e84babd1c4
* Add first version of tests
From https://github.com/Tecnativa/docker-socket-proxy/pull/14
* Expand tests
* Add GH CI
* Apply suggestions
* Apply autopretty template + fix prettier
* Fix isort
* Apply autoprettier
* Fix VSCode settings
* Make tests run in parallel
* Build docker image before testing
* Update workspace settings
* Try multi-platform builds and push to ghcr.io
* Push to docker hub as well from ci
* Upgrade autopretty
* Update pyproject configurations
* Improve test configuration and execution
TT26468
* Provide initial conftest
* Improve tests
* Add python3 in image
* Remove POST rule from proxy
* Build image before testing and push at the end
Builds the image (in single arch) before testing
Loads the image into local docker (See https://github.com/docker/build-push-action#export-image-to-docker)
Rebuilds and pushes the final image in multi-arch at the end.
* Fix python path
* Remove build fixture from tests to see if image is built in CI
* Organize docker tests definition and document
* Restore fixture allowing usage for local testing
This reverts commit dc0b60e63f and allows using `--prebuild` CLI flag for pytest when doing local tests.
Co-authored-by: Jairo Llopis <jairo.llopis@tecnativa.com>
6.5 KiB
Docker Socket Proxy
What?
This is a security-enhanced proxy for the Docker Socket.
Why?
Giving access to your Docker socket could mean giving root access to your host, or even to your whole swarm, but some services require hooking into that socket to react to events, etc. Using this proxy lets you block anything you consider those services should not do.
How?
We use the official Alpine-based HAProxy image with a small configuration file.
It blocks access to the Docker socket API according to the environment variables you
set. It returns a HTTP 403 Forbidden status for those dangerous requests that should
never happen.
Security recommendations
- Never expose this container's port to a public network. Only to a Docker networks where only reside the proxy itself and the service that uses it.
- Revoke access to any API section that you consider your service should not need.
- This image does not include TLS support, just plain HTTP proxy to the host Docker Unix socket (which is not TLS protected even if you configured your host for TLS protection). This is by design because you are supposed to restrict access to it through Docker's built-in firewall.
- Read the docs for the API version you are using, and know what you are doing.
Usage
-
Run the API proxy (
--privilegedflag is required here because it connects with the docker socket, which is a privileged connection in some SELinux/AppArmor contexts and would get locked otherwise):$ docker container run \ -d --privileged \ --name dockerproxy \ -v /var/run/docker.sock:/var/run/docker.sock \ -p 127.0.0.1:2375:2375 \ tecnativa/docker-socket-proxy -
Connect your local docker client to that socket:
$ export DOCKER_HOST=tcp://localhost -
You can see the docker version:
$ docker version Client: Version: 17.03.1-ce API version: 1.27 Go version: go1.7.5 Git commit: c6d412e Built: Mon Mar 27 17:14:43 2017 OS/Arch: linux/amd64 Server: Version: 17.03.1-ce API version: 1.27 (minimum version 1.12) Go version: go1.7.5 Git commit: c6d412e Built: Mon Mar 27 17:14:43 2017 OS/Arch: linux/amd64 Experimental: false -
You cannot see running containers:
$ docker container ls Error response from daemon: <html><body><h1>403 Forbidden</h1> Request forbidden by administrative rules. </body></html>
The same will happen to any containers that use this proxy's 2375 port to access the
Docker socket API.
Grant or revoke access to certain API sections
You grant and revoke access to certain features of the Docker API through environment variables.
Normally the variables match the URL prefix (i.e. AUTH blocks access to /auth/*
parts of the API, etc.).
Possible values for these variables:
0to revoke access.1to grant access.
Access granted by default
These API sections are mostly harmless and almost required for any service that uses the API, so they are granted by default.
EVENTSPINGVERSION
Access revoked by default
Security-critical
These API sections are considered security-critical, and thus access is revoked by default. Maximum caution when enabling these.
AUTHSECRETSPOST: When disabled, onlyGETandHEADoperations are allowed, meaning any section of the API is read-only.
Not always needed
You will possibly need to grant access to some of these API sections, which are not so extremely critical but can expose some information that your service does not need.
BUILDCOMMITCONFIGSCONTAINERSDISTRIBUTIONEXECIMAGESINFONETWORKSNODESPLUGINSSERVICESSESSIONSWARMSYSTEMTASKSVOLUMES
Development
All the dependencies you need to develop this project (apart from Docker itself) are managed with poetry.
To set up your development environment, run:
poetry install
Testing
To run the tests locally, add --prebuild to autobuild the image before testing:
poetry run pytest --prebuild
By default, the image that the tests use (and optionally prebuild) is named
docker-socket-proxy:local. If you prefer, you can build it separately before testing,
and remove the --prebuild flag, to run the tests with that image you built:
docker image build -t docker-socket-proxy:local .
poetry run pytest
If you want to use a different image, export the DOCKER_IMAGE_NAME env variable with
the name you want:
# To build it automatically
env DOCKER_IMAGE_NAME=my_custom_image poetry run pytest --prebuild
# To prebuild it separately
docker image build -t my_custom_image .
env DOCKER_IMAGE_NAME=my_custom_image poetry run pytest
Logging
You can set the logging level or severity level of the messages to be logged with the
environment variable LOG_LEVEL. Defaul value is info. Possible values are: debug,
info, notice, warning, err, crit, alert and emerg.
Supported API versions
Feedback
Please send any feedback (issues, questions) to the issue tracker.