Previously, interactive exec worked as follows:
* Client makes an API call to server to request an interactive
  execution inside a container
* Server returns a URL that is an endpoint of the docker daemon
* Client connects to the docker's URL
This approach is considered to be insecure because it directly
exposes docker API endpoint to end-users. This patch changes
the workflow to mitigate the security risk. The new workflow
is as follows:
* Client makes an API call to server to request an interactive
  execution inside a container
* Server returns a URL that is the websocket proxy server
* Client connects to the proxy server
* The proxy server proxies the request to docker daemon
The proxy server will validate each incoming request before
doing the proxy calls. The API endpoint of docker daemon will
be hidden from end-users.
Reviewed: https://review.openstack.org/563482
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Submitter: Zuul
Branch: master
commit ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Author: Hongbin Lu <email address hidden>
Date: Mon Apr 23 01:51:44 2018 +0000
Support websocket proxy for exec
Previously, interactive exec worked as follows:
* Client makes an API call to server to request an interactive
  execution inside a container
* Server returns a URL that is an endpoint of the docker daemon
* Client connects to the docker's URL
This approach is considered to be insecure because it directly
exposes docker API endpoint to end-users. This patch changes
the workflow to mitigate the security risk. The new workflow
is as follows:
* Client makes an API call to server to request an interactive
  execution inside a container
* Server returns a URL that is the websocket proxy server
* Client connects to the proxy server
* The proxy server proxies the request to docker daemon
The proxy server will validate each incoming request before
doing the proxy calls. The API endpoint of docker daemon will
be hidden from end-users.
Change-Id: I68e49b99eee9e6c22a9df2cc19a1d2ba5053489e
Partial-Bug: #1735076
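
The new workflow described in the commit message, sketched as an added example (this is not Zun's code). The one-time token scheme, the `uuid`/`exec_id`/`token` query parameters, the proxy address and the class and function names are all assumptions made for illustration; the point shown is that the upstream Docker address comes only from the server-side record, never from the client's request.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

PROXY_BASE = "ws://proxy.example:6784/"  # hypothetical public proxy address


class ProxyValidationError(Exception):
    """Raised when the proxy refuses an incoming request."""


class ExecSessions:
    """Server-side exec records; the Docker endpoint is stored only here."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self._by_exec = {}

    def issue_url(self, container_uuid, exec_id, docker_url, now=None):
        """API server: register the exec and build the URL handed to the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._by_exec[(container_uuid, exec_id)] = (token, docker_url, now + self.ttl)
        return f"{PROXY_BASE}?uuid={container_uuid}&exec_id={exec_id}&token={token}"

    def resolve_upstream(self, request_url, now=None):
        """Proxy: validate an incoming request and return the hidden upstream."""
        now = time.time() if now is None else now
        query = parse_qs(urlsplit(request_url).query)  # blank values are dropped
        try:
            key = (query["uuid"][0], query["exec_id"][0])
            presented = query["token"][0]
        except KeyError:
            raise ProxyValidationError("missing uuid, exec_id or token")
        record = self._by_exec.get(key)
        if record is None:
            raise ProxyValidationError("unknown exec session")
        token, docker_url, expires = record
        # Constant-time comparison; a wrong token leaves the record intact.
        if not hmac.compare_digest(token.encode(), presented.encode()):
            raise ProxyValidationError("bad token")
        del self._by_exec[key]  # single use: replays and expired records are dropped
        if now > expires:
            raise ProxyValidationError("token expired")
        return docker_url
```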