With the resolution of portainer's issue #3337, this project is deprecated.
Updates portainer ACLs from container labels.
```sh
docker run --detach \
  --env "PORTAINER_API_PASSWORD=password" \
  --env "PORTAINER_API_URL=http://localhost:9000/api" \
  --env "PORTAINER_API_USERNAME=admin" \
  --network host \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  altaris/portacl
```
- `DOCKER_CERT_PATH`: See the Docker SDK documentation.
- `DOCKER_HOST` (default: `unix:///var/run/docker.sock`): See the Docker SDK documentation.
- `DOCKER_TLS_VERIFY`: See the Docker SDK documentation.
- `LOGGING_LEVEL` (default: `WARNING`): Python logging level, see here.
- `PORTAINER_API_PASSWORD`.
- `PORTAINER_API_USERNAME`.
- `PORTAINER_API_URL`.

Based on this portainer issue on github:
- `io.portainer.uac.public` (default: `false`).
- `io.portainer.uac.teams`: Comma separated list of authorized teams, identified by name (which is assumed not to start with a digit) or an id.
- `io.portainer.uac.users`: Comma separated list of authorized users, identified by name (which is assumed not to start with a digit) or an id.
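
The label convention above, as an added example that is not portacl's own code: it parses the three `io.portainer.uac.*` labels into ids, treating an entry with a leading digit as an id and anything else as a name. The names `Acl`, `parse_acl` and `_resolve`, the name-to-id dictionaries (built from this README's test users and teams) and the rule that only the string `true` marks a resource public are assumptions.

```python
from dataclasses import dataclass, field

LABEL_PUBLIC = "io.portainer.uac.public"
LABEL_TEAMS = "io.portainer.uac.teams"
LABEL_USERS = "io.portainer.uac.users"

# Constructed directories, using the ids of this README's test users and teams.
TEAMS = {"development": 1, "qa": 2, "production": 3}
USERS = {"admin": 1, "bob": 2, "carol": 3, "daniel": 4}


@dataclass
class Acl:
    public: bool = False
    team_ids: set = field(default_factory=set)
    user_ids: set = field(default_factory=set)
    unknown: list = field(default_factory=list)  # entries that map to no id


def _resolve(raw, directory, kind, acl):
    """Split a comma separated label value and map each entry to an id."""
    ids = set()
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue  # tolerate "a,,b" and trailing commas
        if entry[0] in "0123456789":
            # Leading digit: by the label convention this is an id, not a name.
            if entry.isascii() and entry.isdigit():
                ids.add(int(entry))
                continue
        elif entry in directory:
            ids.add(directory[entry])
            continue
        acl.unknown.append(f"{kind}:{entry}")  # never guess an id
    return ids


def parse_acl(labels, teams=TEAMS, users=USERS):
    """Build an Acl from a label dict; absent labels grant nothing."""
    acl = Acl()
    # Assumption: only the string "true" (any case) marks a resource public.
    acl.public = labels.get(LABEL_PUBLIC, "false").strip().lower() == "true"
    acl.team_ids = _resolve(labels.get(LABEL_TEAMS, ""), teams, "team", acl)
    acl.user_ids = _resolve(labels.get(LABEL_USERS, ""), users, "user", acl)
    return acl
```

Entries that cannot be resolved end up in `Acl.unknown` instead of being dropped silently, so a typo in a label can be logged rather than quietly producing a narrower or wider ACL than intended.
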
`portacl` will create, update, or delete ACLs upon receiving docker events.
Here is a list of supported and soon (:tm:) to be supported events.
- `container_create`
- `volume_create`
- `volume_mount`: WIP. For the time being, please set adequate ACLs to volumes shared among multiple containers.
- `volume_unmount`
- `service_create`
- `service_update`
- `secret_create`

- portacl does not manage ACLs of resources created before it has started.
- API requests setting a volume as public always fail. This seems to be a portainer issue.
- This list should probably be repo issues instead of in the readme.

- Start the portainer test instance:

  ```sh
  make test-portainer-up
  ```

- Start portacl:

  ```sh
  # a) direct mode (run this on a dedicated terminal)
  make run
  # you can also set environment variables, e.g.
  LOGGING_LEVEL=WARNING make run
  # b) dockerized mode
  make run-docker
  ```

- Start the test stack (press Ctrl+C to exit):

  ```sh
  make test-stack-up
  ```

- Cleanup after yourself:

  ```sh
  make test-stack-down
  make test-portainer-down
  ```

The users and teams are as follows:

User | Id | Password |
---|---|---|
admin | 1 | password |
bob | 2 | password |
carol | 3 | password |
daniel | 4 | password |

Team | Id | Members |
---|---|---|
development | 1 | bob & carol |
qa | 2 | carol |
production | 3 | carol & daniel |

To make API calls to the test portainer instance:
```sh
. ./test/test-portainer-connect.sh
portainer_api_call "METHOD" "PATH" "JSON_ARGUMENTS_IF_NEEDED"
portainer_api_call "GET" "/users" | jq
```