From 7d4fc89a7015b15f13dc09b2eec1670e01951081 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Mon, 15 Apr 2019 15:57:12 -0700
Subject: [PATCH] add DOCKER_HOST as a build-arg

The current default is for dockerd to be world accessible. This is sub-optimal for many use scenarios and can not be overridden without editing the Dockerfile.

Per `docker info`:

WARNING: API is accessible on http://0.0.0.0:2375 without encryption. Access to the remote API is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' section in the documentation for more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface

This changset preserves the existing default build behavior while enabling the construction of more restricted image.

Eg., docker build . --build-arg DOCKER_HOST=tcp://127.0.0.1:2375
---
 18.06/dind/Dockerfile | 3 +++
 18.06/dind/dockerd-entrypoint.sh | 4 +++-
 18.09-rc/dind/Dockerfile | 3 +++
 18.09-rc/dind/dockerd-entrypoint.sh | 4 +++-
 18.09/dind/Dockerfile | 3 +++
 18.09/dind/dockerd-entrypoint.sh | 4 +++-
 19.03-rc/dind/Dockerfile | 3 +++
 19.03-rc/dind/dockerd-entrypoint.sh | 4 +++-
 Dockerfile-dind.template | 3 +++
 dockerd-entrypoint.sh | 4 +++-
 10 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/18.06/dind/Dockerfile b/18.06/dind/Dockerfile
index bf76f9d7f..49476ef44 100644
--- a/18.06/dind/Dockerfile
+++ b/18.06/dind/Dockerfile
@@ -1,5 +1,8 @@
 FROM docker:18.06
+ARG DOCKER_HOST
+ENV DOCKER_HOST=$DOCKER_HOST
+
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN set -eux; \
 apk add --no-cache \
diff --git a/18.06/dind/dockerd-entrypoint.sh b/18.06/dind/dockerd-entrypoint.sh
index 08f9ac3bd..13ee8522e 100755
--- a/18.06/dind/dockerd-entrypoint.sh
+++ b/18.06/dind/dockerd-entrypoint.sh
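Review bot: `ENV DOCKER_HOST=$DOCKER_HOST` persists the build-arg under the variable name the docker CLI itself reads, so an image built with `--build-arg DOCKER_HOST=tcp://127.0.0.1:2375` also redirects every `docker` client call made inside the container from the unix socket to TCP, and an image built without the arg ships an empty `DOCKER_HOST` in its runtime environment. If that coupling is intended it should be stated above the `ARG`, e.g. `# DOCKER_HOST is the TCP listener dockerd-entrypoint.sh passes to dockerd (default tcp://0.0.0.0:2375, unauthenticated); the docker client in this image honours the same variable`; otherwise a dockerd-specific name such as `DOCKERD_HOST` (suggested name, with the entrypoint adjusted to match) would keep the listener address separate from client configuration. The same three lines appear in the 18.09-rc, 18.09 and 19.03-rc Dockerfiles and in Dockerfile-dind.template.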
@@ -1,13 +1,15 @@
 #!/bin/sh
 set -e
+DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}
+
 
 # no arguments passed
 # or first arg is `-f` or `--some-option`
 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
 # add our default arguments
 set -- dockerd \
 --host=unix:///var/run/docker.sock \
- --host=tcp://0.0.0.0:2375 \
+ --host="${DOCKER_HOST}" \
 "$@"
 fi
 
diff --git a/18.09-rc/dind/Dockerfile b/18.09-rc/dind/Dockerfile
index de59f2189..0a27794d7 100644
--- a/18.09-rc/dind/Dockerfile
+++ b/18.09-rc/dind/Dockerfile
@@ -1,5 +1,8 @@
 FROM docker:18.09-rc
+ARG DOCKER_HOST
+ENV DOCKER_HOST=$DOCKER_HOST
+
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN set -eux; \
 apk add --no-cache \
diff --git a/18.09-rc/dind/dockerd-entrypoint.sh b/18.09-rc/dind/dockerd-entrypoint.sh
index 08f9ac3bd..13ee8522e 100755
--- a/18.09-rc/dind/dockerd-entrypoint.sh
+++ b/18.09-rc/dind/dockerd-entrypoint.sh
@@ -1,13 +1,15 @@
 #!/bin/sh
 set -e
+DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}
+
 
 # no arguments passed
 # or first arg is `-f` or `--some-option`
 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
 # add our default arguments
 set -- dockerd \
 --host=unix:///var/run/docker.sock \
- --host=tcp://0.0.0.0:2375 \
+ --host="${DOCKER_HOST}" \
 "$@"
 fi
 
diff --git a/18.09/dind/Dockerfile b/18.09/dind/Dockerfile
index cb7d8e3b1..8a502c5ce 100644
--- a/18.09/dind/Dockerfile
+++ b/18.09/dind/Dockerfile
@@ -1,5 +1,8 @@
 FROM docker:18.09
+ARG DOCKER_HOST
+ENV DOCKER_HOST=$DOCKER_HOST
+
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN set -eux; \
 apk add --no-cache \
diff --git a/18.09/dind/dockerd-entrypoint.sh b/18.09/dind/dockerd-entrypoint.sh
index 08f9ac3bd..13ee8522e 100755
--- a/18.09/dind/dockerd-entrypoint.sh
+++ b/18.09/dind/dockerd-entrypoint.sh
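Review bot: The new `DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}` runs before the argument check, so whenever the image's `ENV DOCKER_HOST` is present (even as an empty string) the assignment updates an already-exported variable, and anything the script goes on to run inherits `DOCKER_HOST=tcp://0.0.0.0:2375` — including a plain `docker` client command that skips the `if` block entirely and, if the script ends by exec-ing `$@` as its argument handling suggests, would now be pointed at TCP instead of the unix socket it used before this change. Applying the default only where it is consumed avoids that side effect: drop the two added lines at the top and write `--host="${DOCKER_HOST:-tcp://0.0.0.0:2375}" \` in place of the new `--host` line. The hunk ends at `fi`; whatever follows in the script is outside it. The same change is repeated in 18.09-rc/dind, 18.09/dind, 19.03-rc/dind and the top-level dockerd-entrypoint.sh.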
@@ -1,13 +1,15 @@
 #!/bin/sh
 set -e
+DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}
+
 
 # no arguments passed
 # or first arg is `-f` or `--some-option`
 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
 # add our default arguments
 set -- dockerd \
 --host=unix:///var/run/docker.sock \
- --host=tcp://0.0.0.0:2375 \
+ --host="${DOCKER_HOST}" \
 "$@"
 fi
 
diff --git a/19.03-rc/dind/Dockerfile b/19.03-rc/dind/Dockerfile
index 14606b8e4..1ae5265a5 100644
--- a/19.03-rc/dind/Dockerfile
+++ b/19.03-rc/dind/Dockerfile
@@ -1,5 +1,8 @@
 FROM docker:19.03-rc
+ARG DOCKER_HOST
+ENV DOCKER_HOST=$DOCKER_HOST
+
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN set -eux; \
 apk add --no-cache \
diff --git a/19.03-rc/dind/dockerd-entrypoint.sh b/19.03-rc/dind/dockerd-entrypoint.sh
index 08f9ac3bd..13ee8522e 100755
--- a/19.03-rc/dind/dockerd-entrypoint.sh
+++ b/19.03-rc/dind/dockerd-entrypoint.sh
@@ -1,13 +1,15 @@
 #!/bin/sh
 set -e
+DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}
+
 
 # no arguments passed
 # or first arg is `-f` or `--some-option`
 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
 # add our default arguments
 set -- dockerd \
 --host=unix:///var/run/docker.sock \
- --host=tcp://0.0.0.0:2375 \
+ --host="${DOCKER_HOST}" \
 "$@"
 fi
 
diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template
index 2a91d3c16..5059fbbe9 100644
--- a/Dockerfile-dind.template
+++ b/Dockerfile-dind.template
@@ -1,5 +1,8 @@
 FROM docker:%%VERSION%%
+ARG DOCKER_HOST
+ENV DOCKER_HOST=$DOCKER_HOST
+
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN set -eux; \
 apk add --no-cache \
diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index 08f9ac3bd..13ee8522e 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -1,13 +1,15 @@
 #!/bin/sh
 set -e
+DOCKER_HOST=${DOCKER_HOST:-tcp://0.0.0.0:2375}
+
 
 # no arguments passed
 # or first arg is `-f` or `--some-option`
 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
 # add our default arguments
 set -- dockerd \
 --host=unix:///var/run/docker.sock \
- --host=tcp://0.0.0.0:2375 \
+ --host="${DOCKER_HOST}" \
 "$@"
 fi
 