Merge 593f1808ce
into 0e8d6601b6
This commit is contained in:
commit
4bed1f766a
8
.github/workflows/ci.yml
vendored
8
.github/workflows/ci.yml
vendored
@ -29,7 +29,7 @@ env:
|
||||
|
||||
jobs:
|
||||
build-test:
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
strategy:
|
||||
matrix:
|
||||
python:
|
||||
@ -47,7 +47,7 @@ jobs:
|
||||
echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }} $(python -VV |
|
||||
sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }} ${{
|
||||
hashFiles('poetry.lock') }}" >> $GITHUB_ENV
|
||||
- uses: actions/cache@v2
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: |
|
||||
.cache.~
|
||||
@ -61,7 +61,7 @@ jobs:
|
||||
# Run tests
|
||||
- run: poetry run pytest --prebuild
|
||||
build-push:
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
services:
|
||||
registry:
|
||||
image: registry:2
|
||||
@ -74,7 +74,7 @@ jobs:
|
||||
steps:
|
||||
# Set up Docker Environment
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/cache@v2
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: |
|
||||
/tmp/.buildx-cache
|
||||
|
@ -1,4 +1,4 @@
|
||||
FROM haproxy:2.2-alpine
|
||||
FROM haproxy:lts-alpine
|
||||
|
||||
EXPOSE 2375
|
||||
ENV ALLOW_RESTARTS=0 \
|
||||
@ -32,4 +32,6 @@ ENV ALLOW_RESTARTS=0 \
|
||||
VERSION=1 \
|
||||
VOLUMES=0
|
||||
COPY docker-entrypoint.sh /usr/local/bin/
|
||||
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg.template
|
||||
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
|
||||
COPY start-haproxy.sh /usr/local/bin/
|
||||
USER root
|
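Review bot: `FROM haproxy:lts-alpine` is a floating tag, so every rebuild may silently move to a different HAProxy major release, while the new `bind "$BIND_PORT" "$BIND_OPTIONS"` line in haproxy.cfg and the `-W -db` flags added by the entrypoint depend on HAProxy config and CLI behaviour that does change between releases; pin the base to an explicit version tag or a digest, e.g. `FROM haproxy:lts-alpine@sha256:<digest-placeholder>`, and let a dependency bot move it. The added `USER root` also deserves a comment stating why root is needed, since the entrypoint visibly drops to the haproxy user afterwards: `# root is needed only for the group setup in docker-entrypoint.sh, which switches to the haproxy user before starting haproxy`. The file header for this section is not visible on the page, so the path is inferred from the content.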
@ -37,17 +37,17 @@ never happen.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Run the API proxy (`--privileged` flag is required here because it connects with the
|
||||
docker socket, which is a privileged connection in some SELinux/AppArmor contexts
|
||||
and would get locked otherwise):
|
||||
1. Run the API proxy:
|
||||
|
||||
$ docker container run \
|
||||
-d --privileged \
|
||||
-d \
|
||||
--name dockerproxy \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-p 127.0.0.1:2375:2375 \
|
||||
tecnativa/docker-socket-proxy
|
||||
|
||||
An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked.
|
||||
|
||||
2. Connect your local docker client to that socket:
|
||||
|
||||
$ export DOCKER_HOST=tcp://localhost:2375
|
||||
|
@ -1,33 +1,9 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
# Normalize the input for DISABLE_IPV6 to lowercase
|
||||
DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
|
||||
# add haproxy user to group of docker socket
|
||||
DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")
|
||||
adduser haproxy "$DOCKER_GROUP"
|
||||
|
||||
# Check for different representations of 'true' and set BIND_CONFIG
|
||||
case "$DISABLE_IPV6_LOWER" in
|
||||
1|true|yes)
|
||||
BIND_CONFIG=":2375"
|
||||
;;
|
||||
*)
|
||||
BIND_CONFIG="[::]:2375 v4v6"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Process the HAProxy configuration template using sed
|
||||
sed "s/\${BIND_CONFIG}/$BIND_CONFIG/g" /usr/local/etc/haproxy/haproxy.cfg.template > /usr/local/etc/haproxy/haproxy.cfg
|
||||
|
||||
# first arg is `-f` or `--some-option`
|
||||
if [ "${1#-}" != "$1" ]; then
|
||||
set -- haproxy "$@"
|
||||
fi
|
||||
|
||||
if [ "$1" = 'haproxy' ]; then
|
||||
shift # "haproxy"
|
||||
# if the user wants "haproxy", let's add a couple useful flags
|
||||
# -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
|
||||
# -db -- disables background mode
|
||||
set -- haproxy -W -db "$@"
|
||||
fi
|
||||
|
||||
exec "$@"
|
||||
# continue as haproxy user, preserving entrypoint parameters
|
||||
su -s /bin/sh -c 'start-haproxy.sh "$@"' haproxy -- "$@"
|
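Review bot: `DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")` resolves the socket's owning group by name inside the container, but the host's docker gid usually has no entry in the Alpine image's /etc/group; stat then appears to print a placeholder such as `UNKNOWN`, `adduser haproxy "$DOCKER_GROUP"` fails and `set -e` aborts the container, and when the gid does happen to match a built-in group (or the socket is root-owned) the haproxy user is added to an unrelated group such as `root`, which is broader than the socket it needs. Working with the numeric gid and creating a dedicated group for it when none exists keeps the grant scoped to the socket and makes startup independent of the host's group naming. The test fixture's `--group-add` presumably does not cover this, since `su` re-initialises the supplementary groups of the target user.
```sh
# add haproxy user to the group owning the docker socket, by numeric gid,
# so this works even when that gid has no name inside the container
DOCKER_GID=$(stat -c %g "$SOCKET_PATH")
DOCKER_GROUP=$(awk -F: -v gid="$DOCKER_GID" '$3 == gid { print $1; exit }' /etc/group)
if [ -z "$DOCKER_GROUP" ]; then
    DOCKER_GROUP=dockersock
    addgroup -g "$DOCKER_GID" "$DOCKER_GROUP"
fi
adduser haproxy "$DOCKER_GROUP"
# … unchanged: su to the haproxy user …
```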
@ -1,7 +1,7 @@
|
||||
global
|
||||
log stdout format raw daemon "${LOG_LEVEL}"
|
||||
|
||||
pidfile /run/haproxy.pid
|
||||
pidfile /tmp/haproxy.pid
|
||||
maxconn 4000
|
||||
|
||||
# Turn on stats unix socket
|
||||
@ -44,7 +44,7 @@ backend docker-events
|
||||
timeout server 0
|
||||
|
||||
frontend dockerfrontend
|
||||
bind ${BIND_CONFIG}
|
||||
bind "$BIND_PORT" "$BIND_OPTIONS"
|
||||
http-request deny unless METH_GET || { env(POST) -m bool }
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
|
||||
|
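Review bot: `bind "$BIND_PORT" "$BIND_OPTIONS"` reads two environment variables that nothing in this file documents; a reader of the config cannot tell that they are exported by start-haproxy.sh from DISABLE_IPV6, nor that haproxy now expands them itself at config load since the sed template step was removed. Add above the line `# BIND_PORT and BIND_OPTIONS are exported by start-haproxy.sh from DISABLE_IPV6 (see the case block there)`. The first hunk's `pidfile /tmp/haproxy.pid` likewise moves without a stated reason — presumably because the haproxy user cannot write to /run — and a comment confirming that, e.g. `# /tmp because haproxy runs unprivileged and cannot write /run`, would stop a later maintainer moving it back.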
@ -3,6 +3,7 @@ name = "docker-socket-proxy"
|
||||
version = "0.0.0"
|
||||
description = ""
|
||||
authors = ["Tecnativa"]
|
||||
package-mode = false
|
||||
|
||||
[tool.poetry.dependencies]
|
||||
python = "^3.8"
|
||||
|
32
start-haproxy.sh
Executable file
32
start-haproxy.sh
Executable file
@ -0,0 +1,32 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
# Normalize the input for DISABLE_IPV6 to lowercase
|
||||
DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
|
||||
case "$DISABLE_IPV6_LOWER" in
|
||||
1|true|yes)
|
||||
export BIND_PORT=':2375'
|
||||
export BIND_OPTIONS=''
|
||||
;;
|
||||
*)
|
||||
export BIND_PORT=':::2375'
|
||||
export BIND_OPTIONS='v4v6'
|
||||
;;
|
||||
esac
|
||||
|
||||
# first arg is `-f` or `--some-option`
|
||||
if [ "${1#-}" != "$1" ]; then
|
||||
set -- haproxy "$@"
|
||||
fi
|
||||
|
||||
if [ "$1" = 'haproxy' ]; then
|
||||
shift # "haproxy"
|
||||
# if the user wants "haproxy", let's add a couple useful flags
|
||||
# -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
|
||||
# -db -- disables background mode
|
||||
set -- haproxy -W -db "$@"
|
||||
fi
|
||||
|
||||
exec "$@"
|
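Review bot: The `*)` branch treats every value of DISABLE_IPV6 other than `1|true|yes` — including `on` or a typo such as `ture` — as "keep IPv6", so a misconfiguration silently widens the listener to `:::2375` instead of failing; an explicit `0|false|no|'')` branch with the catch-all rejecting unknown values makes it fail closed. The file also lacks a comment saying who runs it and what it produces: `# Runs as the unprivileged haproxy user (invoked from docker-entrypoint.sh); exports BIND_PORT/BIND_OPTIONS, which haproxy.cfg reads on its bind line.`
```sh
case "$DISABLE_IPV6_LOWER" in
    1|true|yes)
        export BIND_PORT=':2375'
        export BIND_OPTIONS=''
        ;;
    0|false|no|'')
        export BIND_PORT=':::2375'
        export BIND_OPTIONS='v4v6'
        ;;
    *)
        echo "DISABLE_IPV6='$DISABLE_IPV6' is not a recognised boolean" >&2
        exit 1
        ;;
esac
# … unchanged: haproxy argument handling and exec …
```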
@ -1,6 +1,7 @@
|
||||
import json
|
||||
import logging
|
||||
import time
|
||||
import grp
|
||||
from contextlib import contextmanager
|
||||
from pathlib import Path
|
||||
|
||||
@ -56,6 +57,7 @@ def proxy_factory(image):
|
||||
@contextmanager
|
||||
def _proxy(**env_vars):
|
||||
container_id = None
|
||||
docker_gid = grp.getgrnam("docker").gr_gid
|
||||
env_list = [f"--env={key}={value}" for key, value in env_vars.items()]
|
||||
_logger.info(f"Starting {image} container with: {env_list}")
|
||||
try:
|
||||
@ -66,6 +68,7 @@ def proxy_factory(image):
|
||||
"--privileged",
|
||||
"--publish=2375",
|
||||
"--volume=/var/run/docker.sock:/var/run/docker.sock",
|
||||
f"--group-add={docker_gid}",
|
||||
*env_list,
|
||||
image,
|
||||
).strip()
|
||||
|
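Review bot: `docker_gid = grp.getgrnam("docker").gr_gid` raises KeyError on any host where the socket's group is not named `docker` (rootless Docker, Docker Desktop, hosts where the socket is root-owned), which breaks every test before a container is started; since the entrypoint itself keys off the socket's owner, the fixture should too: `docker_gid = Path("/var/run/docker.sock").stat().st_gid` (pathlib is already imported, and the new `grp` import then becomes unused). It is also not obvious from the hunk what `--group-add` achieves now that the Dockerfile sets `USER root` and the entrypoint switches user with `su`; if it is required, a one-line comment saying why would help. `_proxy` starts before the second hunk and ends after the third.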