buildkite / sockguard

A proxy for docker.sock that enforces access control and isolated privileges
MIT License

"docker login" #15

Open CpuID opened 6 years ago

CpuID commented 6 years ago

Should we pass through `/vx.xx/auth` POST calls, to allow the use of `docker login some.registry:port`?

Noticed it when setting up our ephemeral agents to login using a Jenkins credential store entry, and hit:

Error response from daemon: POST /v1.37/auth not implemented yet

Which is from https://github.com/buildkite/sockguard/blob/master/director.go#L153 I expect. Maybe add it to https://github.com/buildkite/sockguard/blob/master/director.go#L66 - thoughts?

(note: not using any credential store plugins; my workaround is to write out a hand-crafted `~/.docker/config.json` with the base64-encoded credentials in it instead)
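To make the request concrete, here is an added example (not sockguard's own director code) of a method-plus-path allowlist that strips the Docker API version prefix before matching, so a `POST /v1.37/auth` from `docker login` is forwarded while `GET /v1.37/auth` and unknown endpoints still get the 501 quoted above; the `allowed` table and `decide` function are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// versionPrefix matches the optional Docker API version prefix, e.g. "/v1.37".
var versionPrefix = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)

// rule pairs an HTTP method with an exact path (version prefix stripped).
type rule struct {
	method string
	path   string
}

// allowed is a hypothetical allowlist (constructed for this example).
// Only POST /auth is opened, since that is the call `docker login` makes;
// its body carries the registry credentials, so a proxy should forward it
// without logging the body.
var allowed = map[rule]bool{
	{"GET", "/_ping"}:           true,
	{"GET", "/containers/json"}: true,
	{"POST", "/auth"}:           true,
}

// stripVersion removes the "/vX.YY" prefix so one rule covers every API version.
func stripVersion(p string) string {
	return versionPrefix.ReplaceAllString(p, "")
}

// decide returns 200 when the call may be forwarded to docker.sock and
// 501 otherwise, mirroring the "not implemented yet" error in the issue.
func decide(method, path string) int {
	if allowed[rule{method, stripVersion(path)}] {
		return http.StatusOK
	}
	return http.StatusNotImplemented
}

func main() {
	calls := []rule{{"POST", "/v1.37/auth"}, {"GET", "/v1.37/auth"}, {"POST", "/v1.37/swarm/init"}}
	for _, c := range calls {
		fmt.Printf("%s %s -> %d\n", c.method, c.path, decide(c.method, c.path))
	}
}
```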

lox commented 6 years ago

I wonder what the information leak implications of this are. Will this mean other sockguard partitions will be able to access authentication information?

CpuID commented 6 years ago

> I wonder what the information leak implications of this are. Will this mean other sockguard partitions will be able to access authentication information?

From what I can gather, no? I believe the API client is responsible for authentication + storing authed tokens etc...? I could be wrong about that, need to research more to be 100% sure. I would assume the daemon would have knowledge of it, but the fact it's fed into the docker CLI at execution time maybe makes me think not...