From 551b0090fb0628cafd678162e7d73b0234d74637 Mon Sep 17 00:00:00 2001 From: Vishesh Handa Date: Fri, 7 Jun 2019 12:12:48 +0200 Subject: [PATCH 1/2] Only allow a single IP to access the remote API This way it's a bit more secure. --- Dockerfile | 3 ++- readme.md | 4 +++- run.sh | 12 ++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100755 run.sh diff --git a/Dockerfile b/Dockerfile index dedc1c8..a370fd8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,4 +4,5 @@ RUN apk update && apk add socat EXPOSE 2375 -CMD socat TCP-LISTEN:2375,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock +COPY run.sh / +ENTRYPOINT ["/run.sh"] diff --git a/readme.md b/readme.md index 9453f7c..e93b4f0 100644 --- a/readme.md +++ b/readme.md @@ -1,4 +1,6 @@ Makes the Docker Remote API available via port 2375. Start with: -`docker run -p 2375:2375 -v /var/run/docker.sock:/var/run/docker.sock jarkt/docker-remote-api` +`docker run -d -p 2375:2375 -v /var/run/docker.sock:/var/run/docker.sock vhanda/docker-remote-api ALLOWED_IP` + +Where `ALLOWED_IP` is the only IP which can connect to this machine. diff --git a/run.sh b/run.sh new file mode 100755 index 0000000..bdccd0a --- /dev/null +++ b/run.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env sh + +if [ -z "$1" ]; then + echo "First parameter must be the allowed IP" + exit 1 +fi + +set -eu +ALLOWED_IP=$1 + +echo "Starting Docker Remote API for IP $ALLOWED_IP" +socat TCP-LISTEN:2375,reuseaddr,fork,range=${ALLOWED_IP}/32 UNIX-CLIENT:/var/run/docker.sock From bce8f55cfc40fa9bdbac5f12879193b0d9c76442 Mon Sep 17 00:00:00 2001 From: Vishesh Handa Date: Fri, 7 Jun 2019 12:16:37 +0200 Subject: [PATCH 2/2] README: Give the container a name It makes it easier to identifiy --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index e93b4f0..96e5642 100644 --- a/readme.md +++ b/readme.md 
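Review bot: Nothing in the Dockerfile records that the container now requires an argument, or why: with `ENTRYPOINT ["/run.sh"]` a `docker run` without the IP exits with status 1. The listener behind `EXPOSE 2375` is still a plaintext, unauthenticated path to the host's Docker socket. A comment above the ENTRYPOINT would make that explicit, e.g. `# run.sh requires the allowed client IP as its only argument; the source-IP filter is the sole access control on this unauthenticated API.`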
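Review bot: `$1` reaches the socat address unvalidated and unquoted on the last line of run.sh, so a value containing a comma or whitespace would be parsed as extra socat options or extra arguments rather than as an address. Restrict it to address characters before use, e.g. `case "$ALLOWED_IP" in *[!0-9.]*) echo "ALLOWED_IP must be an IPv4 address" >&2; exit 1 ;; esac`, and quote the whole address: `exec socat "TCP-LISTEN:2375,reuseaddr,fork,range=${ALLOWED_IP}/32" UNIX-CLIENT:/var/run/docker.sock`. With `exec`, socat replaces the wrapping shell, so `docker stop` signals it directly. The `range=` check matches the peer address socat sees inside the container, which may be a bridge or proxy address rather than the real client depending on how the port is published, so verify it on the target host. It also neither authenticates nor encrypts the connection.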
@@ -1,6 +1,6 @@ Makes the Docker Remote API available via port 2375. Start with: -`docker run -d -p 2375:2375 -v /var/run/docker.sock:/var/run/docker.sock vhanda/docker-remote-api ALLOWED_IP` +`docker run -d -p 2375:2375 --name docker_remote_api -v /var/run/docker.sock:/var/run/docker.sock vhanda/docker-remote-api ALLOWED_IP` Where `ALLOWED_IP` is the only IP which can connect to this machine.