kekru / docker-remote-api-tls

Docker Image that forwards to the Docker API Socket and requires TLS Client authentication
https://hub.docker.com/r/kekru/docker-remote-api-tls
MIT License
76 stars 25 forks

Doubts about features and security #20

Closed pedroricardo closed 2 years ago

pedroricardo commented 3 years ago

Is it possible to start, create, delete and collect metrics from containers hosted on another VPS, for example, securely through this API?

What is the chance that when using this solution I open a vulnerability in my server?

And how can I use it with docker compose?

kekru commented 2 years ago

Hi @pedroricardo, sorry for the late answer.

> Is it possible to start, create, delete and collect metrics from containers hosted on another VPS, for example, securely through this API?

Yes, it's made for start, create, delete and so on, on a remote server. You can do everything that you can do with the local "docker" command.
Metrics: You don't get Prometheus metrics or something like that. You will only get, for example, "docker inspect ..."

> What is the chance that when using this solution I open a vulnerability in my server?

This works with mTLS from nginx (the client needs to authenticate with its TLS client certificate).
As long as this is implemented correctly and you keep the keys private, this is very strong security. nginx is very stable, widely used software.

> And how can I use it with docker compose?

See the Readme.md. It is described there. There is also a docker-compose.yml in this repo.

pedroricardo commented 2 years ago

Thanks for the answer. Another question I came up with: how can I copy the files and folders from my application (like app.js etc.) to the remote host during my deploy using docker-compose through the Docker API with TLS authentication?

kekru commented 2 years ago

docker-compose.yml

```yaml
services:
  myservice:
    build: .
```

Dockerfile

```dockerfile
FROM ...
COPY app.js /
...
```

Then run

```bash
export DOCKER_HOST=...
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=...
docker-compose build
docker-compose up
```

So you add your app.js etc with COPY to your Dockerfile. The build is effectively done on the remote server and the files, which are added with COPY, are sent during that build to the server.

Volumes will not work out of the box. If you want to put files in your container via volumes, you need to copy them to the remote server another way.
So I would recommend just using COPY for all files in your Dockerfile, and you're done.
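
Added example (not part of the thread and not code from the kekru/docker-remote-api-tls project): a preflight check for the `DOCKER_*` variables exported above and for the "keep the keys private" condition. The function names are hypothetical; `ca.pem`, `cert.pem` and `key.pem` are the file names the Docker CLI reads from `DOCKER_CERT_PATH`, and the live probe assumes the proxy serves HTTPS on the host and port given in `DOCKER_HOST`.

```shell
# Added example, not the project's own code.
# Returns 0 when the client environment looks safe to use, 1 otherwise.
# Each problem found is reported on stderr.
check_docker_tls_env() {
  local rc=0 f mode
  # The thread sets DOCKER_TLS_VERIFY=1; when it is unset the CLI does not
  # use TLS verification for the connection.
  if [ "${DOCKER_TLS_VERIFY:-}" != "1" ]; then
    echo "DOCKER_TLS_VERIFY is not 1" >&2; rc=1
  fi
  case "${DOCKER_HOST:-}" in
    tcp://*) ;;
    *) echo "DOCKER_HOST is not a tcp:// address" >&2; rc=1 ;;
  esac
  # This check requires DOCKER_CERT_PATH to be set, as in the thread.
  for f in ca.pem cert.pem key.pem; do
    if [ ! -r "${DOCKER_CERT_PATH:-}/$f" ]; then
      echo "cannot read $f in DOCKER_CERT_PATH" >&2; rc=1
    fi
  done
  # key.pem is the client credential: group and other must have no access.
  if [ -f "${DOCKER_CERT_PATH:-}/key.pem" ]; then
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "${DOCKER_CERT_PATH}/key.pem" | cut -c5-10)
    if [ "$mode" != "------" ]; then
      echo "key.pem is accessible to group/others ($mode)" >&2; rc=1
    fi
  fi
  return $rc
}

# Optional live probe against your own server (needs network and curl):
# request /_ping over TLS WITHOUT presenting a client certificate.
# Returns 0 when the request was not served, 1 when the API answered 200,
# which would mean client authentication is not being enforced.
probe_without_client_cert() {
  local hostport="${DOCKER_HOST#tcp://}" code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
    --cacert "$DOCKER_CERT_PATH/ca.pem" "https://$hostport/_ping") || code=000
  [ "$code" != "200" ]
}
```

Source the file and run `check_docker_tls_env && docker-compose build`, so the build only starts when the checks pass; `probe_without_client_cert` can be run once after deploying the proxy.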