diff --git a/Dockerfile b/Dockerfile
index 6e8ec04..c68d4d6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM haproxy:2.2-alpine
+FROM haproxy:lts-alpine
 EXPOSE 2375
 ENV ALLOW_RESTARTS=0 \
@@ -32,4 +32,4 @@ ENV ALLOW_RESTARTS=0 \
 VERSION=1 \
 VOLUMES=0
 COPY docker-entrypoint.sh /usr/local/bin/
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg.template
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
\ No newline at end of file
diff --git a/README.md b/README.md
index a9de927..ce71753 100644
--- a/README.md
+++ b/README.md
@@ -37,17 +37,20 @@ never happen.
 ## Usage
-1. Run the API proxy (`--privileged` flag is required here because it connects with the docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise):
+1. Run the API proxy:
 $ docker container run \
- -d --privileged \
+ -d \
+ --group-add "$(getent group docker | cut -d: -f3)" \
 --name dockerproxy \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -p 127.0.0.1:2375:2375 \
 tecnativa/docker-socket-proxy
+ The `--group-add` adds the container's user (`haproxy`) to the `docker` group, allowing access to the Docker socket. This assumes that the `docker` group exists and has access to the Docker socket.
+
+ An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked.
+
 2. Connect your local docker client to that socket:
 $ export DOCKER_HOST=tcp://localhost:2375
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index c328d3a..59f703b 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
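Review bot: `FROM haproxy:lts-alpine` swaps a minor-pinned tag for a floating alias that is re-pointed whenever upstream promotes a new LTS line, so the same Dockerfile will quietly build a different major version later, and the quoted-env `bind` syntax and non-root assumptions introduced elsewhere in this change are only validated against whatever `lts` resolves to today. Pin the minor the change was tested against and, for release builds, the digest, e.g. `FROM haproxy:<major.minor>-alpine@sha256:<digest>`, and let a dependency bot propose bumps. If the jump past 2.4 is what makes the image run as the unprivileged `haproxy` user (which is what the pidfile and `--group-add` changes in this diff suggest, though this hunk does not show it), a one-line comment above `FROM` stating that would spare the next reader the archaeology.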
@@ -4,19 +4,18 @@ set -e
 # Normalize the input for DISABLE_IPV6 to lowercase
 DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
-# Check for different representations of 'true' and set BIND_CONFIG
+# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
 case "$DISABLE_IPV6_LOWER" in
 1|true|yes)
- BIND_CONFIG=":2375"
+ export BIND_PORT=':2375'
+ export BIND_OPTIONS=''
 ;;
 *)
- BIND_CONFIG="[::]:2375 v4v6"
+ export BIND_PORT=':::2375'
+ export BIND_OPTIONS='v4v6'
 ;;
 esac
-# Process the HAProxy configuration template using sed
-sed "s/\${BIND_CONFIG}/$BIND_CONFIG/g" /usr/local/etc/haproxy/haproxy.cfg.template > /usr/local/etc/haproxy/haproxy.cfg
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 set -- haproxy "$@"
diff --git a/haproxy.cfg b/haproxy.cfg
index 43e3526..352d6e8 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -1,7 +1,7 @@
 global
 log stdout format raw daemon "${LOG_LEVEL}"
- pidfile /run/haproxy.pid
+ pidfile /tmp/haproxy.pid
 maxconn 4000
 # Turn on stats unix socket
@@ -44,7 +44,7 @@ backend docker-events
 timeout server 0
 frontend dockerfrontend
- bind ${BIND_CONFIG}
+ bind "$BIND_PORT" "$BIND_OPTIONS"
 http-request deny unless METH_GET || { env(POST) -m bool }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
diff --git a/tests/conftest.py b/tests/conftest.py
index 4324a54..e3c1d0a 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -1,6 +1,7 @@
 import json
 import logging
 import time
+import grp
 from contextlib import contextmanager
 from pathlib import Path
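Review bot: The new `export BIND_PORT=':::2375'` in the `*)` branch is a bind address, not a port, and the triple-colon spelling is opaque enough that the next maintainer will "fix" it to `[::]:2375` or treat it as a typo; add a comment on that line such as `# HAProxy reads ":::2375" as [::]:2375; v4v6 makes the one IPv6 socket accept IPv4 too`. The name mismatch (`BIND_PORT` holding an address) would be better as `BIND_ADDR`, but the name is shared with haproxy.cfg, so only rename if both sides move together. With the `sed` step gone, these exports are the only channel carrying the `DISABLE_IPV6` decision into HAProxy, so a comment above the `case` should say that haproxy.cfg expands them at parse time and they must stay before whatever exec's `haproxy` — the rest of the script, including that exec, is outside this hunk.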
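Review bot: `pidfile /tmp/haproxy.pid` moves the pid file into a world-writable directory, which is where symlink and pre-creation races live; HAProxy, as far as I know, creates the pid file with create-and-truncate rather than exclusive create, so any other process able to write `/tmp` in the container could pre-plant a link and have HAProxy truncate a writable target. In a single-process container running as `haproxy` the exposure is small, but a directory owned by that user is the better home (whatever directory the stats socket just below the hunk uses, if it is writable), and if HAProxy runs in the foreground here the `pidfile` line can simply be dropped. Whichever is kept, put a why-comment above it; the move reads as a workaround for `/run` not being writable by the unprivileged user, but that is inferred from the rest of the diff, not shown here.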
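Review bot: `bind "$BIND_PORT" "$BIND_OPTIONS"` has no fallback, so running the config without the entrypoint (`docker run --entrypoint haproxy …`, a `haproxy -c -f haproxy.cfg` lint step, or any wrapper that forgets the exports) expands the address to an empty string and the frontend fails at parse time, while the trailing empty `"$BIND_OPTIONS"` argument relies on HAProxy stopping keyword parsing at an empty token. HAProxy's `${VAR-default}` form applies only when the variable is unset (an exported empty `BIND_OPTIONS` stays empty), so `bind "${BIND_PORT-:::2375}" "${BIND_OPTIONS-v4v6}"` keeps the file valid on its own while the entrypoint still overrides both. A comment above the line, e.g. `# BIND_PORT/BIND_OPTIONS are exported by docker-entrypoint.sh from DISABLE_IPV6`, would tell the reader where the values come from. The rest of `frontend dockerfrontend` continues past the hunk.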
@@ -56,6 +57,7 @@ def proxy_factory(image):
 @contextmanager
 def _proxy(**env_vars):
 container_id = None
+ docker_gid = grp.getgrnam("docker").gr_gid
 env_list = [f"--env={key}={value}" for key, value in env_vars.items()]
 _logger.info(f"Starting {image} container with: {env_list}")
 try:
@@ -66,6 +68,7 @@ def proxy_factory(image):
 "--privileged",
 "--publish=2375",
 "--volume=/var/run/docker.sock:/var/run/docker.sock",
+ f"--group-add={docker_gid}",
 *env_list,
 image,
 ).strip()
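Review bot: `docker_gid = grp.getgrnam("docker").gr_gid` raises `KeyError` on any host without a group literally named `docker` (rootless Docker, Docker Desktop, many CI runners), and where the group does exist it is not necessarily the group that owns the socket being mounted. Since the fixture already bind-mounts `/var/run/docker.sock`, derive the gid from the object that matters: `docker_gid = os.stat("/var/run/docker.sock").st_gid` (importing `os` if the module does not already), which also makes the new `grp` import unnecessary. If the name lookup is kept on purpose, catch `KeyError` and skip the fixture with a clear message rather than erroring every test. `_proxy` continues past the hunk.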
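Review bot: The test container still passes `"--privileged"` two lines above the new `f"--group-add={docker_gid}"`, so the suite keeps running the proxy with every capability and no seccomp/AppArmor confinement and cannot tell whether group membership alone lets the `haproxy` user reach the socket — which is exactly what the README in this same change now promises. Drop `"--privileged"` from this argument list so CI exercises the unprivileged path, and make it opt-in (an environment variable or marker) for the SELinux/AppArmor hosts the README mentions. The `run(...)` call this list belongs to starts before the hunk.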