Authobot is a simple authorization plugin for docker to prevent some API usages that we know will expose hosts data and are not required for a legitimate use of docker from a containerized jenkins build agent.
We prevent
- running container with bind mounts
- running privileged container
- more to come
We also provide a whitelist of authorized API URIs, based on docker-pipeline / declarative-pipeline requirements. Any other API call will be rejected.
➜ # ➜ # let's run a container ➜ # ➜ docker run --rm -t ubuntu echo Hello Hello ➜ # ➜ # let's now run a _privileged_ container (can access hosts' devices) ➜ # ➜ docker run --rm -t --privileged ubuntu echo Hello docker: Error response from daemon: authorization denied by plugin authobot:latest: use of Privileged contianers is not allowed. See 'docker run --help'. ➜ # ➜ # hum, let's bind mount host filesystem to hack all it's secrets ➜ # ➜ docker run --rm -t -v /:/host ubuntu echo Hello docker: Error response from daemon: authorization denied by plugin authobot:latest: use of bind mounts is not allowed. See 'docker run --help'. ➜ # ➜ # ok, let's just mount a volume to persist our data ➜ # ➜ docker run --rm -t -v some_volume:/host ubuntu echo Hello Hello we use dep to manage dependencies. run dep ensure to generate a local vendor folder so you can hack and build the plugin.
build with docker build -t authobot .
create rootfs directory, and export container filesystem
rm -rf rootfs mkdir rootfs ID=$(docker run -d authobot:latest) docker export $ID | tar -x -C rootfs docker kill $ID docker rm $ID Then, install and enable plugin on your local docker daemon
docker plugin create authobot $(pwd) docker plugin enable authobot change docker daemon configuration to include --authorization-plugin=authobot and restart daemon.