Bring Your Own Resources #205
StrausMG
added some commits
May 25, 2017
StrausMG
closed this
Jun 20, 2017
StrausMG
reopened this
Jun 20, 2017
StrausMG
closed this
Jun 21, 2017
StrausMG
reopened this
Jun 21, 2017
| +load_subconfig('etc/github_auth.py') | ||
| + | ||
| +from dockerspawner import DockerSpawner | ||
| +c.DockerSpawner.hub_ip_connect = c.JupyterHub.hub_ip |
anaderi
Jun 21, 2017
Owner
let's remove the last 2 lines. check that it doesn't break anything. if so, you can just load_subconfig('etc/local_config.py')
| @@ -0,0 +1,87 @@ | ||
| +SPAWNER_OPTIONS_FORM = """ | ||
| +<div style="margin-bottom: 0px;"> |
| + For a successful run <a href="https://www.docker.com/" target="_black">Docker</a> | ||
| + must be installed on your server.<br /> | ||
| + Enter ip and port of the Docker daemon running on your server.<br /> | ||
| + (Click <a href="https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option" |
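Review bot: The help text in this form asks only for the IP and port of the Docker daemon and links to the daemon-socket option, with no mention of TLS, so a user following it will enter a plain TCP endpoint. Suggest the text ask for a TLS-protected endpoint and the form collect a client certificate alongside the IP and port. Separately, `target="_black"` on the Docker link is a typo for `_blank`; when fixing it, add `rel="noopener noreferrer"`.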
anaderi
Jun 21, 2017
Owner
should read:
Enter IP address and port of the Docker daemon running on your server.
| + self._byor_client = docker.Client('{}:{}'.format(byor_ip, byor_port), | ||
| + version='auto', | ||
| + timeout=self.byor_timeout) | ||
| + self.container_ip = byor_ip | ||
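Review bot: `docker.Client` is constructed here from `byor_ip` and `byor_port` with no `tls=` argument, so the hub talks to the user's daemon over an unauthenticated, unencrypted connection, and nothing in these lines validates either value before it is formatted into the URL. Suggest checking that `byor_ip` parses as an IP address and `byor_port` is an integer in range, and passing a `docker.tls.TLSConfig` with a client certificate and `verify=True`.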
| @@ -331,7 +344,7 @@ def remove_old_container(self): | ||
| force=True | ||
| ) | ||
| except APIError as e: | ||
| - self.log.info("Can't erase container %s due to %s" % (self.container_name, e)) | ||
| + self.log.info("Can't erase container %s due to %s" % (self.container_name, e)) | ||
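Review bot: As rendered here, the removed and added `self.log.info(...)` lines are textually identical, so this looks like a whitespace-only change; if so, it is better kept out of a feature PR or called out in the commit message. While the line is being touched, a failed container removal is arguably a warning rather than info, and passing `self.container_name, e` as logger arguments instead of `%`-formatting defers the formatting to the logger.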
StrausMG
added some commits
Jun 24, 2017
| + | ||
| +from os.path import join as pjoin | ||
| +with open(pjoin(c.JupyterHub.template_paths[0], '_byor_options_form.html')) as form: | ||
| + c.ByorDockerSpawner.options_form = form.read() |
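Review bot: `c.JupyterHub.template_paths[0]` assumes the list is non-empty and that its first entry is the directory holding `_byor_options_form.html`; if either is false, the hub fails at config load with an IndexError or a file-not-found error. Suggest building the path from a known location, or checking that the file exists and raising a clear message, and moving the `from os.path import join as pjoin` import to the top of the config file.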
StrausMG
and others
added some commits
Jun 27, 2017
anaderi
merged commit 7e9dead
into everware:master
Jun 30, 2017
1 check passed
yuvipanda
commented
Jul 4, 2017
This is awesome! Thank you for working on this!

However, I have some concerns about security & authentication. If you open up a docker daemon without any authentication to the internet, that pretty much provides attackers with root on that machine with no effort. There already is malware that looks for these kinds of vulnerabilities - https://duo.com/blog/over-18000-redis-instances-targeted-by-fake-ransomware for one that attacked redis, http://www.securityweek.com/elasticsearch-servers-latest-target-ransom-attacks for elasticsearch, https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/ for mongodb, etc.

Since docker allows much more arbitrary compute execution than the others did (except for elasticsearch - there were attacks that used ES to spawn a VM!), it is also potentially used as command & control center for malware / ransomware attacks (unpatched wordpress instances were used in cyberattacks related to the US '16 Election, for example https://www.wordfence.com/blog/2017/02/russia-election-hack-worpress-used/).

Docker has TLS support for doing client authentication (https://docs.docker.com/engine/security/https/). This will require users to provide everware a certificate as well as the docker daemon URL - the client certificate can then be kinda used like a password (@betatim's idea!). This would be a huge improvement over plain unauthenticated docker endpoints. I hope you would consider implementing it, and more importantly requiring it - since otherwise people would just probably skip it.

Thanks!
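One way to enforce the requirement described in the comment above, as an added example (not code from this PR or from everware): validate the submitted endpoint and refuse it unless a client certificate, key and CA are supplied. The function names, the certificate parameters and the 20-second default timeout are assumptions; `docker.tls.TLSConfig` is docker-py's own class.

```python
import ipaddress
import os


class ByorEndpointError(ValueError):
    """A user-supplied Docker endpoint that the hub must refuse."""


def byor_client_kwargs(ip, port, client_cert, client_key, ca_cert, timeout=20):
    """Validate the form input and return settings for a TLS-only client.

    Hypothetical helper: the PR's form collects only IP and port.
    """
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        raise ByorEndpointError("not an IP address: %r" % (ip,))
    try:
        port = int(port)
    except (TypeError, ValueError):
        raise ByorEndpointError("port is not a number: %r" % (port,))
    if not 1 <= port <= 65535:
        raise ByorEndpointError("port out of range: %d" % port)
    # No certificate, no connection: the plain-TCP case is refused outright.
    for label, path in (("client certificate", client_cert),
                        ("client key", client_key),
                        ("CA certificate", ca_cert)):
        if not path or not os.path.isfile(path):
            raise ByorEndpointError("%s file is required" % label)
    host = "[%s]" % addr if addr.version == 6 else str(addr)
    return {
        "base_url": "https://%s:%d" % (host, port),
        "tls": {"client_cert": (client_cert, client_key),
                "ca_cert": ca_cert, "verify": True},
        "version": "auto",
        "timeout": timeout,
    }


def make_byor_client(**form):
    """Build the docker-py client (imported lazily, so validation runs alone)."""
    kwargs = byor_client_kwargs(**form)
    import docker
    from docker.tls import TLSConfig
    kwargs["tls"] = TLSConfig(**kwargs["tls"])
    # docker.Client is the pre-2.0 name used in the PR; newer releases use APIClient.
    client_cls = getattr(docker, "APIClient", None) or docker.Client
    return client_cls(**kwargs)
```

With `verify=True` the daemon's certificate must chain to `ca_cert` and carry the server's IP as a subject alternative name. The client certificate only acts as a credential if the daemon itself is started with `--tlsverify`, as in the Docker documentation linked above.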
Thanks Yuvi. It was just the first step. TLS part is on its way. Stay tuned!
yuvipanda
commented
Jul 7, 2017
tyvm! This is great :D
StrausMG commented Jun 20, 2017
The branch adds a brand-new feature which allows using custom servers for running containers.