I see the ability to add registry, and maybe I am missing it, but we have a need to block all registry's except what we white list. I have added local registry, and they work, but now we would like the abiltiy to block docker from pulling from any public registry's, ie docker hub.

Hi,
I have to setup docker. For that i have to setup "HBM,TSA,TWIC" for users authentication on docker commands. I have setup TSA server, Docker host, AD.
Docker host:-
packaged installed: docker-engine-1.12.6-1.el7.centos.x86_64,hbm-0.2.2-1.el7.centos.x86_64,twic-0.1.0-1.el7.centos.x86_64,

TSA server : -

[root@workernode2 ~]# tsa info
Certificate Authority:
Type: root
Expire: 2027-05-30
Country: INDIA
State: HR
Locality: Gurgoan
Organization: Example
Organizational Unit: IT department Certificate Authority
Common Name: IT department Root CA
E-mail: [email protected]
API:
FQDN: workernode2.example.com
Bind Address: 0.0.0.0
Bind Port: 443
Auth Type: ldap
Certificates: 1
Valid: 1
Expired: 0
Revoked: 0
Server Version: 0.1.1
Storage Driver: sqlite
Logging Driver: standard
TSA Root Dir: /var/lib/tsa

[root@workernode2 ~]# tsa auth ls
KEY VALUE
auth_type ldap
auth_host ad1.example.com
auth_port 3269
auth_tls true
auth_bind_username [email protected]
auth_attr_members memberOf
auth_bind_password secret
auth_search_base_user ou=containers,dc=example,dc=com
auth_search_filter (&(objectCategory=containers)(cn=%s))
auth_group_admin cn=dockeradmin,ou=containers,ou=admindocker,dc=example,dc=com
auth_group_user cn=docker1,ou=containers,ou=admindocker,dc=example,dc=com

Getting error while generation twic certificate. on client node as well as docker host, below are error message.

[docker1@workernode1 ~]$ twic cert add tsa1
TSA URL : https://workernode2.example.com
Username : admin (Admin user and credential)
Password : ******
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x6b076c]

goroutine 1 [running]:
github.com/kassisol/twic/vendor/github.com/juliengk/stack/client.(*Request).Do(0xc4201a17c0, 0xa24446, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/kassisol/twic/vendor/github.com/juliengk/stack/client/client.go:132 +0x74c
github.com/kassisol/twic/vendor/github.com/juliengk/stack/client.(*Request).Get(0xc4201a17c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/go/src/github.com/kassisol/twic/vendor/github.com/juliengk/stack/client/client.go:145 +0x95
github.com/kassisol/twic/vendor/github.com/kassisol/tsa/client.(*Config).GetDirectory(0xc4201ab180, 0x1f, 0xc4201ab180)
/go/src/github.com/kassisol/twic/vendor/github.com/kassisol/tsa/client/client.go:42 +0x106
github.com/kassisol/twic/cli/command/cert.runAdd(0xc420077200, 0xc42018f6d0, 0x1, 0x1)
/go/src/github.com/kassisol/twic/cli/command/cert/add.go:144 +0x60c
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).execute(0xc420077200, 0xc42018f690, 0x1, 0x1, 0xc420077200, 0xc42018f690)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:648 +0x231
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420076b40, 0xc420076b40, 0xc420076b40, 0xc420076b40)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:734 +0x339
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420076b40, 0xc4200001a0, 0xc4200001a0)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:693 +0x2b
main.main()
/go/src/github.com/kassisol/twic/main.go:42 +0x2f

Please help me fix it. Thank you in advance

Hello.

As I know, your plugin support restrictions to by default deny all commands and allow available commands called whitelist.
My use case needs blacklist which by default allows all and deny some commands.

Please tell me how to do above if there is already the feature.

Thanks!

Best regards

Hello.

I suggest a new feature for audit.
When a user changes policy or resource via command line, no log remains.
I found logs about hbm through journald on CentOS but there is no log about hbm resource change history.
I think that only Authz logs are available under the current architecture.
When I run hbm resource ls, it directly call a function.

As I know, all commands of docker go through REST api to execute as below.

1. Run docker command via cli.
2. Internally call REST API through unix sock, for example /run/docker.sock.
3. Execute the proper command.

If HBM has the same architecture as docker, all logs are available.
What do you think of implementing REST api to change policy or resources?
Surely I know this change needs big stuff.

Always thanks.

Hello. I have an idea to restrict ip address range.
Under the network in the company, ip address range developers can use is assigned in advance to prevent from conflicting invalid routing.
As I read docker document, no option is available to do that by docker itself.
I think that HBM becomes nice solution.

What do you think of this feature?

How close is the drop date for hbm 0.3?

Description

I've tried adding the resources like the specific image, container_create action and an option like container_create_param_privileged to a collection in the hopes HBM would require all of them together to allow the container creation but evidently I can create other images in other collections with the --privileged flag as well.

Example

# hbm collection ls
NAME                        RESOURCES
readonly                    info, container_list, container_inspect, container_wait
bash                        container_create, bash
manage_existing_containers  container_attach, container_start, container_remove, container_resize
dind                        container_create, container_create_param_privileged, dind_repo
$ docker run --rm -ti --privileged bash
bash-4.4# exit

Question

Either I missed somewhere in the brief CLI documentation if you could change the behavior to match all resources in a collection (e.g. an AND option in the policy for that collection) or there's not much point in using collections other than management but not functionality...
Is there a way to only allow a container creation of an image with the specified flags but not allow these flags for other images?
Also can I forbid changing the CMD/ENTRYPOINT on container creation?

Hi there,

There's a few broken links in the documentation.
The readme link at the end which send to the harbormaster website documentation is broken for example.
Same goes for most in documentation (*.md files in doc directory) links.

Could be wise to fix them :)

Hi,

We want to allow users to build and tag images and then run them. We have managed to allow users to do so with images matching a specific name by adding a HBM resource:

# hbm resource ls -f 'type=image'
NAME                TYPE                VALUE               OPTIONS             COLLECTIONS
my_image            image               my_image

The above allows users to use the name "my_image". However, we expect to end up in a situation where many images will be built and tagged locally and having to explicitly white-list image names does not scale very well.

Is it possible to / would it be possible to add support for wildcard image names?

right now HBM is installed as a legacy plugin: https://docs.docker.com/engine/extend/legacy_plugins/#types-of-plugins

but the supported method to use the plugin is the managed one:
https://docs.docker.com/v17.09/engine/extend/

it doesn't seem to be that hard, and it could as well help HBM being widely used and the legacy plugin system isn't anymore advised :)

If I allow to mount recursive from a specific path, ie /local/scratch. Then it is possible to mount /local/scratch/* folders. This is as expected.

Sadly it is also possible to mount /local/scratch/../, which shouldn't be allowed.

/Henrik

Hi,

The DNS for harbormaster.io no longer points to the documentation website. The DNS has expired (Dec 15, 2018).

Description

The plugin doesn't allow me to run a service via docker-compose but has no problem running the same configuration via docker. invoking docker-compose gives me the error in the title, the plugin prints "Recovered panic: runtime error: invalid memory address or nil pointer dereference" among other messages.

Commands to reproduce (requires certificates setup)

# docker run -d --privileged -P -w /etc/docker -v /etc/docker/dind:/etc/docker -v /run/docker/plugins/hbm.sock:/run/docker/plugins/hbm.sock docker:dind --data-root /var/lib/docker-packaged --storage-driver=aufs  --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem --authorization-plugin=hbm
bdcc971a1f3ea5d2dd1c67c26fbd8f513cdb805e0f579aa38b7ebe7368354b06
$ docker-compose --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem -H 127.0.0.1:32768 run init
ERROR: Cannot create container for service init: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrat

Working command with docker:

$ docker run --rm --init --net none -ti bash -c 'echo "Container with init started, try and press Ctrl+C to stop, timeout: 10s" ; sleep 10'
Container with init started, try and press Ctrl+C to stop, timeout: 10s
^C

HBM log

time="2018-08-22T03:40:20+02:00" level=info action=network_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=network_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=image_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
2018/08/22 03:40:20 Recovered: runtime error: invalid memory address or nil pointer dereference
time="2018-08-22T03:40:20+02:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
time="2018-08-22T03:40:20+02:00" level=warning msg="goroutine 5399 [running]:\nruntime/debug.Stack(0xc42083eb20, 0xc420a9fbe0, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf74640, 0xc42083eb20, 0xf70560, 0xc4206a1840, 0xc420a37950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa314e0, 0xf5a0c0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc42083eb00, 0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:112 +0x7e4\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420384d80, 0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, 0x2ab, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42039ae40, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420384e70, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc420010dc0, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc420701220, 0xf702a0, 0xc4207e16c0)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"

Configuration

hbm collection ls:

$ uname -a
Linux Celmor-PC 4.17.9-1-MANJARO #1 SMP PREEMPT Sun Jul 22 20:01:56 UTC 2018 x86_64 GNU/Linux
$ cat docker-compose.yml
version: '3.7'
services
  init:
    image: bash
    init: true
    stdin_open: true
    tty: true
    network_mode: "none"
    command:
    - -c
    - echo
    - "Container with init started, try and press Ctrl+C to stop, timeout: 10s"
    - sleep 10

I am new to hbm. Trying to understand things .Could some one help me understanding the folder structure and how to run individual scripts in go lang please??

Thanks in advance

I have been working/configuring hbm to see if this is something we want to implement in our organization. So far it looks amazing, great work!

I am seeing one thing that I maybe doing wrong or could be a bug. I have been utilizing docker on my local machine for a little while now and I am trying to start a centos image that has already been downloaded to my machine from Docker Hub.

I have run the following commands below but when I try to execute docker run -itd centos I get a response from HBM that centos is not allowed.

hbm resource add --type image --value alpine image_centos
hbm resource member --add default image_centos
hbm resource member --add default image_create

Hello.

I am using hbm master version.
When I tested with hbm and docker-compose, a panic occurred on 38 lines pkg/cmdbuilder/cmdbuilder.go.
And error message is below.

time="2018-01-20T04:42:05-05:00" level=warning msg="Recovered panic: json: cannot unmarshal array into Go value of type map[string]bool"

To unmarshal filters, map[string]map[string]bool is supposed as a struct.

func (c *Config) AddFilters() {
        if len(c.Params) > 0 {
                if _, ok := c.Params["filters"]; ok {
                        var v map[string]map[string]bool

                        err := json.Unmarshal([]byte(c.Params["filters"][0]), &v)
                        if err != nil {
                                panic(err)
                        }

                        for k, val := range v {
                                for ka := range val {
                                        c.Add(fmt.Sprintf("--filter \"%s=%s\"", k, ka))
                                }
                        }
                }
        }
}

I slightly changed the code to check c.Params["filters"][0] and the result is below.

[{"label": ["com.docker.compose.project=dockerfluentd", "com.docker.compose.oneoff=False"]}]

dockerfluentd looks like my project name I tested.
And when docker-compose up is executed, at the beginning of steps, docker-compose searches container list with above label filters.

I don't know what is supposed to unmarshal using this code.
I check and examine your plugin to harden my job security.
I have an attention to progressively contribute this plugin.

Thanks

When I receive a request to ask if a container can be started I would like to go back to the docker host and get the sha256 of the image thats being started. However I am getting errors indicating the plugin cannot talk to /var/run/docker.sock

I have the following code just trying to list the containers at present

func getContainers() {
	fmt.Printf("***** Container List\n")
	cli, err := client.NewClientWithOpts(client.FromEnv)
	if err != nil {
		panic(err)
	}

	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
	if err != nil {
		panic(err)
	}

	for _, container := range containers {
		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
	}
}

When running my container before creating the plugin I can achieve the desired behaviour by running the container as follows

docker run -v /var/run/docker.sock:/var/run/docker.sock ${TEMPLATE}:${VERSION}

I believe there is some config somewhere in the config.json to achieve the same thing but I cannot seem to do it I have tried

    "PropagatedMount": "/var/run/docker.sock",
    "Mounts": [
      {
          "Type": "bind",
          "Source": "/var/run/docker.sock",
          "Destination": "/var/run/docker.sock",
          "Mode": "",
          "RW": true,
          "Propagation": "rprivate"
      }
  ]

Any thoughts?

Hello.

Summary

I have a troublesome integrating with syslog on a specific machine.

Version

$ hbm version
Version:     0.9.2
Git commit:  878ff89
Built:       2018-03-13 05:30:07 +0900 KST
Go version:  go1.8.3
OS/Arch:     linux/amd64

$ docker version
Client:
 Version:	17.12.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	c97c6d6
 Built:	Wed Dec 27 20:10:14 2017
 OS/Arch:	linux/amd64

Server:
 Engine:
  Version:	17.12.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	c97c6d6
  Built:	Wed Dec 27 20:12:46 2017
  OS/Arch:	linux/amd64
  Experimental:	false

$ docker-compose version
docker-compose version 1.17.0, build ac53b73
docker-py version: 2.5.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t  3 May 2016

I used docker-compose up to run containers with below docker-compose file.

version: '3'

services:
  syslog:
    image: private.registry.url/library/syslog:alpine
    volumes:
     - ./log:/var/log/docker
    ports:
     - 127.0.0.1:10514:10514

  nginx:
    image: private.registry.url/library/nginx:1.13.9-alpine
    restart: always
    ports:
     - 80:80
     - 443:443
    volumes:
     - ./nginx.conf:/etc/nginx/nginx.conf
     - ./certs:/etc/nginx/certs
    depends_on:
     - syslog
    logging:
      driver: syslog
      options:
        syslog-address: tcp://127.0.0.1:10514
        tag: nginx

And the following result was shown.

$ docker-compose up
Creating nginx_syslog_1 ...
Creating nginx_syslog_1 ... done
Creating nginx_nginx_1 ...
Creating nginx_nginx_1 ... error

ERROR: for nginx_nginx_1  Cannot create container for service nginx: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrator

ERROR: for nginx  Cannot create container for service nginx: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrator
ERROR: Encountered errors while bringing up the project.

When nginx service run without syslog driver, no error happened.

I checked HBM log.

Recovered: runtime error: invalid memory address or nil pointer dereference
time="2018-04-24T17:41:50+09:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
time="2018-04-24T17:41:50+09:00" level=warning msg="goroutine 8 [running]:\nruntime/debug.Stack(0xc420321c40, 0xc420910b40, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf894e0, 0xc420321c40, 0xf85540, 0xc420246940, 0xc4209e3950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa453c0, 0xf6f0b0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc420321c20, 0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:116 +0x862\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420366cf0, 0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, 0x4b9, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42037ecc0, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420366de0, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc420076f20, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc42036d400, 0xf85280, 0xc42037b500)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"

I already tried to run with various versions, 0.9.2, 0.9.5, 0.10.0.
Looking at stacktrace, an error point is https://github.com/kassisol/hbm/blob/0.9.2/plugin/api.go#L116.
And then after executing https://github.com/kassisol/hbm/blob/0.9.2/plugin/api.go#L102, r was set to nil.

I don't know what I should do to debug at this point.

Hello.

Multiple private registries are used for my project.
But now only one registry could be allowed via configuration.
It seems like that there is no way to set policy value as array.

If you note me that, I could implement it instead of you.

Thanks.

Hello.

When hbm is executed, initial config is set in code; authorization=false. which makes hbm disabled.
It seems like that there is no hbm server daemon option about that.

Thanks

The documentation states that

hbm resource add --type volumedriver --value ....

But when executing command

[root@eselnvlx2448 ~]# hbm resource add --type volumedriver --value local localdriver FATA[0000] The Resource Driver: volumedriver is not supported. Supported drivers are action,capability,config,device,dns,image,logdriver,logopt,plugin,port,registry,volume

Has volumedriver been removed intentionally or is it a misstake or has the usage changed?

Hello.

I am integrating with Portainer and HBM.
Portainer is a tool for managing docker resources via docker daemon TLS.

Version

Detail

When I make a request for creating a container using Portainer, HBM has an error below.

docker log

Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664208325-04:00" level=debug msg="Calling POST /containers/create?name=test"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664326790-04:00" level=debug msg="form data: {\"Cmd\":[],\"Env\":[],\"ExposedPorts\":{},\"HostConfig\":{\"Binds\":[],\"Devices\":[],\"ExtraHosts\":[],\"NetworkMode\":\"bridge\",\"PortBindings\":{},\"Privileged\":false,\"PublishAllPorts\":false,\"RestartPolicy\":{\"Name\":\"no\"}},\"Image\":\"library/alpine:3.7\",\"Labels\":{},\"MacAddress\":\"\",\"NetworkingConfig\":{\"EndpointsConfig\":{\"bridge\":{\"IPAMConfig\":{\"IPv4Address\":\"\",\"IPv6Address\":\"\"}}}},\"OpenStdin\":true,\"Tty\":true,\"Volumes\":{},\"name\":\"test\"}"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664356421-04:00" level=debug msg="AuthZ request using plugin hbm"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.679614206-04:00" level=error msg="AuthZRequest for POST /containers/create?name=test returned error: plugin hbm failed with error: AuthZPlugin.AuthZReq: Malformed request"

I injected a code for debugging what authorization.Request is given in ContainerCreate function located docker/allow/container.go.
As you can see, the value is below.

hbm log

Apr 03 22:18:52 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:52-04:00" level=info msg="docker container ls -a --filter \"name=^/test$\"" admin=false allowed=true user=client
Apr 03 22:18:52 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:52-04:00" level=info msg="docker image pull library/alpine" admin=false allowed=true user=client
Apr 03 22:18:53 localhost.localdomain hbm[12486]: {User:client UserAuthNMethod:TLS RequestMethod:POST RequestURI:/containers/create?name=test RequestBody:[] RequestHeaders:map[Content-Length:440 Cookie:_ga=GA1.1.734966946.1509693905; _gid=GA1.1.1988790202.1522732951; __lnkrntdmcvrd=-1 Referer:http://127.0.0.1:9000/ Accept-Language:ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 Accept-Encoding:gzip, deflate, br Content-Type:application/json;charset=UTF-8 Origin:http://127.0.0.1:9000 User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 X-Forwarded-For:10.2.0.2 Accept:application/json, text/plain, */*] RequestPeerCertificates:[0xc4200b1180] ResponseStatusCode:0 ResponseBody:[] ResponseHeaders:map[]}
Apr 03 22:18:53 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:53-04:00" level=info msg="docker container run --name=test" admin=false allowed=false msg= user=client

When req.RequestBody is parsed as json, error occurs and the function stops with the error.
And then I tried to run docker without HBM and create container via Portainer and no error occured. Additionally, everything works fine via cli.

But I found that Content-Length of the above request is 440, which means that RequestBody was not delivered from docker daemon to HBM

Summary

1. I installed HBM and Portainer, https://github.com/portainer/portainer
2. Portainer communicates docker over TLS not unix socket.
3. Creating a container via Portainer, an error, json parse error, occurred.
4. authorization.Request > RequestBody is empty in HBM but sent in docker log.
5. Without HBM, it works fine.

Thanks

Hi,

I have been looking for some documentation on how to properly add policies to hbm. Is there any available? If this is the wrong place to ask, can you point me in the right direction.

Thank you,

Hi,
We have come across a runtime errror with HBM any idea why this is happening?

Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=info action=image_inspect admin=false allowed=true authorization=true user=root
Oct 15 14:16:29 sekalx583 hbm[1918]: 2018/10/15 14:16:29 Recovered: runtime error: invalid memory address or nil pointer dereference
Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=warning msg="goroutine 18 [running]:\nruntime/debug.Stack(0xc42086d100, 0xc42042e360, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf74640, 0xc42086d100, 0xf70560, 0xc4205181b0, 0xc42065b950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa314e0, 0xf5a0c0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc42086d0e0, 0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:112 +0x7e4\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420386d20, 0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, 0x656, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42039ae00, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420386e10, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc4200acc60, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc4203c8000, 0xf702a0, 0xc4203cc040)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"

In HBM I have allowed ports 10000-10001. And also all swarm actions.

I can start containers using docker run ..., but if I use docker stack deploy the same port will report the following error message

Error response from daemon: authorization denied by plugin hbm: Port %!s(uint32=10001) is not allowed to be published