Comments (3)
Thank you for sharing the article. Unfortunately `docker-fabric` would not work with this, since just like the `docker` command line client it requires access to the socket. Therefore `docker-fabric` would have to generate command line strings rather than communicating with the API directly. I am currently refactoring parts of the underlying library Docker-Map which would technically also make this easier, but it would require some more work in order to get all options transformed correctly.

In `docker-fabric`, `socat` handles the redirection of the client to the socket. Therefore, if it is just about knowing when Docker is run, `socat` (or an alias thereof) could be prefixed with `sudo`. That would be easy to implement. However, that would not expose to the system logs which containers are being run and in which configuration. So in the sense of the article, it is not sufficient.

If the idea is to restrict management to a set of managed containers, I would suggest implementing a script based on Docker-Map that either cannot be modified or simply disallows setting the `privileged` flag by checking configuration and keyword arguments before creating a container. That script and its configuration would have to be installed directly on the server, but could be invoked via Fabric.
from docker-fabric.
The goal is the audit logs... not restricting container access.
I also realized that I closed this issue too soon since a full solution requires a change to the way commands are piped to the client... which is all handled in this project.
If you like my suggested strategy in `docker-map`, we'd still need a way to get those commands to run on the remote machine. I'm thinking we could write the docker CLI module with a "call" method that basically shadows subprocess.call. `docker-fabric` need only overload that method with an appropriate `fabric` command (e.g. `run` or `sudo`).
from docker-fabric.
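The design discussed in the two comments above, as an added sketch that is not part of the thread and not code from docker-fabric or Docker-Map: a client that builds `docker` command lines, refuses the `privileged` flag, and sends everything through one overridable `call` method. The class names, the keyword arguments and the recording subclass (a stand-in for a Fabric `run`/`sudo` call) are assumptions made for illustration.

```python
import shlex
import subprocess

# Hypothetical set of keyword arguments this sketch knows how to translate.
ALLOWED_KWARGS = {"environment", "volumes"}


class DockerCliClient:
    """Builds docker command lines instead of talking to the socket API."""

    def call(self, argv):
        # Shadows subprocess.call: takes an argument list, returns the exit code.
        return subprocess.call(argv)

    def build_run(self, image, name=None, **kwargs):
        # Check keyword arguments before any command is created.
        if kwargs.get("privileged"):
            raise ValueError("privileged containers are not allowed")
        unknown = set(kwargs) - ALLOWED_KWARGS - {"privileged"}
        if unknown:
            raise ValueError("unsupported options: %s" % sorted(unknown))
        argv = ["docker", "run", "-d"]
        if name:
            argv += ["--name", name]
        for key, value in sorted(kwargs.get("environment", {}).items()):
            argv += ["-e", "%s=%s" % (key, value)]
        for host, target in sorted(kwargs.get("volumes", {}).items()):
            argv += ["-v", "%s:%s" % (host, target)]
        argv.append(image)
        return argv

    def run_container(self, image, **kwargs):
        return self.call(self.build_run(image, **kwargs))


class SudoRecordingClient(DockerCliClient):
    """Stand-in for a remote subclass: overrides only call()."""

    def __init__(self):
        self.sent = []

    def call(self, argv):
        # A Fabric-based subclass would pass this string to run or sudo here;
        # the sketch records it so the full command line can be inspected.
        command = "sudo " + shlex.join(argv)
        self.sent.append(command)
        return 0
```

Because the whole container configuration is in the command string, it is visible to whatever logs the `sudo` invocation, which prefixing only `socat` does not achieve.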
Implemented in release 0.4.0.
from docker-fabric.