Zun

Comment 4 for bug 1735076

OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (master)

Reviewed: https://review.openstack.org/563482
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Submitter: Zuul
Branch: master

commit ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Author: Hongbin Lu <email address hidden>
Date: Mon Apr 23 01:51:44 2018 +0000

    Support websocket proxy for exec

    Before, interactive exec worked as follows:
    * Client makes an API call to server to request an interactive
      execution inside a container
    * Server returns a URL that is an endpoint of the docker daemon
    * Client connects to the docker's URL

    This approach is considered to be insecure because it directly
    exposes the docker API endpoint to end-users. This patch changes
    the workflow to mitigate the security risk. The new workflow
    is as follows:
    * Client makes an API call to server to request an interactive
      execution inside a container
    * Server returns a URL that is the websocket proxy server
    * Client connects to the proxy server
    * The proxy server proxies the request to docker daemon

    The proxy server will validate each incoming request before
    doing the proxy calls. The API endpoint of the docker daemon will
    be hidden from end-users.

    Change-Id: I68e49b99eee9e6c22a9df2cc19a1d2ba5053489e
    Partial-Bug: #1735076
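
The new workflow described in the commit message, sketched as an added example that is not part of the commit or of Zun's code: the API server hands out only a proxy URL, and the proxy validates each request before looking up the docker target on the server side. The query parameter names (`uuid`, `exec_id`, `token`), the single-use token with a TTL, the proxy address and the docker URL are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

PROXY_BASE = "wss://proxy.example.test:6784/"  # hypothetical public proxy address
TOKEN_TTL = 60  # seconds a freshly issued URL stays valid (assumed value)

# Held by the server side only: exec_id -> session record with the backend URL.
_sessions = {}


def issue_exec_url(container_uuid, exec_id, docker_url, now=None):
    """API server: remember the docker target, hand the client a proxy URL only."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[exec_id] = {"uuid": container_uuid, "token": token,
                          "expires": now + TOKEN_TTL, "backend": docker_url}
    query = urlencode({"uuid": container_uuid, "exec_id": exec_id, "token": token})
    return PROXY_BASE + "?" + query


def resolve_backend(request_url, now=None):
    """Proxy: validate the incoming request, return the docker URL to connect to."""
    now = time.time() if now is None else now
    params = parse_qs(urlparse(request_url).query)
    try:
        uuid, exec_id, token = (params[k][0] for k in ("uuid", "exec_id", "token"))
    except KeyError:
        raise PermissionError("missing parameter") from None
    session = _sessions.get(exec_id)
    if session is None or session["uuid"] != uuid:
        raise PermissionError("unknown exec session")
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(session["token"].encode(), token.encode()):
        raise PermissionError("bad token")
    del _sessions[exec_id]  # single use, whether or not the token is still fresh
    if now > session["expires"]:
        raise PermissionError("token expired")
    return session["backend"]
```
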