Merge 593f1808ce into 0e8d6601b6

.github/workflows/ci.yml

@@ -29,7 +29,7 @@ env:
 
 jobs:
   build-test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         python:
@@ -47,7 +47,7 @@ jobs:
           echo "CACHE=${{ secrets.CACHE_DATE }} ${{ runner.os }} $(python -VV |
           sha256sum | cut -d' ' -f1) ${{ hashFiles('pyproject.toml') }} ${{
           hashFiles('poetry.lock') }}" >> $GITHUB_ENV
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: |
             .cache.~
@@ -61,7 +61,7 @@ jobs:
       # Run tests
       - run: poetry run pytest --prebuild
   build-push:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     services:
       registry:
         image: registry:2
@@ -74,7 +74,7 @@ jobs:
     steps:
       # Set up Docker Environment
       - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: |
             /tmp/.buildx-cache

Dockerfile

@@ -1,4 +1,4 @@
-FROM haproxy:2.2-alpine
+FROM haproxy:lts-alpine
 
 EXPOSE 2375
 ENV ALLOW_RESTARTS=0 \
@@ -32,4 +32,6 @@ ENV ALLOW_RESTARTS=0 \
     VERSION=1 \
     VOLUMES=0
 COPY docker-entrypoint.sh /usr/local/bin/
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg.template
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY start-haproxy.sh /usr/local/bin/
+USER root

README.md

@@ -37,17 +37,17 @@ never happen.
 
 ## Usage
 
-1.  Run the API proxy (`--privileged` flag is required here because it connects with the
-    docker socket, which is a privileged connection in some SELinux/AppArmor contexts
-    and would get locked otherwise):
+1.  Run the API proxy:
 
         $ docker container run \
-            -d --privileged \
+            -d \
             --name dockerproxy \
             -v /var/run/docker.sock:/var/run/docker.sock \
             -p 127.0.0.1:2375:2375 \
             tecnativa/docker-socket-proxy
 
+    An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked.
+
 2.  Connect your local docker client to that socket:
 
         $ export DOCKER_HOST=tcp://localhost:2375

docker-entrypoint.sh

@@ -1,33 +1,9 @@
 #!/bin/sh
 set -e
 
-# Normalize the input for DISABLE_IPV6 to lowercase
-DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+# add haproxy user to group of docker socket
+DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")
+adduser haproxy "$DOCKER_GROUP"
 
-# Check for different representations of 'true' and set BIND_CONFIG
-case "$DISABLE_IPV6_LOWER" in
-    1|true|yes)
-        BIND_CONFIG=":2375"
-        ;;
-    *)
-        BIND_CONFIG="[::]:2375 v4v6"
-        ;;
-esac
-
-# Process the HAProxy configuration template using sed
-sed "s/\${BIND_CONFIG}/$BIND_CONFIG/g" /usr/local/etc/haproxy/haproxy.cfg.template > /usr/local/etc/haproxy/haproxy.cfg
-
-# first arg is `-f` or `--some-option`
-if [ "${1#-}" != "$1" ]; then
-	set -- haproxy "$@"
-fi
-
-if [ "$1" = 'haproxy' ]; then
-	shift # "haproxy"
-	# if the user wants "haproxy", let's add a couple useful flags
-	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
-	#   -db -- disables background mode
-	set -- haproxy -W -db "$@"
-fi
-
-exec "$@"
+# continue as haproxy user, preserving entrypoint parameters
+su -s /bin/sh -c 'start-haproxy.sh "$@"' haproxy -- "$@"

haproxy.cfg

@@ -1,7 +1,7 @@
 global
     log stdout format raw daemon "${LOG_LEVEL}"
 
-    pidfile /run/haproxy.pid
+    pidfile /tmp/haproxy.pid
     maxconn 4000
 
     # Turn on stats unix socket
@@ -44,7 +44,7 @@ backend docker-events
     timeout server 0
 
 frontend dockerfrontend
-    bind ${BIND_CONFIG}
+    bind "$BIND_PORT" "$BIND_OPTIONS"
     http-request deny unless METH_GET || { env(POST) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }

pyproject.toml

@@ -3,6 +3,7 @@ name = "docker-socket-proxy"
 version = "0.0.0"
 description = ""
 authors = ["Tecnativa"]
+package-mode = false
 
 [tool.poetry.dependencies]
 python = "^3.8"

start-haproxy.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+# Normalize the input for DISABLE_IPV6 to lowercase
+DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+ 
+# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
+case "$DISABLE_IPV6_LOWER" in
+    1|true|yes)
+        export BIND_PORT=':2375'
+        export BIND_OPTIONS=''
+        ;;
+    *)
+        export BIND_PORT=':::2375'
+        export BIND_OPTIONS='v4v6'
+        ;;
+esac
+ 
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- haproxy "$@"
+fi
+ 
+if [ "$1" = 'haproxy' ]; then
+	shift # "haproxy"
+	# if the user wants "haproxy", let's add a couple useful flags
+	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+	#   -db -- disables background mode
+	set -- haproxy -W -db "$@"
+fi
+ 
+exec "$@"

tests/conftest.py

@@ -1,6 +1,7 @@
 import json
 import logging
 import time
+import grp
 from contextlib import contextmanager
 from pathlib import Path
 
@@ -56,6 +57,7 @@ def proxy_factory(image):
     @contextmanager
     def _proxy(**env_vars):
         container_id = None
+        docker_gid = grp.getgrnam("docker").gr_gid
         env_list = [f"--env={key}={value}" for key, value in env_vars.items()]
         _logger.info(f"Starting {image} container with: {env_list}")
         try:
@@ -66,6 +68,7 @@ def proxy_factory(image):
                 "--privileged",
                 "--publish=2375",
                 "--volume=/var/run/docker.sock:/var/run/docker.sock",
+                f"--group-add={docker_gid}",
                 *env_list,
                 image,
             ).strip()