waddles/sherpa

Sherpa

The current recommendation to enable Docker's remote API is to change the daemon configuration and then restart. With Sherpa, you simply need to run the container and you'll have access to the docker.sock via TCP.

ACL Configuration

Sherpa has two access modes: --allow and --deny (the default). In --allow mode, access to the Docker API is implicitly allowed, so you must explicitly define the endpoints and HTTP methods that are forbidden. In --deny mode, the reverse is true: access to the API is implicitly forbidden, and the paths to allow must be explicitly defined.

Paths can be configured by passing a JSON blob in the $CONFIG environment variable and/or by mounting config files to /etc/sherpa. The blob has the following schema:

[
    { 
        "Path" : "STRING",
        "Access": "allow|deny",
        "Methods": ["STRING"],
        "Addresses": ["STRING"]
    }
]

  • "Path": The URI path to configure.
  • "Access": The access mode. Accepts "allow" or "deny".
  • "Methods": The HTTP methods to allow. Ignored if "Access" is "deny".
  • "Addresses": Specific addresses to allow. See the NGINX allow directive for accepted values. Ignored if "Access" is "deny".

Admins can also restrict access to Sherpa by using a combination of volume mounting permissions and IP binding.

Examples

Multiple ACLs can be defined to create a strictly contained remote API. Here are a few examples:

Full access

docker run -d \
--name sherpa \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Access to /containers/json GET only

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/json",
        "Access": "allow",
        "Methods": ["GET"]
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa

Access to everything but kill

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/*/kill",
        "Access": "deny"
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Mount example config files together with the CONFIG environment variable

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/json",
        "Access": "deny"
    }
]' \
-v "$(pwd)"/examples:/etc/sherpa \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Full access to internal IPs only

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/",
        "Access": "allow",
        "Addresses": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow
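
A lint pass over a CONFIG blob before it is handed to the container, as an added example (not part of the Sherpa project's code). The function names `audit_config` and `audit_address` are hypothetical, "internal" is assumed to mean the RFC 1918 ranges, and the sample blob is constructed.

```python
import ipaddress
import json

# RFC 1918 private IPv4 ranges, used here as the definition of "internal".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_address(value):
    """Return a finding for one "Addresses" value, or None if it is private."""
    if value == "all" or value.startswith("unix:"):
        # Non-IP forms that the NGINX allow directive also accepts.
        return f"{value!r} does not restrict by private IP range"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"{value!r} is not an IP address or CIDR range"
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return None
    return f"{value!r} reaches beyond the RFC 1918 private ranges"


def audit_config(blob):
    """Lint a Sherpa CONFIG blob; returns a list of (path, finding) tuples."""
    findings = []
    for entry in json.loads(blob):
        path, access = entry.get("Path"), entry.get("Access")
        if access not in ("allow", "deny"):
            findings.append((path, f"Access {access!r} is not allow or deny"))
        for key in ("Methods", "Addresses"):
            if access == "deny" and key in entry:
                findings.append((path, f"{key} is ignored on a deny entry"))
        if access == "allow":
            for addr in entry.get("Addresses", []):
                problem = audit_address(addr)
                if problem:
                    findings.append((path, problem))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """[
  {"Path": "/", "Access": "allow",
   "Addresses": ["10.0.0.0/8", "192.168.0.0/16", "172.0.0.0/8"]},
  {"Path": "/containers/*/kill", "Access": "deny", "Methods": ["POST"]}
]"""

if __name__ == "__main__":
    for path, finding in audit_config(SAMPLE):
        print(f"{path}: {finding}")
```

The /8 on 172.0.0.0 is flagged because only 172.16.0.0/12 is private; the rest of that block is publicly routable address space.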

About

A simple way to access Docker's remote API

Languages

  • Python 93.5%
  • Nginx 6.5%