buildkite / sockguard

A proxy for docker.sock that enforces access control and isolated privileges
MIT License

Add systemd example to README #43

Open jirislav opened 5 years ago

jirislav commented 5 years ago

I've created a systemd service so that the sockguard is always started on system boot right after docker.

I think it would be good to have this systemd example in README.md for users who also want to run sockguard uninterrupted, synchronously with docker.

Installation

1) Create the file /etc/systemd/system/sockguard.service from this template:

# /etc/systemd/system/sockguard.service
[Unit]
Description=Socket ACL guard for the Docker API
Documentation=https://github.com/buildkite/sockguard
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
User=root
Group=sockguard
ExecStart=/usr/sbin/sockguard -filename /var/run/sockguard.sock -mode "0660"

Restart=on-failure
StartLimitBurst=2
StartLimitInterval=10s

[Install]
WantedBy=multi-user.target

2) Create the sockguard group:

sudo addgroup sockguard

3) Enable the sockguard.service:

sudo systemctl enable sockguard.service

4) Install the sockguard binary to /usr/sbin:

cd /tmp
git clone https://github.com/buildkite/sockguard.git
docker-compose up -d
sudo docker cp sockguard_sockguard_1:/sockguard /usr/sbin/
docker-compose kill

5) Start the service:

sudo systemctl start sockguard.service

Now everyone within the group sockguard can connect to the guarded docker socket at /var/run/sockguard.sock.

CpuID commented 5 years ago

@lox how do you feel about this vs both ours + your use case of using sockguard as a sidecar...? In terms of caveats of running a "global" sockguard instance?

jirislav commented 5 years ago

Yes, I've thought about it, and it makes sense to run as many sockguards as you have Docker containers with the Docker socket mounted, to maximize isolation. Maybe I should rewrite it as a service template, as described here:

You could then spawn a persistent sockguard simply by typing:

systemctl enable sockguard@runner1.service
systemctl enable sockguard@runner2.service
systemctl enable sockguard@runner3.service

And it would generate these sockets:

/var/run/sockguard.runner1.sock
/var/run/sockguard.runner2.sock
/var/run/sockguard.runner3.sock

What do you think?

jirislav commented 5 years ago

Here is the updated version, which is capable of spawning as many sockguards as you want ;)

Installation

1) Create the file /etc/systemd/system/sockguard@.service from this template (the @ is important):

# /etc/systemd/system/sockguard@.service
[Unit]
Description=Socket ACL guard for the Docker API
Documentation=https://github.com/buildkite/sockguard
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
User=root
Group=sockguard
ExecStart=/usr/sbin/sockguard -filename /var/run/sockguard.%i.sock -mode "0660" -allow-bind /var/run/sockguard.%i.sock

Restart=on-failure

[Install]
WantedBy=multi-user.target

2) Create /etc/systemd/system/sockguard.target, which will point to all the sockguard@*.service instances:

# /etc/systemd/system/sockguard.target
[Unit]
Description=Target for all instances of sockguard@.service
Requires=multi-user.target
After=multi-user.target
AllowIsolate=yes

3) Create the sockguard group:

sudo addgroup sockguard

4) Install the sockguard binary to /usr/sbin:

cd /tmp
git clone https://github.com/buildkite/sockguard.git
docker-compose up -d
sudo docker cp sockguard_sockguard_1:/sockguard /usr/sbin/
docker-compose kill

5) Enable as many boot-persistent sockguard instances as you like:

sudo systemctl enable sockguard@runner-1.service
sudo systemctl enable sockguard@type-anything-in-here.service
sudo systemctl enable sockguard@hello-world.service

6) Start the service:

sudo systemctl start sockguard.target

Now everyone within the group sockguard can connect to the guarded docker sockets at:
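Added example (my own code, not from this thread or the sockguard project): a pre-deployment lint for the single-instance and template units above. It parses a unit with Python's configparser, extracts the flags from ExecStart, and flags settings that widen access to the proxied Docker API (a world-accessible -mode, no Group=) or break instancing (a template whose socket path lacks %i). The sample unit is a constructed copy of the thread's template with -mode deliberately weakened to "0666".

```python
import configparser
import shlex

# Constructed sample, modelled on the template unit in this thread, with one
# weak setting (-mode "0666") introduced on purpose so the linter flags it.
SAMPLE_UNIT = """\
[Unit]
Description=Socket ACL guard for the Docker API
After=network-online.target docker.socket
Requires=docker.socket

[Service]
User=root
Group=sockguard
ExecStart=/usr/sbin/sockguard -filename /var/run/sockguard.%i.sock -mode "0666" -allow-bind /var/run/sockguard.%i.sock

[Install]
WantedBy=multi-user.target
"""

def parse_unit(text):
    """Parse a systemd unit with configparser, keeping key case (Group != group)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def sockguard_flags(execstart):
    """Turn 'sockguard -filename X -mode "0660"' into {'filename': X, 'mode': '0660'}."""
    argv = shlex.split(execstart)  # drops the shell quoting around "0660"
    return {argv[i].lstrip("-"): argv[i + 1]
            for i in range(1, len(argv) - 1) if argv[i].startswith("-")}

def lint_unit(text, template=False):
    """Return a list of findings; an empty list means the unit passed all checks."""
    cp = parse_unit(text)
    flags = sockguard_flags(cp.get("Service", "ExecStart", fallback=""))
    findings = []
    mode = int(flags.get("mode", "0660"), 8)  # the mode string is octal
    if mode & 0o007:
        findings.append("socket mode %04o grants 'other' access: every local user can reach the Docker API" % mode)
    if not cp.has_option("Service", "Group"):
        findings.append("Group= missing: with User=root the socket is root:root, so 0660 admits only root")
    if "docker.socket" not in cp.get("Unit", "Requires", fallback="").split():
        findings.append("Requires=docker.socket missing: sockguard may come up before docker.sock exists")
    if template and "%i" not in flags.get("filename", ""):
        findings.append("template unit socket path lacks %i: all instances would bind the same socket")
    return findings
```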