Zun

Interactive exec via proxy

Bug #1735076 reported by hongbin on 2017-11-29
This bug affects 2 people
Affects: Zun
Importance: Critical
Assigned to: Unassigned

Bug Description

The current implementation of interactive execute [1][2][3][4] is as follows:

1. The client calls the server with /containers/<id>/exec
2. The server returns a URL of the Docker daemon
3. The client uses the URL to connect to the Docker daemon directly

Allowing clients to connect to the Docker daemon on the compute host is a big security issue. We should have a proxy process in between the client and the Docker daemon. As a result, the proxy can authenticate the client before allowing the connection. Details are stated in this spec: https://review.openstack.org/#/c/396841/

[1] https://review.openstack.org/#/c/449330/3
[2] https://review.openstack.org/#/c/449306/3
[3] https://review.openstack.org/#/c/449360/
[4] https://review.openstack.org/#/c/445234/16

hongbin (hongbin034) on 2017-11-29
Changed in zun:
importance: Undecided → Critical
status: New → Triaged
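
An added sketch of the proxy arrangement the report asks for; it is not Zun's code and not the design in the linked spec. It assumes the API server and proxy share an HMAC key, that the proxy has already established the caller's identity (`user`), and the proxy URL, token layout and function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

PROXY_BASE = "wss://zun-proxy.example.test/exec"  # assumed proxy endpoint (placeholder)
SECRET = secrets.token_bytes(32)  # assumed key shared by API server and proxy
TTL = 30                          # seconds a token stays valid
_used = set()                     # nonces already redeemed (single use)

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_exec_url(user, container_id, exec_id, now=None):
    """API server side: hand back a proxy URL, never the Docker daemon's URL."""
    issued = int(now if now is not None else time.time())
    claims = {"user": user, "container": container_id, "exec": exec_id,
              "exp": issued + TTL, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return f"{PROXY_BASE}?token={payload.decode()}.{_sign(payload)}"

def authorize(token, user, now=None):
    """Proxy side: run every check before any connection to the daemon is opened."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        raise PermissionError("malformed token")
    # Constant-time comparison of the presented and expected signatures.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode()).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < (now if now is not None else time.time()):
        raise PermissionError("expired")
    if claims["user"] != user:
        raise PermissionError("token issued to another user")
    if claims["nonce"] in _used:
        raise PermissionError("token already used")
    _used.add(claims["nonce"])
    # Only the proxy maps the session to a daemon-side exec; the client never sees it.
    return claims["container"], claims["exec"]
```

The claims are verified only after the signature check passes, so unauthenticated input is never parsed as JSON.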