1 | 1 | # doxy |
2 | 2 | Docker unix-socket proxy to provide unharmful, read-only API calls |
| 3 | + |
| 4 | +## Usage |
| 5 | + |
| 6 | +```bash |
| 7 | +$ ./doxy_darwin --help |
| 8 | +*snip* |
| 9 | +GLOBAL OPTIONS: |
| 10 | + --docker-socket value Docker host to connect to. (default: "/var/run/docker.sock") [$DOXY_DOCKER_SOCKET] |
| 11 | + --proxy-socket value Proxy socket to be created (default: "/tmp/doxy.sock") [$DOXY_PROXY_SOCKET] |
| 12 | + --debug Print proxy requests [$DOXY_DEBUG] |
| 13 | + --pattern-file value File holding line-separated regex-patterns to be allowed (comments allowed, use #) (default: "/etc/doxy.pattern") [$DOXY_PATTERN_FILE] |
| 14 | + --help, -h show help |
| 15 | + --version, -v print the version |
| 16 | +$ ./doxy_darwin |
| 17 | +2017/08/18 11:37:43 [II] Start Version: 0.1.0 |
| 18 | +2017/08/18 11:37:43 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns |
| 19 | +2017/08/18 11:37:43 [gk-soxy] Listening on /tmp/doxy.sock |
| 20 | +``` |
| 21 | +
|
| 22 | +## Filter mechanism |
| 23 | +
|
| 24 | +### Request Method |
| 25 | +
|
| 26 | +For starters the proxy only allows `GET` requests. |
| 27 | +
|
| 28 | +```bash |
| 29 | +$ docker -H unix:///tmp/doxy.sock run ubuntu bash |
| 30 | +docker: Error response from daemon: Only GET requests are allowed, req.Method: POST. |
| 31 | +See 'docker run --help'. |
| 32 | +``` |
| 33 | +
|
| 34 | +### Regex |
| 35 | +
|
| 36 | +Once the method is checked, a list of regular expressions are checked. In version 0.1.0 the list reads: |
| 37 | +
|
| 38 | +```bash |
| 39 | +# List and inspect containers |
| 40 | +^/(v\d\.\d+/)?containers(/\w+)?/json$ |
| 41 | +# List and inspect services |
| 42 | +^/(v\d\.\d+/)?services(/[0-9a-f]+)?$ |
| 43 | +# List and inspect tasks |
| 44 | +^/(v\d\.\d+/)?tasks(/\w+)?$ |
| 45 | +# List and inspect networks |
| 46 | +^/(v\d\.\d+/)?networks(/\w+)?$ |
| 47 | +# List and inspect nodes |
| 48 | +^/(v\d\.\d+/)?nodes(/\w+)?$ |
| 49 | +# Show engine info |
| 50 | +^/(v\d\.\d+/)?info$ |
| 51 | +# Healthcheck |
| 52 | +^/_ping$ |
| 53 | +``` |
| 54 | +
|
| 55 | +Thus, an export of a container filesystem is not allowed. |
| 56 | +
|
| 57 | +```bash |
| 58 | +$ docker -H unix:///tmp/doxy.sock export -o test.tar $(docker ps -lq) |
| 59 | +Error response from daemon: '/v1.31/containers/a62250e0890a/export' is not allowed. |
| 60 | +``` |
| 61 | +
|
| 62 | +## Debug output |
| 63 | +
|
| 64 | +The tool uses [negroni](https://github.com/urfave/negroni), a nice web middleware in golang. |
| 65 | +When providing the `-debug` flag, the `Logger()` middleware will be added. |
| 66 | +
|
| 67 | +```bash |
| 68 | +$ ./doxy_darwin -debug |
| 69 | +2017/08/18 11:44:50 [II] Start Version: 0.1.0 |
| 70 | +2017/08/18 11:44:50 Error reading patterns file (open /etc/doxy.pattern: no such file or directory), using default patterns |
| 71 | +2017/08/18 11:44:50 0 : ^/(v\d\.\d+/)?containers(/\w+)?/json$ |
| 72 | +2017/08/18 11:44:50 1 : ^/(v\d\.\d+/)?services(/[0-9a-f]+)?$ |
| 73 | +2017/08/18 11:44:50 2 : ^/(v\d\.\d+/)?tasks(/\w+)?$ |
| 74 | +2017/08/18 11:44:50 3 : ^/(v\d\.\d+/)?networks(/\w+)?$ |
| 75 | +2017/08/18 11:44:50 4 : ^/(v\d\.\d+/)?nodes(/\w+)?$ |
| 76 | +2017/08/18 11:44:50 5 : ^/(v\d\.\d+/)?info$ |
| 77 | +2017/08/18 11:44:50 6 : ^/_ping$ |
| 78 | +2017/08/18 11:44:50 [gk-soxy] Listening on /tmp/doxy.sock |
| 79 | +[negroni] 2017-08-18T11:45:00+02:00 | 200 | 3.800713ms | docker | GET /_ping |
| 80 | +[negroni] 2017-08-18T11:45:00+02:00 | 403 | 34.067µs | docker | GET /v1.31/containers/a62250e0890a/export |
| 81 | +[negroni] 2017-08-18T11:45:04+02:00 | 200 | 1.800044ms | docker | GET /_ping |
| 82 | +[negroni] 2017-08-18T11:45:04+02:00 | 200 | 2.055015ms | docker | GET /v1.31/containers/json |
| 83 | +``` |
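Review bot: the "Filter mechanism" section should state explicitly what the allow-list is matched against and what happens when `--pattern-file` cannot be read. The Usage transcript shows that a missing `/etc/doxy.pattern` is only logged ("Error reading patterns file ... using default patterns") and the proxy keeps running on the built-in list, so an operator who ships a stricter pattern file that fails to load gets the default list without the process refusing to start; that fallback behaviour belongs in the README text, not just in the captured log. Two smaller documentation points in the same hunk: the "Regex" patterns use `(/\w+)?` for the container, task, network and node ID segment, so a request that identifies a resource by a name containing characters outside `\w` (such as `-` or `.`) will be rejected even though the same lookup by hex ID passes, which is worth saying next to the list; and the "Debug output" text refers to the `-debug` flag while the help output lists `--debug`, and the startup line prints `[gk-soxy]` rather than `doxy`, so one name should be used consistently. Suggested addition after the regex list: "Patterns are matched against the request path only; a resource referenced by a name that does not match `\w+` is denied."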