From f712e10cb21d0056593ea23152d347637396c810 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Tue, 6 Aug 2013 16:58:52 +0000 Subject: [PATCH 1/4] Forbid certain paths within docker build ADD Conflicts: buildfile_test.go --- buildfile.go | 3 +++ buildfile_test.go | 49 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/buildfile.go b/buildfile.go index 736725e915..33e68c6211 100644 --- a/buildfile.go +++ b/buildfile.go @@ -273,6 +273,9 @@ func (b *buildFile) addContext(container *Container, orig, dest string) error { if strings.HasSuffix(dest, "/") { destPath = destPath + "/" } + if !strings.HasPrefix(origPath, b.context) { + return fmt.Errorf("Forbidden path: %s", origPath) + } fi, err := os.Stat(origPath) if err != nil { return err diff --git a/buildfile_test.go b/buildfile_test.go index 78e53b8419..73cc5b8394 100644 --- a/buildfile_test.go +++ b/buildfile_test.go @@ -325,3 +325,52 @@ func TestBuildEntrypoint(t *testing.T) { if img.Config.Entrypoint[0] != "/bin/echo" { } } + +func TestForbiddenContextPath(t *testing.T) { + runtime, err := newTestRuntime() + if err != nil { + t.Fatal(err) + } + defer nuke(runtime) + + srv := &Server{ + runtime: runtime, + pullingPool: make(map[string]struct{}), + pushingPool: make(map[string]struct{}), + } + + context := testContextTemplate{` + from {IMAGE} + maintainer dockerio + add ../../ test/ + `, + [][2]string{{"test.txt", "test1"}, {"other.txt", "other"}}, nil} + + httpServer, err := mkTestingFileServer(context.remoteFiles) + if err != nil { + t.Fatal(err) + } + defer httpServer.Close() + + idx := strings.LastIndex(httpServer.URL, ":") + if idx < 0 { + t.Fatalf("could not get port from test http server address %s", httpServer.URL) + } + port := httpServer.URL[idx+1:] + + ip := srv.runtime.networkManager.bridgeNetwork.IP + dockerfile := constructDockerfile(context.dockerfile, ip, port) + + buildfile := NewBuildFile(srv, ioutil.Discard, false) + _, err = buildfile.Build(mkTestContext(dockerfile, context.files, t)) + + if err == nil { + t.Log("Error should not be nil") + t.Fail() + } + + if err.Error() != "Forbidden path: /" { + t.Logf("Error message is not expected: %s", err.Error()) + t.Fail() + } +} From 5c56b597a9f6d910ee1f22da42f8b9e5d18c678a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Tue, 6 Aug 2013 17:24:10 -0700 Subject: [PATCH 2/4] change network range to avoid conflict with EC2 DNS --- network.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network.go b/network.go index 2e2dc7785c..4e3c7456a0 100644 --- a/network.go +++ b/network.go @@ -122,8 +122,8 @@ func CreateBridgeIface(ifaceName string) error { // In theory this shouldn't matter - in practice there's bound to be a few scripts relying // on the internal addressing or other stupid things like that. // The shouldn't, but hey, let's not break them unless we really have to. - "172.16.42.1/16", - "10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive + "172.17.42.1/16", // Don't use 172.16.0.0/16, it conflicts with EC2 DNS 172.16.0.23 + "10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive "10.1.42.1/16", "10.42.42.1/16", "172.16.42.1/24", From df9712f1c8039f83497e3c647788dd697f034158 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 5 Aug 2013 22:56:02 +0000 Subject: [PATCH 3/4] Change daemon to listen on unix socket by default Conflicts: docs/sources/api/docker_remote_api.rst --- api.go | 8 ++++---- docker/docker.go | 2 +- docs/sources/api/docker_remote_api.rst | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/api.go b/api.go index 4ad2ba461a..221cabed56 100644 --- a/api.go +++ b/api.go @@ -18,8 +18,9 @@ import ( ) const APIVERSION = 1.4 -const DEFAULTHTTPHOST string = "127.0.0.1" -const DEFAULTHTTPPORT int = 4243 +const DEFAULTHTTPHOST = "127.0.0.1" +const DEFAULTHTTPPORT = 4243 +const DEFAULTUNIXSOCKET = "/var/run/docker.sock" func hijackServer(w http.ResponseWriter) (io.ReadCloser, io.Writer, error) { conn, _, err := w.(http.Hijacker).Hijack() @@ -972,9 +973,8 @@ func ListenAndServe(proto, addr string, srv *Server, logging bool) error { if e != nil { return e } - //as the daemon is launched as root, change to permission of the socket to allow non-root to connect if proto == "unix" { - os.Chmod(addr, 0777) + os.Chmod(addr, 0700) } httpSrv := http.Server{Addr: addr, Handler: r} return httpSrv.Serve(l) diff --git a/docker/docker.go b/docker/docker.go index 2db50bf328..8c6b28bffe 100644 --- a/docker/docker.go +++ b/docker/docker.go @@ -33,7 +33,7 @@ func main() { flGraphPath := flag.String("g", "/var/lib/docker", "Path to graph storage base dir.") flEnableCors := flag.Bool("api-enable-cors", false, "Enable CORS requests in the remote api.") flDns := flag.String("dns", "", "Set custom dns servers") - flHosts := docker.ListOpts{fmt.Sprintf("tcp://%s:%d", docker.DEFAULTHTTPHOST, docker.DEFAULTHTTPPORT)} + flHosts := docker.ListOpts{fmt.Sprintf("unix://%s", docker.DEFAULTUNIXSOCKET)} flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use") flag.Parse() if len(flHosts) > 1 { diff --git a/docs/sources/api/docker_remote_api.rst b/docs/sources/api/docker_remote_api.rst index 193be501d0..a1b4cab1c9 100644 --- a/docs/sources/api/docker_remote_api.rst +++ b/docs/sources/api/docker_remote_api.rst @@ -15,7 +15,7 @@ Docker Remote API ===================== - The Remote API is replacing rcli -- Default port in the docker deamon is 4243 +- By default the Docker daemon listens on unix:///var/run/docker.sock and the client must have root access to interact with the daemon - The API tends to be REST, but for some complex commands, like attach or pull, the HTTP connection is hijacked to transport stdout stdin and stderr From e99a99eb6ee7257c0b11312bec33fe27cffdaaaa Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Fri, 9 Aug 2013 00:17:35 +0000 Subject: [PATCH 4/4] Bump to v0.5.2 --- CHANGELOG.md | 5 +++++ commands.go | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 843f0212d0..ab145e595e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## 0.5.2 (2013-08-08) + * Builder: Forbid certain paths within docker build ADD + - Runtime: Change network range to avoid conflict with EC2 DNS + * API: Change daemon to listen on unix socket by default + ## 0.5.1 (2013-07-30) + API: Docker client now sets useragent (RFC 2616) + Runtime: Add `ps` args to `docker top` diff --git a/commands.go b/commands.go index 8523c3b2e8..7f70c8c09b 100644 --- a/commands.go +++ b/commands.go @@ -27,7 +27,7 @@ import ( "unicode" ) -const VERSION = "0.5.1" +const VERSION = "0.5.2" var ( GITCOMMIT string