Open jirislav opened 5 years ago
@lox how do you feel about this vs both ours + your use case of using sockguard as a sidecar...? In terms of caveats of running a "global" sockguard instance?
Yes, I've thought about it - and it makes sense to run as many `sockguard`s as you have docker containers with a mounted Docker socket, to maximize isolation .. Maybe I should rewrite it to a service template, as described here:
You could then spawn persistent `sockguard`s by typing simply:

```sh
systemctl enable sockguard@runner1.service
systemctl enable sockguard@runner2.service
systemctl enable sockguard@runner3.service
```

And it would generate these sockets:

```
/var/run/sockguard.runner1.sock
/var/run/sockguard.runner2.sock
/var/run/sockguard.runner3.sock
```
What do you think?
Here is the updated version, which is capable of spawning as many `sockguard`s as you want ;)
1) Create the file `/etc/systemd/system/sockguard@.service` from this template (the `@` is important):
```ini
# /etc/systemd/system/sockguard@.service
# Template unit: %i is replaced by the instance name, e.g. "runner1" for sockguard@runner1.service
[Unit]
Description=Socket ACL guard for the Docker API
Documentation=https://github.com/buildkite/sockguard
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
User=root
Group=sockguard
# One guard socket per instance; -mode 0660 keeps it readable/writable by the sockguard group only,
# and -allow-bind permits bind-mounting only the guard's own socket path, never the real Docker socket
ExecStart=/usr/sbin/sockguard -filename /var/run/sockguard.%i.sock -mode "0660" -allow-bind /var/run/sockguard.%i.sock
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
2) Create `/etc/systemd/system/sockguard.target`, which will point to all the `sockguard@*.service` instances:
```ini
# /etc/systemd/system/sockguard.target
# Starting this target pulls in multi-user.target, which wants every enabled sockguard@*.service instance
[Unit]
Description=Target for all instances of sockguard@.service
Requires=multi-user.target
After=multi-user.target
AllowIsolate=yes
```
3) Create the `sockguard` group:

```sh
sudo addgroup sockguard
```
4) Install the `sockguard` binary to `/usr/sbin`:

```sh
cd /tmp
git clone https://github.com/buildkite/sockguard.git
cd sockguard   # the compose file lives inside the cloned repository
# build and start the image, then copy the static binary out of the container
docker-compose up -d
sudo docker cp sockguard_sockguard_1:/sockguard /usr/sbin/
docker-compose kill
```
5) Enable as many boot-persistent `sockguard` instances as you like:

```sh
sudo systemctl enable sockguard@runner-1.service
sudo systemctl enable sockguard@type-anything-in-here.service
sudo systemctl enable sockguard@hello-world.service
```
6) Start the service:

```sh
sudo systemctl start sockguard.target
```
Now everyone within the group `sockguard` can connect to the guarded docker sockets at:

```
/var/run/sockguard.runner-1.sock
/var/run/sockguard.type-anything-in-here.sock
/var/run/sockguard.hello-world.sock
```
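As an added example (not part of this issue or of the sockguard project), a small Python audit a host operator could run after step 6 to confirm that every instance socket exists, is a unix socket, and is owned by the expected uid and the `sockguard` gid with mode 0660 rather than a world-accessible mode; `self_check` creates constructed sample sockets in a temp dir instead of touching `/var/run`.

```python
import grp
import os
import socket
import stat
import tempfile


def audit_socket(path, uid=0, gid=None, mode=0o660):
    """Check one guarded socket against the expected owner uid, group gid and
    permission bits; return a list of findings (empty list == looks correct)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (instance not started?)"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a unix socket")
    perm = stat.S_IMODE(st.st_mode)
    if perm != mode:  # 0660 keeps the Docker API group-only; any world bit is a real leak
        extra = " (world-accessible!)" if perm & 0o007 else ""
        findings.append(f"{path}: mode {perm:04o} != {mode:04o}{extra}")
    if st.st_uid != uid:
        findings.append(f"{path}: owner uid {st.st_uid} != {uid}")
    if gid is not None and st.st_gid != gid:
        findings.append(f"{path}: group gid {st.st_gid} != {gid}")
    return findings


def audit_instances(names, rundir="/var/run", group="sockguard", **expect):
    """Audit <rundir>/sockguard.<name>.sock for every instance name; returns {path: findings}."""
    if "gid" not in expect:  # resolve the sockguard group only when the caller gave no gid
        expect["gid"] = grp.getgrnam(group).gr_gid
    return {p: audit_socket(p, **expect)
            for p in (f"{rundir}/sockguard.{n}.sock" for n in names)}


def self_check():
    """Constructed demo in a temp dir (not a real host): one correctly guarded socket,
    one world-accessible socket, and one instance that was never started."""
    rundir = tempfile.mkdtemp()
    keep = []  # keep the sockets open so the paths stay bound during the audit
    for name, mode in (("runner-1", 0o660), ("runner-2", 0o666)):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(f"{rundir}/sockguard.{name}.sock")
        os.chmod(s.getsockname(), mode)
        keep.append(s)
    return audit_instances(["runner-1", "runner-2", "never-started"],
                           rundir=rundir, uid=os.getuid(), gid=os.getgid())
```

On a real host call `audit_instances(["runner-1", "hello-world"])` with the defaults, which expect root ownership and resolve the `sockguard` group from `/etc/group`.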
I've created a systemd service so that the `sockguard` is always started on system boot right after docker. I think it would be good to have this systemd example in `README.md` for users who also want to run `sockguard` uninterrupted synchronously with docker.

Installation

1) Create the file `/etc/systemd/system/sockguard.service` from this template:

2) Create the `sockguard` group:

3) Enable the `sockguard.service`:

4) Install the `sockguard` binary to `/usr/sbin`:

5) Start the service:

Now everyone within the group `sockguard` can connect to the guarded docker socket at `/var/run/sockguard.sock`.