Skip to content
This repository has been archived by the owner on Mar 27, 2019. It is now read-only.
/ sherpa Public archive

A simple way to access Docker's remote API

License

MIT license
50 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

djenriquez/sherpa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
examples
examples
 
 
nginx
nginx
 
 
src
src
 
 
templates
templates
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main
main
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Sherpa

The current recommendation to enable Docker's remote API is to change the daemon configuration and then restart. With Sherpa, you simply need to run the container and you'll have access to the docker.sock via TCP.

ACL Configuration

Sherpa has two access modes, --allow and --deny(default). In allow mode, access to the Docker API is implicitly allowed. Meaning, you must explicitly define endpoints and HTTP methods that are forbidden. In --deny mode, the default mode, the reverse is true: access to the API is implicitly forbidden. Paths must be explicitly defined.

Paths can be configured using the $CONFIG environment variable with a json blob passed in and/or by mounting config files to /etc/sherpa. This blob has the following schema:

[
    { 
        "Path" : "STRING",
        "Access": "allow|deny",
        "Methods": ["STRING"],
        "Addresses": ["STRING"]
    }
]
  • "Path": The URI path to configure
  • "Access": The access mode. Accepts "allow" or "deny"
  • "Methods": The HTTP Methods to allow. Ignored if access is "deny".
  • "Addresses": Specific addresses to allow. See NGINX allow for accepted values. Ignored if access is "deny".

Admins can also restrict access to Sherpa by using a combination of volume mounting permissions and IP binding.

Examples

Multiple ACLs can be defined to create a strictly contained remote API. Here are a few examples:

Full access

docker run -d \
--name sherpa \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Access to /containers/json GET only

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/json",
        "Access": "allow",
        "Methods": ["GET"]
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa

Access to everything but kill

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/*/kill",
        "Access": "deny"
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Mount example config files /w env Config

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/containers/json",
        "Access": "deny"
    }
]' \
-v `pwd`/examples:/etc/sherpa \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

Full access to internal IPs only

docker run -d \
--name sherpa \
-e CONFIG='[
    { 
        "Path" : "/",
        "Access": "allow",
        "Addresses": ["10.0.0.0/8", "192.168.0.0/16", "172.0.0.0/8"]
    }
]' \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 4550:4550 \
djenriquez/sherpa --allow

About

A simple way to access Docker's remote API

Topics

python api docker nginx remote

Resources

Readme

License

MIT license
Activity

Stars

50 stars

Watchers

7 watching

Forks

12 forks
Report repository

Releases 2

IP Filtering Latest
Oct 19, 2016
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages