Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

doxy

Docker unix-socket proxy to provide unharmful, read-only API calls

Usage

$ ./doxy_darwin --help
*snip*
GLOBAL OPTIONS:
   --docker-socket value  Docker host to connect to. (default: "/var/run/docker.sock") [$DOXY_DOCKER_SOCKET]
   --proxy-socket value   Proxy socket to be created (default: "/tmp/doxy.sock") [$DOXY_PROXY_SOCKET]
   --debug                Print proxy requests [$DOXY_DEBUG]
   --pattern-file value   File holding line-separated regex-patterns to be allowed (comments allowed, use #) (default: "/etc/doxy.pattern") [$DOXY_PATTERN_FILE]
   --help, -h             show help
   --version, -v          print the version
$ ./doxy_darwin
2017/08/18 11:37:43 [II] Start Version: 0.1.0
2017/08/18 11:37:43 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns
2017/08/18 11:37:43 [doxy] Listening on /tmp/doxy.sock

Filter mechanism

Request Method

For starters the proxy only allows GET requests.

$ docker -H unix:///tmp/doxy.sock run ubuntu bash
docker: Error response from daemon: Only GET requests are allowed, req.Method: POST.
See 'docker run --help'.

Regex

Once the method is checked, a list of regular expressions are checked. In version 0.1.0 the list reads:

# List, inspect, metrics and processes of containers
^/(v\d\.\d+/)?containers(/\w+)?/(json|stats|top)$
# List and inspect services
^/(v\d\.\d+/)?services(/[0-9a-f]+)?$
# List and inspect tasks
^/(v\d\.\d+/)?tasks(/\w+)?$
# List and inspect networks
^/(v\d\.\d+/)?networks(/\w+)?$
# List and inspect volumes
^/(v\d\.\d+/)?volumes(/\w+)?$
# List and inspect nodes
^/(v\d\.\d+/)?nodes(/\w+)?$
# Show engine info
^/(v\d\.\d+/)?info$
# Show engine version
^/(v\d\.\d+/)?version$
# Healthcheck
^/_ping$

Thus, an export of a container filesystem is not allowed.

$ docker -H unix:///tmp/doxy.sock export -o test.tar $(docker ps -lq)
Error response from daemon: '/v1.31/containers/a62250e0890a/export' is not allowed.

Debug output

The tool uses negroni, a nice web middleware in golang. When providing the -debug flag, the Logger() middleware will be added.

$ ./doxy_darwin -debug
2017/08/18 11:44:50 [II] Start Version: 0.1.0
2017/08/18 11:44:50 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns
2017/08/18 11:44:50 0  : ^/(v\d\.\d+/)?containers(/\w+)?/json$
2017/08/18 11:44:50 1  : ^/(v\d\.\d+/)?services(/[0-9a-f]+)?$
2017/08/18 11:44:50 2  : ^/(v\d\.\d+/)?tasks(/\w+)?$
2017/08/18 11:44:50 3  : ^/(v\d\.\d+/)?networks(/\w+)?$
2017/08/18 11:44:50 4  : ^/(v\d\.\d+/)?nodes(/\w+)?$
2017/08/18 11:44:50 5  : ^/(v\d\.\d+/)?info$
2017/08/18 11:44:50 6  : ^/_ping$
2017/08/18 11:44:50 [doxy] Listening on /tmp/doxy.sock
[negroni] 2017-08-18T11:45:00+02:00 | 200 | 	 3.800713ms | docker | GET /_ping
[negroni] 2017-08-18T11:45:00+02:00 | 403 | 	 34.067µs | docker | GET /v1.31/containers/a62250e0890a/export
[negroni] 2017-08-18T11:45:04+02:00 | 200 | 	 1.800044ms | docker | GET /_ping
[negroni] 2017-08-18T11:45:04+02:00 | 200 | 	 2.055015ms | docker | GET /v1.31/containers/json

About

Docker unix-socket proxy to provide unharmful, read-only API calls

Topics

Resources

License

Packages

No packages published
You can’t perform that action at this time.