Docker unix-socket proxy to provide harmless, read-only API calls
$ ./doxy_darwin --help
*snip*
GLOBAL OPTIONS:
--docker-socket value Docker host to connect to. (default: "/var/run/docker.sock") [$DOXY_DOCKER_SOCKET]
--proxy-socket value Proxy socket to be created (default: "/tmp/doxy.sock") [$DOXY_PROXY_SOCKET]
--debug Print proxy requests [$DOXY_DEBUG]
--pattern-file value File holding line-separated regex-patterns to be allowed (comments allowed, use #) (default: "/etc/doxy.pattern") [$DOXY_PATTERN_FILE]
--help, -h show help
--version, -v print the version
$ ./doxy_darwin
2017/08/18 11:37:43 [II] Start Version: 0.1.0
2017/08/18 11:37:43 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns
2017/08/18 11:37:43 [doxy] Listening on /tmp/doxy.sock
For starters, the proxy only allows GET requests; any other method is rejected before the request reaches the daemon.
$ docker -H unix:///tmp/doxy.sock run ubuntu bash
docker: Error response from daemon: Only GET requests are allowed, req.Method: POST.
See 'docker run --help'.
Once the method check passes, the request path is checked against a list of regular expressions; a request is forwarded only if at least one pattern matches. In version 0.1.0 the list reads:
# List, inspect, metrics and processes of containers
^/(v\d\.\d+/)?containers(/\w+)?/(json|stats|top)$
# List and inspect services
^/(v\d\.\d+/)?services(/[0-9a-f]+)?$
# List and inspect tasks
^/(v\d\.\d+/)?tasks(/\w+)?$
# List and inspect networks
^/(v\d\.\d+/)?networks(/\w+)?$
# List and inspect volumes
^/(v\d\.\d+/)?volumes(/\w+)?$
# List and inspect nodes
^/(v\d\.\d+/)?nodes(/\w+)?$
# Show engine info
^/(v\d\.\d+/)?info$
# Show engine version
^/(v\d\.\d+/)?version$
# Healthcheck
^/_ping$
Thus an export of a container filesystem is not allowed, because no pattern matches /containers/{id}/export. Note that read-only is not the same as harmless in every deployment: GET /containers/{id}/json (docker inspect) returns the container's environment variables and labels, so anything that can reach the proxy socket can read secrets passed with -e.
$ docker -H unix:///tmp/doxy.sock export -o test.tar $(docker ps -lq)
Error response from daemon: '/v1.31/containers/a62250e0890a/export' is not allowed.
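The two checks described above (GET only, then an anchored regex allow-list loaded from a #-commented pattern file) can be reproduced in a few dozen lines of Go. The following is an added example written for this page, not doxy's own source: it embeds the 0.1.0 pattern list as a constant, parses it the way the pattern-file format implies, rejects requests with the same messages the docker CLI printed above, and forwards everything else to the daemon socket through a reverse proxy. The socket paths in main, the JSON error body and the choice to match on the URL path with the query string stripped are this example's assumptions.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
)

// defaultPatterns is the 0.1.0 allow-list from the page, embedded here so the
// example runs without /etc/doxy.pattern.
const defaultPatterns = `
# List, inspect, metrics and processes of containers
^/(v\d\.\d+/)?containers(/\w+)?/(json|stats|top)$
# List and inspect services
^/(v\d\.\d+/)?services(/[0-9a-f]+)?$
# List and inspect tasks
^/(v\d\.\d+/)?tasks(/\w+)?$
# List and inspect networks
^/(v\d\.\d+/)?networks(/\w+)?$
# List and inspect volumes
^/(v\d\.\d+/)?volumes(/\w+)?$
# List and inspect nodes
^/(v\d\.\d+/)?nodes(/\w+)?$
# Show engine info
^/(v\d\.\d+/)?info$
# Show engine version
^/(v\d\.\d+/)?version$
# Healthcheck
^/_ping$
`

// parsePatterns reads line-separated regexes; blank lines and lines starting
// with '#' are skipped. A pattern that fails to compile aborts loading rather
// than silently shrinking the allow-list.
func parsePatterns(r io.Reader) ([]*regexp.Regexp, error) {
	var out []*regexp.Regexp
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", line, err)
		}
		out = append(out, re)
	}
	return out, sc.Err()
}

// allow applies both checks in order: the method must be GET, and the URL path
// (query string excluded, so "?all=1" cannot defeat the "$" anchor) must match
// one of the patterns. The messages mirror the ones the docker CLI shows.
func allow(patterns []*regexp.Regexp, method, path string) (bool, string) {
	if method != http.MethodGet {
		return false, fmt.Sprintf("Only GET requests are allowed, req.Method: %s.", method)
	}
	for _, re := range patterns {
		if re.MatchString(path) {
			return true, ""
		}
	}
	return false, fmt.Sprintf("'%s' is not allowed.", path)
}

// filter wraps the upstream handler; rejected requests never reach the daemon.
// The {"message": ...} body is the shape the docker CLI prints as
// "Error response from daemon: ..." (assumed here, not taken from doxy).
func filter(patterns []*regexp.Regexp, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, msg := allow(patterns, r.Method, r.URL.Path); !ok {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_ = json.NewEncoder(w).Encode(map[string]string{"message": msg})
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// dockerProxy forwards to the daemon over its unix socket; the "docker" host
// name is a placeholder, every dial goes to the socket path instead.
func dockerProxy(socket string) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: "docker"})
	p.Transport = &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", socket)
		},
	}
	return p
}

func main() {
	patterns, err := parsePatterns(strings.NewReader(defaultPatterns))
	if err != nil {
		log.Fatal(err)
	}
	// Assumed paths, matching doxy's defaults from the --help output.
	ln, err := net.Listen("unix", "/tmp/doxy.sock")
	if err != nil {
		log.Fatal(err)
	}
	log.Println("listening on /tmp/doxy.sock")
	log.Fatal(http.Serve(ln, filter(patterns, dockerProxy("/var/run/docker.sock"))))
}
```

With this running, docker -H unix:///tmp/doxy.sock ps succeeds while docker run and docker export get a 403 before the daemon ever sees them. One property of the list worth knowing when reusing it: \w matches only [0-9A-Za-z_], so a container named web-1 cannot be inspected by name through the containers pattern (GET /containers/web-1/json is rejected), whereas the same request by hex ID passes.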
The tool uses negroni, a nice HTTP middleware library for Go. When the -debug flag is given, negroni's Logger() middleware is added and every request is logged with the status code the proxy returned, so denied calls show up as 403s:
$ ./doxy_darwin -debug
2017/08/18 11:44:50 [II] Start Version: 0.1.0
2017/08/18 11:44:50 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns
2017/08/18 11:44:50 0 : ^/(v\d\.\d+/)?containers(/\w+)?/json$
2017/08/18 11:44:50 1 : ^/(v\d\.\d+/)?services(/[0-9a-f]+)?$
2017/08/18 11:44:50 2 : ^/(v\d\.\d+/)?tasks(/\w+)?$
2017/08/18 11:44:50 3 : ^/(v\d\.\d+/)?networks(/\w+)?$
2017/08/18 11:44:50 4 : ^/(v\d\.\d+/)?nodes(/\w+)?$
2017/08/18 11:44:50 5 : ^/(v\d\.\d+/)?info$
2017/08/18 11:44:50 6 : ^/_ping$
2017/08/18 11:44:50 [doxy] Listening on /tmp/doxy.sock
[negroni] 2017-08-18T11:45:00+02:00 | 200 | 3.800713ms | docker | GET /_ping
[negroni] 2017-08-18T11:45:00+02:00 | 403 | 34.067µs | docker | GET /v1.31/containers/a62250e0890a/export
[negroni] 2017-08-18T11:45:04+02:00 | 200 | 1.800044ms | docker | GET /_ping
[negroni] 2017-08-18T11:45:04+02:00 | 200 | 2.055015ms | docker | GET /v1.31/containers/json