Merge pull request #11406 from chadlwilson/more-secure-dind

Tell dockerd to only bind TCP/HTTP API to localhost
gocd · Mar 18, 2023 · 9ae5267 · 9ae5267
2 parents d45668b + 969f7ca
commit 9ae5267
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/buildSrc/src/main/resources/gocd-docker-agent/docker-entrypoint.sh b/buildSrc/src/main/resources/gocd-docker-agent/docker-entrypoint.sh
@@ -58,7 +58,7 @@ setup_autoregister_properties_file() {
 }
 
 if [ -e /run-docker-daemon.sh ]; then
-  sudo /run-docker-daemon.sh
+  try sudo /run-docker-daemon.sh
 fi
 
 AGENT_WORK_DIR="/go"

diff --git a/buildSrc/src/main/resources/gocd-docker-agent/run-docker-daemon.sh b/buildSrc/src/main/resources/gocd-docker-agent/run-docker-daemon.sh
@@ -13,6 +13,19 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# shellcheck disable=SC2086
+$(which dind) dockerd --host=unix:///var/run/docker.sock ${DOCKERD_ADDITIONAL_ARGS:-'--host=tcp://localhost:2375'} > /var/log/dockerd.log 2>&1 &
 
-$(which dind) dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 > /var/log/dockerd.log 2>&1 &
+waited=0
+until [ $waited -gt ${DOCKERD_MAX_WAIT_SECS:-30} ] || docker stats --no-stream; do
+  sleep 1
+  ((waited++))
+done
+# shellcheck disable=SC2181
+if ! docker stats --no-stream; then
+  echo "dockerd startup failed..."
+  cat /var/log/dockerd.log
+  exit 1
+fi
+echo "dockerd started"
 disown