Dockerfile | 6 ++++--
 haproxy.cfg | 16 ++++++++++++----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c66b1f9..6b4bc16 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ FROM haproxy:1.7-alpine
 LABEL maintainer="Tecnativa "
 EXPOSE 2375
+VOLUME /run/docker-filtered
 ENV AUTH=0 \
 BUILD=0 \
 COMMIT=0 \
@@ -21,9 +22,10 @@ ENV AUTH=0 \
 SYSTEM=0 \
 TASKS=0 \
 VERSION=1 \
- VOLUMES=0
+ VOLUMES=0 \
+ SOCK_NETWORK=1 \
+ SOCK_DISK=1
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-VOLUME /run/docker-filtered
 # Metadata
 ARG VCS_REF
diff --git a/haproxy.cfg b/haproxy.cfg
index 0470044..e6cc2af 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -28,10 +28,6 @@ defaults
 load-server-state-from-file global
 backend dockerbackend
- server dockersocket /var/run/docker.sock
-
-frontend dockerfrontend
- bind :2375,/run/docker-filtered/docker.sock
 http-request deny unless METH_GET || { env(POST) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
@@ -53,4 +49,16 @@ frontend dockerfrontend
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } ! { env(TASKS) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } ! { env(VERSION) -m bool }
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } ! { env(VOLUMES) -m bool }
+
+ server dockersocket /var/run/docker.sock
+
+frontend docker-network
+ bind :2375
+ http-request deny if ! { env(SOCK_NETWORK) -m bool }
 default_backend dockerbackend
+
+frontend docker-disk
+ bind /run/docker-filtered/docker.sock
+ http-request deny if ! { env(SOCK_DISK) -m bool }
+ default_backend dockerbackend
+
From 93487b91531a3e4725bab5ff838edd74560e187d Mon Sep 17 00:00:00 2001
From: Cell <>
Date: Sat, 17 Feb 2018 18:46:28 +0100
Subject: [PATCH 6/6] ADD documentation to README.md
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index c7642bd..ddda480 100644
--- a/README.md
+++ b/README.md
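Review bot: `SOCK_NETWORK=1 \` and `SOCK_DISK=1` are appended after `VOLUMES=0`, which breaks the alphabetical order the surrounding entries keep (SYSTEM, TASKS, VERSION, VOLUMES); move them up so `SOCK_DISK=1 \` and `SOCK_NETWORK=1 \` sit just before `SYSTEM=0 \`, leaving `VOLUMES=0` as the last entry. Both new flags also default to enabled, and the haproxy.cfg hunk in this same patch binds port 2375 and the unix socket unconditionally, so a reader of the Dockerfile cannot tell from these lines that `0` only rejects requests rather than removing the listener. A short comment on the two lines, e.g. `# listener switches: 0 rejects every request, the port/socket itself stays bound`, would make that clear next to the defaults. The `ENV AUTH=0 \` instruction these lines belong to starts outside the hunk.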
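Review bot: Setting `SOCK_NETWORK` or `SOCK_DISK` to 0 does not close the matching listener: `bind :2375` and `bind /run/docker-filtered/docker.sock` are unconditional, and the new `http-request deny if ! { env(SOCK_NETWORK) -m bool }` and `http-request deny if ! { env(SOCK_DISK) -m bool }` rules only answer each request with a deny after the connection has been accepted, so the port remains reachable and the socket file is still created on the volume. That may be the intended trade-off, but it should be written down where operators read it, e.g. above frontend docker-network: `# SOCK_NETWORK / SOCK_DISK = 0 rejects every request on that listener; the port or socket itself stays bound`. The permission options the unix-socket `bind` is missing are raised on the PATCH 1/6 haproxy.cfg hunk. backend dockerbackend, which the added `server dockersocket` line closes, starts outside the hunk.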
@@ -46,6 +46,7 @@ requests that should never happen.
 -d --privileged \
 --name dockerproxy \
 -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /run/docker-filtered:/run/docker-filtered \
 -p 127.0.0.1:2375:2375 \
 tecnativa/docker-socket-proxy
@@ -53,6 +54,10 @@ requests that should never happen.
 $ export DOCKER_HOST=tcp://localhost
+or
+
+ $ export DOCKER_HOST=unix:///run/docker-filtered/docker.sock
+
 3. You can see the docker version:
 $ docker version
@@ -138,6 +143,13 @@ does not need.
 - `TASKS`
 - `VOLUMES`
+## Grant or revoke access to API listener
+There are two listeners for the API and each of them can be disable the same way as the previous features:
+- `SOCK_NETWORK` for the port tcp/2375
+- `SOCK_DISK` for `/run/docker-filtered/docker.sock`
 ## Supported API versions
 - [1.27](https://docs.docker.com/engine/api/v1.27/)