• This repository has been archived on 24/Aug/2021
  • Language: Go
  • License: MIT License
  • Created about 7 years ago
  • Updated over 3 years ago


A proxy for docker.sock that enforces access control and isolated privileges

⚠️ This is a discontinued experiment: Much better technology now exists to solve this problem, such as secure docker-in-docker with sysbox.

Sockguard

Safely providing access to a docker daemon to untrusted containers is challenging. By design docker doesn't provide any sort of access control over what can be done over that socket, so anything which has access to the socket has the same influence over your system as the user that docker is running as. This includes the host filesystem via mounts. To compound this, the default configuration of most docker installations has docker running with root privileges.

In a CI environment, builds need to be able to create containers, networks and volumes with access to a limited set of filesystem directories on the host. They need to have access to the resources they create and be able to destroy them as makes sense in the build.

Usage

This runs a guarded socket that is then passed into a container for Docker outside of Docker usage.

sockguard --upstream-socket /var/run/docker.sock --allow-bind "$PWD" &
docker -H unix://$PWD/sockguard.sock run --rm -v $PWD/sockguard.sock:/var/lib/docker.sock buildkite/agent:3

How it works

Sockguard provides a proxy around the docker socket that is passed to the container that safely runs the build. The proxied socket adds restrictions around what can be accessed via the socket.

When an image, container, volume or network is created it gets given a label of com.buildkite.sockguard.owner={identifier}, which is the identifier of the specific instance of the socket proxy. Each subsequent operation is checked against this ownership label, and only a match (or, in the case of images, the lack of an owner) is allowed to proceed for read or write operations.

In addition, creation of containers imposes certain restrictions to ensure that containers are contained:

  • No privileged mode is allowed
  • By default no host bind mounts are allowed, but certain paths can be white-listed with --allow-bind
  • No host network mode is allowed

There is also an option to set cgroup-parent on container creation. This is useful for restricting CPU/Memory resources of containers spawned via this proxy (eg. when using a container scheduler).
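The ownership label and the creation restrictions described above, worked through in Go as an added example (this is not sockguard's own code). It assumes request and response bodies shaped like the Docker Engine API JSON (HostConfig.Privileged, HostConfig.NetworkMode, HostConfig.Binds, HostConfig.Mounts, Config.Labels), takes the proxy instance identifier and the allowed bind roots as parameters, and treats a Binds source that does not start with "/" as a named volume rather than a host path (an assumption). It also goes slightly beyond the text by checking the Mounts form of bind mounts and by guarding against prefix collisions such as /srv/buildx against an allowed /srv/build.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// OwnerLabel is the label key from the README; its value identifies one proxy instance.
const OwnerLabel = "com.buildkite.sockguard.owner"

// bindAllowed reports whether a host path is at or below one of the allowed roots.
// Cleaned paths plus a separator boundary stop "/srv/buildx" matching "/srv/build".
// Host symlinks are not resolved here; the proxy only sees the request text.
func bindAllowed(src string, allowBinds []string) bool {
	src = filepath.Clean(src)
	for _, root := range allowBinds {
		root = filepath.Clean(root)
		if src == root || strings.HasPrefix(src, root+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

// guardCreate applies the creation rules to a POST /containers/create body: no privileged
// mode, no host networking, host bind mounts only below allowBinds. On success it returns
// the body with the owner label injected and every other field carried through untouched.
func guardCreate(body []byte, owner string, allowBinds []string) ([]byte, error) {
	var req map[string]interface{}
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("invalid create body: %w", err)
	}
	host, _ := req["HostConfig"].(map[string]interface{}) // reads from a nil map are safe
	if priv, _ := host["Privileged"].(bool); priv {
		return nil, errors.New("privileged mode is not allowed")
	}
	if mode, _ := host["NetworkMode"].(string); mode == "host" {
		return nil, errors.New("host network mode is not allowed")
	}
	// "Binds" entries are "src:dst[:opts]"; a source starting with "/" is a host path,
	// anything else is assumed to be a named volume and is not a host bind.
	binds, _ := host["Binds"].([]interface{})
	for _, b := range binds {
		spec, _ := b.(string)
		src := strings.SplitN(spec, ":", 2)[0]
		if strings.HasPrefix(src, "/") && !bindAllowed(src, allowBinds) {
			return nil, fmt.Errorf("bind mount of %q is not allowed", src)
		}
	}
	// The "Mounts" form expresses the same request with Type "bind" and a Source path.
	mounts, _ := host["Mounts"].([]interface{})
	for _, m := range mounts {
		mm, _ := m.(map[string]interface{})
		typ, _ := mm["Type"].(string)
		src, _ := mm["Source"].(string)
		if typ == "bind" && !bindAllowed(src, allowBinds) {
			return nil, fmt.Errorf("bind mount of %q is not allowed", src)
		}
	}
	labels, _ := req["Labels"].(map[string]interface{})
	if labels == nil {
		labels = map[string]interface{}{}
	}
	labels[OwnerLabel] = owner
	req["Labels"] = labels
	return json.Marshal(req)
}

// ownedBy checks a GET /containers/{id}/json response: the owner label under Config.Labels
// must equal this proxy's identifier before a read or write on the container proceeds.
func ownedBy(inspect []byte, owner string) (bool, error) {
	var resp struct {
		Config struct {
			Labels map[string]string `json:"Labels"`
		} `json:"Config"`
	}
	if err := json.Unmarshal(inspect, &resp); err != nil {
		return false, err
	}
	return resp.Config.Labels[OwnerLabel] == owner, nil
}

// filterOwned keeps only the entries of a GET /containers/json response with this owner,
// which is what the "(filtered)" list endpoints do.
func filterOwned(list []byte, owner string) ([]string, error) {
	var entries []struct {
		ID     string            `json:"Id"`
		Labels map[string]string `json:"Labels"`
	}
	if err := json.Unmarshal(list, &entries); err != nil {
		return nil, err
	}
	var ids []string
	for _, e := range entries {
		if e.Labels[OwnerLabel] == owner {
			ids = append(ids, e.ID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed sample: a build asking for a bind below the allowed root plus a named volume.
	body := []byte(`{"Image":"alpine","HostConfig":{"Binds":["/srv/build/src:/work:ro","cache:/cache"]}}`)
	out, err := guardCreate(body, "proxy-1", []string{"/srv/build"})
	fmt.Println(string(out), err)
}
```

Working on the decoded map rather than a typed struct is what keeps unknown fields intact on the way to the upstream socket; a typed struct would silently drop anything it does not model, which is the wrong failure mode for a proxy.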

How is this solved elsewhere?

Docker provides an ACL system in their Enterprise product, and also provides a plugin API with authorization hooks. At this stage the plugin ecosystem is still pretty new. The advantage of using a local socket is that you can use filesystem permissions to control access to it.

Another approach is Docker-in-docker, which is unfortunately slow and fraught with issues.

Implementation status

Very alpha! Most of the high risk endpoints are covered decently. Not yet ready for production usage.

Based off https://docs.docker.com/engine/api/v1.32.

Containers (Done)

  • GET /containers/json (filtered)
  • POST /containers/create (label added)
  • GET /containers/{id}/json (ownership check)
  • GET /containers/{id}/top (ownership check)
  • GET /containers/{id}/logs (ownership check)
  • GET /containers/{id}/changes (ownership check)
  • GET /containers/{id}/export (ownership check)
  • GET /containers/{id}/stats (ownership check)
  • POST /containers/{id}/resize (ownership check)
  • POST /containers/{id}/start (ownership check)
  • POST /containers/{id}/stop (ownership check)
  • POST /containers/{id}/restart (ownership check)
  • POST /containers/{id}/kill (ownership check)
  • POST /containers/{id}/update (ownership check)
  • POST /containers/{id}/rename (ownership check)
  • POST /containers/{id}/pause (ownership check)
  • POST /containers/{id}/unpause (ownership check)
  • POST /containers/{id}/attach (ownership check)
  • GET /containers/{id}/attach/ws (ownership check)
  • POST /containers/{id}/wait (ownership check)
  • DELETE /containers/{id} (ownership check)
  • HEAD /containers/{id}/archive (ownership check)
  • GET /containers/{id}/archive (ownership check)
  • PUT /containers/{id}/archive (ownership check)
  • POST /containers/{id}/exec (ownership check)
  • POST /containers/prune (filtered)
  • POST /exec/{id}/start
  • POST /exec/{id}/resize
  • GET /exec/{id}/json

Images (Partial)

  • GET /images/json (filtered)
  • POST /build (label added)
  • POST /build/prune (filtered)
  • POST /images/create
  • GET /images/{name}/json
  • GET /images/{name}/history
  • POST /images/{name}/push
  • POST /images/{name}/tag
  • DELETE /images/{name}
  • GET /images/search
  • POST /images/prune
  • POST /commit
  • POST /images/{name}/get
  • GET /images/get
  • POST /images/load

Networks (Done)

  • GET /networks
  • GET /networks/{id}
  • POST /networks/create
  • POST /networks/{id}/connect
  • POST /networks/{id}/disconnect
  • POST /networks/prune

Volumes

  • GET /volumes
  • POST /volumes/create
  • GET /volumes/{name}
  • DELETE /volumes/{name}
  • POST /volumes/prune

Swarm (Disabled)

  • GET /swarm
  • POST /swarm/init
  • POST /swarm/join
  • POST /swarm/leave
  • POST /swarm/update
  • GET /swarm/unlockkey
  • POST /swarm/unlock
  • GET /nodes
  • GET /nodes/{id}
  • DELETE /nodes/{id}
  • POST /nodes/{id}/update
  • GET /services
  • POST /services/create
  • GET /services/{id}
  • DELETE /services/{id}
  • POST /services/{id}/update
  • GET /services/{id}/logs
  • GET /tasks
  • GET /tasks/{id}
  • GET /tasks/{id}/logs
  • GET /secrets
  • POST /secrets/create
  • GET /secrets/{id}
  • DELETE /secrets/{id}
  • POST /secrets/{id}/update

Plugins (Disabled)

  • GET /plugins
  • GET /plugins/privileges
  • POST /plugins/pull
  • GET /plugins/{name}/json
  • DELETE /plugins/{name}
  • POST /plugins/{name}/enable
  • POST /plugins/{name}/disable
  • POST /plugins/{name}/upgrade
  • POST /plugins/create
  • POST /plugins/{name}/set

System

  • POST /auth
  • GET /info
  • GET /version
  • GET /_ping (direct)
  • GET /events
  • GET /system/df
  • GET /distribution/{name}/json
  • POST /session

Configs

  • GET /configs
  • POST /configs/create
  • GET /configs/{id}
  • DELETE /configs/{id}
  • POST /configs/{id}/update

Example: Running in Amazon ECS with CgroupParent

Let's say you are spawning a sockguard instance per ECS task, to pass through a guarded Docker socket to some worker (eg. a CI worker). You may want to apply the same CPU/Memory constraints as the ECS task. This can be done via a bash wrapper to /sockguard in a sidecar container (ensure you have bash, curl and jq available):

#!/bin/bash

set -euo pipefail

###########################

# Detect CgroupParent first

# A) Use the container ID from /proc/self/cgroup
# (note: this works fine on a systemd based system; the match needs adjusting on a pre-systemd host, fine for us right now)
container_id=$(awk -F/ '/1:name=systemd/ {print $NF}' /proc/self/cgroup)

# B) Use the hostname
# (note: works as long as nobody starts the container with --hostname; A) is preferred for now)
# container_id="$HOSTNAME"

if [ -z "$container_id" ]; then
  echo "sockguard/start.sh: container_id empty?"
  exit 1
fi

# Get the CgroupParent via the Docker API.
# jq's "// empty" turns a missing or null CgroupParent into an empty string, so the check below catches it
# instead of passing the literal string "null" on to sockguard.
container_inspect_url="http:/v1.37/containers/${container_id}/json"
cgroup_parent=$(curl -s --unix-socket /var/run/docker.sock "$container_inspect_url" | jq -r '.HostConfig.CgroupParent // empty')

if [ -z "$cgroup_parent" ]; then
  echo "sockguard/start.sh: cgroup_parent empty? (from Docker API)"
  exit 1
fi

###########################

# Start sockguard with some args (double quotes, so the shell actually expands the variables)
exec /sockguard -cgroup-parent "${cgroup_parent}" -owner-label "${cgroup_parent}" ...other args...

Development

Sockguard is built with Golang 1.11 and modules.

export GO111MODULE=on
go run ./cmd/sockguard
