jenkinsci / docker-plugin

Jenkins cloud plugin that uses Docker
https://plugins.jenkins.io/docker-plugin/
MIT License
490 stars, 318 forks

Support to connect to docker/podman socket via SSH tunnel #1055

Closed rkosegi closed 6 months ago

rkosegi commented 7 months ago

What feature do you want to see added?

While trying to use machines with podman as workers for Jenkins, I found that the Podman folks state that you should not expose the control socket via TCP.

Please note that the API grants full access to all Podman functionality, and thus allows arbitrary code execution as the user running the API, with no ability to limit or audit this access. The API’s security model is built upon access via a Unix socket with access restricted via standard file permissions, ensuring that only the user running the service will be able to access it. We strongly recommend against making the API socket available via the network

Instead, you should use an SSH tunnel to access its Unix domain socket.

That got me thinking: can we add a connection method where we use the existing SSH client (trilead SSH) to launch socat on the target worker and tunnel the control connection to the Unix socket (such as /run/podman/podman.sock)? That would work for the Docker socket as well.

Upstream changes

None

Are you interested in contributing this feature?

If the community is interested in this feature, I can spend some effort on it.
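What the SSH-tunnel approach looks like in practice, as an added example (not code from the docker-plugin project or from the issue author). It shows both the plain OpenSSH socket-to-socket forward and the socat relay the comment describes, plus the `/_ping` probe a client would use to confirm the socket answers. The worker host name, login account and socket paths are assumptions:

```shell
#!/bin/sh
# Added example, not code from the docker-plugin project or from the issue author:
# reach a worker's Podman/Docker API over SSH without ever binding it to TCP.
# Worker host name, account and socket paths are assumptions.

# OpenSSH (6.7 and later) can forward a local Unix socket to a remote Unix socket,
# so the API is protected by file permissions on both ends and never touches a
# TCP port. ExitOnForwardFailure makes ssh exit instead of silently running
# without the forward; StreamLocalBindUnlink replaces a stale local socket file
# left behind by an earlier tunnel.
tunnel_cmd() {
  worker="$1"        # e.g. jenkins@podman-worker.example.org (key-based login)
  remote_sock="$2"   # /run/podman/podman.sock (rootful) or /run/user/<uid>/podman/podman.sock (rootless)
  local_sock="$3"    # socket the controller will talk to, e.g. /run/jenkins/podman-worker.sock
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes -L %s:%s %s' \
    "$local_sock" "$remote_sock" "$worker"
}

# The variant proposed in the issue: no ssh port forward at all. socat listens on
# the local socket and, per connection, runs ssh with socat on the worker bridging
# stdio to the API socket. Needs socat on both hosts; the colon inside the EXEC
# address must be escaped as \: or socat reads it as an address separator.
socat_relay_cmd() {
  worker="$1"; remote_sock="$2"; local_sock="$3"
  printf 'socat UNIX-LISTEN:%s,fork,mode=0600 EXEC:"ssh -T %s socat STDIO UNIX-CONNECT\\:%s"' \
    "$local_sock" "$worker" "$remote_sock"
}

# Probe the tunnel the way an HTTP client would: Docker and Podman both answer
# GET /_ping on the API socket with the body "OK".
check_api() {
  curl -sS --fail --unix-socket "$1" http://localhost/_ping
}

# Usage (only runs when START_TUNNEL=1, so the definitions above can be sourced):
if [ "${START_TUNNEL:-0}" = 1 ]; then
  eval "$(tunnel_cmd jenkins@podman-worker.example.org /run/podman/podman.sock /run/jenkins/podman-worker.sock)"
  check_api /run/jenkins/podman-worker.sock && echo " tunnel up"
fi
```

With the tunnel up, the plugin's Docker Host URI points at the local socket (unix:///run/jenkins/podman-worker.sock) exactly as it would for a daemon on the controller, so no plugin change is needed on the client side. The tunnel itself has to be kept alive (a systemd unit or autossh; not shown), because a dropped SSH session leaves the plugin with a dead socket, and the worker account should be the one that owns the socket or sits in its group, not root.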

rkosegi commented 6 months ago

Since nobody is interested in this and I have a simple and reliable workaround (mTLS with nginx, with a Unix domain socket as the upstream), I am closing this issue.
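The workaround named above, written out as an added example so it can be reproduced (this is not the commenter's configuration or code from the docker-plugin project). nginx terminates TLS on port 2376, requires a client certificate from a CA created only for Jenkins, and proxies to the API socket; a Docker CLI check and a negative check without a certificate follow. Certificate paths, socket path, host name and port are assumptions:

```shell
#!/bin/sh
# Added example, not code from the docker-plugin project or from the commenter:
# the "mTLS with nginx, Unix socket upstream" workaround written out so it can be
# reproduced. nginx terminates TLS on 2376, demands a client certificate issued
# by a CA created only for Jenkins, and proxies to the local API socket.
# Certificate paths, socket path, host name and port are assumptions.

write_nginx_mtls_conf() {
  out="$1"    # e.g. /etc/nginx/conf.d/container-api.conf
  sock="$2"   # e.g. /run/podman/podman.sock or /var/run/docker.sock
  cat >"$out" <<EOF
server {
    listen 2376 ssl;
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # Any certificate this CA signs is root-equivalent on this host (the API
    # starts containers as the socket owner), so the CA must exist for this
    # purpose only; a corporate CA would turn every employee cert into root.
    ssl_client_certificate  /etc/nginx/tls/jenkins-ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        1;

    location / {
        proxy_pass http://unix:${sock};
        proxy_http_version 1.1;
        # exec/attach/logs hijack the HTTP connection: pass Upgrade through and
        # turn off buffering, otherwise streamed build output stalls.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$http_connection;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 3600s;
    }
}
EOF
}

# From the controller: the Docker CLI and the plugin's "Docker Host Certificate
# Authentication" credential use the same CA/cert/key trio. --tlsverify pins the
# server to the CA and presents the client certificate.
check_mtls_api() {
  host="$1"; certdir="$2"   # certdir holds ca.pem, cert.pem, key.pem
  docker --tlsverify --tlscacert "$certdir/ca.pem" --tlscert "$certdir/cert.pem" \
    --tlskey "$certdir/key.pem" -H "tcp://$host:2376" version
}

# Negative check: a TLS client without a certificate must be refused. nginx
# answers such requests with 400 before they ever reach the socket.
assert_rejected_without_cert() {
  code=$(curl -sk -o /dev/null -w '%{http_code}' "https://$1:2376/_ping")
  [ "$code" = 400 ]
}

# Usage (runs only with APPLY=1): nginx's worker user also needs read/write
# access to the socket, typically via the podman or docker group.
if [ "${APPLY:-0}" = 1 ]; then
  write_nginx_mtls_conf /etc/nginx/conf.d/container-api.conf /run/podman/podman.sock
  nginx -t && nginx -s reload
  assert_rejected_without_cert podman-worker.example.org
  check_mtls_api podman-worker.example.org /etc/jenkins/podman-worker-tls
fi
```

The trade-off against the SSH tunnel: the API is now reachable over the network, and nginx, not the kernel's file permissions, is the only thing standing between a connection and root on the worker. That is why the config uses a dedicated CA with depth 1 and the negative check is part of the rollout; if the CA key or any issued client key leaks, every worker fronted this way is compromised.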

ragebflame commented 5 months ago

Just missed this by 2 weeks. I was looking for the ability to do the same, as we are limited to using Podman, and I would really prefer to use the Jenkins Cloud functionality.