diff --git a/CHANGELOG.md b/CHANGELOG.md index 843f0212d0..ab145e595e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## 0.5.2 (2013-08-08) + * Builder: Forbid certain paths within docker build ADD + - Runtime: Change network range to avoid conflict with EC2 DNS + * API: Change daemon to listen on unix socket by default + ## 0.5.1 (2013-07-30) + API: Docker client now sets useragent (RFC 2616) + Runtime: Add `ps` args to `docker top` diff --git a/api.go b/api.go index 4ad2ba461a..221cabed56 100644 --- a/api.go +++ b/api.go @@ -18,8 +18,9 @@ import ( ) const APIVERSION = 1.4 -const DEFAULTHTTPHOST string = "127.0.0.1" -const DEFAULTHTTPPORT int = 4243 +const DEFAULTHTTPHOST = "127.0.0.1" +const DEFAULTHTTPPORT = 4243 +const DEFAULTUNIXSOCKET = "/var/run/docker.sock" func hijackServer(w http.ResponseWriter) (io.ReadCloser, io.Writer, error) { conn, _, err := w.(http.Hijacker).Hijack() @@ -972,9 +973,8 @@ func ListenAndServe(proto, addr string, srv *Server, logging bool) error { if e != nil { return e } - //as the daemon is launched as root, change to permission of the socket to allow non-root to connect if proto == "unix" { - os.Chmod(addr, 0777) + os.Chmod(addr, 0700) } httpSrv := http.Server{Addr: addr, Handler: r} return httpSrv.Serve(l) diff --git a/buildfile.go b/buildfile.go index 736725e915..33e68c6211 100644 --- a/buildfile.go +++ b/buildfile.go @@ -273,6 +273,9 @@ func (b *buildFile) addContext(container *Container, orig, dest string) error { if strings.HasSuffix(dest, "/") { destPath = destPath + "/" } + if !strings.HasPrefix(origPath, b.context) { + return fmt.Errorf("Forbidden path: %s", origPath) + } fi, err := os.Stat(origPath) if err != nil { return err diff --git a/buildfile_test.go b/buildfile_test.go index 78e53b8419..73cc5b8394 100644 --- a/buildfile_test.go +++ b/buildfile_test.go @@ -325,3 +325,52 @@ func TestBuildEntrypoint(t *testing.T) { if img.Config.Entrypoint[0] != "/bin/echo" { } } + +func TestForbiddenContextPath(t *testing.T) { + runtime, err := newTestRuntime() + if err != nil { + t.Fatal(err) + } + defer nuke(runtime) + + srv := &Server{ + runtime: runtime, + pullingPool: make(map[string]struct{}), + pushingPool: make(map[string]struct{}), + } + + context := testContextTemplate{` + from {IMAGE} + maintainer dockerio + add ../../ test/ + `, + [][2]string{{"test.txt", "test1"}, {"other.txt", "other"}}, nil} + + httpServer, err := mkTestingFileServer(context.remoteFiles) + if err != nil { + t.Fatal(err) + } + defer httpServer.Close() + + idx := strings.LastIndex(httpServer.URL, ":") + if idx < 0 { + t.Fatalf("could not get port from test http server address %s", httpServer.URL) + } + port := httpServer.URL[idx+1:] + + ip := srv.runtime.networkManager.bridgeNetwork.IP + dockerfile := constructDockerfile(context.dockerfile, ip, port) + + buildfile := NewBuildFile(srv, ioutil.Discard, false) + _, err = buildfile.Build(mkTestContext(dockerfile, context.files, t)) + + if err == nil { + t.Log("Error should not be nil") + t.Fail() + } + + if err.Error() != "Forbidden path: /" { + t.Logf("Error message is not expected: %s", err.Error()) + t.Fail() + } +} diff --git a/commands.go b/commands.go index 8523c3b2e8..7f70c8c09b 100644 --- a/commands.go +++ b/commands.go @@ -27,7 +27,7 @@ import ( "unicode" ) -const VERSION = "0.5.1" +const VERSION = "0.5.2" var ( GITCOMMIT string diff --git a/docker/docker.go b/docker/docker.go index 2db50bf328..8c6b28bffe 100644 --- a/docker/docker.go +++ b/docker/docker.go @@ -33,7 +33,7 @@ func main() { flGraphPath := flag.String("g", "/var/lib/docker", "Path to graph storage base dir.") flEnableCors := flag.Bool("api-enable-cors", false, "Enable CORS requests in the remote api.") flDns := flag.String("dns", "", "Set custom dns servers") - flHosts := docker.ListOpts{fmt.Sprintf("tcp://%s:%d", docker.DEFAULTHTTPHOST, docker.DEFAULTHTTPPORT)} + flHosts := docker.ListOpts{fmt.Sprintf("unix://%s", docker.DEFAULTUNIXSOCKET)} flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use") flag.Parse() if len(flHosts) > 1 { diff --git a/docs/sources/api/docker_remote_api.rst b/docs/sources/api/docker_remote_api.rst index 193be501d0..a1b4cab1c9 100644 --- a/docs/sources/api/docker_remote_api.rst +++ b/docs/sources/api/docker_remote_api.rst @@ -15,7 +15,7 @@ Docker Remote API ===================== - The Remote API is replacing rcli -- Default port in the docker deamon is 4243 +- By default the Docker daemon listens on unix:///var/run/docker.sock and the client must have root access to interact with the daemon - The API tends to be REST, but for some complex commands, like attach or pull, the HTTP connection is hijacked to transport stdout stdin and stderr diff --git a/network.go b/network.go index 2e2dc7785c..4e3c7456a0 100644 --- a/network.go +++ b/network.go @@ -122,8 +122,8 @@ func CreateBridgeIface(ifaceName string) error { // In theory this shouldn't matter - in practice there's bound to be a few scripts relying // on the internal addressing or other stupid things like that. // The shouldn't, but hey, let's not break them unless we really have to. - "172.16.42.1/16", - "10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive + "172.17.42.1/16", // Don't use 172.16.0.0/16, it conflicts with EC2 DNS 172.16.0.23 + "10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive "10.1.42.1/16", "10.42.42.1/16", "172.16.42.1/24",